001/* 002 * (C) Copyright 2006-2016 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Nuxeo - initial API and implementation 018 */ 019package org.nuxeo.ecm.platform.ui.web.auth.plugins; 020 021import java.io.IOException; 022import java.util.ArrayList; 023import java.util.List; 024import java.util.Map; 025import java.util.Map.Entry; 026 027import javax.servlet.http.Cookie; 028import javax.servlet.http.HttpServletRequest; 029import javax.servlet.http.HttpServletResponse; 030 031import org.apache.commons.codec.binary.Base64; 032import org.apache.commons.lang.StringUtils; 033import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo; 034import org.nuxeo.ecm.platform.ui.web.auth.NXAuthConstants; 035import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin; 036 037public class BasicAuthenticator implements NuxeoAuthenticationPlugin { 038 039 protected static final String REALM_NAME_KEY = "RealmName"; 040 041 protected static final String FORCE_PROMPT_KEY = "ForcePromptURL"; 042 043 protected static final String AUTO_PROMPT_KEY = "AutoPrompt"; 044 045 protected static final String PROMPT_URL_KEY = "PromptUrl"; 046 047 protected static final String DEFAULT_REALMNAME = "Nuxeo 5"; 048 049 protected static final String BA_HEADER_NAME = "WWW-Authenticate"; 050 051 protected static final String EXCLUDE_URL_KEY = "ExcludeBAHeader"; 052 053 protected String realName; 054 055 protected Boolean autoPrompt = false; 056 057 protected List<String> forcePromptURLs; 058 059 private List<String> excludedHeadersForBasicAuth; 060 061 @Override 062 public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) { 063 try { 064 065 if (needToAddBAHeader(httpRequest)) { 066 String baHeader = "Basic realm=\"" + realName + '\"'; 067 httpResponse.addHeader(BA_HEADER_NAME, baHeader); 068 } 069 int statusCode; 070 Integer requestStatusCode = (Integer) httpRequest.getAttribute(NXAuthConstants.LOGIN_STATUS_CODE); 071 if (requestStatusCode != null) { 072 statusCode = requestStatusCode; 073 } else { 074 statusCode = HttpServletResponse.SC_UNAUTHORIZED; 075 } 076 httpResponse.sendError(statusCode); 077 return true; 078 } catch (IOException e) { 079 return false; 080 } 081 } 082 083 /** 084 * Checks if we need to include a basic auth header back to the client. 085 * 086 * @return true if we need to include the auth header 087 * @since 5.9.2 088 */ 089 private boolean needToAddBAHeader(HttpServletRequest httpRequest) { 090 for (String header : excludedHeadersForBasicAuth) { 091 if (StringUtils.isNotBlank(httpRequest.getHeader(header))) { 092 return false; 093 } 094 if (httpRequest.getCookies() != null) { 095 for (Cookie cookie : httpRequest.getCookies()) { 096 if (cookie.getName().equals(header)) { 097 return false; 098 } 099 } 100 } 101 } 102 return true; 103 } 104 105 @Override 106 public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest, 107 HttpServletResponse httpResponse) { 108 109 String auth = httpRequest.getHeader("authorization"); 110 111 if (auth != null && auth.toLowerCase().startsWith("basic")) { 112 int idx = auth.indexOf(' '); 113 String b64userPassword = auth.substring(idx + 1); 114 byte[] clearUp = Base64.decodeBase64(b64userPassword); 115 String userCredentials = new String(clearUp); 116 int idxOfColon = userCredentials.indexOf(':'); 117 if (idxOfColon > 0 && idxOfColon < userCredentials.length() - 1) { 118 String username = userCredentials.substring(0, idxOfColon); 119 String password = userCredentials.substring(idxOfColon + 1); 120 return new UserIdentificationInfo(username, password); 121 } else { 122 return null; 123 } 124 } 125 return null; 126 } 127 128 @Override 129 public Boolean needLoginPrompt(HttpServletRequest httpRequest) { 130 if (autoPrompt) { 131 return true; 132 } else { 133 String requestedURI = httpRequest.getRequestURI(); 134 String context = httpRequest.getContextPath() + '/'; 135 requestedURI = requestedURI.substring(context.length()); 136 for (String prefixURL : forcePromptURLs) { 137 if (requestedURI.startsWith(prefixURL)) { 138 return true; 139 } 140 } 141 return false; 142 } 143 } 144 145 @Override 146 public void initPlugin(Map<String, String> parameters) { 147 if (parameters.containsKey(REALM_NAME_KEY)) { 148 realName = parameters.get(REALM_NAME_KEY); 149 } else { 150 realName = DEFAULT_REALMNAME; 151 } 152 153 if (parameters.containsKey(AUTO_PROMPT_KEY)) { 154 autoPrompt = parameters.get(AUTO_PROMPT_KEY).equalsIgnoreCase("true"); 155 } 156 157 forcePromptURLs = new ArrayList<>(); 158 for (Entry<String, String> entry : parameters.entrySet()) { 159 if (entry.getKey().startsWith(FORCE_PROMPT_KEY)) { 160 forcePromptURLs.add(entry.getValue()); 161 } 162 } 163 164 excludedHeadersForBasicAuth = new ArrayList<>(); 165 for (Entry<String, String> entry : parameters.entrySet()) { 166 if (entry.getKey().startsWith(EXCLUDE_URL_KEY)) { 167 excludedHeadersForBasicAuth.add(entry.getValue()); 168 } 169 } 170 } 171 172 @Override 173 public List<String> getUnAuthenticatedURLPrefix() { 174 return null; 175 } 176 177}