001/* 002 * (C) Copyright 2006-2007 Nuxeo SAS (http://nuxeo.com/) and contributors. 003 * 004 * All rights reserved. This program and the accompanying materials 005 * are made available under the terms of the GNU Lesser General Public License 006 * (LGPL) version 2.1 which accompanies this distribution, and is available at 007 * http://www.gnu.org/licenses/lgpl.html 008 * 009 * This library is distributed in the hope that it will be useful, 010 * but WITHOUT ANY WARRANTY; without even the implied warranty of 011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 012 * Lesser General Public License for more details. 013 * 014 * Contributors: 015 * Nuxeo - initial API and implementation 016 * 017 * $Id: JOOoConvertPluginImpl.java 18651 2007-05-13 20:28:53Z sfermigier $ 018 */ 019 020package org.nuxeo.ecm.platform.ui.web.auth.portal; 021 022import java.security.MessageDigest; 023import java.security.NoSuchAlgorithmException; 024import java.util.Date; 025import java.util.List; 026import java.util.Map; 027 028import javax.servlet.http.HttpServletRequest; 029import javax.servlet.http.HttpServletResponse; 030 031import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo; 032import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin; 033 034import com.noelios.restlet.util.Base64; 035 036public class PortalAuthenticator implements NuxeoAuthenticationPlugin { 037 038 private static final String SECRET_KEY_NAME = "secret"; 039 040 private static final String MAX_AGE_KEY_NAME = "maxAge"; 041 042 private static final String TS_HEADER = "NX_TS"; 043 044 private static final String RANDOM_HEADER = "NX_RD"; 045 046 private static final String TOKEN_HEADER = "NX_TOKEN"; 047 048 private static final String USER_HEADER = "NX_USER"; 049 050 private static final String TOKEN_SEP = ":"; 051 052 // 053 private String secret = "secret"; 054 055 // one hour by default 056 private long maxAge = 60 * 60; 057 058 public List<String> getUnAuthenticatedURLPrefix() { 059 return null; 060 } 061 062 public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) { 063 return false; 064 } 065 066 public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest, 067 HttpServletResponse httpResponse) { 068 069 String ts = httpRequest.getHeader(TS_HEADER); 070 String random = httpRequest.getHeader(RANDOM_HEADER); 071 String token = httpRequest.getHeader(TOKEN_HEADER); 072 String userName = httpRequest.getHeader(USER_HEADER); 073 074 if (userName == null || ts == null || random == null || token == null) { 075 return null; 076 } 077 078 if (validateToken(ts, random, token, userName)) { 079 return new UserIdentificationInfo(userName, userName); 080 } else { 081 return null; 082 } 083 } 084 085 public void initPlugin(Map<String, String> parameters) { 086 if (parameters.containsKey(SECRET_KEY_NAME)) { 087 secret = parameters.get(SECRET_KEY_NAME); 088 } 089 if (parameters.containsKey(MAX_AGE_KEY_NAME)) { 090 String maxAgeStr = parameters.get(MAX_AGE_KEY_NAME); 091 if (maxAgeStr != null && !maxAgeStr.equals("")) { 092 maxAge = Long.parseLong(maxAgeStr); 093 } 094 } 095 } 096 097 public Boolean needLoginPrompt(HttpServletRequest httpRequest) { 098 return false; 099 } 100 101 private Boolean validateToken(String ts, String random, String token, String userName) { 102 // reconstruct the token 103 String clearToken = ts + TOKEN_SEP + random + TOKEN_SEP + secret + TOKEN_SEP + userName; 104 105 byte[] hashedToken; 106 try { 107 hashedToken = MessageDigest.getInstance("MD5").digest(clearToken.getBytes()); 108 } catch (NoSuchAlgorithmException e) { 109 return false; 110 } 111 String base64HashedToken = Base64.encodeBytes(hashedToken); 112 113 // check that tokens are the same => that we have the same shared key 114 if (!base64HashedToken.equals(token)) { 115 return false; 116 } 117 118 // check time stamp 119 long portalTS = Long.parseLong(ts); 120 long currentTS = (new Date()).getTime(); 121 122 return (currentTS - portalTS) / 1000 <= maxAge; 123 } 124 125}