001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.servlet.HttpHeaders;
020    import com.liferay.portal.kernel.util.MapUtil;
021    import com.liferay.portal.kernel.util.StringBundler;
022    import com.liferay.portal.servlet.filters.secure.NonceUtil;
023    import com.liferay.portal.util.Portal;
024    import com.liferay.portal.util.PortalInstances;
025    import com.liferay.portal.util.PortalUtil;
026    
027    import java.util.Properties;
028    
029    import javax.servlet.http.HttpServletRequest;
030    import javax.servlet.http.HttpServletResponse;
031    
032    /**
033     * @author Tomas Polesovsky
034     */
/**
 * HTTP Digest access authentication verifier.
 *
 * <p>Resolves the user behind the request's Digest credentials through
 * {@link PortalUtil#getDigestAuthUserId(HttpServletRequest)}. When no user can
 * be resolved and the deprecated {@code digest_auth} setting of the access
 * control context is enabled, the verifier writes a {@code 401} response
 * carrying a freshly generated nonce in its {@code WWW-Authenticate} header.</p>
 *
 * @author Tomas Polesovsky
 */
public class DigestAuthenticationAuthVerifier implements AuthVerifier {

	/**
	 * Returns the servlet authentication scheme handled by this verifier.
	 *
	 * @return {@link HttpServletRequest#DIGEST_AUTH}
	 */
	@Override
	public String getAuthType() {
		return HttpServletRequest.DIGEST_AUTH;
	}

	/**
	 * Verifies the Digest credentials carried by the current request.
	 *
	 * <p>The {@code configuration} argument is not consulted here; the legacy
	 * {@code digest_auth} flag is read from
	 * {@link AccessControlContext#getSettings()} instead.</p>
	 *
	 * @param  accessControlContext the request, response and settings of the
	 *         current access check
	 * @param  configuration the verifier configuration (not used by this
	 *         verifier)
	 * @return a result in state {@code SUCCESS} holding the resolved user ID; a
	 *         result in state {@code INVALID_CREDENTIALS} when a challenge was
	 *         written to the response; otherwise an untouched result so other
	 *         verifiers can handle the request
	 * @throws AuthException if resolving the user fails with a
	 *         {@link PortalException} or {@link SystemException}
	 */
	@Override
	public AuthVerifierResult verify(
			AccessControlContext accessControlContext, Properties configuration)
		throws AuthException {

		try {
			AuthVerifierResult result = new AuthVerifierResult();

			HttpServletRequest request = accessControlContext.getRequest();

			long userId = PortalUtil.getDigestAuthUserId(request);

			if (userId != 0) {
				result.setState(AuthVerifierResult.State.SUCCESS);
				result.setUserId(userId);

				return result;
			}

			// Deprecated: the legacy "digest_auth" flag forces a Digest
			// challenge instead of leaving the request to other verifiers

			boolean forcedDigestAuth = MapUtil.getBoolean(
				accessControlContext.getSettings(), "digest_auth");

			if (!forcedDigestAuth) {
				return result;
			}

			HttpServletResponse response = accessControlContext.getResponse();

			// Must generate a new nonce for each 401 (RFC2617, 3.2.1); reusing
			// a nonce across challenges would weaken replay protection

			long companyId = PortalInstances.getCompanyId(request);

			String remoteAddress = request.getRemoteAddr();

			String nonce = NonceUtil.generate(companyId, remoteAddress);

			response.setHeader(
				HttpHeaders.WWW_AUTHENTICATE, _buildChallenge(nonce));

			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

			result.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);

			return result;
		}
		catch (PortalException pe) {
			throw new AuthException(pe);
		}
		catch (SystemException se) {
			throw new AuthException(se);
		}
	}

	/**
	 * Builds the {@code WWW-Authenticate} challenge value
	 * {@code Digest realm="<realm>", nonce="<nonce>"}.
	 *
	 * @param  nonce the freshly generated server nonce
	 * @return the challenge header value
	 */
	private static String _buildChallenge(String nonce) {
		return _DIGEST_REALM.concat(", nonce=\"").concat(nonce).concat("\"");
	}

	// Leading part of every challenge; the realm is the portal-wide constant

	private static final String _DIGEST_REALM =
		"Digest realm=\"" + Portal.PORTAL_REALM + "\"";

}