1/*2 * Licensed to the Apache Software Foundation (ASF) under one or more3 * contributor license agreements. See the NOTICE file distributed with4 * this work for additional information regarding copyright ownership.5 * The ASF licenses this file to You under the Apache License, Version 2.06 * (the "License"); you may not use this file except in compliance with7 * the License. You may obtain a copy of the License at8 * 9 * http://www.apache.org/licenses/LICENSE-2.010 * 11 * Unless required by applicable law or agreed to in writing, software12 * distributed under the License is distributed on an "AS IS" BASIS,13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.14 * See the License for the specific language governing permissions and15 * limitations under the License.16 */17packageorg.apache.jetspeed.security.impl.ntlm;
1819import java.security.Principal;
2021import javax.servlet.http.HttpServletRequest;
22import javax.servlet.http.HttpServletRequestWrapper;
2324import org.apache.commons.lang.ArrayUtils;
25import org.apache.commons.lang.StringUtils;
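/**
 * Request wrapper to be used together with an NTLM authentication filter (jCIFS).
 * <p>
 * The NTLM filter wraps the original request and sets the principal and remote user obtained
 * from NTLM authentication, <i>regardless</i> of any principal already present in the original
 * request. This wrapper restores the intended precedence: it exposes the principal of the
 * original request when there is one, and otherwise the NTLM principal. For the servlet paths
 * named in a comma-separated ignore list the NTLM principal / remote user is not exposed, so
 * that a fallback login method (e.g. container-based form authentication) sees a request
 * without a principal.
 * <p>
 * This class performs no authentication of its own; it only selects between the identities
 * reported by the requests it wraps. The values returned by {@link #getUserPrincipal()} and
 * {@link #getRemoteUser()} are always taken from the same underlying request, so code that
 * checks one of them reaches the same conclusion as code that checks the other.
 *
 * @see NtlmHttpServletRequestFilter
 * @author <a href="mailto:d.dam@hippo.nl">Dennis Dam</a>
 * @version $Id$
 */
public class NtlmHttpServletRequestWrapper extends HttpServletRequestWrapper {
    /** Identity exposed by this wrapper; {@code null} when the request is treated as anonymous. */
    private final Principal principal;
    /** Login name belonging to {@link #principal}, read from the same request as the principal. */
    private final String remoteUser;

    /**
     * Selects the identity this wrapper exposes.
     *
     * @param req the request to wrap; when it is itself an {@link HttpServletRequestWrapper}
     *        (the NTLM filter's request), the request inside it is consulted first
     * @param ignoreNtmlUrls comma-separated servlet paths for which the NTLM identity must not
     *        be exposed; may be {@code null}. Entries are compared for exact, case-sensitive
     *        equality with {@link HttpServletRequest#getServletPath()} after surrounding
     *        whitespace has been removed
     */
    public NtlmHttpServletRequestWrapper(HttpServletRequest req, String ignoreNtmlUrls) {
        super(req);
        Principal selectedPrincipal = null;
        String selectedUser = null;
        if (req instanceof HttpServletRequestWrapper) {
            // Strip each entry: a list written as "/a, /b" would otherwise yield " /b", which can
            // never equal a servlet path and would silently drop that URL from the ignore list.
            String[] urls = ignoreNtmlUrls != null
                    ? StringUtils.stripAll(StringUtils.split(ignoreNtmlUrls, ','))
                    : new String[0];
            String servletUrl = req.getServletPath();
            Principal ntlmPrincipal = req.getUserPrincipal();
            String ntlmUser = req.getRemoteUser();
            HttpServletRequest originalRequest =
                    (HttpServletRequest) ((HttpServletRequestWrapper) req).getRequest();
            Principal originalPrincipal = originalRequest.getUserPrincipal();
            if (originalPrincipal != null) {
                /*
                 * The principal of the original request has precedence over the NTLM
                 * authenticated principal. This is needed when the NTLM principal is not
                 * authorized by Jetspeed: a fallback login method can then be used.
                 * The remote user is taken from the same request, so that getRemoteUser()
                 * does not report null for a request that does carry a principal.
                 */
                selectedPrincipal = originalPrincipal;
                selectedUser = originalRequest.getRemoteUser();
            } else if (!ArrayUtils.contains(urls, servletUrl)
                    && ntlmPrincipal != null && ntlmUser != null) {
                /*
                 * No principal in the original request: use the NTLM identity, but only if the
                 * current servlet path is not in the ignore list. Fallback authentication
                 * methods such as container-based form authentication might only work when
                 * the request carries no principal.
                 */
                selectedPrincipal = ntlmPrincipal;
                selectedUser = ntlmUser;
            }
        } else {
            // Not wrapped by the NTLM filter: pass the wrapped request's identity through,
            // principal and remote user together.
            selectedPrincipal = super.getUserPrincipal();
            selectedUser = super.getRemoteUser();
        }
        principal = selectedPrincipal;
        remoteUser = selectedUser;
    }

    /**
     * Returns the principal selected at construction time.
     *
     * @return the selected principal, or {@code null} if none was selected
     */
    public Principal getUserPrincipal() {
        return principal;
    }

    /**
     * Returns the remote user selected at construction time.
     *
     * @return the remote user read from the same request as the principal, or {@code null}
     */
    public String getRemoteUser() {
        return remoteUser;
    }

}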