1 /* 2 * $Source$ 3 * $Revision$ 4 * 5 * Copyright (C) 2000 William Chesters 6 * 7 * Part of Melati (http://melati.org), a framework for the rapid 8 * development of clean, maintainable web applications. 9 * 10 * Melati is free software; Permission is granted to copy, distribute 11 * and/or modify this software under the terms either: 12 * 13 * a) the GNU General Public License as published by the Free Software 14 * Foundation; either version 2 of the License, or (at your option) 15 * any later version, 16 * 17 * or 18 * 19 * b) any version of the Melati Software License, as published 20 * at http://melati.org 21 * 22 * You should have received a copy of the GNU General Public License and 23 * the Melati Software License along with this program; 24 * if not, write to the Free Software Foundation, Inc., 25 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA to obtain the 26 * GNU General Public License and visit http://melati.org to obtain the 27 * Melati Software License. 28 * 29 * Feel free to contact the Developers of Melati (http://melati.org), 30 * if you would like to work out a different arrangement than the options 31 * outlined here. It is our intention to allow Melati to be used by as 32 * wide an audience as possible. 33 * 34 * This program is distributed in the hope that it will be useful, 35 * but WITHOUT ANY WARRANTY; without even the implied warranty of 36 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 37 * GNU General Public License for more details. 38 * 39 * Contact details for copyright holder: 40 * 41 * William Chesters <williamc At paneris.org> 42 * http://paneris.org/~williamc 43 * Obrechtstraat 114, 2517VX Den Haag, The Netherlands 44 */ 45 46 package org.melati.login; 47 48 import java.io.IOException; 49 import javax.servlet.http.HttpServletResponse; 50 import org.melati.poem.AccessPoemException; 51 import org.melati.poem.PoemThread; 52 import org.melati.poem.User; 53 import org.melati.Melati; 54 import org.melati.util.UnexpectedExceptionException; 55 56 57 58 /** 59 * An {@link AccessHandler} which uses the HTTP Basic Authentication scheme to 60 * elicit and maintain the user's login and password. 61 * 62 * This implementation doesn't use the servlet session at all, 63 * so it doesn't try to send cookies or 64 * do URL rewriting. 65 * 66 */ 67 public class HttpBasicAuthenticationAccessHandler implements AccessHandler { 68 private static final String className = 69 new HttpBasicAuthenticationAccessHandler().getClass().getName(); 70 71 final String REALM = className + ".realm"; 72 final String USER = className + ".user"; 73 74 /** 75 * Change here to use session, if that makes sense. 76 * @return false 77 */ 78 protected boolean useSession() { 79 return false; 80 } 81 82 /** 83 * Force a login by sending a 401 error back to the browser. 84 * 85 * HACK Apache/Netscape appear not to do anything with message, which is 86 * why it's just left as a String. 87 */ 88 protected void forceLogin(HttpServletResponse resp, 89 String realm, String message) { 90 String desc = realm == null ? "<unknown>" 91 : realm.replace('"', ' '); 92 resp.setHeader("WWW-Authenticate", "Basic realm=\"" + desc + "\""); 93 // I don't believe there is a lot we can do about an IO exception here 94 try { 95 resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, message); 96 } catch (IOException e) { 97 throw new UnexpectedExceptionException(e); 98 } 99 } 100 101 /** 102 * Called when an AccessPoemException is trapped. 103 * 104 * @param melati the Melati 105 * @param accessException the particular access exception to handle 106 * @see org.melati.login.AccessHandler#handleAccessException 107 */ 108 public void handleAccessException(Melati melati, 109 AccessPoemException accessException) 110 throws Exception { 111 String capName = "melati"; 112 if (useSession()) 113 melati.getSession().setAttribute(REALM, capName); 114 forceLogin(melati.getResponse(), capName, accessException.getMessage()); 115 } 116 117 @Override 118 public Melati establishUser(Melati melati) { 119 120 HttpAuthorization auth = HttpAuthorization.from(melati.getRequest()); 121 122 if (auth == null) { 123 // No attempt to log in: become `guest' 124 125 PoemThread.setAccessToken(melati.getDatabase().guestAccessToken()); 126 return melati; 127 } 128 else { 129 // They are trying to log in 130 131 // If allowed, we store the User in the session to avoid repeating the 132 // SELECTion implied by firstWhereEq for every hit 133 134 User sessionUser = 135 useSession() ? (User)melati.getSession().getAttribute(USER) : null; 136 User user = null; 137 138 if (sessionUser == null || 139 !sessionUser.getLogin().equals(auth.username)) 140 user = (User)melati.getDatabase().getUserTable().getLoginColumn(). 141 firstWhereEq(auth.username); 142 else 143 user = sessionUser; 144 145 if (user == null || !user.getPassword_unsafe().equals(auth.password)) { 146 147 // Login/password authentication failed; we must trigger another 148 // attempt. But do we know the "realm" (= POEM capability name) for 149 // which they were originally found not to be authorized? 150 151 String storedRealm; 152 if (useSession() && 153 (storedRealm = (String)melati.getSession().getAttribute(REALM)) 154 != null) { 155 156 // The "realm" is stored in the session 157 158 forceLogin(melati.getResponse(), storedRealm, 159 "Login/password not recognised"); 160 return null; 161 } 162 else { 163 164 // We don't know the "realm", so we just let the user try again as 165 // `guest' and hopefully trigger the same problem and get the same 166 // message all over again. Not very satisfactory but the alternative 167 // is providing a default realm like "<unknown>". 168 169 PoemThread.setAccessToken(melati.getDatabase().guestAccessToken()); 170 return melati; 171 } 172 } 173 else { 174 175 // Login/password authentication succeeded 176 177 PoemThread.setAccessToken(user); 178 179 if (useSession() && user != sessionUser) 180 melati.getSession().setAttribute(USER, user); 181 182 return melati; 183 } 184 } 185 } 186 187 @Override 188 public void buildRequest(Melati melati) 189 throws IOException { 190 } 191 }