@RequestMapping(value = "/people.json", method = RequestMethod.GET)
public ModelAndView getPeople(
@RequestParam("searchTerms[]") List<String> searchTerms,
HttpServletRequest request,
HttpServletResponse response) {
final IPerson person = personManager.getPerson((HttpServletRequest) request);
if (person == null) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
// build a search query from the request parameters
Map<String, Object> query = new HashMap<String, Object>();
for (String term : searchTerms) {
String search = request.getParameter(term);
if (StringUtils.isNotBlank(search)) {
query.put(term, search);
}
}
List<IPersonAttributes> people = lookupHelper.searchForPeople(person, query);
ModelAndView mv = new ModelAndView();
mv.addObject("people", people);
mv.setViewName("json");
return mv;
}
private void setUserInformationInModel(
PortletRequest portletRequest, final Map<String, Object> model) {
final HttpServletRequest servletRequest =
this.portalRequestUtils.getPortletHttpRequest(portletRequest);
final boolean impersonating = this.identitySwapperManager.isImpersonating(servletRequest);
final IPerson person = personManager.getPerson(servletRequest);
logUserInfoDebug(impersonating, person);
model.put("userName", person.getUserName());
model.put("displayName", person.getFullName());
model.put("userImpersonating", impersonating);
}
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
// if there's no session, the user hasn't yet visited the login
// servlet and we should just give up
HttpSession session = request.getSession(false);
if (session == null) {
return null;
}
// otherwise, use the current IPerson as the UserDetails
final IPerson person = personManager.getPerson(request);
final UserDetails details = new PortalPersonUserDetails(person);
return details;
}
@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
// if there's no session, the user hasn't yet visited the login
// servlet and we should just give up
HttpSession session = request.getSession(false);
if (session == null) {
return null;
}
// otherwise, use the person's current SecurityContext as the
// credentials
final IPerson person = personManager.getPerson(request);
return person.getSecurityContext();
}
@RequestMapping(value = "/people/{username}.json", method = RequestMethod.GET)
public ModelAndView getPerson(
@PathVariable String username, HttpServletRequest request, HttpServletResponse response) {
final IPerson searcher = personManager.getPerson((HttpServletRequest) request);
if (searcher == null) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
final IPersonAttributes person = lookupHelper.findPerson(searcher, username);
final ModelAndView mv = new ModelAndView();
mv.addObject("person", person);
mv.setViewName("json");
return mv;
}
private void doPortalAuthentication(HttpServletRequest request) {
// Clear out the existing session for the user if they have one
String targetUid = null;
String originalUid = null;
String originalEventSessionId = null;
boolean swap = false;
String swapperProfile = null;
final String requestedSessionId = request.getRequestedSessionId();
if (request.isRequestedSessionIdValid()) {
if (logger.isDebugEnabled()) {
logger.debug("doPortalAuthentication for valid requested session id " + requestedSessionId);
}
try {
HttpSession s = request.getSession(false);
if (s != null) {
// Check if this is a swapped user hitting the Login servlet
originalUid = this.identitySwapperManager.getOriginalUsername(s);
}
// No original person in session so check for swap request
if (originalUid == null) {
targetUid = this.identitySwapperManager.getTargetUsername(s);
if (targetUid != null) {
final IPerson person = personManager.getPerson(request);
originalUid = person.getName();
swap = true;
swapperProfile = identitySwapperManager.getTargetProfile(s);
}
}
// Original person in session so this must be an un-swap request
else {
if (logger.isDebugEnabled()) {
logger.trace(
"This is an un-swap request swapping back from impersonated "
+ targetUid
+ " to original user "
+ originalUid
+ ".");
}
final IPerson person = personManager.getPerson(request);
targetUid = person.getName();
}
if (s != null) {
if (logger.isDebugEnabled()) {
logger.debug("Invalidating the impersonated session in un-swapping.");
}
s.invalidate();
}
} catch (IllegalStateException ise) {
// ISE indicates session was already invalidated.
// This is fine. This servlet trying to guarantee that the session has been invalidated;
// it doesn't have to insist that it is the one that invalidated it.
if (logger.isTraceEnabled()) {
logger.trace("LoginServlet attempted to invalidate an already invalid session.", ise);
}
}
} else {
if (logger.isTraceEnabled()) {
logger.trace(
"Requested session id "
+ requestedSessionId
+ " was not valid "
+ "so no attempt to apply swapping rules.");
}
}
// Create the user's session
HttpSession s = request.getSession(true);
IPerson person = null;
try {
final HashMap<String, String> principals;
final HashMap<String, String> credentials;
// Get the person object associated with the request
person = personManager.getPerson(request);
// If doing an identity swap
if (targetUid != null && originalUid != null) {
if (swap) {
swapperLog.warn("Swapping identity for '" + originalUid + "' to '" + targetUid + "'");
// Track the originating user
this.identitySwapperManager.setOriginalUser(s, originalUid, targetUid);
// Setup the swapped person
person.setUserName(targetUid);
} else {
swapperLog.warn(
"Reverting swapped identity from '" + targetUid + "' to '" + originalUid + "'");
person.setUserName(originalUid);
}
// Setup the custom security context
final IdentitySwapperPrincipal identitySwapperPrincipal =
new IdentitySwapperPrincipal(person);
final IdentitySwapperSecurityContext identitySwapperSecurityContext =
new IdentitySwapperSecurityContext(identitySwapperPrincipal);
person.setSecurityContext(identitySwapperSecurityContext);
principals = new HashMap<String, String>();
credentials = new HashMap<String, String>();
}
// Norm authN path
else {
// WE grab all of the principals and credentials from the request and load
// them into their respective HashMaps.
principals = getPropertyFromRequest(principalTokens, request);
credentials = getPropertyFromRequest(credentialTokens, request);
}
// Attempt to authenticate using the incoming request
authenticationService.authenticate(request, principals, credentials, person);
} catch (Exception e) {
// Log the exception
logger.error("Exception authenticating the request", e);
// Reset everything
request.getSession(false).invalidate();
// Add the authentication failure
request.getSession(true).setAttribute(LoginController.AUTH_ERROR_KEY, Boolean.TRUE);
}
final String requestedProfile = request.getParameter(LoginController.REQUESTED_PROFILE_KEY);
if (requestedProfile != null) {
final ProfileSelectionEvent event =
new ProfileSelectionEvent(this, requestedProfile, person, request);
this.eventPublisher.publishEvent(event);
} else if (swapperProfile != null) {
final ProfileSelectionEvent event =
new ProfileSelectionEvent(this, swapperProfile, person, request);
this.eventPublisher.publishEvent(event);
} else {
if (logger.isTraceEnabled()) {
logger.trace("No requested or swapper profile requested so no profile selection event.");
}
}
}