001/* 002 * (C) Copyright 2006-2007 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Nuxeo - initial API and implementation 018 * Florent Guillaume 019 * Florent Munch 020 */ 021package org.nuxeo.ecm.platform.ui.web.auth.portal; 022 023import java.security.MessageDigest; 024import java.security.NoSuchAlgorithmException; 025import java.time.Duration; 026import java.util.Base64; 027import java.util.Date; 028import java.util.List; 029import java.util.Map; 030 031import javax.servlet.http.HttpServletRequest; 032import javax.servlet.http.HttpServletResponse; 033 034import org.apache.commons.lang3.StringUtils; 035import org.apache.commons.logging.Log; 036import org.apache.commons.logging.LogFactory; 037import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo; 038import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin; 039 040public class PortalAuthenticator implements NuxeoAuthenticationPlugin { 041 042 private static final Log log = LogFactory.getLog(PortalAuthenticator.class); 043 044 public static final String SECRET_KEY_NAME = "secret"; 045 046 public static final String MAX_AGE_KEY_NAME = "maxAge"; 047 048 /** @since 10.3 */ 049 public static final String DIGEST_ALGORITHM_KEY_NAME = "digestAlgorithm"; 050 051 public static final String DIGEST_ALGORITHM_DEFAULT = "MD5"; 052 053 private static final String TS_HEADER = "NX_TS"; 054 055 private static final String RANDOM_HEADER = "NX_RD"; 056 057 private static final String TOKEN_HEADER = "NX_TOKEN"; 058 059 private static final String USER_HEADER = "NX_USER"; 060 061 private static final String TOKEN_SEP = ":"; 062 063 // 064 private String secret = "secret"; 065 066 // one hour by default 067 private long maxAge = Duration.ofHours(1).toSeconds(); 068 069 protected String digestAlgorithm = DIGEST_ALGORITHM_DEFAULT; 070 071 @Override 072 public List<String> getUnAuthenticatedURLPrefix() { 073 return null; // NOSONAR 074 } 075 076 @Override 077 public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) { 078 return Boolean.FALSE; 079 } 080 081 @Override 082 public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest, 083 HttpServletResponse httpResponse) { 084 085 String ts = httpRequest.getHeader(TS_HEADER); 086 String random = httpRequest.getHeader(RANDOM_HEADER); 087 String token = httpRequest.getHeader(TOKEN_HEADER); 088 String userName = httpRequest.getHeader(USER_HEADER); 089 090 if (userName == null || ts == null || random == null || token == null) { 091 return null; 092 } 093 094 if (validateToken(ts, random, token, userName)) { 095 return new UserIdentificationInfo(userName); 096 } else { 097 return null; 098 } 099 } 100 101 @Override 102 public void initPlugin(Map<String, String> parameters) { 103 if (parameters.containsKey(SECRET_KEY_NAME)) { 104 secret = parameters.get(SECRET_KEY_NAME); 105 } 106 if (parameters.containsKey(MAX_AGE_KEY_NAME)) { 107 String maxAgeStr = parameters.get(MAX_AGE_KEY_NAME); 108 if (maxAgeStr != null && !maxAgeStr.equals("")) { 109 maxAge = Long.parseLong(maxAgeStr); 110 } 111 } 112 if (parameters.containsKey(DIGEST_ALGORITHM_KEY_NAME)) { 113 String algo = parameters.get(DIGEST_ALGORITHM_KEY_NAME); 114 if (StringUtils.isNotBlank(algo)) { 115 digestAlgorithm = algo; 116 } 117 } 118 } 119 120 @Override 121 public Boolean needLoginPrompt(HttpServletRequest httpRequest) { 122 return Boolean.FALSE; 123 } 124 125 protected boolean validateToken(String ts, String random, String token, String userName) { 126 // reconstruct the token 127 String clearToken = ts + TOKEN_SEP + random + TOKEN_SEP + secret + TOKEN_SEP + userName; 128 129 byte[] hashedToken; 130 try { 131 hashedToken = MessageDigest.getInstance(digestAlgorithm).digest(clearToken.getBytes()); 132 } catch (NoSuchAlgorithmException e) { 133 log.error("Invalid algorithm: " + digestAlgorithm); 134 return false; 135 } 136 String base64HashedToken = Base64.getEncoder().encodeToString(hashedToken); 137 138 // check that tokens are the same => that we have the same shared key 139 if (!base64HashedToken.equals(token)) { 140 return false; 141 } 142 143 // check time stamp 144 long portalTS = Long.parseLong(ts); 145 long currentTS = (new Date()).getTime(); 146 147 return (currentTS - portalTS) / 1000 <= maxAge; 148 } 149 150}