015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.servlet.HttpHeaders;
020 import com.liferay.portal.kernel.util.Base64;
021 import com.liferay.portal.kernel.util.CharPool;
022 import com.liferay.portal.kernel.util.GetterUtil;
023 import com.liferay.portal.kernel.util.MapUtil;
024 import com.liferay.portal.kernel.util.StringUtil;
025 import com.liferay.portal.util.Portal;
026 import com.liferay.portlet.login.util.LoginUtil;
027
028 import java.util.Properties;
029 import java.util.StringTokenizer;
030
031 import javax.servlet.http.HttpServletRequest;
032 import javax.servlet.http.HttpServletResponse;
033
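/**
 * Authenticates a request from the credentials carried in an HTTP
 * {@code Authorization: Basic} header.
 *
 * <p>As an auto login the class resolves the header to a user id and
 * password; as an {@link AuthVerifier} it wraps that result in an
 * {@link AuthVerifierResult} and, when the {@code basic_auth} setting is
 * enabled, challenges clients that sent no usable credentials.
 *
 * <p>Credentials (encoded or decoded) are deliberately never written to the
 * log: the encoded form is trivially reversible and the decoded form is the
 * plaintext password.
 */
public class BasicAuthHeaderAutoLogin
	extends BaseAutoLogin implements AuthVerifier {

	/**
	 * Returns the authentication scheme handled by this verifier.
	 *
	 * @return {@link HttpServletRequest#BASIC_AUTH}
	 */
	@Override
	public String getAuthType() {
		return HttpServletRequest.BASIC_AUTH;
	}

	/**
	 * Verifies the request wrapped by {@code accessControlContext} against
	 * the credentials in its {@code Authorization} header.
	 *
	 * <p>When the header yields a user, the result carries that user id,
	 * the supplied password and state {@code SUCCESS}. When it does not and
	 * the {@code basic_auth} setting is enabled, the response is turned into
	 * a {@code 401} challenge with a {@code WWW-Authenticate} header and the
	 * result state is {@code INVALID_CREDENTIALS}. Otherwise the result is
	 * returned with its default state.
	 *
	 * @param  accessControlContext the request, response and verifier
	 *         settings
	 * @param  properties verifier properties; not consulted here
	 * @return the verification result, never {@code null}
	 * @throws AuthException if the underlying auto login fails
	 */
	@Override
	public AuthVerifierResult verify(
			AccessControlContext accessControlContext, Properties properties)
		throws AuthException {

		try {
			AuthVerifierResult authVerifierResult = new AuthVerifierResult();

			String[] credentials = login(
				accessControlContext.getRequest(),
				accessControlContext.getResponse());

			if (credentials != null) {
				authVerifierResult.setPassword(credentials[1]);
				authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
				authVerifierResult.setUserId(Long.valueOf(credentials[0]));

				return authVerifierResult;
			}

			// No credentials were usable. Only challenge the client when the
			// verifier is configured to force basic authentication; otherwise
			// leave the response untouched so other verifiers may run.

			boolean forcedBasicAuth = MapUtil.getBoolean(
				accessControlContext.getSettings(), "basic_auth");

			if (forcedBasicAuth) {
				_challenge(accessControlContext.getResponse());

				authVerifierResult.setState(
					AuthVerifierResult.State.INVALID_CREDENTIALS);
			}

			return authVerifierResult;
		}
		catch (AutoLoginException ale) {
			throw new AuthException(ale);
		}
	}

	/**
	 * Extracts and authenticates the credentials of an
	 * {@code Authorization: Basic} header.
	 *
	 * <p>Returns {@code null} when the header is absent, uses another
	 * scheme, carries no credential token, or decodes to a value without a
	 * {@code :} separator. The first colon splits user from password, so a
	 * password may itself contain colons. Authentication failures surface as
	 * whatever {@code LoginUtil.getAuthenticatedUserId} throws; the returned
	 * id is not checked here.
	 *
	 * @param  request the current request
	 * @param  response the current response; not used
	 * @return {@code {userId, password, "true"}}, or {@code null} when no
	 *         basic credentials were supplied
	 * @throws Exception if authentication of the decoded credentials fails
	 */
	@Override
	protected String[] doLogin(
			HttpServletRequest request, HttpServletResponse response)
		throws Exception {

		String authorization = request.getHeader("Authorization");

		if (authorization == null) {
			return null;
		}

		StringTokenizer st = new StringTokenizer(authorization);

		if (!st.hasMoreTokens()) {
			return null;
		}

		String basic = st.nextToken();

		if (!StringUtil.equalsIgnoreCase(
				basic, HttpServletRequest.BASIC_AUTH)) {

			return null;
		}

		// A bare "Basic" scheme without a credential token would otherwise
		// make nextToken() throw; treat it as "no credentials supplied"

		if (!st.hasMoreTokens()) {
			return null;
		}

		String encodedCredentials = st.nextToken();

		if (_log.isDebugEnabled()) {
			_log.debug("Found basic authorization header");
		}

		// NOTE(review): decoding uses the platform default charset. RFC 7617
		// leaves the charset unspecified unless the challenge advertises
		// charset="UTF-8" — confirm this matches the clients in use.

		String decodedCredentials = new String(
			Base64.decode(encodedCredentials));

		int pos = decodedCredentials.indexOf(CharPool.COLON);

		if (pos == -1) {
			return null;
		}

		String login = GetterUtil.getString(
			decodedCredentials.substring(0, pos));
		String password = decodedCredentials.substring(pos + 1);

		long userId = LoginUtil.getAuthenticatedUserId(
			request, login, password, null);

		// Third element follows the auto login credentials contract; its
		// meaning is defined by the caller, not visible here

		String[] credentials = new String[3];

		credentials[0] = String.valueOf(userId);
		credentials[1] = password;
		credentials[2] = Boolean.TRUE.toString();

		return credentials;
	}

	/**
	 * Turns the response into an HTTP basic authentication challenge.
	 *
	 * @param response the response to send the {@code 401} and
	 *        {@code WWW-Authenticate} header on
	 */
	private void _challenge(HttpServletResponse response) {
		response.setHeader(HttpHeaders.WWW_AUTHENTICATE, _BASIC_REALM);

		response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
	}

	private static final String _BASIC_REALM =
		"Basic realm=\"" + Portal.PORTAL_REALM + "\"";

	private static final Log _log = LogFactoryUtil.getLog(
		BasicAuthHeaderAutoLogin.class);

}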