/* * Copyright 2013 Laurens Vrijnsen * Copyright 2013 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */package com.gitblit.servlet; import java.io.IOException; import java.text.MessageFormat; import com.google.inject.Inject; import com.google.inject.Singleton; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.gitblit.IStoredSettings; import com.gitblit.Keys; import com.gitblit.manager.IAuthenticationManager; import com.gitblit.models.UserModel; /** * This filter enforces authentication via HTTP Basic Authentication, if the settings indicate so. * It looks at the settings "web.authenticateViewPages" and "web.enforceHttpBasicAuthentication"; if * both are true, any unauthorized access will be met with a HTTP Basic Authentication header. * * @author Laurens Vrijnsen * */ @Singleton public class EnforceAuthenticationFilter implements Filter { protected transient Logger logger = LoggerFactory.getLogger(getClass()); private IStoredSettings settings; private IAuthenticationManager authenticationManager; @Inject public EnforceAuthenticationFilter( IStoredSettings settings, IAuthenticationManager authenticationManager) { this.settings = settings; this.authenticationManager = authenticationManager; } @Override public void init(FilterConfig config) { } @Override public void destroy() { } /* * This does the actual filtering: is the user authenticated? If not, enforce HTTP authentication (401) * * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { Boolean mustForceAuth = settings.getBoolean(Keys.web.authenticateViewPages, false) && settings.getBoolean(Keys.web.enforceHttpBasicAuthentication, false); HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; UserModel user = authenticationManager.authenticate(httpRequest); if (mustForceAuth && (user == null)) { // not authenticated, enforce now: logger.debug(MessageFormat.format("EnforceAuthFilter: user not authenticated for URL {0}!", request.toString())); String challenge = MessageFormat.format("Basic realm=\"{0}\"", settings.getString(Keys.web.siteName, "")); httpResponse.setHeader("WWW-Authenticate", challenge); httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; } else { // user is authenticated, or don't care, continue handling chain.doFilter(request, response); } } }