/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.isis.viewer.restfulobjects.server.authentication;

import java.nio.charset.Charset;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.commons.codec.binary.Base64;
import org.apache.isis.core.commons.authentication.AuthenticationSession;
import org.apache.isis.core.runtime.authentication.AuthenticationManager;
import org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword;
import org.apache.isis.core.runtime.system.context.IsisContext;
import org.apache.isis.core.webapp.auth.AuthenticationSessionStrategyAbstract;

/**
 * Implements the HTTP Basic Auth protocol; does not bind the
 * {@link AuthenticationSession} onto the {@link HttpSession}.
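 * <p>
 * Credentials are expected as {@code Authorization: Basic <base64(user-id ":" password)>}
 * (RFC 7617). {@link #lookupValid} returns {@code null} when the header is absent, is not a
 * Basic credential, or is not well-formed; otherwise the request is handed to the
 * {@link AuthenticationManager} and its result is returned unchanged.
 */
public class AuthenticationSessionStrategyBasicAuth extends AuthenticationSessionStrategyAbstract {

    /** Auth-scheme prefix of the header value; the scheme token is case-insensitive (RFC 7235 section 2.1). */
    private static final String BASIC_PREFIX = "Basic ";

    /** Base64 text is pure ASCII; decoding it with the platform default charset is unnecessary and non-portable. */
    private static final Charset ASCII = Charset.forName("US-ASCII");

    /**
     * Charset used to interpret the decoded {@code user-id:password}. RFC 7617 leaves it to the
     * server (via the {@code charset} challenge parameter); UTF-8 is the recommended choice and
     * is stable across deployments, unlike the JVM default charset used previously.
     */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /**
     * Splits the decoded credentials at the <em>first</em> colon. RFC 7617 forbids a colon in the
     * user-id but allows any number of them in the password, so the user-id group must not be
     * greedy: the former {@code ^(.+):(.+)$} split at the <em>last</em> colon, turning
     * {@code alice:p:w} into user {@code alice:p} / password {@code w}. Both parts must be
     * non-empty, and control characters (which {@code .} does not match) are rejected.
     */
    private static final Pattern USER_AND_PASSWORD_REGEX = Pattern.compile("^([^:]+):(.+)$");

    /**
     * Authenticates the request from its {@code Authorization} header.
     *
     * @param servletRequest  the incoming request; anything other than an {@link HttpServletRequest}
     *                        carries no header and yields {@code null}
     * @param servletResponse not used by this strategy (no challenge is written here)
     * @return the result of {@link AuthenticationManager#authenticate}, or {@code null} when no
     *         usable Basic credentials were presented
     */
    @Override
    public AuthenticationSession lookupValid(final ServletRequest servletRequest, final ServletResponse servletResponse) {

        if (!(servletRequest instanceof HttpServletRequest)) {
            return null;
        }
        final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        final String authStr = httpServletRequest.getHeader("Authorization");

        // Expected form: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
        // NB: never log authStr or anything derived from it -- it carries the cleartext password.
        if (authStr == null || !authStr.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            return null;
        }
        // RFC 7235 permits more than one SP between scheme and token68; base64 has no whitespace, so trimming is safe.
        final String token68 = authStr.substring(BASIC_PREFIX.length()).trim();
        if (token68.isEmpty()) {
            return null;
        }

        // commons-codec is lenient about non-alphabet bytes; malformed input simply yields bytes
        // that fail the regex below. Malformed UTF-8 is replaced, not rejected, which can only
        // make the password differ from the one the user typed (i.e. fail closed).
        final byte[] decoded = Base64.decodeBase64(token68.getBytes(ASCII));
        final String userAndPassword = new String(decoded, UTF8);

        final Matcher matcher = USER_AND_PASSWORD_REGEX.matcher(userAndPassword);
        if (!matcher.matches()) {
            return null;
        }
        final String user = matcher.group(1);
        final String password = matcher.group(2);

        return getAuthenticationManager().authenticate(new AuthenticationRequestPassword(user, password));
    }

    // //////////////////////////////////////////////////////////
    // Dependencies (from context)
    // //////////////////////////////////////////////////////////

    /** Looked up from {@link IsisContext} on every call rather than cached, so tests and re-bootstrapping can swap it. */
    protected AuthenticationManager getAuthenticationManager() {
        return IsisContext.getAuthenticationManager();
    }

}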