17 package org.jboss.web.tomcat.security;
18
19 import java.io.IOException;
20 import java.security.Principal;
21 import java.util.StringTokenizer;
22
23 import javax.management.JMException;
24 import javax.management.ObjectName;
25 import javax.servlet.http.Cookie;
26 import javax.servlet.http.HttpServletRequest;
27 import javax.servlet.http.HttpServletResponse;
28
29 import org.apache.catalina.Realm;
30 import org.apache.catalina.Session;
31 import org.apache.catalina.authenticator.Constants;
32 import org.apache.catalina.connector.Request;
33 import org.apache.catalina.deploy.LoginConfig;
34 import org.jboss.logging.Logger;
35
36 import org.jboss.as.web.security.ExtendedFormAuthenticator;
37 import org.jboss.security.plugins.HostThreadLocal;
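/**
 * Form authenticator that first tries header/cookie based single sign-on: the user id is read
 * from a configured request header and the credential from a configured cookie, and the pair is
 * handed to the realm. When either is missing the request falls back to regular form login.
 * <p>
 * The header only names the user; the cookie value is the secret the realm checks. The front-end
 * that injects the header must therefore be the only party able to set it (strip or overwrite it
 * on inbound requests), and the realm must bind the cookie value to that user.
 */
public class GenericHeaderAuthenticator extends ExtendedFormAuthenticator {
    protected static Logger log = Logger.getLogger(GenericHeaderAuthenticator.class);

    /** JMX name of the web server service that holds the fallback SSO configuration. */
    private static final String WEB_SERVER_MBEAN = "jboss.web:service=WebServer";

    /** Comma-separated header names carrying the SSO user id; {@code null} means read it via JMX. */
    private String httpHeaderForSSOAuth = null;

    /** Comma-separated cookie names carrying the SSO session key; {@code null} means read it via JMX. */
    private String sessionCookieForSSOAuth = null;

    /**
     * Returns the locally configured header-name list.
     *
     * @return the comma-separated header names, or {@code null} when the JMX attribute is used
     */
    public String getHttpHeaderForSSOAuth() {
        return httpHeaderForSSOAuth;
    }

    /**
     * Configures the request headers that may carry the SSO user id. Names are tried in order
     * and the first header present wins.
     *
     * @param httpHeaderForSSOAuth comma-separated header names; surrounding whitespace is ignored
     */
    public void setHttpHeaderForSSOAuth(String httpHeaderForSSOAuth) {
        this.httpHeaderForSSOAuth = httpHeaderForSSOAuth;
    }

    /**
     * Returns the locally configured cookie-name list.
     *
     * @return the comma-separated cookie names, or {@code null} when the JMX attribute is used
     */
    public String getSessionCookieForSSOAuth() {
        return sessionCookieForSSOAuth;
    }

    /**
     * Configures the cookies that may carry the SSO session key. Names are tried in order and
     * the first cookie present wins.
     *
     * @param sessionCookieForSSOAuth comma-separated cookie names; surrounding whitespace is ignored
     */
    public void setSessionCookieForSSOAuth(String sessionCookieForSSOAuth) {
        this.sessionCookieForSSOAuth = sessionCookieForSSOAuth;
    }

    public GenericHeaderAuthenticator() {
        super();
    }

    /**
     * Authenticates the request from the SSO header and cookie, falling back to form login.
     *
     * @param request  the request being authenticated
     * @param response the response, used for the error page or the form-login redirect
     * @param config   the web application's login configuration
     * @return {@code true} when a principal is established on the request
     * @throws IOException if the fallback form authentication or error forwarding fails
     * @throws IllegalStateException if neither the local setters nor JMX provide the
     *         header or cookie name lists
     */
    @Override
    public boolean authenticate(Request request, HttpServletResponse response,
            LoginConfig config) throws IOException {
        // Peer address of the connection: behind a reverse proxy this is the proxy, not the client.
        HostThreadLocal.set(request.getRemoteAddr());

        log.trace("Authenticating user");

        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            log.trace("Already authenticated '" + principal.getName() + "'");
            return true;
        }

        Realm realm = context.getRealm();
        // Created up front, as in form login, so the notes below always have a session to land in.
        Session session = request.getSessionInternal(true);

        String username = getUserId(request);
        String password = getSessionCookie(request);

        if (username == null || password == null) {
            log.trace("Username is null or password(sessionkey) is null:fallback to form auth");
            return super.authenticate(request, response, config);
        }

        // The realm is the only check on the header/cookie pair; a header alone never authenticates.
        principal = realm.authenticate(username, password);

        if (principal == null) {
            forwardToErrorPage(request, response, config);
            return false;
        }

        // Same notes form login records, so re-authentication after session expiry keeps working.
        session.setNote(Constants.SESS_USERNAME_NOTE, username);
        session.setNote(Constants.SESS_PASSWORD_NOTE, password);
        request.setUserPrincipal(principal);

        register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
        return true;
    }

    /**
     * Reads the SSO user id from the first configured header present on the request.
     *
     * @param request the incoming request
     * @return the header value, or {@code null} when none of the configured headers is set
     * @throws IllegalStateException if no header-name list is configured (the JMX failure,
     *         if any, is attached as the cause)
     */
    protected String getUserId(Request request) {
        String ssoid = null;

        String ids = "";
        JMException lookupFailure = null;
        try {
            ids = this.getIdentityHeaderId();
        } catch (JMException e) {
            log.trace("getUserId exception", e);
            lookupFailure = e;
        }
        if (ids == null || ids.length() == 0) {
            throw new IllegalStateException(
                    "Http headers configuration in tomcat service missing", lookupFailure);
        }

        StringTokenizer st = new StringTokenizer(ids, ",");
        while (st.hasMoreTokens()) {
            // Trim so "a, b" style configuration does not silently look up " b".
            String headerName = st.nextToken().trim();
            if (headerName.length() == 0) {
                continue;
            }
            ssoid = request.getHeader(headerName);
            if (ssoid != null) {
                break;
            }
        }
        log.trace("SSOID-" + ssoid);
        return ssoid;
    }

    /**
     * Reads the SSO session key from the first configured cookie present on the request.
     *
     * @param request the incoming request
     * @return the cookie value, or {@code null} when none of the configured cookies is present
     * @throws IllegalStateException if no cookie-name list is configured (the JMX failure,
     *         if any, is attached as the cause)
     */
    protected String getSessionCookie(Request request) {
        Cookie[] cookies = request.getCookies();
        int numCookies = cookies != null ? cookies.length : 0;
        log.trace("Cookies:" + numCookies);

        String ids = "";
        JMException lookupFailure = null;
        try {
            ids = this.getSessionCookieId();
            log.trace("Session Cookie Ids=" + ids);
        } catch (JMException e) {
            log.trace("checkSessionCookie exception", e);
            lookupFailure = e;
        }
        if (ids == null || ids.length() == 0) {
            throw new IllegalStateException(
                    "Session cookies configuration in tomcat service missing", lookupFailure);
        }

        StringTokenizer st = new StringTokenizer(ids, ",");
        while (st.hasMoreTokens()) {
            String cookieToken = st.nextToken().trim();
            if (cookieToken.length() == 0) {
                continue;
            }
            String val = getCookieValue(cookies, numCookies, cookieToken);
            if (val != null) {
                return val;
            }
        }
        log.trace("Session Cookie not found");
        return null;
    }

    /**
     * Returns the header-name list: the locally configured value when set, otherwise the
     * {@code HttpHeaderForSSOAuth} attribute of the web server MBean.
     *
     * @throws JMException if the MBean attribute cannot be read
     */
    protected String getIdentityHeaderId() throws JMException {
        if (this.httpHeaderForSSOAuth != null) {
            return this.httpHeaderForSSOAuth;
        }
        return (String) mserver.getAttribute(new ObjectName(WEB_SERVER_MBEAN),
                "HttpHeaderForSSOAuth");
    }

    /**
     * Returns the cookie-name list: the locally configured value when set, otherwise the
     * {@code SessionCookieForSSOAuth} attribute of the web server MBean.
     *
     * @throws JMException if the MBean attribute cannot be read
     */
    protected String getSessionCookieId() throws JMException {
        if (this.sessionCookieForSSOAuth != null) {
            return this.sessionCookieForSSOAuth;
        }
        return (String) mserver.getAttribute(new ObjectName(WEB_SERVER_MBEAN),
                "SessionCookieForSSOAuth");
    }

    /**
     * Finds the value of the cookie named {@code token} among the first {@code numCookies}
     * entries of {@code cookies}.
     *
     * @param cookies    the request cookies, may be {@code null}
     * @param numCookies how many leading entries to inspect; clamped to the array length
     * @param token      the cookie name to match exactly
     * @return the matching cookie's value, or {@code null} if absent
     */
    protected String getCookieValue(Cookie[] cookies, int numCookies, String token) {
        if (cookies == null || token == null) {
            return null;
        }
        int limit = Math.min(numCookies, cookies.length);
        for (int i = 0; i < limit; i++) {
            Cookie cookie = cookies[i];
            log.trace("Matching cookieToken:" + token + " with cookie name=" + cookie.getName());
            if (token.equals(cookie.getName())) {
                // The value is the SSO credential, so only the name is logged.
                log.trace("Cookie-" + token + " found");
                return cookie.getValue();
            }
        }
        return null;
    }
}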