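/*
 * (C) Copyright 2006-2008 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Nuxeo - initial API and implementation
 *
 * $Id: JOOoConvertPluginImpl.java 18651 2007-05-13 20:28:53Z sfermigier $
 */
package org.nuxeo.ecm.platform.ui.web.auth.plugins;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;

/**
 * The Web Service servlet needs no login prompt and / or authentication.
 * <p>
 * Two different scenarios are covered:
 * <ol>
 * <li>The client application is a standalone application. It connects to the WS with the real credentials and keeps a
 * session only for the WS. It has nothing to do with the Web Application whatsoever. Initially the client comes to
 * MainEntrancePoint and tries to get a Stateful WebService (the actual WS performing the job). NuxeoAuthenticationFilter
 * (NAF) finds no authentication data in the message. It has to let the request pass and not forward the request to the
 * login page. The WS performs the authentication itself based on the user credentials.</li>
 * <li>The client application reuses a Web Session or uses another mechanism to hold an HTTP Session (the SSO case).
 * The client comes to MainEntrancePoint and tries to get a Stateful WebService (the actual WS performing the job) calling
 * a different method (no user/pass). NAF finds the authentication data in the message this time. It establishes the
 * JAAS context and forwards the request along the chain. The WS does not authenticate anymore, but relies on the JAAS
 * context already established. Further, the same applies while communicating with the SFWS. The SFWS relies on the JAAS
 * Login Context established by NAF, while the Core Session is managed internally. The SFWS will only be able to work if
 * the JAAS context is kept valid (the Web Session is on).</li>
 * </ol>
 * This plugin only suppresses the login form for requests addressed to the WS; it never authenticates anything itself
 * ({@link #handleRetrieveIdentity} always returns {@code null}). Requests are identified by the prefix of their URL,
 * which is configured through the {@code URLSkip} plugin parameter and defaults to {@link #DEFAULT_SKIP_URL}.
 * <p>
 * Security note: the configured prefix is the only thing deciding which requests bypass the login prompt, so it must
 * never be empty — an empty prefix would match every request path. {@link #initPlugin} therefore falls back to the
 * default when the parameter is missing or blank, and {@link #getUnAuthenticatedURLPrefix} exempts nothing (fails
 * closed) while the plugin has not been initialized.
 *
 * @author rux
 */
public class WebServicesAuthenticator implements NuxeoAuthenticationPlugin {

    private static final Log log = LogFactory.getLog(WebServicesAuthenticator.class);

    /** Name of the plugin parameter holding the URL prefix to exempt from the login prompt. */
    public static final String URL_SKIP_PARAMETER = "URLSkip";

    /** Prefix used when {@link #URL_SKIP_PARAMETER} is absent or blank. */
    public static final String DEFAULT_SKIP_URL = "webservices/";

    /**
     * URL prefix whose requests are left unauthenticated by the filter. Set by {@link #initPlugin}; {@code null}
     * until then.
     */
    protected String skipURL;

    /**
     * Returns the URL prefixes the authentication filter must let through without authentication.
     *
     * @return a new mutable list holding the configured prefix, or an empty list when {@link #initPlugin} has not
     *         been called yet (nothing is exempted rather than handing the filter a {@code null} prefix)
     */
    public List<String> getUnAuthenticatedURLPrefix() {
        List<String> prefixes = new ArrayList<String>();
        // Fail closed: an uninitialized plugin exempts no URL instead of adding a null entry.
        if (skipURL != null) {
            prefixes.add(skipURL);
        }
        return prefixes;
    }

    /**
     * Never shows a login prompt: the WS either authenticates itself or relies on an existing JAAS context.
     *
     * @return {@code false} always
     */
    public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) {
        return Boolean.FALSE;
    }

    /**
     * This plugin is not aware of any identity; it never retrieves credentials from the request.
     *
     * @return {@code null} always
     */
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest,
            HttpServletResponse httpResponse) {
        return null;
    }

    /**
     * Reads the {@code URLSkip} parameter and stores it as the prefix of the URLs treated as web service calls.
     * <p>
     * A missing, blank or whitespace-only value is replaced by {@link #DEFAULT_SKIP_URL}: an empty prefix would match
     * every request path and thereby exempt the whole application from the login prompt. Surrounding whitespace is
     * stripped so that a stray space in the configuration cannot silently turn the prefix into one that never matches.
     *
     * @param parameters the plugin parameters, may be {@code null}
     */
    public void initPlugin(Map<String, String> parameters) {
        String configured = parameters == null ? null : parameters.get(URL_SKIP_PARAMETER);
        log.debug("Configured URL to skip: " + configured);
        if (configured == null) {
            skipURL = DEFAULT_SKIP_URL;
        } else if (configured.trim().length() == 0) {
            // A blank prefix is almost certainly a misconfiguration and would exempt every URL: refuse it.
            log.warn("Blank " + URL_SKIP_PARAMETER + " parameter ignored (it would exempt every URL from "
                    + "authentication); using default " + DEFAULT_SKIP_URL);
            skipURL = DEFAULT_SKIP_URL;
        } else {
            skipURL = configured.trim();
        }
        log.info("WebServices Authentication filter configured - " + skipURL);
    }

    /**
     * No login prompt is ever needed for the requests handled by this plugin.
     *
     * @return {@code false} always
     */
    public Boolean needLoginPrompt(HttpServletRequest httpRequest) {
        return Boolean.FALSE;
    }

}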