JOSSOProcessingFilter.java

/*
 * JOSSO: Java Open Single Sign-On
 *
 * Copyright 2004-2009, Atricore, Inc.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 *
 */

package org.josso.spring.acegi;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent;
import org.acegisecurity.ui.AbstractProcessingFilter;
import org.acegisecurity.ui.logout.LogoutHandler;
import org.acegisecurity.ui.savedrequest.SavedRequest;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;

/**
 * This is a processing filter that will inject user identity into ACEGI.  The principal is retrived from the incomming
 * HTTP request and JOSSO infrastructure is used to obtain the complete identity information.
 * <p/>
 * User: sgonzalez
 * Date: Sep 28, 2007
 * Time: 10:55:18 AM
 *
 * @author <a href="mailto:sgonzalez@josso.org">Gianluca Brigandi</a>
 */
public class JOSSOProcessingFilter implements Filter, InitializingBean, ApplicationEventPublisherAware {

    private static final Log logger = LogFactory.getLog(JOSSOProcessingFilter.class);

    private ApplicationEventPublisher eventPublisher;

    private UserDetailsService userDetailsService;

    private LogoutHandler[] handlers;


    public void afterPropertiesSet() throws Exception {
        // Nothing to do yet.
    }


    public JOSSOProcessingFilter(LogoutHandler[] handlers) {
        this.handlers = handlers;
    }

    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {

        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new IllegalArgumentException("Non HTTP request unsupported by this filter");
        }

        if (!(servletResponse instanceof HttpServletResponse)) {
            throw new IllegalArgumentException("Non HTTP response unsupported by this filter");
        }

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // We have to provide Authentication information based on JOSSO auth information ...

        // This is the principal as injected by JOSSO in the container :
        Principal principal = request.getUserPrincipal();

        // This is the authentication information used by ACEGI
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // If authentication information is present, we only need to validate that it is up to date.
        if (authentication != null) {

            if (logger.isDebugEnabled()) {
                logger.debug("Authentication information already present : '"
                        + SecurityContextHolder.getContext().getAuthentication() + "'");
            }

            // If there is no principal, we may need to logout this user ... TODO detect anonymous principals ?
            if (principal == null && authentication.isAuthenticated()) {

                // If an authenticated Authentication is present, we must issue a logout !
                if (logger.isDebugEnabled()) {
                    logger.debug("Logging out user '" + authentication + "'");
                }

                for (int i = 0; i < handlers.length; i++) {
                    handlers[i].logout(request, response, authentication);
                }

            }

            chain.doFilter(request, response);

            return;
        }

        // We have a principal but no ACEGI authentication, propagate identity from JOSSO to ACEGI.
        if (principal != null) {

            // If a saved request is present, we use the saved request to redirect the user to the original resource.
            SavedRequest savedRequest = (SavedRequest) request.getSession().getAttribute(
                    AbstractProcessingFilter.ACEGI_SAVED_REQUEST_KEY);

            if (savedRequest != null)
                logger.debug("Redirecting to original resource " + savedRequest.getFullRequestUrl());


            UserDetails userDetails = userDetailsService.loadUserByUsername(principal.getName());
            String jossoSessionId = (String) request.getAttribute("org.josso.agent.ssoSessionid");

            // New authenticated autentication instance.
            Authentication jossoAuth = new JOSSOAuthenticationToken(jossoSessionId, userDetails, userDetails.getAuthorities());

            // Store to SecurityContextHolder
            SecurityContextHolder.getContext().setAuthentication(jossoAuth);
            if (logger.isDebugEnabled()) {
                logger.debug("SecurityContextHolder populated with JOSSO Authentication Token: '"
                        + SecurityContextHolder.getContext().getAuthentication() + "'");
            }

            // Fire event
            if (this.eventPublisher != null) {
                eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
                        SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
            }


            // We have a saved request, redirect to original URL ...
            if (savedRequest != null)
                response.sendRedirect(savedRequest.getFullRequestUrl());

        } else {
            if (logger.isDebugEnabled())
                logger.debug("No principal found in request !");

        }

        // Move on ...
        chain.doFilter(request, response);

    }


    public UserDetailsService getUserDetailsService() {
        return userDetailsService;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }
}