SecurityFilter.java

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2010-2011 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * http://glassfish.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */

package com.sun.jersey.samples.contacts.server.auth;

import com.sun.jersey.api.container.MappableContainerException;
import com.sun.jersey.samples.contacts.models.User;
import com.sun.jersey.samples.contacts.server.Database;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.security.Principal;
import java.util.List;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.PathSegment;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;

/**
 * <p>A Jersey {@link ContainerRequestFilter} that provides a {@link SecurityContext}
 * for all requests processed by this application.  All defined users are
 * considered to possess role <code>user</code>, which authorizes read/write
 * access to the contacts list for that user.  The user named <code>admin</code>
 * is also considered to possess role <code>admin</code>, which authorizes
 * read/write access to the contacts list for any user, as well as read/write
 * access to the list of defined users.</p>
 */
public class SecurityFilter implements ContainerRequestFilter {


    // ------------------------------------------------------ Manifest Constants


    /**
     * <p>The realm name to use in authentication challenges.</p>
     */
    private static final String REALM = "Contacts Service";


    // ------------------------------------------------------ Instance Variables


    /**
     * <p>The URI information for this request.</p>
     */
    @Context
    UriInfo uriInfo;


    // ------------------------------------------ ContainerRequestFilter Methods


    /**
     * <p>Authenticate the user for this request, and add a security context
     * so that role checking can be performed.</p>
     *
     * @param request The request we re processing
     * @return the decorated request
     * @exception AuthenticationException if authentication credentials
     *  are missing or invalid
     */
    public ContainerRequest filter(ContainerRequest request) {
        User user = authenticate(request);
        request.setSecurityContext(new Authorizer(user));
//        System.out.println("CURRENT USER IS " + user.getUsername());
        return request;
    }


    // --------------------------------------------------------- Private Methods


    /**
     * <p>Perform the required authentication checks, and return the
     * {@link User} instance for the authenticated user.</p>
     *
     * @exception MappableContainerException if authentication fails
     *  (will contain an AuthenticationException)
     */
    private User authenticate(ContainerRequest request) {

        // Extract authentication credentials
        String authentication = request.getHeaderValue(ContainerRequest.AUTHORIZATION);
        if (authentication == null) {
            throw new MappableContainerException
                    (new AuthenticationException("Authentication credentials are required\r\n", REALM));
        }
        if (!authentication.startsWith("Basic ")) {
            throw new MappableContainerException
                    (new AuthenticationException("Only HTTP Basic authentication is supported\r\n", REALM));
        }
        authentication = authentication.substring("Basic ".length());
        String[] values = new String(Base64.base64Decode(authentication)).split(":");
        if (values.length < 2) {
            throw new MappableContainerException
                    (new AuthenticationException("Invalid syntax for username and password\r\n", REALM));
        }
        String username = values[0];
        String password = values[1];
        if ((username == null) || (password == null)) {
            throw new MappableContainerException
                    (new AuthenticationException("Missing username or password\r\n", REALM));
        }

        // Validate the extracted credentials
        User user = null;
        synchronized (Database.users) {
            user = Database.users.get(username);
            if (user == null) {
                throw new MappableContainerException(new AuthenticationException("Invalid username or password\r\n", REALM));
            } else if (!password.trim().equals(user.getPassword().trim())) {
                throw new MappableContainerException(new AuthenticationException("Invalid username or password\r\n", REALM));
            }
        }

        // Return the validated user
        return user;

    }


    // --------------------------------------------------------- Support Classes


    /**
     * <p>SecurityContext used to perform authorization checks.</p>
     */
    public class Authorizer implements SecurityContext {

        public Authorizer(final User user) {
            this.principal = new Principal() {
                public String getName() {
                    return user.getUsername();
                }
            };
        }

        private Principal principal;

        public Principal getUserPrincipal() {
            return this.principal;
        }

        /**
         * <p>Determine whether the authenticated user possesses the requested
         * role, according to the following rules:</p>
         * <ul>
         * <li>User <code>admin</code> has the <code>admin</code> and
         *     <code>user</code> roles unconditionally.</li>
         * <li>For all other users, grant the <code>user</code> role IF AND ONLY IF
         *     this request URI used the <code>username</code> path parameter,
         *     and the specifyed username matches the username in the HTTP
         *     Basic authentication header.  (An alternative strategy for
         *     conditionally granting a role would be to call
         *     <code>uriInfo.getPathSegments()</code> and make a decision
         *     based on a more fine grained understanding of this application's
         *     URI structure.)</li>
         * </ul>
         *
         * @param role Role to be checked
         */
        public boolean isUserInRole(String role) {
            if ("admin".equals(role)) {
//                System.out.println("isUserInRole(admin) ==> " + "admin".equals(this.principal.getName()));
                return "admin".equals(this.principal.getName());
            } else if ("user".equals(role)) {
                if ("admin".equals(this.principal.getName())) {
//                    System.out.println("isUserInRole(user) ==> true for admin unconditionally");
                    return true;
                }
                String pathParam = uriInfo.getPathParameters().getFirst("username");
                if ((pathParam != null) &&
                    this.principal.getName().endsWith(pathParam)) {
//                    System.out.println("isUserInRole(user) ==> true for this user");
                    return true;
                }
                /*
                List<PathSegment> pathSegments = uriInfo.getPathSegments();
                if ((pathSegments.size() >= 2) &&
                    "contacts".equals(pathSegments.get(0).getPath()) &&
                    this.principal.getName().equals(pathSegments.get(1).getPath())) {
//                    System.out.println("isUserInRole(user) ==> true for this user");
                    return true;
                } else {
//                    System.out.println("isUserInRole(user) ==> false for this user");
                    return false;
                }
                */
            }
//            System.out.println("isUserInRole(" + role + ") ==> false unconditionally");
            return false;
        }

        public boolean isSecure() {
            return "https".equals(uriInfo.getRequestUri().getScheme());
        }

        public String getAuthenticationScheme() {
            return SecurityContext.BASIC_AUTH;
        }
    }


}