DefaultAuthenticationStrategy.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.authentication.strategy;

import org.apache.wicket.Application;
import org.apache.wicket.authentication.IAuthenticationStrategy;
import org.apache.wicket.util.cookies.CookieDefaults;
import org.apache.wicket.util.cookies.CookieUtils;
import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.lang.Args;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Wicket's default implementation of an authentication strategy. It'll concatenate username and
 * password, encrypt it and put it into one Cookie.
 * 
 * @author Juergen Donnerstag
 */
public class DefaultAuthenticationStrategy implements IAuthenticationStrategy
{
	private static final Logger logger = LoggerFactory.getLogger(DefaultAuthenticationStrategy.class);

	/** The cookie name to store the username and password */
	protected final String cookieKey;

	/** The key to use for encrypting/decrypting the cookie value  */
	protected final String encryptionKey;

	/** The separator used to concatenate the username and password */
	protected final String VALUE_SEPARATOR = "-sep-";

	/** Cookie utils with default settings */
	private CookieUtils cookieUtils;

	/** Use to encrypt cookie values for username and password. */
	private ICrypt crypt;

	/**
	 * Constructor
	 * 
	 * @param cookieKey
	 *            The name of the cookie
	 */
	public DefaultAuthenticationStrategy(final String cookieKey)
	{
		this(cookieKey, defaultEncryptionKey(cookieKey));
	}

	private static String defaultEncryptionKey(String cookieKey)
	{
		if (Application.exists())
		{
			return Application.get().getName();
		}
		return cookieKey;
	}

	public DefaultAuthenticationStrategy(final String cookieKey, final String encryptionKey)
	{
		this.cookieKey = Args.notEmpty(cookieKey, "cookieKey");
		this.encryptionKey = Args.notEmpty(encryptionKey, "encryptionKey");
	}

	/**
	 * Make sure you always return a valid CookieUtils
	 * 
	 * @return CookieUtils
	 */
	protected CookieUtils getCookieUtils()
	{
		if (cookieUtils == null)
		{
			CookieDefaults settings = new CookieDefaults();
			settings.setHttpOnly(true);
			cookieUtils = new CookieUtils(settings);
		}
		return cookieUtils;
	}

	/**
	 * @return The crypt engine to be used
	 */
	protected ICrypt getCrypt()
	{
		if (crypt == null)
		{
			CachingSunJceCryptFactory cryptFactory = new CachingSunJceCryptFactory(encryptionKey);
			crypt = cryptFactory.newCrypt();
		}
		return crypt;
	}

	@Override
	public String[] load()
	{
		String value = getCookieUtils().load(cookieKey);
		if (Strings.isEmpty(value) == false)
		{
			try
			{
				value = getCrypt().decryptUrlSafe(value);
			}
			catch (RuntimeException e)
			{
				logger.info(
					"Error decrypting login cookie: {}. The cookie will be deleted. Possible cause is that a session-relative encryption key was used to encrypt this cookie while this decryption attempt is happening in a different session, eg user coming back to the application after session expiration",
					cookieKey);
				getCookieUtils().remove(cookieKey);
				value = null;
			}
			return decode(value);
		}

		return null;
	}

	/**
	 * This method will decode decrypted cookie value based on application needs
	 *
	 * @param value decrypted cookie value
	 * @return decomposed values array, or null in case cookie value was empty.
	 */
	protected String[] decode(String value) {
		if (Strings.isEmpty(value) == false)
		{
			String username = null;
			String password = null;

			String[] values = value.split(VALUE_SEPARATOR);
			if ((values.length > 0) && (Strings.isEmpty(values[0]) == false))
			{
				username = values[0];
			}
			if ((values.length > 1) && (Strings.isEmpty(values[1]) == false))
			{
				password = values[1];
			}

			return new String[] { username, password };
		}
		return null;
	}

	@Override
	public void save(final String credential, final String... extraCredentials)
	{
		String encryptedValue = getCrypt().encryptUrlSafe(encode(credential, extraCredentials));

		getCookieUtils().save(cookieKey, encryptedValue);
	}

	/**
	 * This method can be overridden to provide different encoding mechanism
	 *
	 * @param credential
	 * @param extraCredentials
	 * @return String representation of the parameters given
	 */
	protected String encode(final String credential, final String... extraCredentials)
	{
		StringBuilder value = new StringBuilder(credential);
		if (extraCredentials != null)
		{
			for (String extraCredential : extraCredentials)
			{
				value.append(VALUE_SEPARATOR).append(extraCredential);
			}
		}
		return value.toString();
	}

	@Override
	public void remove()
	{
		getCookieUtils().remove(cookieKey);
	}
}