/*
* (C) Copyright 2006-2008 Nuxeo SA (http://nuxeo.com/) and others.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Contributors:
* Nuxeo - initial API and implementation
*
* $Id: JOOoConvertPluginImpl.java 18651 2007-05-13 20:28:53Z sfermigier $
*/
package org.nuxeo.ecm.platform.ui.web.auth.plugins;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
/**
* The Web Service Servlet needs no login prompt and / or authentication.
* <p>
* I see 2 different scenarios:
* <ol>
* <li>The client application is a standalone application. It connects to the WS with the real credentials and keeps a
* session only for the WS. It has nothing to do with the Web Application whatsoever. Initially the client comes to
* MainEntrancePoint and tries to get a Stateful WebService (the actual WS performing the job). NuxeoAuthenticationFilter
* (NAF) finds no authentication data in the message. It has to let the request pass and must not forward it to the
* login page. The WS performs the authentication itself, based on the user credentials.
* <li>The client application reuses a Web Session or uses another mechanism to hold an HTTP Session (the SSO case).
* The client comes to MainEntrancePoint and tries to get a Stateful WebService (the actual WS performing the job) by
* calling a different method (no user/pass). NAF finds the authentication data in the message this time. It establishes
* the JAAS context and forwards the request down the chain. The WS no longer does the authentication, but relies on the
* JAAS context already established. Further, the same applies while communicating with the SFWS. The SFWS relies on the
* JAAS Login Context established by NAF, while the Core Session is managed internally. The SFWS will be able to work
* only if the JAAS context is kept valid (the Web Session is on).
* </ol>
* This plugin only has to block the login form for the requests addressed to the WS. These requests are identified by
* the prefix of the URL.
*
* @author rux
*/
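public class WebServicesAuthenticator implements NuxeoAuthenticationPlugin {

    private static final Log log = LogFactory.getLog(WebServicesAuthenticator.class);

    /** Name of the plugin parameter that carries the URL prefix to skip. */
    private static final String SKIP_URL_PARAMETER = "URLSkip";

    /** Prefix used when the {@code URLSkip} parameter is missing or blank. */
    private static final String DEFAULT_SKIP_URL = "webservices/";

    /**
     * URL prefix reported as unauthenticated by {@link #getUnAuthenticatedURLPrefix()}. It stays {@code null} until
     * {@link #initPlugin(Map)} has run.
     */
    protected String skipURL;

    /**
     * Returns the URL prefixes that this plugin declares as needing no authentication.
     * <p>
     * Everything served under the returned prefix is, by this plugin's contract, expected to authenticate its callers
     * on its own (or to rely on an already established session), so the prefix should be kept as narrow as possible.
     *
     * @return a new list holding the configured prefix, or an empty list when the plugin has not been initialised yet
     */
    public List<String> getUnAuthenticatedURLPrefix() {
        List<String> prefixes = new ArrayList<String>();
        // Before initPlugin() runs skipURL is still null; never hand a null prefix to the caller.
        if (skipURL != null) {
            prefixes.add(skipURL);
        }
        return prefixes;
    }

    /**
     * Never issues a login prompt: web-service clients cannot answer a login form.
     *
     * @param httpRequest the current request (unused)
     * @param httpResponse the current response (unused)
     * @param baseURL the application base URL (unused)
     * @return always {@code false}
     */
    public Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL) {
        return Boolean.FALSE;
    }

    /**
     * Never extracts an identity from the request; this plugin is not aware of any identity.
     *
     * @param httpRequest the current request (unused)
     * @param httpResponse the current response (unused)
     * @return always {@code null}
     */
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest,
            HttpServletResponse httpResponse) {
        return null;
    }

    /**
     * Reads the {@code URLSkip} parameter and stores it as the prefix to exempt from the login prompt.
     * <p>
     * A missing parameter map, a missing value and a blank value all fall back to {@code "webservices/"}.
     *
     * @param parameters the plugin parameters; may be {@code null}
     */
    public void initPlugin(Map<String, String> parameters) {
        String configured = parameters == null ? null : parameters.get(SKIP_URL_PARAMETER);
        log.debug("Configured URL to skip: " + configured);
        if (configured == null) {
            skipURL = DEFAULT_SKIP_URL;
        } else if (configured.trim().length() == 0) {
            // NOTE(review): if the caller matches request paths by prefix, an empty prefix would match every request
            // and exempt the whole application from the login prompt - confirm against the filter, and treat a blank
            // value as a configuration mistake in the meantime.
            log.warn("Blank " + SKIP_URL_PARAMETER + " parameter ignored, using default - " + DEFAULT_SKIP_URL);
            skipURL = DEFAULT_SKIP_URL;
        } else {
            skipURL = configured;
        }
        log.info("WebServices Authentication filter configured - " + skipURL);
    }

    /**
     * Reports that no login prompt is ever required by this plugin.
     *
     * @param httpRequest the current request (unused)
     * @return always {@code false}
     */
    public Boolean needLoginPrompt(HttpServletRequest httpRequest) {
        return Boolean.FALSE;
    }
}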