001/*
002 * (C) Copyright 2006-2016 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Nuxeo - initial API and implementation
018 */
019package org.nuxeo.ecm.platform.ui.web.auth.plugins;
020
021import java.io.IOException;
022import java.util.ArrayList;
023import java.util.List;
024import java.util.Map;
025import java.util.Map.Entry;
026
027import javax.servlet.http.Cookie;
028import javax.servlet.http.HttpServletRequest;
029import javax.servlet.http.HttpServletResponse;
030
031import org.apache.commons.codec.binary.Base64;
032import org.apache.commons.lang3.StringUtils;
033import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
034import org.nuxeo.ecm.platform.ui.web.auth.NXAuthConstants;
035import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
036
037public class BasicAuthenticator implements NuxeoAuthenticationPlugin {
038
039    protected static final String REALM_NAME_KEY = "RealmName";
040
041    protected static final String FORCE_PROMPT_KEY = "ForcePromptURL";
042
043    protected static final String AUTO_PROMPT_KEY = "AutoPrompt";
044
045    protected static final String PROMPT_URL_KEY = "PromptUrl";
046
047    protected static final String DEFAULT_REALMNAME = "Nuxeo 5";
048
049    protected static final String BA_HEADER_NAME = "WWW-Authenticate";
050
051    protected static final String EXCLUDE_URL_KEY = "ExcludeBAHeader";
052
053    protected String realName;
054
055    protected Boolean autoPrompt = false;
056
057    protected List<String> forcePromptURLs;
058
059    private List<String> excludedHeadersForBasicAuth;
060
061    @Override
062    public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) {
063        try {
064
065            if (needToAddBAHeader(httpRequest)) {
066                String baHeader = "Basic realm=\"" + realName + '\"';
067                httpResponse.addHeader(BA_HEADER_NAME, baHeader);
068            }
069            int statusCode;
070            Integer requestStatusCode = (Integer) httpRequest.getAttribute(NXAuthConstants.LOGIN_STATUS_CODE);
071            if (requestStatusCode != null) {
072                statusCode = requestStatusCode;
073            } else {
074                statusCode = HttpServletResponse.SC_UNAUTHORIZED;
075            }
076            httpResponse.sendError(statusCode);
077            return true;
078        } catch (IOException e) {
079            return false;
080        }
081    }
082
083    /**
084     * Checks if we need to include a basic auth header back to the client.
085     *
086     * @return true if we need to include the auth header
087     * @since 5.9.2
088     */
089    private boolean needToAddBAHeader(HttpServletRequest httpRequest) {
090        for (String header : excludedHeadersForBasicAuth) {
091            if (StringUtils.isNotBlank(httpRequest.getHeader(header))) {
092                return false;
093            }
094            if (httpRequest.getCookies() != null) {
095                for (Cookie cookie : httpRequest.getCookies()) {
096                    if (cookie.getName().equals(header)) {
097                        return false;
098                    }
099                }
100            }
101        }
102        return true;
103    }
104
105    @Override
106    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest,
107            HttpServletResponse httpResponse) {
108
109        String auth = httpRequest.getHeader("authorization");
110
111        if (auth != null && auth.toLowerCase().startsWith("basic")) {
112            int idx = auth.indexOf(' ');
113            String b64userPassword = auth.substring(idx + 1);
114            byte[] clearUp = Base64.decodeBase64(b64userPassword);
115            String userCredentials = new String(clearUp);
116            int idxOfColon = userCredentials.indexOf(':');
117            if (idxOfColon > 0 && idxOfColon < userCredentials.length() - 1) {
118                String username = userCredentials.substring(0, idxOfColon);
119                String password = userCredentials.substring(idxOfColon + 1);
120                return new UserIdentificationInfo(username, password);
121            } else {
122                return null;
123            }
124        }
125        return null;
126    }
127
128    @Override
129    public Boolean needLoginPrompt(HttpServletRequest httpRequest) {
130        if (autoPrompt) {
131            return true;
132        } else {
133            String requestedURI = httpRequest.getRequestURI();
134            String context = httpRequest.getContextPath() + '/';
135            requestedURI = requestedURI.substring(context.length());
136            for (String prefixURL : forcePromptURLs) {
137                if (requestedURI.startsWith(prefixURL)) {
138                    return true;
139                }
140            }
141            return false;
142        }
143    }
144
145    @Override
146    public void initPlugin(Map<String, String> parameters) {
147        if (parameters.containsKey(REALM_NAME_KEY)) {
148            realName = parameters.get(REALM_NAME_KEY);
149        } else {
150            realName = DEFAULT_REALMNAME;
151        }
152
153        if (parameters.containsKey(AUTO_PROMPT_KEY)) {
154            autoPrompt = parameters.get(AUTO_PROMPT_KEY).equalsIgnoreCase("true");
155        }
156
157        forcePromptURLs = new ArrayList<>();
158        for (Entry<String, String> entry : parameters.entrySet()) {
159            if (entry.getKey().startsWith(FORCE_PROMPT_KEY)) {
160                forcePromptURLs.add(entry.getValue());
161            }
162        }
163
164        excludedHeadersForBasicAuth = new ArrayList<>();
165        for (Entry<String, String> entry : parameters.entrySet()) {
166            if (entry.getKey().startsWith(EXCLUDE_URL_KEY)) {
167                excludedHeadersForBasicAuth.add(entry.getValue());
168            }
169        }
170    }
171
172    @Override
173    public List<String> getUnAuthenticatedURLPrefix() {
174        return null;
175    }
176
177}