OpenAMAuthenticator.java

/**
 * geo-platform
 * Rich webgis framework
 * http://geo-platform.org
 * ====================================================================
 * <p>
 * Copyright (C) 2008-2017 geoSDI Group (CNR IMAA - Potenza - ITALY).
 * <p>
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version. This program is distributed in the
 * hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR
 * A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details. You should have received a copy of the GNU General
 * Public License along with this program. If not, see http://www.gnu.org/licenses/
 * <p>
 * ====================================================================
 * <p>
 * Linking this library statically or dynamically with other modules is
 * making a combined work based on this library. Thus, the terms and
 * conditions of the GNU General Public License cover the whole combination.
 * <p>
 * As a special exception, the copyright holders of this library give you permission
 * to link this library with independent modules to produce an executable, regardless
 * of the license terms of these independent modules, and to copy and distribute
 * the resulting executable under terms of your choice, provided that you also meet,
 * for each linked independent module, the terms and conditions of the license of
 * that module. An independent module is a module which is not derived from or
 * based on this library. If you modify this library, you may extend this exception
 * to your version of the library, but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version.
 */
package org.geosdi.geoplatform.experimental.openam.support.authenticator;

import org.geosdi.geoplatform.exception.NotAuthorizedFault;
import org.geosdi.geoplatform.exception.ServerInternalFault;
import org.geosdi.geoplatform.experimental.openam.api.annotation.GPOpenAMSupport;
import org.geosdi.geoplatform.experimental.openam.api.authenticator.filter.BaseOpenAmAuthenticator;
import org.geosdi.geoplatform.experimental.openam.api.connector.GPOpenAMConnector;
import org.geosdi.geoplatform.experimental.openam.api.model.validate.IOpenAMValidateToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import java.io.IOException;

/**
 * @author Giuseppe La Scaleia - CNR IMAA geoSDI Group
 * @email giuseppe.lascaleia@geosdi.org
 */
@GPOpenAMSupport
@Provider
@Priority(Priorities.AUTHENTICATION)
public class OpenAMAuthenticator extends BaseOpenAmAuthenticator {

    private static final Logger logger = LoggerFactory.getLogger(OpenAMAuthenticator.class);
    //
    private final GPOpenAMConnector openAMConnector;

    public OpenAMAuthenticator(GPOpenAMConnector theOpenAMConnector) {
        this.openAMConnector = theOpenAMConnector;
    }

    /**
     * Filter method called before a request has been dispatched to a resource.
     * <p/>
     * <p>
     * Filters in the filter chain are ordered according to their {@code javax.annotation.Priority}
     * class-level annotation value.
     * If a request filter produces a response by calling {@link ContainerRequestContext#abortWith}
     * method, the execution of the (either pre-match or post-match) request filter
     * chain is stopped and the response is passed to the corresponding response
     * filter chain (either pre-match or post-match). For example, a pre-match
     * caching filter may produce a response in this way, which would effectively
     * skip any post-match request filters as well as post-match response filters.
     * Note however that a responses produced in this manner would still be processed
     * by the pre-match response filter chain.
     * </p>
     *
     * @param requestContext request context.
     * @throws IOException if an I/O exception occurs.
     * @see javax.ws.rs.container.PreMatching
     */
    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        logger.debug("::::::::::::::::::::::::{} is validating --------------> Path : {}\n",
                getAuthenticatorType(), requestContext.getUriInfo().getAbsolutePath());
        // Get the HTTP Authorization header from the request
        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (authorizationHeader == null || !authorizationHeader.startsWith("OpenAM ")) {
            throw new NotAuthorizedFault("Authorization header must be provided");
        }
        String token = authorizationHeader.substring("OpenAM".length()).trim();
        try {
            validateToken(token);
        } catch (Exception ex) {
            requestContext.abortWith(
                    Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    /**
     * @param token
     * @throws Exception
     */
    @Override
    protected void validateToken(String token) throws Exception {
        IOpenAMValidateToken validateTokenResponse = this.openAMConnector.validateToken(token);
        if (!validateTokenResponse.isValid()) {
            throw new ServerInternalFault("Token is not valid");
        } else {
            logger.debug("::::::::::::::::::::::::Token : {} is valid.\n", token);
        }
    }
}