AbstractAuthenticator.java

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2013, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */

package org.jboss.capedwarf.users;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.LoginConfig;
import io.undertow.servlet.handlers.ServletRequestContext;
import org.jboss.capedwarf.appidentity.CapedwarfHttpServletRequestWrapper;
import org.jboss.capedwarf.common.servlet.ServletUtils;

/**
 * @author <a href="mailto:ales.justin@jboss.org">Ales Justin</a>
 */
public abstract class AbstractAuthenticator implements AuthenticationMechanism {
    protected static final String KEY = CapedwarfHttpServletRequestWrapper.USER_PRINCIPAL_SESSION_ATTRIBUTE_KEY;

    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
        final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        final HttpServletRequest request = (HttpServletRequest) servletRequestContext.getServletRequest();
        final HttpServletResponse response = (HttpServletResponse) servletRequestContext.getServletResponse();

        final HttpSession session = request.getSession(false);
        if (session == null) {
            return notAttempted();
        }

        final LoginConfig config = servletRequestContext.getDeployment().getDeploymentInfo().getLoginConfig();
        final CapedwarfUserPrincipal principal = getPrincipal(session);

        if (isAdminConsoleAccess(request, config)) {
            return authenticateAdmin(securityContext, request, response, config, principal);
        }

        if (principal != null) {
            return authorized(securityContext, principal);
        } else {
            return notAttempted();
        }
    }

    protected boolean isAdminConsoleAccess(HttpServletRequest request, LoginConfig config) {
        // if config exists, it means we want to check for auth
        return (config != null && isAdminConsoleURI(request));
    }

    @SuppressWarnings("UnusedParameters")
    protected AuthenticationMechanismOutcome authenticateAdmin(SecurityContext securityContext, HttpServletRequest request, HttpServletResponse response, LoginConfig config, CapedwarfUserPrincipal principal) {
        if (principal != null) {
            if (principal.isAdmin()) {
                return authorized(securityContext, principal);
            } else {
                return unauthorized(response);
            }
        } else {
            return notAttempted();
        }
    }

    protected boolean isAdminConsoleURI(HttpServletRequest request) {
        String path = ServletUtils.getRequestURIWithoutContextPath(request);
        return path.startsWith("/_ah/admin");
    }

    protected final AuthenticationMechanismOutcome notAttempted() {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    protected AuthenticationMechanismOutcome authorized(SecurityContext securityContext, final CapedwarfUserPrincipal principal) {
        Account account = new CapedwarfAccount(principal);
        securityContext.authenticationComplete(account, "CAPEDWARF", false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    protected AuthenticationMechanismOutcome unauthorized(HttpServletResponse response) {
        try {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }

    protected CapedwarfUserPrincipal getPrincipal(HttpSession session) {
        return (CapedwarfUserPrincipal) session.getAttribute(KEY);
    }
}