/**
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.brixcms.rmiserver.web.admin;
import java.nio.charset.Charset;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.Application;
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.request.IRequestCycle;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.request.resource.IResource;
import org.brixcms.rmiserver.AuthenticationException;
import org.brixcms.rmiserver.Role;
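/**
 * Wicket authorization strategy for the admin pages: every {@link Page} requires an
 * authenticated {@link AdminSession}, established either earlier in the session or from
 * an HTTP Basic {@code Authorization} header on the current request. Pages annotated with
 * {@link AllowedRoles} additionally require the logged-in user to hold at least one of the
 * listed roles.
 * <p>
 * Only page <em>instantiation</em> is gated. {@link #isActionAuthorized} and
 * {@link #isResourceAuthorized} always return {@code true}, so any restriction must be
 * expressed on the page class itself; a shared resource is not protected by this class.
 * <p>
 * Basic authentication transmits the password on every request; this strategy offers no
 * protection unless the application is served over TLS.
 */
public class AdminAuthorizationStrategy implements IAuthorizationStrategy {
    /**
     * Realm sent with the {@code WWW-Authenticate} challenge. RFC 7617 requires the Basic
     * scheme to carry a realm parameter; the value is only a label the browser shows.
     * NOTE(review): placeholder name — confirm against the deployment.
     */
    private static final String REALM = "admin";

    /**
     * Charset used for the Basic credentials. The original relied on the platform default,
     * which differs between hosts; RFC 7617 recommends UTF-8.
     */
    private static final Charset CREDENTIALS_CHARSET = Charset.forName("UTF-8");

    /**
     * Decides whether {@code componentClass} may be instantiated.
     * <ul>
     * <li>Non-page components and the application's access-denied page are always allowed;
     *     the latter must stay reachable so that a denial can be rendered at all.</li>
     * <li>If no user is logged in, a Basic {@code Authorization} header is tried. If that
     *     fails too, a 401 challenge is scheduled and {@code false} is returned.</li>
     * <li>An authenticated user may instantiate unannotated pages, and annotated pages
     *     only when holding one of the {@link AllowedRoles}.</li>
     * </ul>
     *
     * @param componentClass the component class Wicket is about to instantiate
     * @return {@code true} when instantiation is permitted
     */
    public <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass) {
        if (!Page.class.isAssignableFrom(componentClass)) {
            // Only pages are gated; panels, links etc. are instantiated freely.
            return true;
        }
        if (Application.get().getApplicationSettings().getAccessDeniedPage().isAssignableFrom(componentClass)) {
            return true;
        }
        AdminSession session = AdminSession.get();
        if (!session.isUserLoggedIn() && !loginFromBasicAuthHeader(session)) {
            // Unauthenticated: challenge the client and deny. Previously the method fell
            // through here and granted every page that lacked @AllowedRoles.
            // NOTE(review): returning false also triggers Wicket's unauthorized-instantiation
            // handling (by default the access-denied page); confirm the scheduled 401 still
            // reaches the client in this deployment.
            scheduleBasicAuthChallenge();
            return false;
        }
        return hasAllowedRole(session, componentClass);
    }

    /**
     * Attempts to log the session in from the current request's Basic {@code Authorization}
     * header.
     *
     * @param session the session to log in
     * @return {@code true} when the header carried credentials the session accepted
     */
    private boolean loginFromBasicAuthHeader(AdminSession session) {
        HttpServletRequest req = (HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest();
        String[] credentials = parseAuthHeader(req.getHeader("Authorization"));
        if (credentials == null) {
            return false;
        }
        try {
            session.loginUser(credentials[0], credentials[1]);
            return true;
        } catch (AuthenticationException ignored) {
            // Rejected credentials are answered only with the 401 challenge; nothing about
            // the attempt is logged here so the submitted secret cannot leak into logs.
            return false;
        }
    }

    /**
     * Schedules a handler that turns the current response into a {@code 401} with a
     * {@code WWW-Authenticate: Basic} challenge, so the browser prompts for credentials.
     * <p>
     * The work is done in {@code respond(IRequestCycle)}, the method Wicket actually calls
     * on an {@link IRequestHandler}. The original placed it in an extra
     * {@code respond(RequestCycle)} overload that nothing invoked, so no challenge was
     * ever sent.
     */
    private void scheduleBasicAuthChallenge() {
        RequestCycle.get().scheduleRequestHandlerAfterCurrent(new IRequestHandler() {
            @Override
            public void respond(IRequestCycle requestCycle) {
                HttpServletResponse res = (HttpServletResponse) requestCycle.getResponse().getContainerResponse();
                res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            }

            @Override
            public void detach(IRequestCycle requestCycle) {
                // nothing to release
            }
        });
    }

    /**
     * Applies the page's {@link AllowedRoles} annotation to the logged-in user.
     * Must only be called once the session is authenticated.
     *
     * @param session an authenticated session
     * @param pageClass the page being instantiated
     * @return {@code true} when the page is unannotated or the user holds one listed role
     */
    private boolean hasAllowedRole(AdminSession session, Class<?> pageClass) {
        // Whether subclasses inherit the annotation depends on AllowedRoles declaring
        // @Inherited, which is not visible from this file.
        AllowedRoles allowed = pageClass.getAnnotation(AllowedRoles.class);
        if (allowed == null) {
            // Unannotated pages require authentication only.
            return true;
        }
        // Any single matching role suffices; an empty value() therefore denies everyone.
        for (Role role : allowed.value()) {
            if (session.loggedinUser().getRoles().contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Actions (render, enable) are never restricted here; access is decided at page
     * instantiation.
     */
    public boolean isActionAuthorized(Component component, Action action) {
        return true;
    }

    /**
     * Extracts the user name and password from an HTTP Basic {@code Authorization} header.
     * <p>
     * Per RFC 7617 the user-id may not contain {@code ':'} but the password may, so only the
     * first colon separates the fields. The original split on every colon and rejected any
     * password containing one.
     *
     * @param auth raw header value, may be {@code null}
     * @return {@code {user, password}}, or {@code null} when the header is absent, uses a
     *         different scheme, cannot be decoded, or lacks the separating colon
     */
    private String[] parseAuthHeader(String auth) {
        // Scheme names are case-insensitive; regionMatches avoids the locale pitfalls of
        // toLowerCase() (e.g. Turkish dotless i).
        if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            // Base64 is not imported in this file — presumably a same-package or
            // commons-codec helper; it is used exactly as the original did.
            decoded = Base64.decodeBase64(auth.substring(6).trim().getBytes(CREDENTIALS_CHARSET));
        } catch (RuntimeException e) {
            // Malformed base64: treat as "no credentials" rather than failing the request.
            return null;
        }
        String userPass = new String(decoded, CREDENTIALS_CHARSET);
        int sep = userPass.indexOf(':');
        if (sep < 0) {
            return null;
        }
        return new String[] { userPass.substring(0, sep), userPass.substring(sep + 1) };
    }

    /**
     * Resources are never restricted here; only page instantiation is gated, so anything
     * served as a resource is effectively public.
     */
    @Override
    public boolean isResourceAuthorized(IResource resource, PageParameters parameters) {
        return true;
    }
}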