trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/browser/token/SimpleTokenHandlerSessionHelper.java - chemistry-opencmis - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.chemistry.opencmis.server.impl.browser.token;

 import java.net.URL;
 import java.security.SecureRandom;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;

 public class SimpleTokenHandlerSessionHelper {

     public static final String ATTR_CMIS_USER = "cmis-token.user";
     public static final String ATTR_CMIS_AUTH_TIMESTAMP = "cmis-token.timestamp";
     public static final String ATTR_CMIS_TOKEN = "cmis-token.token";
     public static final String ATTR_CMIS_LOGIN_KEY = "cmis-token.token.loginkey";
     public static final String ATTR_CMIS_FORM_KEY = "cmis-token.formkey";
     public static final String ATTR_CMIS_APP_URL = "cmis-token.appurl";
     public static final String ATTR_CMIS_APP_KEY = "cmis-token.appkey";

     public static final String ATTR_SEPARATOR = "\n";

     public static final String PARAM_KEY = "key";
     public static final String PARAM_TOKEN = "token";
     public static final String PARAM_URL = "url";
     public static final String PARAM_USER = "user";
     public static final String PARAM_PASSWORD = "password";
     public static final String PARAM_TRUSTAPP = "trustapp";

     public static final int APP_ID_BYTES = 10;
     public static final int APP_ID_LENGTH = APP_ID_BYTES * 2;
     public static final int KEY_BYTES = 20;
     public static final int KEY_LENGTH = KEY_BYTES * 2;

     public static String getApplicationIdFromKey(String key) {
         if (key == null || key.length() != APP_ID_LENGTH + KEY_LENGTH) {
             return null;
         }

         return key.substring(0, APP_ID_LENGTH);
     }

     public static String getLoginKey(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return null;
         }

         return (String) hs.getAttribute(ATTR_CMIS_LOGIN_KEY + appId);
     }

     public static void setLoginKey(HttpServletRequest request, String loginKey, String formKey, URL appURL) {
         HttpSession hs = request.getSession();

         String appId = getApplicationIdFromKey(loginKey);

         hs.setAttribute(ATTR_CMIS_LOGIN_KEY + appId, loginKey);
         hs.setAttribute(ATTR_CMIS_FORM_KEY + appId, formKey);
         hs.setAttribute(ATTR_CMIS_APP_URL + appId, appURL);
     }

     public static boolean checkLoginKey(HttpServletRequest request) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return false;
         }

         String key = getKey(request);

         if (key == null) {
             return false;
         }

         String appId = getApplicationIdFromKey(key);
         if (appId == null) {
             return false;
         }

         return key.equals(hs.getAttribute(ATTR_CMIS_LOGIN_KEY + appId));
     }

     public static void removeLoginKey(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return;
         }

         hs.removeAttribute(ATTR_CMIS_LOGIN_KEY + appId);
     }

     public static boolean checkFormKey(HttpServletRequest request) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return false;
         }

         String formKey = getKey(request);

         if (formKey == null) {
             return false;
         }

         String appId = getApplicationIdFromKey(formKey);
         if (appId == null) {
             return false;
         }

         return formKey.equals(hs.getAttribute(ATTR_CMIS_FORM_KEY + appId));
     }

     public static void removeFormKey(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return;
         }

         hs.removeAttribute(ATTR_CMIS_FORM_KEY + appId);
     }

     public static String getUser(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return null;
         }

         return (String) hs.getAttribute(ATTR_CMIS_USER + appId);
     }

     public static void setUser(HttpServletRequest request, String appId, String user) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return;
         }

         hs.setAttribute(ATTR_CMIS_USER + appId, user);
         hs.setAttribute(ATTR_CMIS_AUTH_TIMESTAMP + appId, System.currentTimeMillis());
     }

     public static String getApplicationKey(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return null;
         }

         return (String) hs.getAttribute(ATTR_CMIS_APP_KEY + appId);
     }

     public static void setApplicationKey(HttpServletRequest request, String key) {
         HttpSession hs = request.getSession();

         String appId = getApplicationIdFromKey(key);

         hs.setAttribute(ATTR_CMIS_APP_KEY + appId, key);
     }

     public static boolean checkApplicationKey(HttpServletRequest request) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return false;
         }

         String key = getKey(request);

         if (key == null) {
             return false;
         }

         String appId = getApplicationIdFromKey(key);
         if (appId == null) {
             return false;
         }

         return key.equals(hs.getAttribute(ATTR_CMIS_APP_KEY + appId));
     }

     public static void removeApplicationKey(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return;
         }

         hs.removeAttribute(ATTR_CMIS_APP_KEY + appId);
         hs.removeAttribute(ATTR_CMIS_APP_URL + appId);
         hs.removeAttribute(ATTR_CMIS_USER + appId);
         hs.removeAttribute(ATTR_CMIS_AUTH_TIMESTAMP + appId);
     }

     public static URL getApplicationURL(HttpServletRequest request, String appId) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return null;
         }

         return (URL) hs.getAttribute(ATTR_CMIS_APP_URL + appId);
     }

     /**
      * Retrieves the token from the requests and tests if this token belongs to
      * the current session. If the token is associated with the session, the
      * token will be removed from the session and cannot be reused again.
      *
      * @return <code>true</code> if the request contains a token and this token
      *         belongs to the session, <code>false</code> otherwise
      */
     public static boolean testAndInvalidateToken(HttpServletRequest request) {
         HttpSession hs = request.getSession(false);
         if (hs == null) {
             return false;
         }

         String token = getToken(request);

         if (token == null) {
             return false;
         }

         String tokenKey = ATTR_CMIS_TOKEN + token;

         Long tokenCreationTimestamp = (Long) hs.getAttribute(tokenKey);
         if (tokenCreationTimestamp != null) {
             // if the token exists, remove it
             hs.removeAttribute(tokenKey);

             // PARANOIA: don't accept tokens that are older than 8 hours
             return System.currentTimeMillis() - tokenCreationTimestamp < 8 * 60 * 60 * 1000;
         }

         return false;
     }

     /**
      * Adds a token to the session.
      */
     public static void addToken(HttpServletRequest request, String token) {
         HttpSession hs = request.getSession();

         String tokenKey = ATTR_CMIS_TOKEN + token;

         // set the token and retain creation timestamp
         hs.setAttribute(tokenKey, System.currentTimeMillis());
     }

     /**
      * Gets the key parameter from the request and checks its validity.
      */
     public static String getKey(HttpServletRequest request) {
         String key = request.getParameter(PARAM_KEY);
         return normalizeKey(key);
     }

     /**
      * Gets the domain parameter from the request and checks its validity.
      */
     public static String getToken(HttpServletRequest request) {
         String token = request.getParameter(PARAM_TOKEN);
         return normalizeKey(token);
     }

     public static String normalizeKey(String key) {
         if (key == null) {
             return null;
         }

         key = key.trim();

         if (key.length() != APP_ID_LENGTH + KEY_LENGTH || !key.matches("^[0-9a-f]+$")) {
             return null;
         }

         return key;
     }

     public static String generateAppId() {
         SecureRandom random = new SecureRandom();

         byte[] bytes = new byte[APP_ID_BYTES];
         random.nextBytes(bytes);

         StringBuilder sb = new StringBuilder();

         for (byte b : bytes) {
             String s = Integer.toHexString(b & 0xff);
             if (s.length() < 2) {
                 sb.append('0');
             }
             sb.append(s);
         }

         return sb.toString();
     }

     public static String generateKey(String appId) {
         SecureRandom random = new SecureRandom();

         byte[] bytes = new byte[KEY_BYTES];
         random.nextBytes(bytes);

         StringBuilder sb = new StringBuilder(appId);

         for (byte b : bytes) {
             String s = Integer.toHexString(b & 0xff);
             if (s.length() < 2) {
                 sb.append('0');
             }
             sb.append(s);
         }

         return sb.toString();
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.chemistry.opencmis.server.impl.browser.token;

	import java.net.URL;
	import java.security.SecureRandom;

	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpSession;

	public class SimpleTokenHandlerSessionHelper {

	public static final String ATTR_CMIS_USER = "cmis-token.user";
	public static final String ATTR_CMIS_AUTH_TIMESTAMP = "cmis-token.timestamp";
	public static final String ATTR_CMIS_TOKEN = "cmis-token.token";
	public static final String ATTR_CMIS_LOGIN_KEY = "cmis-token.token.loginkey";
	public static final String ATTR_CMIS_FORM_KEY = "cmis-token.formkey";
	public static final String ATTR_CMIS_APP_URL = "cmis-token.appurl";
	public static final String ATTR_CMIS_APP_KEY = "cmis-token.appkey";

	public static final String ATTR_SEPARATOR = "\n";

	public static final String PARAM_KEY = "key";
	public static final String PARAM_TOKEN = "token";
	public static final String PARAM_URL = "url";
	public static final String PARAM_USER = "user";
	public static final String PARAM_PASSWORD = "password";
	public static final String PARAM_TRUSTAPP = "trustapp";

	public static final int APP_ID_BYTES = 10;
	public static final int APP_ID_LENGTH = APP_ID_BYTES * 2;
	public static final int KEY_BYTES = 20;
	public static final int KEY_LENGTH = KEY_BYTES * 2;

	public static String getApplicationIdFromKey(String key) {
	if (key == null \|\| key.length() != APP_ID_LENGTH + KEY_LENGTH) {
	return null;
	}

	return key.substring(0, APP_ID_LENGTH);
	}

	public static String getLoginKey(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return null;
	}

	return (String) hs.getAttribute(ATTR_CMIS_LOGIN_KEY + appId);
	}

	public static void setLoginKey(HttpServletRequest request, String loginKey, String formKey, URL appURL) {
	HttpSession hs = request.getSession();

	String appId = getApplicationIdFromKey(loginKey);

	hs.setAttribute(ATTR_CMIS_LOGIN_KEY + appId, loginKey);
	hs.setAttribute(ATTR_CMIS_FORM_KEY + appId, formKey);
	hs.setAttribute(ATTR_CMIS_APP_URL + appId, appURL);
	}

	public static boolean checkLoginKey(HttpServletRequest request) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return false;
	}

	String key = getKey(request);

	if (key == null) {
	return false;
	}

	String appId = getApplicationIdFromKey(key);
	if (appId == null) {
	return false;
	}

	return key.equals(hs.getAttribute(ATTR_CMIS_LOGIN_KEY + appId));
	}

	public static void removeLoginKey(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return;
	}

	hs.removeAttribute(ATTR_CMIS_LOGIN_KEY + appId);
	}

	public static boolean checkFormKey(HttpServletRequest request) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return false;
	}

	String formKey = getKey(request);

	if (formKey == null) {
	return false;
	}

	String appId = getApplicationIdFromKey(formKey);
	if (appId == null) {
	return false;
	}

	return formKey.equals(hs.getAttribute(ATTR_CMIS_FORM_KEY + appId));
	}

	public static void removeFormKey(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return;
	}

	hs.removeAttribute(ATTR_CMIS_FORM_KEY + appId);
	}

	public static String getUser(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return null;
	}

	return (String) hs.getAttribute(ATTR_CMIS_USER + appId);
	}

	public static void setUser(HttpServletRequest request, String appId, String user) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return;
	}

	hs.setAttribute(ATTR_CMIS_USER + appId, user);
	hs.setAttribute(ATTR_CMIS_AUTH_TIMESTAMP + appId, System.currentTimeMillis());
	}

	public static String getApplicationKey(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return null;
	}

	return (String) hs.getAttribute(ATTR_CMIS_APP_KEY + appId);
	}

	public static void setApplicationKey(HttpServletRequest request, String key) {
	HttpSession hs = request.getSession();

	String appId = getApplicationIdFromKey(key);

	hs.setAttribute(ATTR_CMIS_APP_KEY + appId, key);
	}

	public static boolean checkApplicationKey(HttpServletRequest request) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return false;
	}

	String key = getKey(request);

	if (key == null) {
	return false;
	}

	String appId = getApplicationIdFromKey(key);
	if (appId == null) {
	return false;
	}

	return key.equals(hs.getAttribute(ATTR_CMIS_APP_KEY + appId));
	}

	public static void removeApplicationKey(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return;
	}

	hs.removeAttribute(ATTR_CMIS_APP_KEY + appId);
	hs.removeAttribute(ATTR_CMIS_APP_URL + appId);
	hs.removeAttribute(ATTR_CMIS_USER + appId);
	hs.removeAttribute(ATTR_CMIS_AUTH_TIMESTAMP + appId);
	}

	public static URL getApplicationURL(HttpServletRequest request, String appId) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return null;
	}

	return (URL) hs.getAttribute(ATTR_CMIS_APP_URL + appId);
	}

	/**
	* Retrieves the token from the requests and tests if this token belongs to
	* the current session. If the token is associated with the session, the
	* token will be removed from the session and cannot be reused again.
	*
	* @return <code>true</code> if the request contains a token and this token
	* belongs to the session, <code>false</code> otherwise
	*/
	public static boolean testAndInvalidateToken(HttpServletRequest request) {
	HttpSession hs = request.getSession(false);
	if (hs == null) {
	return false;
	}

	String token = getToken(request);

	if (token == null) {
	return false;
	}

	String tokenKey = ATTR_CMIS_TOKEN + token;

	Long tokenCreationTimestamp = (Long) hs.getAttribute(tokenKey);
	if (tokenCreationTimestamp != null) {
	// if the token exists, remove it
	hs.removeAttribute(tokenKey);

	// PARANOIA: don't accept tokens that are older than 8 hours
	return System.currentTimeMillis() - tokenCreationTimestamp < 8 * 60 * 60 * 1000;
	}

	return false;
	}

	/**
	* Adds a token to the session.
	*/
	public static void addToken(HttpServletRequest request, String token) {
	HttpSession hs = request.getSession();

	String tokenKey = ATTR_CMIS_TOKEN + token;

	// set the token and retain creation timestamp
	hs.setAttribute(tokenKey, System.currentTimeMillis());
	}

	/**
	* Gets the key parameter from the request and checks its validity.
	*/
	public static String getKey(HttpServletRequest request) {
	String key = request.getParameter(PARAM_KEY);
	return normalizeKey(key);
	}

	/**
	* Gets the domain parameter from the request and checks its validity.
	*/
	public static String getToken(HttpServletRequest request) {
	String token = request.getParameter(PARAM_TOKEN);
	return normalizeKey(token);
	}

	public static String normalizeKey(String key) {
	if (key == null) {
	return null;
	}

	key = key.trim();

	if (key.length() != APP_ID_LENGTH + KEY_LENGTH \|\| !key.matches("^[0-9a-f]+$")) {
	return null;
	}

	return key;
	}

	public static String generateAppId() {
	SecureRandom random = new SecureRandom();

	byte[] bytes = new byte[APP_ID_BYTES];
	random.nextBytes(bytes);

	StringBuilder sb = new StringBuilder();

	for (byte b : bytes) {
	String s = Integer.toHexString(b & 0xff);
	if (s.length() < 2) {
	sb.append('0');
	}
	sb.append(s);
	}

	return sb.toString();
	}

	public static String generateKey(String appId) {
	SecureRandom random = new SecureRandom();

	byte[] bytes = new byte[KEY_BYTES];
	random.nextBytes(bytes);

	StringBuilder sb = new StringBuilder(appId);

	for (byte b : bytes) {
	String s = Integer.toHexString(b & 0xff);
	if (s.length() < 2) {
	sb.append('0');
	}
	sb.append(s);
	}

	return sb.toString();
	}
	}