Source code

001/*
002 * (C) Copyright 2006-2007 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Nuxeo - initial API and implementation
018 *     Florent Guillaume
019 *     Florent Munch
020 */
021package org.nuxeo.ecm.platform.ui.web.auth.portal;
022
023import java.security.MessageDigest;
024import java.security.NoSuchAlgorithmException;
025import java.time.Duration;
026import java.util.Base64;
027import java.util.Date;
028import java.util.List;
029import java.util.Map;
030
031import javax.servlet.http.HttpServletRequest;
032import javax.servlet.http.HttpServletResponse;
033
034import org.apache.commons.lang3.StringUtils;
035import org.apache.commons.logging.Log;
036import org.apache.commons.logging.LogFactory;
037import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
038import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
039
040public class PortalAuthenticator implements NuxeoAuthenticationPlugin {
041
042    private static final Log log = LogFactory.getLog(PortalAuthenticator.class);
043
044    public static final String SECRET_KEY_NAME = "secret";
045
046    public static final String MAX_AGE_KEY_NAME = "maxAge";
047
048    /** @since 10.3 */
049    public static final String DIGEST_ALGORITHM_KEY_NAME = "digestAlgorithm";
050
051    public static final String DIGEST_ALGORITHM_DEFAULT = "MD5";
052
053    private static final String TS_HEADER = "NX_TS";
054
055    private static final String RANDOM_HEADER = "NX_RD";
056
057    private static final String TOKEN_HEADER = "NX_TOKEN";
058
059    private static final String USER_HEADER = "NX_USER";
060
061    private static final String TOKEN_SEP = ":";
062
063    //
064    private String secret = "secret";
065
066    // one hour by default
067    private long maxAge = Duration.ofHours(1).toSeconds();
068
069    protected String digestAlgorithm = DIGEST_ALGORITHM_DEFAULT;
070
071    @Override
072    public List<String> getUnAuthenticatedURLPrefix() {
073        return null; // NOSONAR
074    }
075
076    @Override
077    public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) {
078        return Boolean.FALSE;
079    }
080
081    @Override
082    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest,
083            HttpServletResponse httpResponse) {
084
085        String ts = httpRequest.getHeader(TS_HEADER);
086        String random = httpRequest.getHeader(RANDOM_HEADER);
087        String token = httpRequest.getHeader(TOKEN_HEADER);
088        String userName = httpRequest.getHeader(USER_HEADER);
089
090        if (userName == null || ts == null || random == null || token == null) {
091            return null;
092        }
093
094        if (validateToken(ts, random, token, userName)) {
095            return new UserIdentificationInfo(userName);
096        } else {
097            return null;
098        }
099    }
100
101    @Override
102    public void initPlugin(Map<String, String> parameters) {
103        if (parameters.containsKey(SECRET_KEY_NAME)) {
104            secret = parameters.get(SECRET_KEY_NAME);
105        }
106        if (parameters.containsKey(MAX_AGE_KEY_NAME)) {
107            String maxAgeStr = parameters.get(MAX_AGE_KEY_NAME);
108            if (maxAgeStr != null && !maxAgeStr.equals("")) {
109                maxAge = Long.parseLong(maxAgeStr);
110            }
111        }
112        if (parameters.containsKey(DIGEST_ALGORITHM_KEY_NAME)) {
113            String algo = parameters.get(DIGEST_ALGORITHM_KEY_NAME);
114            if (StringUtils.isNotBlank(algo)) {
115                digestAlgorithm = algo;
116            }
117        }
118    }
119
120    @Override
121    public Boolean needLoginPrompt(HttpServletRequest httpRequest) {
122        return Boolean.FALSE;
123    }
124
125    protected boolean validateToken(String ts, String random, String token, String userName) {
126        // reconstruct the token
127        String clearToken = ts + TOKEN_SEP + random + TOKEN_SEP + secret + TOKEN_SEP + userName;
128
129        byte[] hashedToken;
130        try {
131            hashedToken = MessageDigest.getInstance(digestAlgorithm).digest(clearToken.getBytes());
132        } catch (NoSuchAlgorithmException e) {
133            log.error("Invalid algorithm: " + digestAlgorithm);
134            return false;
135        }
136        String base64HashedToken = Base64.getEncoder().encodeToString(hashedToken);
137
138        // check that tokens are the same => that we have the same shared key
139        if (!base64HashedToken.equals(token)) {
140            return false;
141        }
142
143        // check time stamp
144        long portalTS = Long.parseLong(ts);
145        long currentTS = (new Date()).getTime();
146
147        return (currentTS - portalTS) / 1000 <= maxAge;
148    }
149
150}