private void processBasicAuth(
HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
Context ctx = new SessionContext(new ServletRequestSessionMap(request));
Identity identity = (Identity) ctx.get(Identity.class);
if (identity == null) {
throw new ServletException(
"Identity not found - please ensure that the Identity component is created on startup.");
}
Credentials credentials = (Credentials) ctx.get(Credentials.class);
boolean requireAuth = false;
String header = request.getHeader("Authorization");
if (header != null && header.startsWith("Basic ")) {
String base64Token = header.substring(6);
String token = new String(Base64.decode(base64Token));
String username = "";
String password = "";
int delim = token.indexOf(":");
if (delim != -1) {
username = token.substring(0, delim);
password = token.substring(delim + 1);
}
// Only reauthenticate if username doesn't match Identity.username and user isn't
// authenticated
if (!username.equals(credentials.getUsername()) || !identity.isLoggedIn()) {
try {
credentials.setPassword(password);
authenticate(request, username);
} catch (Exception ex) {
log.warn("Error authenticating: " + ex.getMessage());
requireAuth = true;
}
}
}
if (!identity.isLoggedIn() && !credentials.isSet()) {
requireAuth = true;
}
try {
if (!requireAuth) {
chain.doFilter(request, response);
return;
}
} catch (NotLoggedInException ex) {
requireAuth = true;
}
if ((requireAuth && !identity.isLoggedIn())) {
response.addHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authorized");
}
}
private void processDigestAuth(
HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
Context ctx = new SessionContext(new ServletRequestSessionMap(request));
Identity identity = (Identity) ctx.get(Identity.class);
if (identity == null) {
throw new ServletException(
"Identity not found - please ensure that the Identity component is created on startup.");
}
Credentials credentials = (Credentials) ctx.get(Credentials.class);
boolean requireAuth = false;
boolean nonceExpired = false;
String header = request.getHeader("Authorization");
if (header != null && header.startsWith("Digest ")) {
String section212response = header.substring(7);
String[] headerEntries = section212response.split(",");
Map<String, String> headerMap = new HashMap<String, String>();
for (String entry : headerEntries) {
String[] vals = split(entry, "=");
headerMap.put(vals[0].trim(), vals[1].replace("\"", "").trim());
}
DigestRequest digestRequest = new DigestRequest();
digestRequest.setHttpMethod(request.getMethod());
digestRequest.setSystemRealm(realm);
digestRequest.setRealm(headerMap.get("realm"));
digestRequest.setKey(key);
digestRequest.setNonce(headerMap.get("nonce"));
digestRequest.setUri(headerMap.get("uri"));
digestRequest.setClientDigest(headerMap.get("response"));
digestRequest.setQop(headerMap.get("qop"));
digestRequest.setNonceCount(headerMap.get("nc"));
digestRequest.setClientNonce(headerMap.get("cnonce"));
try {
digestRequest.validate();
request.getSession().setAttribute(DigestRequest.DIGEST_REQUEST, digestRequest);
authenticate(request, headerMap.get("username"));
} catch (DigestValidationException ex) {
log.warn(
String.format(
"Digest validation failed, header [%s]: %s", section212response, ex.getMessage()));
requireAuth = true;
if (ex.isNonceExpired()) nonceExpired = true;
} catch (Exception ex) {
log.warn("Error authenticating: " + ex.getMessage());
requireAuth = true;
}
}
if (!identity.isLoggedIn() && !credentials.isSet()) {
requireAuth = true;
}
try {
if (!requireAuth) {
chain.doFilter(request, response);
return;
}
} catch (NotLoggedInException ex) {
requireAuth = true;
}
if ((requireAuth && !identity.isLoggedIn())) {
long expiryTime = System.currentTimeMillis() + (nonceValiditySeconds * 1000);
String signatureValue = DigestUtils.md5Hex(expiryTime + ":" + key);
String nonceValue = expiryTime + ":" + signatureValue;
String nonceValueBase64 = Base64.encodeBytes(nonceValue.getBytes());
// qop is quality of protection, as defined by RFC 2617.
// we do not use opaque due to IE violation of RFC 2617 in not
// representing opaque on subsequent requests in same session.
String authenticateHeader =
"Digest realm=\"" + realm + "\", " + "qop=\"auth\", nonce=\"" + nonceValueBase64 + "\"";
if (nonceExpired) authenticateHeader = authenticateHeader + ", stale=\"true\"";
response.addHeader("WWW-Authenticate", authenticateHeader);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
