015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.servlet.HttpHeaders;
import com.liferay.portal.kernel.util.Base64;
import com.liferay.portal.kernel.util.CharPool;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.MapUtil;
import com.liferay.portal.util.Portal;
import com.liferay.portlet.login.util.LoginUtil;

import java.nio.charset.StandardCharsets;

import java.util.Properties;
import java.util.StringTokenizer;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
032
033
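/**
 * Authenticates requests that carry an HTTP Basic {@code Authorization}
 * header, both as an auto-login hook ({@link BaseAutoLogin}) and as an
 * {@link AuthVerifier}.
 *
 * <p>The credentials in the header are decoded and checked through
 * {@link LoginUtil#getAuthenticatedUserId}. When no usable header is present
 * the request is left unauthenticated; if the verifier setting
 * {@code basic_auth} is enabled, a {@code WWW-Authenticate} challenge is sent
 * back instead so that HTTP clients prompt for credentials.
 *
 * <p>Neither the Base64 form nor the decoded form of the credentials is ever
 * written to the log: the Base64 form is trivially reversible, so logging
 * either one would expose the password.
 */
public class BasicAuthHeaderAutoLogin
	extends BaseAutoLogin implements AuthVerifier {

	@Override
	public String getAuthType() {
		return HttpServletRequest.BASIC_AUTH;
	}

	/**
	 * Verifies the request by running the Basic header auto-login.
	 *
	 * @param  accessControlContext the request, response and settings of the
	 *         call being verified
	 * @param  properties not read by this verifier; part of the
	 *         {@link AuthVerifier} contract
	 * @return a result in state {@code SUCCESS} carrying the authenticated user
	 *         ID and password; a result in state {@code INVALID_CREDENTIALS}
	 *         (with a 401 challenge already written to the response) when no
	 *         credentials were supplied and the {@code basic_auth} setting is
	 *         enabled; otherwise a result left in its default state
	 * @throws AuthException if the auto-login attempt fails
	 */
	@Override
	public AuthVerifierResult verify(
			AccessControlContext accessControlContext, Properties properties)
		throws AuthException {

		AuthVerifierResult authVerifierResult = new AuthVerifierResult();

		String[] credentials = null;

		try {
			credentials = login(
				accessControlContext.getRequest(),
				accessControlContext.getResponse());
		}
		catch (AutoLoginException ale) {
			throw new AuthException(ale);
		}

		if (credentials != null) {
			authVerifierResult.setPassword(credentials[1]);
			authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
			authVerifierResult.setUserId(Long.valueOf(credentials[0]));

			return authVerifierResult;
		}

		// No credentials were presented. Only challenge the client when the
		// caller explicitly asked for it through the "basic_auth" setting.

		boolean forcedBasicAuth = MapUtil.getBoolean(
			accessControlContext.getSettings(), "basic_auth");

		if (forcedBasicAuth) {
			HttpServletResponse response = accessControlContext.getResponse();

			response.setHeader(HttpHeaders.WWW_AUTHENTICATE, _BASIC_REALM);
			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

			authVerifierResult.setState(
				AuthVerifierResult.State.INVALID_CREDENTIALS);
		}

		return authVerifierResult;
	}

	/**
	 * Reads the credentials of an HTTP Basic {@code Authorization} header and
	 * authenticates them.
	 *
	 * @param  request the request whose {@code Authorization} header is read
	 * @param  response unused by this implementation
	 * @return {@code null} when the header is absent or malformed; otherwise a
	 *         three element array of the authenticated user ID, the password
	 *         and {@code "true"} (the third element is kept exactly as the
	 *         original contract produced it; its meaning is defined by the
	 *         auto-login framework, not here)
	 * @throws Exception if the credentials cannot be authenticated
	 */
	@Override
	protected String[] doLogin(
			HttpServletRequest request, HttpServletResponse response)
		throws Exception {

		String[] loginAndPassword = _parseBasicCredentials(
			request.getHeader("Authorization"));

		if (loginAndPassword == null) {
			return null;
		}

		String login = loginAndPassword[0];
		String password = loginAndPassword[1];

		// Log the login only; the password must never reach the log, not even
		// at debug level

		if (_log.isDebugEnabled()) {
			_log.debug("Basic authentication attempt for login " + login);
		}

		long userId = LoginUtil.getAuthenticatedUserId(
			request, login, password, null);

		return new String[] {
			String.valueOf(userId), password, Boolean.TRUE.toString()
		};
	}

	/**
	 * Splits a Basic {@code Authorization} header value into login and
	 * password.
	 *
	 * @param  authorization the raw header value, may be {@code null}
	 * @return a two element array of login and password, or {@code null} when
	 *         the value is missing, uses another scheme, carries no credential
	 *         token after the scheme, or has no colon separator
	 */
	private static String[] _parseBasicCredentials(String authorization) {
		if (authorization == null) {
			return null;
		}

		StringTokenizer st = new StringTokenizer(authorization);

		if (!st.hasMoreTokens()) {
			return null;
		}

		String scheme = st.nextToken();

		if (!scheme.equalsIgnoreCase(HttpServletRequest.BASIC_AUTH)) {
			return null;
		}

		// A header such as "Basic" with nothing after the scheme would make
		// nextToken() throw NoSuchElementException; treat it as no credentials

		if (!st.hasMoreTokens()) {
			return null;
		}

		String encodedCredentials = st.nextToken();

		// Decode with a fixed charset; the platform default charset would
		// corrupt non-ASCII passwords on installations that do not run UTF-8

		String decodedCredentials = new String(
			Base64.decode(encodedCredentials), StandardCharsets.UTF_8);

		int pos = decodedCredentials.indexOf(CharPool.COLON);

		if (pos == -1) {
			return null;
		}

		String login = GetterUtil.getString(
			decodedCredentials.substring(0, pos));
		String password = decodedCredentials.substring(pos + 1);

		return new String[] {login, password};
	}

	private static final String _BASIC_REALM =
		"Basic realm=\"" + Portal.PORTAL_REALM + "\"";

	private static final Log _log = LogFactoryUtil.getLog(
		BasicAuthHeaderAutoLogin.class);

}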