mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-14 17:58:59 +00:00
ad267ea682
127562 jkaabimofrad: Merged API-STRIKES-BACK (5.2.0) to HEAD (5.2)
125748 jkaabimofrad: RA-933, RA-934, RA-972: Modified the logout and validate ticket API to support only "-me-" (dummy parameter) in the URL path rather than ticket id. Also, renamed the JSON attributes.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@127656 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
193 lines
6.8 KiB
Java
193 lines
6.8 KiB
Java
/*
|
|
* Copyright (C) 2005-2016 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package org.alfresco.rest.api.impl;
|
|
|
|
import org.alfresco.repo.security.authentication.AuthenticationException;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.authentication.Authorization;
|
|
import org.alfresco.repo.security.authentication.TicketComponent;
|
|
import org.alfresco.rest.api.Authentications;
|
|
import org.alfresco.rest.api.People;
|
|
import org.alfresco.rest.api.model.LoginTicket;
|
|
import org.alfresco.rest.api.model.LoginTicketResponse;
|
|
import org.alfresco.rest.framework.core.exceptions.InvalidArgumentException;
|
|
import org.alfresco.rest.framework.core.exceptions.PermissionDeniedException;
|
|
import org.alfresco.rest.framework.resource.parameters.Parameters;
|
|
import org.alfresco.rest.framework.webscripts.WithResponse;
|
|
import org.alfresco.service.cmr.security.AuthenticationService;
|
|
import org.alfresco.util.PropertyCheck;
|
|
import org.apache.commons.lang.StringUtils;
|
|
import org.springframework.extensions.surf.util.Base64;
|
|
import org.springframework.extensions.webscripts.Status;
|
|
|
|
/**
|
|
* @author Jamal Kaabi-Mofrad
|
|
*/
|
|
public class AuthenticationsImpl implements Authentications
|
|
{
|
|
private static final String AUTHORIZATION_HEADER = "Authorization";
|
|
private static final String PARAM_ALF_TICKET = "alf_ticket";
|
|
|
|
private AuthenticationService authenticationService;
|
|
private TicketComponent ticketComponent;
|
|
|
|
public void setAuthenticationService(AuthenticationService authenticationService)
|
|
{
|
|
this.authenticationService = authenticationService;
|
|
}
|
|
|
|
public void setTicketComponent(TicketComponent ticketComponent)
|
|
{
|
|
this.ticketComponent = ticketComponent;
|
|
}
|
|
|
|
public void init()
|
|
{
|
|
PropertyCheck.mandatory(this, "authenticationService", authenticationService);
|
|
PropertyCheck.mandatory(this, "ticketComponent", ticketComponent);
|
|
}
|
|
|
|
@Override
|
|
public LoginTicketResponse createTicket(LoginTicket loginRequest, Parameters parameters)
|
|
{
|
|
validateLoginRequest(loginRequest);
|
|
try
|
|
{
|
|
// get ticket
|
|
authenticationService.authenticate(loginRequest.getUserId(), loginRequest.getPassword().toCharArray());
|
|
|
|
LoginTicketResponse response = new LoginTicketResponse();
|
|
response.setUserId(loginRequest.getUserId());
|
|
response.setId(authenticationService.getCurrentTicket());
|
|
|
|
return response;
|
|
}
|
|
catch (AuthenticationException e)
|
|
{
|
|
throw new PermissionDeniedException("Login failed");
|
|
}
|
|
finally
|
|
{
|
|
AuthenticationUtil.clearCurrentSecurityContext();
|
|
}
|
|
}
|
|
|
|
@Override
|
|
public LoginTicketResponse validateTicket(String me, Parameters parameters, WithResponse withResponse)
|
|
{
|
|
if (!People.DEFAULT_USER.equals(me))
|
|
{
|
|
throw new InvalidArgumentException("Invalid parameter: " + me);
|
|
}
|
|
|
|
final String ticket = getTicket(parameters);
|
|
try
|
|
{
|
|
final String ticketUser = ticketComponent.validateTicket(ticket);
|
|
|
|
final String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
|
|
// do not go any further if tickets are different
|
|
// or the user is not fully authenticated
|
|
if (currentUser == null || !currentUser.equals(ticketUser))
|
|
{
|
|
withResponse.setStatus(Status.STATUS_NOT_FOUND);
|
|
}
|
|
}
|
|
catch (AuthenticationException e)
|
|
{
|
|
withResponse.setStatus(Status.STATUS_NOT_FOUND);
|
|
}
|
|
LoginTicketResponse response = new LoginTicketResponse();
|
|
response.setId(ticket);
|
|
return response;
|
|
}
|
|
|
|
@Override
|
|
public void deleteTicket(String me, Parameters parameters, WithResponse withResponse)
|
|
{
|
|
if (!People.DEFAULT_USER.equals(me))
|
|
{
|
|
throw new InvalidArgumentException("Invalid parameter: " + me);
|
|
}
|
|
|
|
final String ticket = getTicket(parameters);
|
|
try
|
|
{
|
|
final String ticketUser = ticketComponent.validateTicket(ticket);
|
|
|
|
final String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
|
|
// do not go any further if tickets are different
|
|
// or the user is not fully authenticated
|
|
if (currentUser == null || !currentUser.equals(ticketUser))
|
|
{
|
|
withResponse.setStatus(Status.STATUS_NOT_FOUND);
|
|
}
|
|
else
|
|
{
|
|
// delete the ticket
|
|
authenticationService.invalidateTicket(ticket);
|
|
}
|
|
}
|
|
catch (AuthenticationException e)
|
|
{
|
|
withResponse.setStatus(Status.STATUS_NOT_FOUND);
|
|
}
|
|
}
|
|
|
|
protected void validateLoginRequest(LoginTicket loginTicket)
|
|
{
|
|
if (loginTicket == null || loginTicket.getUserId() == null || loginTicket.getPassword() == null)
|
|
{
|
|
throw new InvalidArgumentException("Invalid login details.");
|
|
}
|
|
}
|
|
|
|
protected String getTicket(Parameters parameters)
|
|
{
|
|
// First check the alf_ticket in the URL
|
|
final String alfTicket = parameters.getParameter(PARAM_ALF_TICKET);
|
|
if (StringUtils.isNotEmpty(alfTicket))
|
|
{
|
|
return alfTicket;
|
|
}
|
|
|
|
// Check the Authorization header
|
|
final String authorization = parameters.getRequest().getHeader(AUTHORIZATION_HEADER);
|
|
if (StringUtils.isEmpty(authorization))
|
|
{
|
|
throw new InvalidArgumentException("Authorization header is required.");
|
|
}
|
|
|
|
final String[] authorizationParts = authorization.split(" ");
|
|
if (!authorizationParts[0].equalsIgnoreCase("basic"))
|
|
{
|
|
throw new InvalidArgumentException("Authorization '" + authorizationParts[0] + "' not supported.");
|
|
}
|
|
|
|
final String decodedAuthorisation = new String(Base64.decode(authorizationParts[1]));
|
|
Authorization authObj = new Authorization(decodedAuthorisation);
|
|
if (!authObj.isTicket())
|
|
{
|
|
throw new InvalidArgumentException("Ticket base authentication required.");
|
|
}
|
|
return authObj.getTicket();
|
|
}
|
|
}
|