getAuthUser.java example

Explorer
openbd-core-master
- src
/* 
 *  Copyright (C) 2000 - 2008 TagServlet Ltd
 *
 *  This file is part of Open BlueDragon (OpenBD) CFML Server Engine.
 *  
 *  OpenBD is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  Free Software Foundation,version 3.
 *  
 *  OpenBD is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with OpenBD.  If not, see http://www.gnu.org/licenses/
 *  
 *  Additional permission under GNU GPL version 3 section 7
 *  
 *  If you modify this Program, or any covered work, by linking or combining 
 *  it with any of the JARS listed in the README.txt (or a modified version of 
 *  (that library), containing parts covered by the terms of that JAR, the 
 *  licensors of this Program grant you additional permission to convey the 
 *  resulting work. 
 *  README.txt @ http://www.openbluedragon.org/license/README.txt
 *  
 *  http://www.openbluedragon.org/
 */

/*
 * Created on Aug 26, 2004
 *
 * Macromedia livedocs for CFMX 6.1 say this about GetAuthUser():
 * ---
 * This function works with cflogin authentication or web server authentication. It checks for a logged-in user as follows:
 *
 *  1. It checks for a login made with cfloginuser.
 *  2. If no user was logged in with cfloginuser, it checks for a web server login (cgi.remote_user).

 * ---
 */
package com.naryx.tagfusion.expression.function;

import java.util.List;
import java.util.Map;

import com.nary.net.Base64;
import com.naryx.tagfusion.cfm.engine.cfData;
import com.naryx.tagfusion.cfm.engine.cfSession;
import com.naryx.tagfusion.cfm.engine.cfStringData;
import com.naryx.tagfusion.cfm.engine.cfmRunTimeException;
import com.naryx.tagfusion.cfm.tag.cfLOGIN;
import com.naryx.tagfusion.cfm.tag.cfLOGINUSER;

/**
 * In order for this function to work properly, it must execute with the same
 * application settings that were used on the page where the user was logged in
 * via <cfloginuser> Specifically, the appName and loginStorage values must
 * be the same.
 * 
 */
public class getAuthUser extends functionBase {
	private static final long serialVersionUID = 1L;

	public getAuthUser() {
		min = max = 0;
	}

	public java.util.Map getInfo(){
		return makeInfo(
				"security", 
				"Returns the currently logged in authenicated user", 
				ReturnType.STRING );
	}
	
	public static String getLoginTokenValue(cfSession _session) {
		String loginTokenValue = null;
		Object o = _session.getDataBin(cfLOGINUSER.DATA_BIN_KEY); // this was set by
																															// cfLOGINUSER.render()

		if (o != null)
			loginTokenValue = (String) o;
		else
			loginTokenValue = cfLOGIN.getLoginTokenValue(_session); // look in the
																															// cookie or J2EE
																															// session scope

		return loginTokenValue;
	}

	public cfData execute(cfSession _session, List<cfData> parameters) throws cfmRunTimeException {
		String username = null;
		String loginTokenValue = getLoginTokenValue(_session);

		if (loginTokenValue != null) {
			// make sure that there are some roles defined for the user... if not then
			// they are not logged in
			Map<String, String> data = _session.getDataFromSecurityStore(loginTokenValue);
			if (data != null) {
				// decode it
				String loginTokenValueDecoded = Base64.base64Decode(loginTokenValue);

				if (loginTokenValueDecoded != null) {
					// loginTokenValueDecoded now represents
					// "<username>:<password>:<applicationTokenValue>"

					/*
					 * To be truly correct here, we should validate the
					 * <applicationTokenValue> to ensure that it matches the value of the
					 * appToken attribute of the cflogin tag [see cfLOGIN.isUserLoggedIn()
					 * for more details of this] But this function has no way to learn the
					 * value of that attribute so we can't do that here.
					 */
					int pos = loginTokenValueDecoded.indexOf(":");

					if (pos > 0)
						username = loginTokenValueDecoded.substring(0, pos);
				}
			}
		}

		/*
		 * The next bit of code would support the 2nd requirement of this function,
		 * as stated by the Macromedia livedocs for CFMX 6.1:
		 * "If no user was logged in with cfloginuser, it checks for a web server login (cgi.remote_user)."
		 * But it's been commented out for the following reason:
		 * 
		 * Calling HttpServletRequest.getRemoteUser() on the underlying servlet
		 * container can give different results depending on the container and the
		 * request. For example if the request includes a Basic Authorization header
		 * , SE's getRemoteUser() will give the username even if they've not been
		 * logged-in in SE. CFMX 6.1 gives an empty string.
		 * 
		 * Paul recommended that the actual behavior of CFMX 6.1 be mimicked in this
		 * case.
		 */
		/*
		 * if(username == null) username = _session.REQ.getRemoteUser();
		 */

		if (username == null)
			username = "";

		return new cfStringData(username);
	}
}