| /* |
| * Copyright 2013 Laurens Vrijnsen |
| * Copyright 2013 gitblit.com. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */package com.gitblit.servlet; |
| |
| import java.io.IOException; |
| import java.text.MessageFormat; |
| |
| import com.google.inject.Inject; |
| import com.google.inject.Singleton; |
| import javax.servlet.Filter; |
| import javax.servlet.FilterChain; |
| import javax.servlet.FilterConfig; |
| import javax.servlet.ServletException; |
| import javax.servlet.ServletRequest; |
| import javax.servlet.ServletResponse; |
| import javax.servlet.http.HttpServletRequest; |
| import javax.servlet.http.HttpServletResponse; |
| |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import com.gitblit.IStoredSettings; |
| import com.gitblit.Keys; |
| import com.gitblit.manager.IAuthenticationManager; |
| import com.gitblit.models.UserModel; |
| |
| /** |
| * This filter enforces authentication via HTTP Basic Authentication, if the settings indicate so. |
| * It looks at the settings "web.authenticateViewPages" and "web.enforceHttpBasicAuthentication"; if |
| * both are true, any request for which no user can be authenticated is answered with a 401 and an HTTP Basic Authentication challenge header. |
| * |
| * @author Laurens Vrijnsen |
| * |
| */ |
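@Singleton
public class EnforceAuthenticationFilter implements Filter {

    protected final transient Logger logger = LoggerFactory.getLogger(getClass());

    private final IStoredSettings settings;

    private final IAuthenticationManager authenticationManager;

    /**
     * Creates the filter.
     *
     * @param settings              source of the {@code web.authenticateViewPages},
     *                              {@code web.enforceHttpBasicAuthentication} and {@code web.siteName} settings
     * @param authenticationManager resolves the requesting user from the HTTP request
     */
    @Inject
    public EnforceAuthenticationFilter(IStoredSettings settings, IAuthenticationManager authenticationManager) {
        this.settings = settings;
        this.authenticationManager = authenticationManager;
    }

    /** Nothing to initialize: all collaborators arrive through the injected constructor. */
    @Override
    public void init(FilterConfig config) {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates the request and, when enforcement is enabled and no user could be resolved,
     * answers {@code 401 Unauthorized} with a {@code WWW-Authenticate: Basic} challenge instead of
     * invoking the rest of the chain. Enforcement requires both {@code web.authenticateViewPages}
     * and {@code web.enforceHttpBasicAuthentication} to be {@code true}.
     *
     * @param request  the incoming request (cast to {@link HttpServletRequest})
     * @param response the outgoing response (cast to {@link HttpServletResponse})
     * @param chain    the remainder of the filter chain
     * @throws IOException      if sending the error or the chain fails on I/O
     * @throws ServletException if the chain fails
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        // Both settings must be enabled; either one alone does not trigger enforcement.
        boolean mustForceAuth = settings.getBoolean(Keys.web.authenticateViewPages, false)
                && settings.getBoolean(Keys.web.enforceHttpBasicAuthentication, false);

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Authenticate unconditionally, as before: the manager may establish state the
        // downstream chain relies on even when enforcement is off.
        UserModel user = authenticationManager.authenticate(httpRequest);

        if (mustForceAuth && user == null) {
            // Log the request URI; request.toString() only yields the object identity, not the URL.
            logger.debug("EnforceAuthFilter: user not authenticated for URL {}!", httpRequest.getRequestURI());
            String realm = settings.getString(Keys.web.siteName, "");
            httpResponse.setHeader("WWW-Authenticate", basicChallenge(realm));
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated, or enforcement disabled: let the request proceed.
        chain.doFilter(request, response);
    }

    /**
     * Builds the {@code Basic realm="..."} challenge value. The realm is an HTTP quoted-string, so
     * a backslash or double quote in the configured site name is escaped rather than terminating
     * the quoted value early, and CR/LF are dropped because they cannot appear in a header value.
     *
     * @param realm the realm to advertise; {@code null} is treated as empty
     * @return the complete {@code WWW-Authenticate} header value
     */
    static String basicChallenge(String realm) {
        String safe = (realm == null ? "" : realm)
                .replace("\r", "")
                .replace("\n", "")
                .replace("\\", "\\\\")
                .replace("\"", "\\\"");
        return "Basic realm=\"" + safe + "\"";
    }
}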