Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.lucene.gdata.server.authentication; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.security.Provider; import java.security.Security; import java.util.StringTokenizer; import java.util.concurrent.locks.ReentrantLock; import javax.crypto.BadPaddingException; import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.KeyGenerator; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.lucene.gdata.data.GDataAccount; import org.apache.lucene.gdata.data.GDataAccount.AccountRole; import org.apache.lucene.gdata.server.registry.Component; import org.apache.lucene.gdata.server.registry.ComponentType; import org.apache.lucene.gdata.server.registry.configuration.Requiered; import sun.misc.BASE64Decoder; import sun.misc.BASE64Encoder; /** * A * {@link org.apache.lucene.gdata.server.authentication.AuthenticationController} * implmentation using a <i>Blowfish</i> algorithmn to en/decrpyt the * authentification token. The <i>Blowfish</i> algorithmn enables a stateless * authetication of the client. The token contains all information to * authenticate the client on possible other hosts. * <p> * The token contains the first 32 bit of the client ip (e.g. 192.168.0), * account name, {@link org.apache.lucene.gdata.data.GDataAccount.AccountRole} * and the cration time as a timestamp. The timestamp will be checked on every * subsequent request. If the timestamp plus the configured timeout is less * than the current time the client has to reauthenticate again. * </p> * <p> * The auth token returned by the * {@link BlowfishAuthenticationController#authenticatAccount(GDataAccount, String)} * method is a BASE64 encoded string. * </p> * * @see javax.crypto.Cipher * @see sun.misc.BASE64Encoder * @see sun.misc.BASE64Decoder * @author Simon Willnauer * */ @Component(componentType = ComponentType.AUTHENTICATIONCONTROLLER) public class BlowfishAuthenticationController implements AuthenticationController { private static final Log LOG = LogFactory.getLog(BlowfishAuthenticationController.class); private static final String ALG = "Blowfish"; private static final String TOKEN_LIMITER = "#"; private static final String ENCODING = "UTF-8"; private Cipher deCrypt; private Cipher enCrypt; private int minuteOffset = 30; private long milisecondOffset; private BASE64Encoder encoder = new BASE64Encoder(); private BASE64Decoder decoder = new BASE64Decoder(); private ReentrantLock lock = new ReentrantLock(); private String key; /** * @see org.apache.lucene.gdata.server.authentication.AuthenticationController#initialize() */ public void initialize() { if (this.key == null) throw new IllegalArgumentException("Auth key must not be null"); if (this.key.length() < 5 || this.key.length() > 16) throw new IllegalArgumentException("Auth key length must be greater than 4 and less than 17"); try { Provider sunJce = new com.sun.crypto.provider.SunJCE(); Security.addProvider(sunJce); KeyGenerator kgen = KeyGenerator.getInstance(ALG); kgen.init(448); // 448 Bit^M byte[] raw = this.key.getBytes(); SecretKeySpec skeySpec = new SecretKeySpec(raw, ALG); this.deCrypt = Cipher.getInstance(ALG); this.enCrypt = Cipher.getInstance(ALG); this.deCrypt.init(Cipher.DECRYPT_MODE, skeySpec); this.enCrypt.init(Cipher.ENCRYPT_MODE, skeySpec); } catch (Exception e) { throw new AuthenticatorException( "Can't initialize BlowfishAuthenticationController -- " + e.getMessage(), e); } calculateTimeOffset(); } /** * @see org.apache.lucene.gdata.server.authentication.AuthenticationController#authenticatAccount(org.apache.lucene.gdata.data.GDataAccount, * java.lang.String) */ public String authenticatAccount(GDataAccount account, String requestIp) { try { String passIp = requestIp.substring(0, requestIp.lastIndexOf('.')); String role = Integer.toString(account.getRolesAsInt()); return calculateAuthToken(passIp, role, account.getName()); } catch (Exception e) { throw new AuthenticatorException("Can not authenticat account -- " + e.getMessage(), e); } } /** * @see org.apache.lucene.gdata.server.authentication.AuthenticationController#authenticateToken(java.lang.String, * java.lang.String, * org.apache.lucene.gdata.data.GDataAccount.AccountRole, * java.lang.String) */ public boolean authenticateToken(final String token, final String requestIp, AccountRole role, String accountName) { if (LOG.isInfoEnabled()) LOG.info("authenticate Token " + token + " for requestIp: " + requestIp); if (token == null || requestIp == null) return false; String passIp = requestIp.substring(0, requestIp.lastIndexOf('.')); String authString = null; try { authString = deCryptAuthToken(token); } catch (Exception e) { throw new AuthenticatorException("Can not decrypt token -- " + e.getMessage(), e); } if (authString == null) return false; try { StringTokenizer tokenizer = new StringTokenizer(authString, TOKEN_LIMITER); if (!tokenizer.nextToken().equals(passIp)) return false; String tempAccountName = tokenizer.nextToken(); int intRole = Integer.parseInt(tokenizer.nextToken()); /* * Authentication goes either for a account role or a account. For * entry manipulation the account name will be retrieved by the * feedId otherwise it will be null If it is null the authentication * goes against the account role */ if (tempAccountName == null || (!tempAccountName.equals(accountName) && !GDataAccount.isInRole(intRole, role))) return false; long timeout = Long.parseLong(tokenizer.nextToken()); return (timeout + this.milisecondOffset) > System.currentTimeMillis(); } catch (Exception e) { LOG.error("Error occured while encrypting token " + e.getMessage(), e); return false; } } private void calculateTimeOffset() { this.milisecondOffset = this.minuteOffset * 60 * 1000; } protected String calculateAuthToken(final String ipAddress, final String role, String accountName) throws IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException { StringBuilder builder = new StringBuilder(); builder.append(ipAddress).append(TOKEN_LIMITER); builder.append(accountName).append(TOKEN_LIMITER); builder.append(role).append(TOKEN_LIMITER); builder.append(System.currentTimeMillis()); this.lock.lock(); try { byte[] toencode = builder.toString().getBytes(ENCODING); byte[] result = this.enCrypt.doFinal(toencode); return this.encoder.encode(result); } finally { this.lock.unlock(); } } protected String deCryptAuthToken(final String authToken) throws IOException, IllegalBlockSizeException, BadPaddingException { this.lock.lock(); try { byte[] input = this.decoder.decodeBuffer(authToken); byte[] result = this.deCrypt.doFinal(input); return new String(result, ENCODING); } finally { this.lock.unlock(); } } /** * @return Returns the minuteOffset. */ @Requiered public int getLoginTimeout() { return this.minuteOffset; } /** * @param minuteOffset * The minuteOffset to set. */ @Requiered public void setLoginTimeout(int minuteOffset) { this.minuteOffset = minuteOffset; calculateTimeOffset(); } /** * @return Returns the key. */ public String getKey() { return this.key; } /** * @param key * The key to set. */ public void setKey(String key) { this.key = key; } /** * @see org.apache.lucene.gdata.server.registry.ServerComponent#destroy() */ public void destroy() { // } }