001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.servlet.HttpHeaders;
020    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
021    import com.liferay.portal.kernel.util.MapUtil;
022    import com.liferay.portal.kernel.util.StringBundler;
023    import com.liferay.portal.servlet.filters.secure.NonceUtil;
024    import com.liferay.portal.util.Portal;
025    import com.liferay.portal.util.PortalInstances;
026    import com.liferay.portal.util.PortalUtil;
027    
028    import java.util.Properties;
029    
030    import javax.servlet.http.HttpServletRequest;
031    import javax.servlet.http.HttpServletResponse;
032    
033    /**
034     * @author Tomas Polesovsky
035     */
@OSGiBeanProperties(
	portalPropertyPrefix = "auth.verifier.DigestAuthenticationAuthVerifier."
)
public class DigestAuthenticationAuthVerifier implements AuthVerifier {

	/**
	 * Returns the authentication scheme this verifier handles: the servlet
	 * API constant for HTTP Digest authentication.
	 */
	@Override
	public String getAuthType() {
		return HttpServletRequest.DIGEST_AUTH;
	}

	/**
	 * Verifies the request using HTTP Digest authentication.
	 *
	 * <p>
	 * The user ID is resolved by {@link PortalUtil#getDigestAuthUserId}. A
	 * nonzero ID yields a {@code SUCCESS} result carrying that user ID. A zero
	 * ID leaves the result in its freshly constructed state, unless the
	 * deprecated {@code digest_auth} setting from the access control context
	 * is enabled; then a Digest challenge with a newly generated nonce is
	 * written to the response, the status is set to 401 and the result is
	 * {@code INVALID_CREDENTIALS}.
	 * </p>
	 *
	 * @param  accessControlContext supplies the request, response and settings
	 * @param  configuration the verifier configuration; not consulted by this
	 *         implementation
	 * @return the verification result
	 * @throws AuthException wrapping any {@code PortalException} or {@code
	 *         SystemException} raised while verifying; the cause is preserved
	 */
	@Override
	public AuthVerifierResult verify(
			AccessControlContext accessControlContext, Properties configuration)
		throws AuthException {

		try {
			AuthVerifierResult result = new AuthVerifierResult();

			HttpServletRequest request = accessControlContext.getRequest();

			long userId = PortalUtil.getDigestAuthUserId(request);

			if (userId != 0) {
				result.setState(AuthVerifierResult.State.SUCCESS);
				result.setUserId(userId);

				return result;
			}

			// Deprecated: the digest_auth setting forces a challenge when no
			// user could be resolved from digest credentials

			boolean challengeOnFailure = MapUtil.getBoolean(
				accessControlContext.getSettings(), "digest_auth");

			if (challengeOnFailure) {
				_sendChallenge(request, accessControlContext.getResponse());

				result.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);
			}

			return result;
		}
		catch (PortalException pe) {
			throw new AuthException(pe);
		}
		catch (SystemException se) {
			throw new AuthException(se);
		}
	}

	/**
	 * Writes a {@code WWW-Authenticate} Digest challenge to the response and
	 * sets the status to 401.
	 *
	 * <p>
	 * A fresh nonce is generated for every challenge, as RFC 2617 section
	 * 3.2.1 requires; it is derived from the company ID of the request and the
	 * request's remote address.
	 * </p>
	 */
	private void _sendChallenge(
			HttpServletRequest request, HttpServletResponse response)
		throws PortalException, SystemException {

		// Must generate a new nonce for each 401 (RFC2617, 3.2.1)

		String nonce = NonceUtil.generate(
			PortalInstances.getCompanyId(request), request.getRemoteAddr());

		StringBundler header = new StringBundler(4);

		header.append(_DIGEST_REALM);
		header.append(", nonce=\"");
		header.append(nonce);
		header.append("\"");

		response.setHeader(HttpHeaders.WWW_AUTHENTICATE, header.toString());

		response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
	}

	// Leading part of the Digest challenge: the scheme plus the portal realm;
	// the nonce parameter is appended per response

	private static final String _DIGEST_REALM =
		"Digest realm=\"" + Portal.PORTAL_REALM + "\"";

}