
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    * 
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   * 
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  package org.apache.jetspeed.security.impl;
18  
19  import java.security.Principal;
20  import java.util.HashSet;
21  import java.util.Set;
22  
23  import javax.security.auth.Subject;
24  
25  import org.apache.jetspeed.administration.PortalAuthenticationConfiguration;
26  import org.apache.jetspeed.pipeline.valve.SecurityValve;
27  import org.apache.jetspeed.profiler.Profiler;
28  import org.apache.jetspeed.request.RequestContext;
29  import org.apache.jetspeed.security.SecurityException;
30  import org.apache.jetspeed.security.SecurityHelper;
31  import org.apache.jetspeed.security.User;
32  import org.apache.jetspeed.security.UserManager;
33  import org.apache.jetspeed.security.UserPrincipal;
34  import org.apache.jetspeed.statistics.PortalStatistics;
35  
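/**
 * SecurityValve implementation that resolves the JAAS {@link Subject} used for
 * the current request.
 *
 * <p>
 * The subject returned by {@code getSubjectFromSession} is reused only while
 * its {@link UserPrincipal} name equals the name of the principal resolved for
 * the request. Otherwise a subject is looked up through the
 * {@link UserManager}, and if none is available a read-only subject holding
 * only the request (or anonymous) principal is created.
 * </p>
 *
 * @author <a href="mailto:taylor@apache.org">David Sean Taylor </a>
 * @author <a href="mailto:rwatler@finali.com">Randy Walter </a>
 * @author <a href="mailto:weaver@apache.org">Scott T. Weaver</a>
 * @version $Id: SecurityValveImpl.java 544250 2007-06-04 20:30:43Z taylor $
 */
public class SecurityValveImpl extends AbstractSecurityValve implements SecurityValve
{
    /** Source of user records and of the anonymous user name. */
    private final UserManager userMgr;

    /** Optional statistics sink; when null no login is recorded. */
    private final PortalStatistics statistics;

    /**
     * Creates a valve with statistics and an explicit authentication configuration.
     *
     * @param profiler not used by this class; kept for constructor compatibility
     * @param userMgr user manager used to resolve users and the anonymous user
     * @param statistics statistics sink, may be null
     * @param authenticationConfiguration stored in the field of the same name,
     *        which is not declared in this class (presumably inherited from
     *        AbstractSecurityValve)
     */
    public SecurityValveImpl(Profiler profiler, UserManager userMgr, PortalStatistics statistics, 
                            PortalAuthenticationConfiguration authenticationConfiguration)
    {
        this(profiler, userMgr, statistics);
        this.authenticationConfiguration = authenticationConfiguration;
    }
    
    /**
     * Creates a valve with statistics; the authentication configuration is
     * left at whatever value the superclass gives it.
     *
     * @param profiler not used by this class; kept for constructor compatibility
     * @param userMgr user manager used to resolve users and the anonymous user
     * @param statistics statistics sink, may be null
     */
    public SecurityValveImpl( Profiler profiler, UserManager userMgr, PortalStatistics statistics )
    {
        this.userMgr = userMgr;
        this.statistics = statistics;
    }

    /**
     * Creates a valve without statistics.
     *
     * @param profiler not used by this class; kept for constructor compatibility
     * @param userMgr user manager used to resolve users and the anonymous user
     */
    public SecurityValveImpl(Profiler profiler, UserManager userMgr)
    {
        this(profiler, userMgr, null);
    }
    
    /**
     * @return the fixed valve name "SecurityValve"
     */
    public String toString()
    {
        return "SecurityValve";
    }
    
    /**
     * Returns the subject for the request, discarding a previously established
     * session subject when its user principal does not match the current
     * request principal.
     *
     * <p>
     * When a new subject is produced, a user login is logged to the statistics
     * sink (if configured) and the remote address is stored in the session
     * under {@code IP_ADDRESS}. This method only returns the subject; where it
     * is written back to the session is not visible in this class.
     * </p>
     *
     * @param request the current request context
     * @return the matching session subject, the user manager's subject for the
     *         principal, or a read-only subject containing only the principal
     * @throws Exception if resolving the principal or the session subject fails
     */
    protected final Subject getSubject(RequestContext request) throws Exception
    {
        Principal userPrincipal = getUserPrincipal(request);
        
        Subject subject = getSubjectFromSession(request);
        if (subject != null)
        {
            Principal subjectUserPrincipal = SecurityHelper.getPrincipal(subject, UserPrincipal.class);
            // Compare against the principal resolved above rather than resolving
            // it a second time: the identity that is checked here is then the
            // same one used for the user lookup below, and no extra anonymous
            // principal is built per request.
            if ((subjectUserPrincipal == null) || !subjectUserPrincipal.getName().equals(userPrincipal.getName()))
            {
                // NOTE(review): only the cached subject is dropped here; the
                // session itself is not invalidated in this method. Confirm
                // that other per-user session state is cleared elsewhere.
                subject = null;
            }
        }
        
        // create new session subject for user principal if required
        if (subject == null)
        {
            // attempt to get complete subject for user principal
            // from user manager
            try
            {
                User user = userMgr.getUser(userPrincipal.getName());
                if ( user != null )
                {
                    subject = user.getSubject();
                }
            }
            catch (SecurityException ignored)
            {
                // A failed lookup is handled like an unknown user: the fallback
                // below yields a subject with the principal only and empty
                // credential sets. Nothing is logged here, so a failing user
                // store cannot be told apart from a missing user at this point.
                // NOTE(review): consider reporting this through the project's logger.
                subject = null;
            }       
            
            // if subject not available, generate default subject using
            // request or default profiler anonymous user principal
            if (subject == null)
            {
                Set principals = new HashSet();
                principals.add(userPrincipal);
                // first argument true makes the subject read-only
                subject = new Subject(true, principals, new HashSet(), new HashSet());
            } 
            
            // create a new statistics *user* session
            if (statistics != null)
            {
                statistics.logUserLogin(request, 0);
            }
            // put IP address in session for logout
            // NOTE(review): if getRequest() is the servlet request, getRemoteAddr()
            // is the directly connected peer, so behind a reverse proxy this
            // records the proxy's address rather than the client's.
            request.setSessionAttribute(IP_ADDRESS, request.getRequest().getRemoteAddr());            
        }               
        return subject;
    }
            
    /**
     * Returns the user principal of the request if one is defined, otherwise a
     * principal for the user manager's anonymous user.
     *
     * @param request the current request context
     * @return the request principal, or a new {@code UserPrincipalImpl} for the
     *         anonymous user; never null in this implementation
     * @throws Exception declared for overriding implementations
     */
    protected Principal getUserPrincipal(RequestContext request) throws Exception
    {
        Principal userPrincipal = request.getRequest().getUserPrincipal();
        if (userPrincipal == null)
        {
            userPrincipal = new UserPrincipalImpl(userMgr.getAnonymousUser());
        }
        return userPrincipal;
    }

}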