[Yanel-commits] rev 21294 - public/yanel/trunk/src/core/java/org/wyona/yanel/servlet

Sun Dec 31 00:58:47 CET 2006

Author: michi
Date: 2006-12-31 00:58:46 +0100 (Sun, 31 Dec 2006)
New Revision: 21294

Modified:
   public/yanel/trunk/src/core/java/org/wyona/yanel/servlet/YanelServlet.java
Log:
BASIC authentication/authorization fixed

Modified: public/yanel/trunk/src/core/java/org/wyona/yanel/servlet/YanelServlet.java
===================================================================

--- public/yanel/trunk/src/core/java/org/wyona/yanel/servlet/YanelServlet.java	2006-12-30 23:19:19 UTC (rev 21293)
+++ public/yanel/trunk/src/core/java/org/wyona/yanel/servlet/YanelServlet.java	2006-12-30 23:58:46 UTC (rev 21294)
@@ -811,8 +811,10 @@
         }
 
         boolean authorized = false;
+        Realm realm = map.getRealm(new Path(request.getServletPath()));
 
-        // HTTP BASIC Authorization (For clients without session handling, e.g. OpenOffice or cadaver)
+        // HTTP BASIC Authorization (For clients such as for instance Sunbird, OpenOffice or cadaver)
+        // IMPORT NOTE: BASIC Authentication needs to be checked on every request, because clients often do not support session handling
         String authorization = request.getHeader("Authorization");
         log.debug("Checking for Authorization Header: " + authorization);
         if (authorization != null) {
@@ -824,26 +826,35 @@
                 sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
                 String userpassDecoded = new String(dec.decodeBuffer(userpassEncoded));
                 log.error("DEBUG: userpassDecoded: " + userpassDecoded);
-                // TODO: Use security package and remove hardcoded ...
-        // Authenticate every request ...
-                //if (im.authenticate(...)) {
-                if (userpassDecoded.equals("lenya:levi")) {
-                    //return pm.authorize(new org.wyona.commons.io.Path(request.getServletPath()), new Identity(...), new Role("view"));
-                    authorized = true;
-                    return null;
+                String[] up = userpassDecoded.split(":");
+                String username = up[0];
+                String password = up[1];
+                log.error("DEBUG: username: " + username + ", password: " + password);
+                if (im.authenticate(username, password, realm.getID())) {
+                    authorized = pm.authorize(new org.wyona.commons.io.Path(request.getServletPath()), new Identity(username, null), new Role("view"));
+                    if(authorized) {
+                        return null;
+                    } else {
+                        log.warn("HTTP BASIC Authorization failed for " + username + "!");
+                        response.setHeader("WWW-Authenticate", "BASIC realm=\"" + realm.getName() + "\"");
+                        response.sendError(response.SC_UNAUTHORIZED);
+                        PrintWriter writer = response.getWriter();
+                        writer.print("BASIC Authorization Failed!");
+                        return response;
+                    }
+                } else {
+                    log.warn("HTTP BASIC Authentication failed for " + username + "!");
+                    response.setHeader("WWW-Authenticate", "BASIC realm=\"" + realm.getName() + "\"");
+                    response.sendError(response.SC_UNAUTHORIZED);
+                    PrintWriter writer = response.getWriter();
+                    writer.print("BASIC Authentication Failed!");
+                    return response;
                 }
-                authorized = false;
-
-                response.setHeader("WWW-Authenticate", "BASIC realm=\"yanel\"");
-                response.sendError(response.SC_UNAUTHORIZED);
-                PrintWriter writer = response.getWriter();
-                writer.print("BASIC Authorization/Authentication Failed!");
-                return response;
             } else if (authorization.toUpperCase().startsWith("DIGEST")) {
                 log.error("DIGEST is not implemented");
                 authorized = false;
                 response.sendError(response.SC_UNAUTHORIZED);
-                response.setHeader("WWW-Authenticate", "DIGEST realm=\"yanel\"");
+                response.setHeader("WWW-Authenticate", "DIGEST realm=\"" + realm.getName() + "\"");
                 PrintWriter writer = response.getWriter();
                 writer.print("DIGEST is not implemented!");
                 return response;
@@ -896,7 +907,6 @@
             StringBuffer sb = new StringBuffer("");
             String neutronVersions = request.getHeader("Neutron");
             String clientSupportedAuthScheme = request.getHeader("WWW-Authenticate");
-            Realm realm = map.getRealm(new Path(request.getServletPath()));
             if (clientSupportedAuthScheme != null && clientSupportedAuthScheme.equals("Neutron-Auth")) {
                 log.debug("Neutron Versions supported by client: " + neutronVersions);
                 log.debug("Authentication Scheme supported by client: " + clientSupportedAuthScheme);
@@ -1050,6 +1060,7 @@
 
     /**
      * Authentication
+     * @return null when authentication successful, otherwise return response
      */
     public HttpServletResponse doAuthenticate(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 
@@ -1066,10 +1077,6 @@
             } else {
                 log.warn("Login failed: " + loginUsername);
                 getXHTMLAuthenticationForm(request, response, realm, "Login failed!");
-/*
-                response.setHeader("WWW-Authenticate", "BASIC realm=\"yanel\"");
-                response.sendError(response.SC_UNAUTHORIZED);
-*/
                 return response;
             }
         }


