1 package com.atlassian.seraph.filter;
2
3 import com.opensymphony.user.provider.ejb.util.Base64;
4
5 import java.util.StringTokenizer;
6 import javax.servlet.http.HttpServletRequest;
7
8 /**
9 * This is a filter that logs the user in. It parses a standard HTTP based authentication request and logs the user in.
10 * At the moment it supports only a BASIC authentication scheme. The simple way of using it manually is to request a URL in the following form:
11 * protocol://user:password@host[:port]/path
12 * e.g.:
13 * https://juancho:sillyPass@bamboo.developer.atlassian.com/
14 * <p>
15 * If authentication is successful, the user will be redirected by the filter to the URL given
16 * by the session attribute at SecurityFilter.ORIGINAL_URL_KEY.
17 * <p>
18 * If this URL doesn't exist, it will look for a parameter 'os_destination' to use as the redirected URL instead.
19 * <p>
20 * If neither is found, it is assumed that the page will check the authorisation status and handle redirection itself.
21 * <p>
22 * From any other filter in the request, or the servlet/JSP/action which processes the request, you can look up the
23 * status of the authorisation attempt. The status is a String request attribute, with the key 'os_authstatus'.
24 * <p>
25 * The possible statuses are:
26 * <ul>
27 * <li> LoginFilter.LOGIN_SUCCESS - the login was processed, and user was logged in
28 * <li> LoginFilter.LOGIN_FAILURE - the login was processed, the user gave a bad username or password
29 * <li> LoginFilter.LOGIN_ERROR - the login was processed, an exception occurred trying to log the user in
30 * <li> LoginFilter.LOGIN_NOATTEMPT - the login was not processed, no form parameters existed
31 * </ul>
32 */
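public class HttpAuthFilter extends PasswordBasedLoginFilter
{
    /** Scheme prefix of a Basic credential in the Authorization header; matched case-insensitively. */
    private static final String BASIC_PREFIX = "Basic ";

    /**
     * Extracts the credentials from an HTTP Basic {@code Authorization} header.
     * <p>
     * Only the Basic scheme is recognised. The header value is expected to be
     * {@code Basic <base64(user:password)>}. The decoded text is split at the
     * <em>first</em> colon (RFC 7617: the user-id may not contain a colon but the
     * password may), so a password containing {@code ':'} is no longer truncated and
     * an empty password no longer raises {@code NoSuchElementException}.
     *
     * @param request the current request; only its {@code Authorization} header is read
     * @return the username/password pair, or {@code null} when the header is absent,
     *         uses another scheme, does not decode to {@code user:password}, or carries
     *         an empty user name (all of which the caller treats as "no login attempt")
     */
    UserPasswordPair extractUserPasswordPair(HttpServletRequest request)
    {
        String auth = request.getHeader("Authorization");
        if (auth == null)
        {
            return null;
        }

        // Scheme names are case-insensitive. regionMatches(ignoreCase=true) is locale
        // independent, whereas toUpperCase() depends on the default locale (e.g. Turkish
        // dotted/dotless I) and can fail to recognise a valid "basic" token.
        if (!auth.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length()))
        {
            return null;
        }

        // Everything after the scheme token is the base64 encoded "user:password";
        // surrounding whitespace is not part of the token.
        String userpassEncoded = auth.substring(BASIC_PREFIX.length()).trim();

        byte[] decodedBytes = Base64.decode(userpassEncoded.getBytes());
        if (decodedBytes == null)
        {
            // NOTE(review): assumes the project Base64 decoder signals undecodable input
            // with null rather than an exception — confirm against its implementation.
            return null;
        }
        // NOTE(review): the credentials are decoded with the platform default charset, as
        // the original did; RFC 7617 allows clients to send UTF-8 (charset="UTF-8").
        // Confirm which encoding existing deployments rely on before changing this.
        String userpassDecoded = new String(decodedBytes);

        // Split at the FIRST colon only. indexOf() == -1 means no separator, == 0 means an
        // empty user name; neither is a usable credential.
        int separator = userpassDecoded.indexOf(':');
        if (separator <= 0)
        {
            return null;
        }
        String username = userpassDecoded.substring(0, separator);
        String password = userpassDecoded.substring(separator + 1);

        // Third argument presumably disables "remember me" for header based logins —
        // verify against UserPasswordPair.
        return new UserPasswordPair(username, password, false);
    }
}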