UserServiceAuthenticationProvider.java

package it.geosolutions.geostore.services.rest.security;

import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.core.security.password.PwEncoder;
import it.geosolutions.geostore.services.UserService;

import java.util.ArrayList;
import java.util.List;

import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Wrap geostore Rest Services to allow Authentication using Geostore Users
 * 
 * @author Lorenzo Natali
 * 
 */
public class UserServiceAuthenticationProvider implements AuthenticationProvider {

    private final static Logger LOGGER = Logger.getLogger(UserServiceAuthenticationProvider.class);
    
    @Autowired
    UserService userService;

    /**
     * Message shown if the user credentials are wrong. TODO: Localize it
     */
    private static final String UNAUTHORIZED_MSG = "Bad credentials";

    /**
     * Message shown if the user it's not found. TODO: Localize it
     */
    public static final String USER_NOT_FOUND_MSG = "User not found. Please check your credentials";
    public static final String USER_NOT_ENABLED = "The user present but not enabled";

    @Override
    public boolean supports(Class<? extends Object> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        String pw = (String) authentication.getCredentials();
        String us = (String) authentication.getPrincipal();

        // We use the credentials for all the session in the GeoStore client
        User user = null;
        try {
            user = userService.get(us);
            LOGGER.info("US: " + us );//+ " PW: " + PwEncoder.encode(pw) + " -- " + user.getPassword());
            if (user.getPassword() == null || !PwEncoder.isPasswordValid(user.getPassword(),pw)) {
                throw new BadCredentialsException(UNAUTHORIZED_MSG);
            }
            if(!user.isEnabled()){
            	throw new DisabledException(USER_NOT_FOUND_MSG);
            }
        } catch (Exception e) {
            LOGGER.info(USER_NOT_FOUND_MSG);
            user = null;
        }

        if (user != null) {
            String role = user.getRole().toString();
            // return null;
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(new GrantedAuthorityImpl("ROLE_" + role));
            Authentication a = new UsernamePasswordAuthenticationToken(user, pw, authorities);
            // a.setAuthenticated(true);
            return a;
        } else {
            throw new UsernameNotFoundException(USER_NOT_FOUND_MSG);
        }

    }

    // GETTERS AND SETTERS

}