package org.akaza.openclinica.web.filter;
import org.akaza.openclinica.bean.login.UserAccountBean;
import org.akaza.openclinica.dao.login.UserAccountDAO;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.StringTokenizer;
/**
* Created by krikorkrumlian on 8/7/15.
*/
public class ApiSecurityFilter extends OncePerRequestFilter {
private String realm = "Protected";
@Autowired
private DataSource dataSource;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
System.out.println("Oh look at you triggering API calls i see !!!!!!");
String authHeader = request.getHeader("Authorization");
if (authHeader != null) {
StringTokenizer st = new StringTokenizer(authHeader);
if (st.hasMoreTokens()) {
String basic = st.nextToken();
if (basic.equalsIgnoreCase("Basic")) {
try {
String credentials = new String(Base64.decodeBase64(st.nextToken().getBytes()), "UTF-8");
int p = credentials.indexOf(":");
if (p != -1) {
String _username = credentials.substring(0, p).trim();
String _password = credentials.substring(p + 1).trim();
UserAccountDAO userAccountDAO = new UserAccountDAO(dataSource);
UserAccountBean ub = (UserAccountBean) userAccountDAO.findByApiKey(_username);
if(ub.getId() != 0){
request.getSession().setAttribute("userBean",ub);
}else{
unauthorized(response, "Bad credentials");
return;
}
} else {
unauthorized(response, "Invalid authentication token");
return;
}
} catch (UnsupportedEncodingException e) {
throw new Error("Couldn't retrieve authentication", e);
}
}
}
} else {
unauthorized(response);
}
filterChain.doFilter(request, response);
}
private void unauthorized(HttpServletResponse response, String message) throws IOException {
response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
response.sendError(401, message);
}
private void unauthorized(HttpServletResponse response) throws IOException {
unauthorized(response, "Unauthorized");
}
}