1 package com.atlassian.seraph.auth;
2
import com.atlassian.seraph.config.SecurityConfig;

import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
6
7 /**
8 * If an authType is specified by the user that doesn't match a specific auth type as defined by this enum,
9 * 'NONE' will be returned.
10 *
11 * @since 2.2
12 */
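public enum AuthType
{
    /**
     * There has been no authentication type specified for this request. If the user has provided an invalid cookie they
     * will be allowed to view the page as an anonymous user.
     */
    NONE,

    /**
     * The user is presenting a session cookie that they expect to work. If it doesn't work they want to know that,
     * rather than silently proceeding as an anonymous user. In practice this means they should get a 401 or 403
     * if their session has expired.
     */
    COOKIE,

    /**
     * The user is either presenting HTTP BASIC Authentication credentials or wants the application to initiate a
     * BASIC Auth challenge.
     */
    BASIC,

    /**
     * This is sort of like a combination of all three above. If you don't present BASIC Auth or a session cookie
     * then you will proceed anonymous. If you present one of those and they are invalid then you get a 401 or 403 instead.
     *
     * The difference between NONE and ANY is that with NONE you can *think* you are logging in but end up anonymous because
     * your session has expired. Remote API users (like scripts) don't notice this and just get different results. They would
     * prefer to get an obvious response code telling them that something isn't quite right.
     */
    ANY;

    /**
     * Name of the request attribute that supplies a default type name when the request carries no authType
     * parameter. It is read by {@link #getAuthTypeInformation}; what sets it is outside this class.
     */
    public static final String DEFAULT_ATTRIBUTE = "os_authTypeDefault";

    /**
     * Resolves the {@link AuthType} requested for this request.
     * <p>
     * The type name is read from the request parameter named by {@link SecurityConfig#getAuthType()}; if that
     * parameter is absent, the request attribute {@link #DEFAULT_ATTRIBUTE} is consulted instead. The name is matched
     * case-insensitively against the enum constants. A name that is missing, not a {@code String}, or not a known
     * constant resolves to {@link #NONE}, so a client cannot provoke an exception from this method, or select a
     * mode it did not name, by supplying an unexpected value.
     *
     * @param request the current request; its parameters are client-controlled input
     * @param config  the security configuration supplying the parameter name
     * @return the requested type, or {@link #NONE} if none is specified or the value is not recognised
     */
    public static AuthType getAuthTypeInformation(final HttpServletRequest request, final SecurityConfig config)
    {
        final String authTypeParamName = config.getAuthType();
        String authType = request.getParameter(authTypeParamName);
        if (authType == null)
        {
            // No parameter: fall back to a default that another component may have placed on the request. Only a
            // String is honoured; any other attribute type is treated as unset instead of raising ClassCastException.
            final Object defaultType = request.getAttribute(DEFAULT_ATTRIBUTE);
            if (defaultType instanceof String)
            {
                authType = (String) defaultType;
            }
        }
        return fromName(authType);
    }

    /**
     * Maps a type name to a constant, treating an absent or unknown name as {@link #NONE}.
     *
     * @param name the type name as supplied by the client or the default attribute, may be {@code null}
     * @return the matching constant, or {@link #NONE} when {@code name} is {@code null} or not a constant name
     */
    private static AuthType fromName(final String name)
    {
        if (name == null)
        {
            return NONE;
        }
        try
        {
            // Locale.ROOT so the JVM's default locale (e.g. Turkish dotted/dotless i) cannot change whether
            // "basic" or "cookie" upper-cases to a recognised constant name.
            return valueOf(name.toUpperCase(Locale.ROOT));
        }
        catch (IllegalArgumentException e)
        {
            // An unrecognised type is a no-op rather than an error: the request proceeds with no
            // authentication type requested.
            return NONE;
        }
    }
}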