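/* (C) Copyright 2002-2008 Nuxeo SAS (http://nuxeo.com/) and contributors.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the GNU Lesser General Public License
 * (LGPL) version 2.1 which accompanies this distribution, and is available at
 * http://www.gnu.org/licenses/lgpl.html
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Contributors:
 *     Nuxeo - initial API and implementation
 *
 * $Id: JOOoConvertPluginImpl.java 18651 2007-05-13 20:28:53Z sfermigier $
 */
package org.nuxeo.ecm.platform.ui.web.auth.plugins;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;

/**
 * The Web Service Servlet needs no login prompt and / or authentication.
 * <p>
 * I see 2 different scenarios:
 * <ol>
 * <li>The client application is a standalone application. It connects to WS with the real credentials and keeps a
 * session only for WS. It has nothing to do with the Web Application or whatsoever. Initially client comes to
 * MainEntrancePoint and tries to get a Stateful WebService (actual WS performing the job). NuxeoAuthenticationFilter
 * (NAF) finds no authentication data in message. It has to let the request pass and not forward the request to login
 * page. The WS makes the authentication based on user credentials.</li>
 * <li>The client application reuses a Web Session or uses another mechanism to hold a HTTP Session (the SSO case).
 * Client comes to MainEntrancePoint and tries to get a Stateful WebService (actual WS performing the job) calling a
 * different method (no user/pass). NAF finds the authentication data in message this time. It establishes the JAAS
 * context and forwards the request on chain. The WS is not doing authentication anymore, but relies on the JAAS context
 * already established. Further, the same will apply while communicating with SFWS. The SFWS relies on JAAS Login Context
 * established by NAF, while the Core Session is managed internally. The SFWS will be able to work only if the JAAS
 * context is kept valid (the Web Session is on).</li>
 * </ol>
 * This plugin has to only block the login form for the requests addressed to WS. The requests are identified by the
 * prefix of the URL.
 * <p>
 * Because every request whose URL starts with the configured prefix is exempted from the login prompt, and this plugin
 * itself never retrieves an identity ({@link #handleRetrieveIdentity} returns {@code null}), the prefix should be kept
 * as specific as possible; a missing or blank {@code URLSkip} parameter therefore falls back to
 * {@link #DEFAULT_SKIP_URL} instead of being used as-is.
 *
 * @author rux
 */
public class WebServicesAuthenticator implements NuxeoAuthenticationPlugin {

    private static final Log log = LogFactory.getLog(WebServicesAuthenticator.class);

    /** Name of the plugin parameter that carries the URL prefix to exempt from authentication. */
    protected static final String URL_SKIP_PARAM = "URLSkip";

    /** Prefix used when the {@code URLSkip} parameter is absent or blank. */
    protected static final String DEFAULT_SKIP_URL = "webservices/";

    /**
     * URL prefix identifying web-service requests. {@code null} until {@link #initPlugin(Map)} has run.
     */
    protected String skipURL;

    /**
     * Returns the URL prefixes for which the authentication filter must not show the login form.
     *
     * @return a mutable list holding the configured prefix, or an empty list when the plugin has not been
     *         initialized yet (rather than a list containing a {@code null} entry)
     */
    public List<String> getUnAuthenticatedURLPrefix() {
        List<String> prefixes = new ArrayList<String>();
        // Before initPlugin() runs skipURL is null; handing the filter a null
        // prefix entry would only move the failure into its matching code.
        if (skipURL != null) {
            prefixes.add(skipURL);
        }
        return prefixes;
    }

    /**
     * Web-service requests never get a login prompt.
     *
     * @param httpRequest the incoming request (unused)
     * @param httpResponse the response (unused, never written to)
     * @param baseURL the application base URL (unused)
     * @return always {@code false}: no login prompt of any kind was issued
     */
    public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) {
        // no need of login of whatsoever type
        return Boolean.FALSE;
    }

    /**
     * This plugin does not establish any identity; the web service (or an already established JAAS context) does.
     *
     * @param httpRequest the incoming request (unused)
     * @param httpResponse the response (unused)
     * @return always {@code null}
     */
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest,
            HttpServletResponse httpResponse) {
        // WebServices not aware of any identity
        return null;
    }

    /**
     * Reads the {@code URLSkip} parameter and stores it as the prefix of the web-service URLs.
     * <p>
     * A {@code null} parameter map, a missing parameter or a blank value all result in {@link #DEFAULT_SKIP_URL}:
     * since the filter matches requests by URL prefix, a blank prefix would presumably match every request and
     * exempt far more than the web services from authentication.
     *
     * @param parameters the plugin parameters from the configuration; may be {@code null}
     */
    public void initPlugin(Map<String, String> parameters) {
        // store the URL prefix to skip as being called a webservice
        String configured = parameters == null ? null : parameters.get(URL_SKIP_PARAM);
        log.debug("Configured URL to skip: " + configured);
        if (configured == null || configured.trim().length() == 0) {
            skipURL = DEFAULT_SKIP_URL;
        } else {
            skipURL = configured;
        }
        log.info("WebServices Authentication filter configured - " + skipURL);
    }

    /**
     * Web-service requests never need a login prompt.
     *
     * @param httpRequest the incoming request (unused)
     * @return always {@code false}
     */
    public Boolean needLoginPrompt(HttpServletRequest httpRequest) {
        // no need of login of whatsoever type
        return Boolean.FALSE;
    }

}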