001    /**
002     * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.servlet.HttpHeaders;
020    import com.liferay.portal.kernel.util.MapUtil;
021    import com.liferay.portal.kernel.util.StringBundler;
022    import com.liferay.portal.servlet.filters.secure.NonceUtil;
023    import com.liferay.portal.util.Portal;
024    import com.liferay.portal.util.PortalInstances;
025    import com.liferay.portal.util.PortalUtil;
026    
027    import java.util.Properties;
028    
029    import javax.servlet.http.HttpServletRequest;
030    import javax.servlet.http.HttpServletResponse;
031    
032    /**
033     * @author Tomas Polesovsky
034     */
public class DigestAuthenticationAuthVerifier implements AuthVerifier {

	/**
	 * Returns the authentication scheme handled by this verifier, which is
	 * the servlet API constant for HTTP Digest authentication.
	 *
	 * @return {@link HttpServletRequest#DIGEST_AUTH}
	 */
	public String getAuthType() {
		return HttpServletRequest.DIGEST_AUTH;
	}

	/**
	 * Resolves the user behind a Digest-authenticated request.
	 *
	 * <p>
	 * The user id is obtained from
	 * {@link PortalUtil#getDigestAuthUserId(HttpServletRequest)}. A zero user
	 * id means no usable Digest credentials were presented; the result is then
	 * returned in its default state, unless the deprecated
	 * <code>digest_auth</code> setting is enabled, in which case a
	 * <code>401</code> with a fresh <code>WWW-Authenticate: Digest</code>
	 * challenge is written to the response and the result state is
	 * {@link AuthVerifierResult.State#INVALID_CREDENTIALS}.
	 * </p>
	 *
	 * @param  accessControlContext the request, response and settings of the
	 *         current access control check
	 * @param  configuration the verifier configuration (not read here)
	 * @return the verification result, in state
	 *         {@link AuthVerifierResult.State#SUCCESS} with the resolved user
	 *         id when Digest credentials resolve to a user
	 * @throws AuthException if a portal or system exception occurs while
	 *         resolving the user or issuing the challenge
	 */
	public AuthVerifierResult verify(
			AccessControlContext accessControlContext, Properties configuration)
		throws AuthException {

		try {
			HttpServletRequest request = accessControlContext.getRequest();

			AuthVerifierResult result = new AuthVerifierResult();

			long userId = PortalUtil.getDigestAuthUserId(request);

			if (userId != 0) {
				result.setState(AuthVerifierResult.State.SUCCESS);
				result.setUserId(userId);

				return result;
			}

			// Deprecated: a challenge is only forced through the "digest_auth"
			// setting; otherwise the caller sees the default result state

			boolean forcedDigestAuth = MapUtil.getBoolean(
				accessControlContext.getSettings(), "digest_auth");

			if (forcedDigestAuth) {
				_sendChallenge(accessControlContext, request);

				result.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);
			}

			return result;
		}
		catch (PortalException e) {
			throw new AuthException(e);
		}
		catch (SystemException e) {
			throw new AuthException(e);
		}
	}

	/**
	 * Writes a <code>401 Unauthorized</code> response carrying a Digest
	 * challenge with a newly generated nonce.
	 *
	 * <p>
	 * A new nonce must be generated for every 401 (RFC 2617, 3.2.1). The
	 * challenge carries only the <code>realm</code> and <code>nonce</code>
	 * directives; no <code>qop</code> or <code>opaque</code> directive is
	 * advertised, so any replay protection rests on how {@link NonceUtil}
	 * scopes and expires the nonce, which is not visible from this class.
	 * </p>
	 *
	 * @param accessControlContext the context whose response receives the
	 *        challenge
	 * @param request the request being challenged
	 */
	private void _sendChallenge(
			AccessControlContext accessControlContext,
			HttpServletRequest request)
		throws PortalException, SystemException {

		HttpServletResponse response = accessControlContext.getResponse();

		long companyId = PortalInstances.getCompanyId(request);
		String remoteAddress = request.getRemoteAddr();

		// NonceUtil.generate is keyed by company and client address;
		// presumably the nonce is only accepted for that pair - verify in
		// NonceUtil

		String nonce = NonceUtil.generate(companyId, remoteAddress);

		StringBundler sb = new StringBundler(4);

		sb.append(_DIGEST_REALM);
		sb.append(", nonce=\"");
		sb.append(nonce);
		sb.append("\"");

		response.setHeader(HttpHeaders.WWW_AUTHENTICATE, sb.toString());
		response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
	}

	private static final String _DIGEST_REALM =
		"Digest realm=\"" + Portal.PORTAL_REALM + "\"";

}