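/**
 * Resolves the {@link User} on whose behalf this request is served.
 *
 * <p>Checks, in order: a container-supplied principal of type {@code XmldbPrincipal}
 * is looked up by name and its password compared with the stored value; failing that,
 * a request carrying no {@code Authorization} header is served as the configured
 * default user (when one exists); everything else is delegated to {@code authenticator}.
 *
 * @param request  the incoming servlet request
 * @param response passed through to {@code authenticator}, which may write a
 *                 challenge to it (not visible in this method)
 * @return the matched user, the default user, or whatever {@code authenticator}
 *         returns; callers treat {@code null} as "the response has already been sent"
 * @throws java.io.IOException propagated from {@code authenticator}
 */
private User authenticate(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException {
    // First try to validate the principal if passed from the servlet engine
    final Principal principal = request.getUserPrincipal();
    if (principal instanceof XmldbPrincipal) {
        final XmldbPrincipal xmldbPrincipal = (XmldbPrincipal) principal;
        final String username = xmldbPrincipal.getName();
        final String password = xmldbPrincipal.getPassword();
        LOG.info("Validating Principle: " + principal.getName());
        final User user = pool.getSecurityManager().getUser(username);
        // The three log statements and the successful-match return of this branch were
        // redacted ("******") in the reviewed copy; the structure below is restored from
        // the surviving braces and message prefixes (constructed, confirm against upstream).
        if (user == null) {
            LOG.info("User not found: " + principal.getName());
        } else if (password.equalsIgnoreCase(user.getPassword())) {
            // NOTE(review): the credential comparison is case-insensitive and not
            // constant-time. Whether both sides are cleartext or an encoded digest is not
            // visible in this file; if they are hex digests the case-folding is harmless,
            // but a constant-time compare (MessageDigest.isEqual on the normalised bytes)
            // would still be preferable. Left as found pending that confirmation.
            LOG.info("Valid User: " + username);
            return user;
        } else {
            LOG.info("Password invalid for user: " + username);
        }
    }
    // No credentials offered and a default user configured: serve as that user without
    // challenging. Otherwise let the authenticator decide (it may issue a challenge).
    final String auth = request.getHeader("Authorization");
    if (auth == null && defaultUser != null) {
        return defaultUser;
    }
    return authenticator.authenticate(request, response);
}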
/**
 * Updates an existing user by converting it to an {@link Account} and delegating to
 * {@code updateAccount}. Only the name and password are carried across; group
 * membership is not copied (the original TODO still stands).
 *
 * @param user the user whose name and password are applied
 * @throws XMLDBException propagated from {@code updateAccount}
 */
@Override
public void updateUser(User user) throws XMLDBException {
    final String name = user.getName();
    final Account target = new UserAider(name);
    target.setPassword(user.getPassword());
    // TODO: groups are not transferred to the account
    updateAccount(target);
}
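/**
 * Evaluates the call to the xquery function; this is the main entry point of this class.
 *
 * <p>Depending on the name the function was called as, either an XQuery job for
 * {@code args[0]} (a resource path) or a Java job (with {@code args[0]} a fully
 * qualified class name) is scheduled with the cron expression in {@code args[1]}.
 * Both variants are refused for non-DBA users.
 *
 * @param args arguments from the function call: {@code args[0]} the resource or class
 *             name, {@code args[1]} the cron expression
 * @param contextSequence the Context Sequence to operate on (not used here internally!)
 * @return {@code true} if the job was created by the scheduler, {@code false} if the
 *         caller is not a DBA, the class could not be instantiated, or scheduling failed
 * @throws XPathException propagated from reading the arguments
 * @see org.exist.xquery.BasicFunction#eval(org.exist.xquery.value.Sequence[],
 *      org.exist.xquery.value.Sequence)
 */
public Sequence eval(Sequence[] args, Sequence contextSequence) throws XPathException {
    final String resource = args[0].getStringValue();
    final String cronExpression = args[1].getStringValue();
    final User user = context.getUser();

    // Only DBAs may schedule jobs; the reflective class loading below is reachable
    // solely after this check.
    if (!user.hasDbaRole()) {
        return BooleanValue.FALSE;
    }

    Object job = null;
    if (isCalledAs("schedule-xquery-cron-job")) {
        // schedule-xquery-cron-job
        job = new UserXQueryJob(null, resource, user);
    } else if (isCalledAs("schedule-java-cron-job")) {
        // schedule-java-cron-job: null (already logged) when the class is unusable
        job = instantiateJavaJob(resource);
    }

    if (job == null) {
        return BooleanValue.FALSE;
    }
    // schedule the job
    return scheduler.createCronJob(cronExpression, (UserJob) job, null)
            ? BooleanValue.TRUE
            : BooleanValue.FALSE;
}

/**
 * Loads and instantiates a caller-supplied class name as a {@link UserJavaJob}.
 *
 * <p>Uses {@code getDeclaredConstructor().newInstance()} instead of the deprecated
 * {@code Class.newInstance()}, so a failing constructor is reported as an
 * {@code InvocationTargetException} rather than rethrown unchecked.
 *
 * @param className the fully qualified class name supplied by the (DBA) caller
 * @return the new job, or {@code null} after logging when the class cannot be found,
 *         has no accessible no-arg constructor, fails to construct, or is not a
 *         {@code UserJavaJob}
 */
private UserJavaJob instantiateJavaJob(String className) {
    try {
        final Class<?> jobClass = Class.forName(className);
        final Object instance = jobClass.getDeclaredConstructor().newInstance();
        // Check if the Class is a UserJob
        if (!(instance instanceof UserJavaJob)) {
            LOG.error("Cannot Schedule job. Class " + className + " is not an instance of org.exist.scheduler.UserJavaJob");
            return null;
        }
        return (UserJavaJob) instance;
    } catch (ClassNotFoundException cnfe) {
        LOG.error(cnfe);
        return null;
    } catch (NoSuchMethodException nsme) {
        LOG.error(nsme);
        return null;
    } catch (InstantiationException ie) {
        LOG.error(ie);
        return null;
    } catch (IllegalAccessException iae) {
        LOG.error(iae);
        return null;
    } catch (java.lang.reflect.InvocationTargetException ite) {
        LOG.error(ite);
        return null;
    }
}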
/**
 * Looks up the configured default user and checks it against the configured default
 * password.
 *
 * @return the default user when {@code defaultUsername} is set, the user exists and
 *         {@code defaultPassword} validates; {@code null} otherwise
 */
private User getDefaultUser() {
    if (defaultUsername == null) {
        return null;
    }
    final User candidate = pool.getSecurityManager().getUser(defaultUsername);
    if (candidate == null) {
        return null;
    }
    return candidate.validate(defaultPassword) ? candidate : null;
}
/**
 * Evaluates the third argument as the user named by the first argument, after
 * checking the password given as the second argument.
 *
 * <p>The broker's current user is swapped for the duration of the evaluation and
 * restored in a {@code finally}, so the switch never outlives this call. An unknown
 * user and a wrong password produce the same "Authentication failed" message, so the
 * caller cannot distinguish the two.
 *
 * @param contextSequence the context sequence the arguments are evaluated against
 * @param contextItem the context item the arguments are evaluated against
 * @return the result of evaluating the third argument as the authenticated user
 * @throws XPathException if no user is given, the user is unknown, the password does
 *         not validate, or the evaluated argument throws
 */
public Sequence eval(Sequence contextSequence, Item contextItem) throws XPathException {
    final Sequence userSeq = getArgument(0).eval(contextSequence, contextItem);
    final Sequence passwdSeq = getArgument(1).eval(contextSequence, contextItem);
    if (userSeq.isEmpty()) {
        throw new XPathException(getASTNode(), "No user specified");
    }
    final String userName = userSeq.getStringValue();
    final String passwd = passwdSeq.getStringValue();

    final org.exist.security.SecurityManager security =
            context.getBroker().getBrokerPool().getSecurityManager();
    final User user = security.getUser(userName);
    // Unknown user and bad password share one message (short-circuit keeps the null check first).
    if (user == null || !user.validate(passwd)) {
        throw new XPathException(getASTNode(), "Authentication failed");
    }

    final User previous = context.getBroker().getUser();
    try {
        context.getBroker().setUser(user);
        return getArgument(2).eval(contextSequence, contextItem);
    } finally {
        context.getBroker().setUser(previous);
    }
}
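/**
 * Routes a request to the Atom module named by the first segment of the extra path
 * info, authenticating first unless the module is listed in {@code noAuth}.
 *
 * <p>Status mapping: missing path, missing or unknown module and
 * {@code BadRequestException} -> 400; {@code NotFoundException} -> 404;
 * {@code PermissionDeniedException} -> 401; {@code EXistException} and any
 * {@code IOException} -> 500.
 *
 * @param request  the servlet request; its extra path info selects the module
 * @param response the servlet response the module output or the error is written to
 * @throws ServletException declared for the servlet contract; nothing here throws it directly
 */
@Override
protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException {
    try {
        // Get the path: "/<module>[/rest-of-path]"
        String path = request.getPathInfo();
        if (path == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "URL has no extra path information specified.");
            return;
        }
        final int firstSlash = path.indexOf('/', 1);
        if (firstSlash < 0 && path.length() == 1) {
            response.sendError(400, "Module not specified.");
            return;
        }
        final String moduleName = firstSlash < 0 ? path.substring(1) : path.substring(1, firstSlash);
        path = firstSlash < 0 ? "" : path.substring(firstSlash);

        final AtomModule module = (AtomModule) modules.get(moduleName);
        if (module == null) {
            response.sendError(400, "Module " + moduleName + " not found.");
            return;
        }

        User user = null;
        if (noAuth.get(moduleName) == null) {
            // Authenticate
            user = authenticate(request, response);
            if (user == null) {
                // A null user means authenticate() already answered (e.g. a challenge); stop here.
                return;
            }
        }
        // For a noAuth module user stays null; keep a printable name so the log
        // statements in the catch blocks below cannot NPE in that case (they previously did).
        final String userName = user == null ? "<anonymous>" : user.getName();

        final Principal principal = new UserXmldbPrincipal(WebDAV.BASIC_AUTH, user);
        // NOTE(review): this wrapper is built but never passed on -- module.process()
        // below receives the raw request, so the module never observes this principal.
        // Kept as found; passing wrappedRequest instead would change what modules see.
        HttpServletRequest wrappedRequest = new HttpServletRequestWrapper(request) {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }
        };

        // Handle the resource
        DBBroker broker = null;
        try {
            broker = pool.get(user);
            module.process(
                    broker,
                    new HttpRequestMessage(request, path, '/' + moduleName),
                    new HttpResponseMessage(response));
        } catch (NotFoundException ex) {
            LOG.info("Resource " + path + " not found by " + moduleName, ex);
            response.sendError(404, ex.getMessage());
        } catch (PermissionDeniedException ex) {
            LOG.info("Permission denied to " + path + " by " + moduleName + " for " + userName, ex);
            // NOTE(review): a 401 is sent without a WWW-Authenticate header here; whether
            // the authenticator already set one is not visible in this method.
            response.sendError(401, ex.getMessage());
        } catch (BadRequestException ex) {
            LOG.info("Bad request throw from module " + moduleName, ex);
            response.sendError(400, ex.getMessage());
        } catch (EXistException ex) {
            LOG.fatal("Exception getting broker from pool for user " + userName, ex);
            response.sendError(500, "Service is not available.");
        } finally {
            // broker is still null if pool.get() threw; whether release(null) is tolerated
            // is not visible here, so only release what was actually obtained.
            if (broker != null) {
                pool.release(broker);
            }
        }
    } catch (IOException ex) {
        LOG.fatal("I/O exception on request.", ex);
        try {
            response.sendError(500, "Service is not available.");
        } catch (IOException finalEx) {
            // Log the failure of the error response itself (ex was logged just above);
            // the original logged ex here, hiding finalEx entirely.
            LOG.fatal("Cannot return 500 on exception.", finalEx);
        }
    }
}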
/**
 * Reports whether the wrapped user belongs to the given group; a "role" here is
 * simply a group name.
 *
 * @param role the group name to test
 * @return {@code true} if {@code user} is a member of that group
 */
public boolean hasRole(String role) {
    final boolean member = user.hasGroup(role);
    return member;
}
/**
 * Returns the stored credential of the wrapped user in the form matching the
 * authentication method: the password for basic auth, the digest password otherwise.
 *
 * <p>Anyone holding this principal can read the credential through this accessor, so
 * the principal should not travel further than the authentication code needs it to
 * (in particular it should not be logged).
 *
 * @return the credential string; whether it is cleartext or an already-hashed value
 *         is not visible in this class
 */
public String getPassword() {
    if (authMethod == WebDAV.BASIC_AUTH) {
        return user.getPassword();
    }
    return user.getDigestPassword();
}
/**
 * Returns the name of the wrapped user, which serves as the principal name.
 *
 * @return the wrapped user's name
 */
public String getName() {
    final String principalName = user.getName();
    return principalName;
}
/**
 * Locks a resource for the given user by delegating to the {@link Account}-based
 * overload with a {@code UserAider} built from the user's name.
 *
 * @param res the resource to lock
 * @param u   the user the lock is taken for; only its name is used
 * @throws XMLDBException propagated from the {@code Account} overload
 */
@Override
public void lockResource(Resource res, User u) throws XMLDBException {
    final String owner = u.getName();
    // Keep the static type Account so the Account overload is selected, not this one.
    final Account account = new UserAider(owner);
    lockResource(res, account);
}
/**
 * Adds a user by delegating to {@code addAccount} with a {@code UserAider} built from
 * the user's name. Only the name is carried across; password and groups are not set.
 *
 * @param user the user to add; only its name is used
 * @throws XMLDBException propagated from {@code addAccount}
 */
@Override
public void addUser(User user) throws XMLDBException {
    final String name = user.getName();
    final Account account = new UserAider(name);
    addAccount(account);
}