/* * Copyright 2011 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.gitblit; import java.io.IOException; import java.nio.charset.Charset; import java.security.Principal; import java.text.MessageFormat; import java.util.Enumeration; import java.util.HashMap; import java.util.Map; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.gitblit.models.UserModel; import com.gitblit.utils.Base64; import com.gitblit.utils.StringUtils; /** * The AuthenticationFilter is a servlet filter that preprocesses requests that * match its url pattern definition in the web.xml file. * * http://en.wikipedia.org/wiki/Basic_access_authentication * * @author James Moger * */ public abstract class AuthenticationFilter implements Filter { protected static final String BASIC = "Basic"; protected static final String CHALLENGE = BASIC + " realm=\"" + Constants.NAME + "\""; protected static final String SESSION_SECURED = "com.gitblit.secured"; protected transient Logger logger = LoggerFactory.getLogger(getClass()); /** * doFilter does the actual work of preprocessing the request to ensure that * the user may proceed. * * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public abstract void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException; /** * Returns the full relative url of the request. * * @param httpRequest * @return url */ protected String getFullUrl(HttpServletRequest httpRequest) { String servletUrl = httpRequest.getContextPath() + httpRequest.getServletPath(); String url = httpRequest.getRequestURI().substring(servletUrl.length()); String params = httpRequest.getQueryString(); if (url.length() > 0 && url.charAt(0) == '/') { url = url.substring(1); } String fullUrl = url + (StringUtils.isEmpty(params) ? "" : ("?" + params)); return fullUrl; } /** * Returns the user making the request, if the user has authenticated. * * @param httpRequest * @return user */ protected UserModel getUser(HttpServletRequest httpRequest) { UserModel user = null; // look for client authorization credentials in header final String authorization = httpRequest.getHeader("Authorization"); if (authorization != null && authorization.startsWith(BASIC)) { // Authorization: Basic base64credentials String base64Credentials = authorization.substring(BASIC.length()).trim(); String credentials = new String(Base64.decode(base64Credentials), Charset.forName("UTF-8")); // credentials = username:password final String[] values = credentials.split(":"); if (values.length == 2) { String username = values[0]; char[] password = values[1].toCharArray(); user = GitBlit.self().authenticate(username, password); if (user != null) { return user; } } if (GitBlit.isDebugMode()) { logger.info(MessageFormat.format("AUTH: invalid credentials ({0})", credentials)); } } return null; } /** * Taken from Jetty's LoginAuthenticator.renewSessionOnAuthentication() */ @SuppressWarnings("unchecked") protected void newSession(HttpServletRequest request, HttpServletResponse response) { HttpSession oldSession = request.getSession(false); if (oldSession != null && oldSession.getAttribute(SESSION_SECURED) == null) { synchronized (this) { Map attributes = new HashMap(); Enumeration e = oldSession.getAttributeNames(); while (e.hasMoreElements()) { String name = e.nextElement(); attributes.put(name, oldSession.getAttribute(name)); oldSession.removeAttribute(name); } oldSession.invalidate(); HttpSession newSession = request.getSession(true); newSession.setAttribute(SESSION_SECURED, Boolean.TRUE); for (Map.Entry entry : attributes.entrySet()) { newSession.setAttribute(entry.getKey(), entry.getValue()); } } } } /** * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ @Override public void init(final FilterConfig config) throws ServletException { } /** * @see javax.servlet.Filter#destroy() */ @Override public void destroy() { } /** * Wraps a standard HttpServletRequest and overrides user principal methods. */ public static class AuthenticatedRequest extends ServletRequestWrapper { private UserModel user; public AuthenticatedRequest(HttpServletRequest req) { super(req); user = new UserModel("anonymous"); } UserModel getUser() { return user; } void setUser(UserModel user) { this.user = user; } @Override public String getRemoteUser() { return user.username; } @Override public boolean isUserInRole(String role) { if (role.equals(Constants.ADMIN_ROLE)) { return user.canAdmin; } // Gitblit does not currently use actual roles in the traditional // servlet container sense. That is the reason this is marked // deprecated, but I may want to revisit this. return user.canAccessRepository(role); } @Override public Principal getUserPrincipal() { return user; } } }