BasicAuthModule.java example

Explorer

omnisecurity-master
- src
  - main
    - java
      - org
        omnifaces
        security
        cdi
        Beans.java
        constraints
        EJBSecurityBean.java
        RolesAllowed.java
        RolesAllowedValidator.java
        events
        AuthenticatedEvent.java
        LoggedOutEvent.java
        SecurityEvent.java
        jaspic
        Utils.java
        authmodules
        BasicAuthModule.java
        OmniServerAuthModule.java
        TokenAuthModule.java
        config
        AuthStacks.java
        AuthStacksBuilder.java
        ControlFlag.java
        Module.java
        core
        AuthParameters.java
        AuthResult.java
        HttpMsgContext.java
        HttpServerAuthModule.java
        Jaspic.java
        SamServices.java
        ServerAuthModuleWrapper.java
        ServiceType.java
        exceptions
        ProfileIncompleteException.java
        RegistrationException.java
        factory
        OmniAuthConfigProvider.java
        OmniServerAuthConfig.java
        OmniServerAuthContext.java
        filters
        HttpFilter.java
        OmniServerAuthFilter.java
        listeners
        BaseServletContextListener.java
        SamAutoDeregistrationListener.java
        request
        BaseCookieDAO.java
        HttpServletRequestDelegator.java
        LoginTokenCookieDAO.java
        RememberMeSettingCookieDAO.java
        RequestCopier.java
        RequestData.java
        RequestDataDAO.java
        StateCookieDAO.java
        user
        Authenticator.java
        TokenAuthenticator.java
        UsernameOnlyAuthenticator.java
        UsernamePasswordAuthenticator.java
        wrappers
        AutoRegisterSessionWrapper.java
        RememberMeWrapper.java
        SaveAndRedirectWrapper.java

/*
 * Copyright 2015 OmniFaces.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
 * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */
package org.omnifaces.security.jaspic.authmodules;

import static javax.xml.bind.DatatypeConverter.parseBase64Binary;
import static org.omnifaces.security.cdi.Beans.getReferenceOrNull;
import static org.omnifaces.security.jaspic.Utils.isEmpty;

import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.omnifaces.security.jaspic.core.HttpMsgContext;
import org.omnifaces.security.jaspic.core.HttpServerAuthModule;
import org.omnifaces.security.jaspic.user.UsernamePasswordAuthenticator;

/**
 * Authentication module that authenticates using basic authentication
 * 
 * <p>
 * Token to username/roles mapping is delegated to an implementation of {@link UsernamePasswordAuthenticator}, which
 * should be registered as CDI bean.
 * 
 * <p>
 * <b>NOTE:</b> This module makes the simplifying assumption that CDI is available in a SAM. Unfortunately
 * this is not true for every implementation. See https://java.net/jira/browse/JASPIC_SPEC-14
 * 
 * @author Arjan Tijms
 *
 */
public class BasicAuthModule extends HttpServerAuthModule {
	
	
	@Override
	public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMsgContext httpMsgContext) throws AuthException {
		
		String[] credentials = getCredentials(request);
		if (!isEmpty(credentials)) {
			
			UsernamePasswordAuthenticator identityStore = getReferenceOrNull(UsernamePasswordAuthenticator.class);
			if (identityStore != null) {
				if (identityStore.authenticate(credentials[0], credentials[1])) {
					return httpMsgContext.notifyContainerAboutLogin(identityStore.getUserName(), identityStore.getApplicationRoles());
				}				
			}			
		}
		
		if (httpMsgContext.isProtected()) {
			response.setHeader("WWW-Authenticate", "Basic realm=\"test realm:\"");
			return httpMsgContext.responseUnAuthorized();
		}
		
		return httpMsgContext.doNothing();
	}
	
	private String[] getCredentials(HttpServletRequest request) {
		
		String authorizationHeader = request.getHeader("Authorization");
		if (!isEmpty(authorizationHeader) && authorizationHeader.startsWith("Basic ") ) {
			return new String(parseBase64Binary(authorizationHeader.substring(6))).split(":");
		}
		
		return null;
	}

}