RestSecurityFilter.java

package com.intuit.tank.util;

/*
 * #%L
 * JSF Support Beans
 * %%
 * Copyright (C) 2011 - 2015 Intuit Inc.
 * %%
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 * #L%
 */

import java.io.IOException;

import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.picketlink.Identity;

import com.intuit.tank.auth.TankUser;
import com.intuit.tank.dao.UserDao;
import com.intuit.tank.project.User;
import com.intuit.tank.vm.settings.TankConfig;

public class RestSecurityFilter implements Filter {

    private static final Logger LOG = LogManager.getLogger(RestSecurityFilter.class);

    private TankConfig config;

    @Inject
    private Identity identity;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        config = new TankConfig();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
            ServletException {
        if (config.isRestSecurityEnabled()) {
            User user = getUser((HttpServletRequest) request);
            if (user == null) {
                // send 401 unauthorized and return
                HttpServletResponse resp = (HttpServletResponse) response;
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return; // break filter chain, requested JSP/servlet will not be executed
            }
        }
        chain.doFilter(request, response);
    }

    public User getUser(HttpServletRequest req) {
        User user = null;
        // firsttry the session
        if (identity != null) {
        	org.picketlink.idm.model.basic.User picketLinkUser = (org.picketlink.idm.model.basic.User) identity.getAccount();
            if (picketLinkUser != null && picketLinkUser instanceof TankUser) {
                user = ((TankUser)picketLinkUser).getUserEntity();
            }
        }
        if (user == null) {
            String authHeader = req.getHeader("authorization");
            try {
                if (authHeader != null) {
                    String[] split = StringUtils.split(authHeader, ' ');
                    if (split.length == 2) {
                        String s = new String(Base64.decodeBase64(split[1]), "UTF-8");
                        String[] upass = StringUtils.split(s, ":", 2);
                        if (upass.length == 2) {
                            String name = upass[0];
                            String token = upass[1];
                            UserDao userDao = new UserDao();
                            user = userDao.findByApiToken(token);
                            if (user == null || user.getName().equals(name)) {
                                user = userDao.authenticate(name, token);
                            }
                        }
                    }
                }
            } catch (Exception e) {
                LOG.error("Error getting user: " + e, e);
            }
        }
        return user;
    }

    @Override
    public void destroy() {

    }

}