
1   package com.atlassian.seraph.filter;
2   
import java.nio.charset.Charset;
import java.util.StringTokenizer;

import javax.servlet.http.HttpServletRequest;

import com.opensymphony.user.provider.ejb.util.Base64;
8   
9   /**
10   * This is a filter that logs the user in. It parses a standard HTTP based authentication request and logs the user in.
11   * At the moment it supports only a BASIC authentication scheme. The simple way of using it manually is to request a URL in the following form:
12   * protocol://user:password@host[:port]/path
13   * e.g.:
14   * https://juancho:sillyPass@bamboo.developer.atlassian.com/
15   * <p>
16   * If authentication is successful, the user will be redirected by the filter to the URL given
17   * by the session attribute at SecurityFilter.ORIGINAL_URL_KEY.
18   * <p>
19   * If this URL doesn't exist, it will look for a parameter 'os_destination' to use as the redirected URL instead.
20   * <p>
21   * If neither is found, it is assumed that the page will check the authorisation status and handle redirection itself.
22   * <p>
23   * From any other filter in the request, or the servlet/JSP/action which processes the request, you can look up the
24   * status of the authorisation attempt. The status is a String request attribute, with the key 'os_authstatus'.
25   * <p>
26   * The possible statuses are:
27   * <ul>
28   *  <li> LoginFilter.LOGIN_SUCCESS - the login was processed, and user was logged in
29   *  <li> LoginFilter.LOGIN_FAILURE - the login was processed, the user gave a bad username or password
30   *  <li> LoginFilter.LOGIN_ERROR - the login was processed, an exception occurred trying to log the user in
31   *  <li> LoginFilter.LOGIN_NOATTEMPT - the login was not processed, no form parameters existed
32   * </ul>
33   */
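public class HttpAuthFilter extends PasswordBasedLoginFilter
{
	/** Scheme token this filter understands; matched case-insensitively per RFC 7617. */
	private static final String BASIC_SCHEME = "Basic ";

	/**
	 * Charset used for the base64 text and for the decoded credential bytes.
	 * Previously the platform default charset was used, so a non-ASCII password decoded differently
	 * depending on the JVM's configuration; UTF-8 is pinned so the result is deterministic and matches
	 * the only charset value RFC 7617 lets a server advertise.
	 */
	private static final Charset CREDENTIALS_CHARSET = Charset.forName("UTF-8");

	/**
	 * Extracts the username and password from the request's HTTP Basic {@code Authorization} header.
	 *
	 * @param request the current request; only its {@code Authorization} header is read
	 * @return the credentials carried by the header, or {@code null} when the header is absent, names a
	 *         scheme other than Basic, or does not decode to a {@code user:password} string with a
	 *         non-empty username
	 */
	UserPasswordPair extractUserPasswordPair(HttpServletRequest request)
	{
		String auth = request.getHeader("Authorization");
		// regionMatches(ignoreCase=true) is locale-independent, unlike toUpperCase() which can break
		// the comparison under locales with special casing rules (e.g. Turkish dotted/dotless i).
		if (auth == null || !auth.regionMatches(true, 0, BASIC_SCHEME, 0, BASIC_SCHEME.length()))
		{
			return null;
		}

		// Everything after the scheme token is the base64 encoded "user:password" string.
		String userpassEncoded = auth.substring(BASIC_SCHEME.length());
		byte[] decodedBytes = Base64.decode(userpassEncoded.getBytes(CREDENTIALS_CHARSET));
		if (decodedBytes == null)
		{
			// Defensive: the decoder's contract on malformed input is not visible in this file.
			return null;
		}
		String userpassDecoded = new String(decodedBytes, CREDENTIALS_CHARSET);

		String[] parts = splitCredentials(userpassDecoded);
		if (parts == null)
		{
			return null;
		}
		// NOTE(review): the third constructor argument has always been false here; its meaning is
		// defined by UserPasswordPair, which is not visible in this file.
		return new UserPasswordPair(parts[0], parts[1], false);
	}

	/**
	 * Splits a decoded {@code user:password} string on its first colon.
	 * <p>
	 * Splitting on the first colon only means the password may itself contain colons, which RFC 7617
	 * allows. The previous StringTokenizer over ":" truncated such passwords, collapsed consecutive
	 * colons, and threw NoSuchElementException for an empty password ({@code "user:"}).
	 *
	 * @param userpassDecoded the decoded credential string, may be {@code null}
	 * @return a two-element array of username and password (the password may be empty), or
	 *         {@code null} when the input is {@code null}, contains no colon, or the username is empty
	 */
	static String[] splitCredentials(String userpassDecoded)
	{
		if (userpassDecoded == null)
		{
			return null;
		}
		int colon = userpassDecoded.indexOf(':');
		if (colon <= 0)
		{
			// No colon at all (-1) or an empty username (0): not a usable credential.
			return null;
		}
		return new String[] {
			userpassDecoded.substring(0, colon),
			userpassDecoded.substring(colon + 1)
		};
	}
}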