AuthDataApplication.java

package net.databinder.auth.ao;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.SQLException;

import javax.servlet.http.HttpServletRequest;

import net.databinder.ao.DataApplication;
import net.databinder.ao.Databinder;
import net.databinder.auth.AuthApplication;
import net.databinder.auth.AuthSession;
import net.databinder.auth.components.ao.DataSignInPage;
import net.databinder.auth.data.DataUser;
import net.java.ao.Query;
import net.java.ao.RawEntity;

import org.apache.wicket.Component;
import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Response;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.Session;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.authorization.strategies.role.IRoleCheckingStrategy;
import org.apache.wicket.authorization.strategies.role.RoleAuthorizationStrategy;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.util.crypt.Base64UrlSafe;

/** Optional base class for ActiveObjects applications using Databinder authentication. */
public abstract class AuthDataApplication extends DataApplication implements IUnauthorizedComponentInstantiationListener, IRoleCheckingStrategy, AuthApplication {
	
	/**
	 * Internal initialization. Client applications should not normally override
	 * or call this method.
	 */
	@Override
	protected void internalInit() {
		super.internalInit();
		authInit();
	}
	
	/**
	 * Sets Wicket's security strategy for role authorization and appoints this 
	 * object as the unauthorized instatiation listener. Called automatically on start-up.
	 */
	protected void authInit() {
		getSecuritySettings().setAuthorizationStrategy(new RoleAuthorizationStrategy(this));
		getSecuritySettings().setUnauthorizedComponentInstantiationListener(this);
	}

	/**
	 * @return new AuthDataSession
	 * @see AuthDataSession
	 */
	@Override
	public Session newSession(Request request, Response response) {
		return new AuthDataSession((WebRequest) request);
	}
	
	/**
	 * Sends to sign in page if not signed in, otherwise throws UnauthorizedInstantiationException.
	 */
	public void onUnauthorizedInstantiation(Component component) {
		if (((AuthSession)Session.get()).isSignedIn()) {
			throw new UnauthorizedInstantiationException(component.getClass());
		}
		else {
			throw new RestartResponseAtInterceptPageException(getSignInPageClass());
		}	
	}
	
	/**
	 * Passes query on to the DataUser object if signed in.
	 */
	public final boolean hasAnyRole(Roles roles) {
		DataUser user = ((AuthSession)Session.get()).getUser();
		if (user != null)
			for (String role : roles)
				if (user.hasRole(role))
					return true;
		return false;
	}
	
	/** @return DataUser implementation used by this application. */
	public abstract Class<? extends DataUser> getUserClass();

	/**
	 * Return user object by matching against a "username" property. Override
	 * if you have a differently named property.
	 * @return DataUser for the given username. 
	 */
	@SuppressWarnings("unchecked")
	public DataUser getUser(String username) {
		try {
			Query q = Query.select().where("username = ?", username).limit(1);
			DataUser[] users = (DataUser[]) Databinder.getEntityManager().find(
					(Class<? extends RawEntity>)getUserClass(),q);
			if (users.length == 0)
				return null;
			return users[0];
		} catch (SQLException e) {
			throw new WicketRuntimeException(e);
		}
	}

	/**
	 * Override if you need to customize the sign-in page.
	 * @return page to sign in users
	 */
	public Class< ? extends WebPage> getSignInPageClass() {
		return DataSignInPage.class;
	}
	
	/**
	 * @return app-salted MessageDigest.  
	 */
	public MessageDigest getDigest() {
		try {
			MessageDigest digest = MessageDigest.getInstance("SHA");
			digest.update(getSalt());
			return digest;
		} catch (NoSuchAlgorithmException e) {
			throw new RuntimeException("SHA Hash algorithm not found.", e);
		}
	}
	
	/**
	 * Get the restricted token for a user, using IP addresses as location parameter. This implementation
	 * combines the "X-Forwarded-For" header with the remote address value so that unique
	 * values result with and without proxying. (The forwarded header is not trusted on its own
	 * because it can be most easily spoofed.)
	 * @param user source of token
	 * @return restricted token
	 */
	public String getToken(DataUser user) {
		HttpServletRequest req = ((WebRequest) RequestCycle.get().getRequest()).getHttpServletRequest();
		String fwd = req.getHeader("X-Forwarded-For");
		if (fwd == null)
			fwd = "nil";
		MessageDigest digest = getDigest();
		user.getPassword().update(digest);
		digest.update((fwd + "-" + req.getRemoteAddr()).getBytes());
		byte[] hash = digest.digest(user.getUsername().getBytes());
		return new String(Base64UrlSafe.encodeBase64(hash));
	}
	
}