Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.wicketstuff.security.login.http; import javax.servlet.http.HttpServletResponse; import org.apache.wicket.Application; import org.apache.wicket.RestartResponseAtInterceptPageException; import org.apache.wicket.Session; import org.apache.wicket.markup.html.WebPage; import org.apache.wicket.markup.html.form.Form; import org.apache.wicket.markup.html.link.Link; import org.apache.wicket.markup.html.pages.AccessDeniedPage; import org.apache.wicket.model.IModel; import org.apache.wicket.request.cycle.RequestCycle; import org.apache.wicket.request.http.WebRequest; import org.apache.wicket.request.http.WebResponse; import org.apache.wicket.request.mapper.parameter.PageParameters; import org.apache.wicket.util.crypt.Base64; import org.apache.wicket.util.string.Strings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.wicketstuff.security.WaspSession; import org.wicketstuff.security.authentication.LoginException; import org.wicketstuff.security.strategies.WaspAuthorizationStrategy; /** * Login Page that uses httpauthentication to login. Currently it only supports Basic Http * authentication as defined in RFC 2616 section 14.47 HTTP 1.1. But the way it is setup it should * be able to support addition protocols like RFC 2617. Thanks go to Jesse Barnum and Johan * Compagner. * * @author marrink * @see <a href="http://tools.ietf.org/html/rfc2616#section-14.47">rfc2616</a> */ public abstract class HttpAuthenticationLoginPage extends WebPage { private static final long serialVersionUID = 1L; private static final Logger log = LoggerFactory.getLogger(HttpAuthenticationLoginPage.class); private boolean doAuthentication = false; /** * Basic constructor. * * @see WebPage#WebPage() */ public HttpAuthenticationLoginPage() { } /** * Constructor. * * @param model * @see WebPage#WebPage(IModel) */ protected HttpAuthenticationLoginPage(IModel<?> model) { super(model); } /** * Constructor. * * @param parameters * @see WebPage#WebPage(PageParameters) */ protected HttpAuthenticationLoginPage(PageParameters parameters) { super(parameters); } @Override protected void configureResponse(final WebResponse response) { super.configureResponse(response); if (doAuthentication) { WebRequest request = (WebRequest) RequestCycle.get().getRequest(); String auth = request.getHeader("Authorization"); if (Strings.isEmpty(auth)) requestAuthentication(request, response); else { int index = auth.indexOf(' '); if (index < 1) requestAuthentication(request, response); String type = auth.substring(0, index); try { handleAuthentication(request, response, type, auth.substring(index + 1)); } catch (LoginException e) { log.error(type + " Http authentication failed", e); error(e); requestAuthentication(request, response); } } } } /** * Sets a flag to handle authentication headers and sets response to request authentication if * required. This method needs to be called manually. I recommend 1 of these 2 locations to call * this method from.<br/> * <ol> * <li>from within the constructor</li> * <li>from within a {@link Link#onClick()} or {@link Form#onSubmit()}</li> * </ol> * The benefit of the second method is that you can render the login page at least once before * activating the http authentication by the click of a button. Using the first option, this * page is not shown by the browser. */ protected final void doAuthentication() { doAuthentication = true; } /** * Sets the statuscode of the response to 401. setting headers is delegated to * {@link #addBasicHeaders(WebRequest, WebResponse)}. Subclasses should override this method to * set their custom headers. * * @param request * @param response */ protected void requestAuthentication(WebRequest request, WebResponse response) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); addBasicHeaders(request, response); // add more "WWW-Authenticate" headers as required } /** * Adds a "WWW-Authenticate" header for basic authentication to the response. * * @param request * @param response */ protected void addBasicHeaders(WebRequest request, WebResponse response) { response.setHeader("WWW-Authenticate", "Basic realm=\"" + getRealm(request, response) + "\""); } /** * The authentication realm. The realm is required by the authentication headers and will be * shown by the browser. * * @param request * @param response * * @return the realm */ public abstract String getRealm(WebRequest request, WebResponse response); /** * Delegates authentication. Subclasses should first try there custom authentication scheme * before letting super handle the call. Subclasses should either return a boolean value (see * {@link #handleBasicAuthentication(WebRequest, WebResponse, String, String)} ) if processing * should continue or throw an exception. * * @param request * @param response * @param scheme * the authentication scheme like "Basic" or "Digest" * @param param * the parameters after the scheme from the header * @throws LoginException * if the user could not be logged in. * @throws RestartResponseAtInterceptPageException * to an {@link AccessDeniedPage} if the scheme is not supported */ protected void handleAuthentication(WebRequest request, WebResponse response, String scheme, String param) throws LoginException { if (!handleBasicAuthentication(request, response, scheme, param)) return; log.error("Unsupported Http authentication type: " + scheme); throw new RestartResponseAtInterceptPageException( Application.get().getApplicationSettings().getAccessDeniedPage()); } /** * Handles authentication for the "Basic" scheme. If the scheme is not the basic scheme true is * returned so another implementation may try it. In general authentication attempts by the next * scheme should only proceed if the scheme was of the wrong type. False will generally be * returned when a) the user has been authenticated or b) the scheme is correct but another * problem arises, like missing additional headers. * * @param request * @param response * @param scheme * @param param * username:password in base 64 * @return true if authentication by another scheme should be attempted, false if authentication * by another scheme should not be attempted. * @throws LoginException * If the supplied credentials do not grant enough credits for the requested * resource * @throws RestartResponseAtInterceptPageException * to the home page if the login was successfull but when there is no page to * continue to. */ protected boolean handleBasicAuthentication(WebRequest request, WebResponse response, String scheme, String param) throws LoginException { if (!"Basic".equalsIgnoreCase(scheme)) return true; if (param == null) { log.error("Username, password not supplied"); return false; } byte[] decoded = Base64.decodeBase64(param.getBytes()); String[] split = new String(decoded).split(":"); if (split == null || split.length != 2) throw new LoginException("Could not decrypt username / password"); Object loginContext = getBasicLoginContext(split[0], split[1]); Session session = Session.get(); if (session instanceof WaspSession) { if (!isAuthenticated()) ((WaspSession) session).login(loginContext); continueToOriginalDestination(); // or throw new RestartResponseAtInterceptPageException(Application.get().getHomePage()); } else log.error("Unable to find WaspSession"); return false; } /** * Check if already someone is authenticated to prevent duplicate logins. By default this checks * if the home page is authenticated. * * @return true if the user is already authenticated, false otherwise */ protected boolean isAuthenticated() { WaspAuthorizationStrategy strategy = (WaspAuthorizationStrategy) Session.get().getAuthorizationStrategy(); return strategy.isClassAuthenticated(Application.get().getHomePage()); } /** * Delivers a context suitable for logging in with the specified username and password. Please * refer to your specific wasp implementation for a suitable context. * * @param username * @param password * @return the login context or null if none could be created */ protected abstract Object getBasicLoginContext(String username, String password); }