/*
* Copyright (c) 1998-2011 Caucho Technology -- all rights reserved
*
* This file is part of Resin(R) Open Source
*
* Each copy or derived work must preserve the copyright notice and this
* notice unmodified.
*
* Resin Open Source is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* Resin Open Source is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
* of NON-INFRINGEMENT. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License
* along with Resin Open Source; if not, write to the
*
* Free Software Foundation, Inc.
* 59 Temple Place, Suite 330
* Boston, MA 02111-1307 USA
*
* @author Scott Ferguson
*/
package com.caucho.security;
import java.security.Principal;
import java.util.ArrayList;
import javax.ejb.Startup;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* Used to allow multiple login types in a priority list.
*
* @since Resin 4.0.2
*/
@Singleton
@Startup
public class LoginList implements Login {
private final ArrayList<Login> _loginList = new ArrayList<Login>();
/**
* Adds the next login in the list.
*/
public void add(Login login)
{
_loginList.add(login);
}
/**
* Returns the login list.
*/
public ArrayList<Login> getLoginList()
{
return _loginList;
}
/**
* Returns the authentication type. <code>getAuthType</code> is called
* by <code>HttpServletRequest.getAuthType</code>.
*/
public String getAuthType()
{
if (_loginList.size() == 0)
return null;
return _loginList.get(0).getAuthType();
}
/**
* Returns the configured authenticator
*/
public Authenticator getAuthenticator()
{
if (_loginList.size() == 0)
return null;
return _loginList.get(0).getAuthenticator();
}
/**
* Returns true if the login is used for this request
*/
public boolean isLoginUsedForRequest(HttpServletRequest request)
{
for (int i = 0; i < _loginList.size(); i++) {
if (_loginList.get(i).isLoginUsedForRequest(request))
return true;
}
return false;
}
/**
* Returns the Principal associated with the current request.
* getUserPrincipal is called in response to the Request.getUserPrincipal
* call. Login.getUserPrincipal can't modify the response or return
* an error page.
*
* @param request servlet request
*
* @return the logged in principal on success, null on failure.
*/
public Principal getUserPrincipal(HttpServletRequest request)
{
for (int i = 0; i < _loginList.size(); i++) {
Principal user = _loginList.get(i).getUserPrincipal(request);
if (user != null)
return user;
}
return null;
}
/**
* Logs a user in. The authenticate method is called during the
* security check. If the user does not exist, <code>authenticate</code>
* sets the reponse error page and returns null.
*
* @param request servlet request
* @param response servlet response for a failed authentication.
* @param isFail true if the authorization has failed
*
* @return the logged in principal on success, null on failure.
*/
public Principal login(HttpServletRequest request,
HttpServletResponse response,
boolean isFail)
{
for (int i = 0; i < _loginList.size(); i++) {
Login login = _loginList.get(i);
if (login.isLoginUsedForRequest(request)) {
Principal user = login.login(request, response, isFail);
if (user != null)
return user;
}
}
// if none match, use first
if (_loginList.size() > 0) {
Login login = _loginList.get(0);
Principal user = login.login(request, response, isFail);
return user;
}
return null;
}
/**
* Returns true if username and password based authentication is supported.
* @see BasicLogin
* @return
*/
public boolean isPasswordBased()
{
for (int i = 0; i < _loginList.size(); i++) {
if (_loginList.get(i).isPasswordBased())
return true;
}
return false;
}
/**
* Returns true if the current user plays the named role.
* <code>isUserInRole</code> is called in response to the
* <code>HttpServletRequest.isUserInRole</code> call.
*
* @param user the logged in user
* @param role the role to check
*
* @return true if the user plays the named role
*/
public boolean isUserInRole(Principal user, String role)
{
for (int i = 0; i < _loginList.size(); i++) {
if (_loginList.get(i).isUserInRole(user, role))
return true;
}
return false;
}
/**
* Logs the user out from the given request.
*
* <p>Since there is no servlet API for logout, this must be called
* directly from user code. Resin stores the web-app's login object
* in the ServletContext attribute "caucho.login".
*/
public void logout(Principal user,
HttpServletRequest request,
HttpServletResponse response)
{
for (int i = 0; i < _loginList.size(); i++) {
_loginList.get(i).logout(user, request, response);
}
}
/**
* Called when the session invalidates.
*/
public void sessionInvalidate(HttpSession session,
boolean isTimeout)
{
for (int i = 0; i < _loginList.size(); i++) {
_loginList.get(i).sessionInvalidate(session, isTimeout);
}
}
public String toString()
{
return getClass().getSimpleName() + _loginList;
}
}