/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.rs.security.oauth.filters;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import net.oauth.OAuthProblemException;
import net.oauth.server.OAuthServlet;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.oauth.data.OAuthContext;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
/**
* HTTP Servlet filter which can be used to protect end user endpoints
*/
public class OAuthServletFilter extends AbstractAuthFilter implements javax.servlet.Filter {
protected static final String USE_USER_SUBJECT = "org.apache.cxf.rs.security.oauth.use_user_subject";
public void init(FilterConfig filterConfig) throws ServletException {
ServletContext servletContext = filterConfig.getServletContext();
super.setDataProvider(OAuthUtils.getOAuthDataProvider(servletContext));
super.setValidator(OAuthUtils.getOAuthValidator(servletContext));
super.setUseUserSubject(MessageUtils.isTrue(servletContext.getInitParameter(USE_USER_SUBJECT)));
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws
IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse resp = (HttpServletResponse)response;
try {
OAuthInfo info = handleOAuthRequest(req);
req = setSecurityContext(req, info);
chain.doFilter(req, resp);
} catch (OAuthProblemException e) {
OAuthServlet.handleException(resp, e, "");
} catch (Exception e) {
OAuthServlet.handleException(resp, e, "");
}
}
protected HttpServletRequest setSecurityContext(HttpServletRequest request,
OAuthInfo info) {
final SecurityContext sc = createSecurityContext(request, info);
HttpServletRequest newRequest = new HttpServletRequestWrapper(request) {
@Override
public Principal getUserPrincipal() {
return sc.getUserPrincipal();
}
@Override
public boolean isUserInRole(String role) {
return sc.isUserInRole(role);
}
@Override
public String getAuthType() {
return "OAuth";
}
};
newRequest.setAttribute(OAuthContext.class.getName(), createOAuthContext(info));
return newRequest;
}
public void destroy() {
}
}