rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJersey.java - brooklyn-server - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.brooklyn.rest.filter;

 import java.io.IOException;
 import java.util.Set;
 import java.util.stream.Collectors;

 import javax.annotation.Priority;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.ext.ContextResolver;
 import javax.ws.rs.ext.Provider;

 import com.google.common.collect.ImmutableSet;
 import org.apache.brooklyn.api.mgmt.ManagementContext;
 import org.apache.brooklyn.rest.security.provider.SecurityProvider;
 import org.apache.brooklyn.rest.security.provider.SecurityProvider.SecurityProviderDeniedAuthentication;
 import org.apache.brooklyn.util.text.Strings;
 import org.eclipse.jetty.http.HttpHeader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 /** See {@link BrooklynSecurityProviderFilterHelper} */
 @Provider
 @Priority(100)
 public class BrooklynSecurityProviderFilterJersey implements ContainerRequestFilter {

     private static final Logger log = LoggerFactory.getLogger(BrooklynSecurityProviderFilterJersey.class);
     public static final String LOGIN_PAGE_HEADER = "X_BROOKLYN_LOGIN_PAGE";

     private final Set<String> headersToForward = ImmutableSet.of(
             HttpHeaders.WWW_AUTHENTICATE, // defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource
             SecurityProvider.UNAUTHORIZED_MESSAGE_HEADER // helper message from the security provider
             );

     @Context
     HttpServletRequest webRequest;

     @Context
     private ContextResolver<ManagementContext> mgmtC;

     @SuppressWarnings("resource")
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
         log.trace("BrooklynSecurityProviderFilterJersey.filter {}", requestContext);
         ManagementContext mgmt = mgmtC.getContext(ManagementContext.class);
         try {
             new BrooklynSecurityProviderFilterHelper().run(webRequest, mgmt);
         } catch (SecurityProviderDeniedAuthentication e) {
             Response rin = e.getResponse();
             if (rin==null) rin = Response.status(Status.UNAUTHORIZED).build();

             if (rin.getStatus()==Status.FOUND.getStatusCode()) {
                 String location = rin.getHeaderString(HttpHeader.LOCATION.asString());
                 if (location!=null) {
                     log.trace("Redirect to {} for authentication",location);
                     final UriBuilder uriBuilder = UriBuilder.fromPath(location);
                     rin = Response.temporaryRedirect(uriBuilder.build()).entity("Authentication is required at "+location).build();
                 } else {
                     log.trace("Unauthorized");
                     rin = Response.status(Status.UNAUTHORIZED).entity("Authentication is required").build();
                 }
             }
             if (rin.getStatus()==Status.UNAUTHORIZED.getStatusCode() &&
                     Strings.isNonBlank(mgmt.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM))) {
                 rin = Response.status(Status.UNAUTHORIZED).entity("Authentication is required").header(LOGIN_PAGE_HEADER, mgmt.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM)).build();
             }
             // adding headers in `headersToForward` if they are present in the original response
             MultivaluedMap<String, Object> responseHeaders = e.getResponse().getHeaders();
             if(responseHeaders != null && !responseHeaders.isEmpty()){
                 for(String headerKey: headersToForward) {
                     if(responseHeaders.containsKey(headerKey)) {
                         rin = Response.fromResponse(rin).header(headerKey, responseHeaders.get(headerKey).stream().map(Object::toString).collect(Collectors.joining(", "))).build();
                     }
                 };
             }
             requestContext.abortWith(rin);
         }
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.brooklyn.rest.filter;

	import java.io.IOException;
	import java.util.Set;
	import java.util.stream.Collectors;

	import javax.annotation.Priority;
	import javax.servlet.http.HttpServletRequest;
	import javax.ws.rs.container.ContainerRequestContext;
	import javax.ws.rs.container.ContainerRequestFilter;
	import javax.ws.rs.core.Context;
	import javax.ws.rs.core.HttpHeaders;
	import javax.ws.rs.core.MultivaluedMap;
	import javax.ws.rs.core.Response;
	import javax.ws.rs.core.Response.Status;
	import javax.ws.rs.core.UriBuilder;
	import javax.ws.rs.ext.ContextResolver;
	import javax.ws.rs.ext.Provider;

	import com.google.common.collect.ImmutableSet;
	import org.apache.brooklyn.api.mgmt.ManagementContext;
	import org.apache.brooklyn.rest.security.provider.SecurityProvider;
	import org.apache.brooklyn.rest.security.provider.SecurityProvider.SecurityProviderDeniedAuthentication;
	import org.apache.brooklyn.util.text.Strings;
	import org.eclipse.jetty.http.HttpHeader;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	/** See {@link BrooklynSecurityProviderFilterHelper} */
	@Provider
	@Priority(100)
	public class BrooklynSecurityProviderFilterJersey implements ContainerRequestFilter {

	private static final Logger log = LoggerFactory.getLogger(BrooklynSecurityProviderFilterJersey.class);
	public static final String LOGIN_PAGE_HEADER = "X_BROOKLYN_LOGIN_PAGE";

	private final Set<String> headersToForward = ImmutableSet.of(
	HttpHeaders.WWW_AUTHENTICATE, // defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource
	SecurityProvider.UNAUTHORIZED_MESSAGE_HEADER // helper message from the security provider
	);

	@Context
	HttpServletRequest webRequest;

	@Context
	private ContextResolver<ManagementContext> mgmtC;

	@SuppressWarnings("resource")
	@Override
	public void filter(ContainerRequestContext requestContext) throws IOException {
	log.trace("BrooklynSecurityProviderFilterJersey.filter {}", requestContext);
	ManagementContext mgmt = mgmtC.getContext(ManagementContext.class);
	try {
	new BrooklynSecurityProviderFilterHelper().run(webRequest, mgmt);
	} catch (SecurityProviderDeniedAuthentication e) {
	Response rin = e.getResponse();
	if (rin==null) rin = Response.status(Status.UNAUTHORIZED).build();

	if (rin.getStatus()==Status.FOUND.getStatusCode()) {
	String location = rin.getHeaderString(HttpHeader.LOCATION.asString());
	if (location!=null) {
	log.trace("Redirect to {} for authentication",location);
	final UriBuilder uriBuilder = UriBuilder.fromPath(location);
	rin = Response.temporaryRedirect(uriBuilder.build()).entity("Authentication is required at "+location).build();
	} else {
	log.trace("Unauthorized");
	rin = Response.status(Status.UNAUTHORIZED).entity("Authentication is required").build();
	}
	}
	if (rin.getStatus()==Status.UNAUTHORIZED.getStatusCode() &&
	Strings.isNonBlank(mgmt.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM))) {
	rin = Response.status(Status.UNAUTHORIZED).entity("Authentication is required").header(LOGIN_PAGE_HEADER, mgmt.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM)).build();
	}
	// adding headers in `headersToForward` if they are present in the original response
	MultivaluedMap<String, Object> responseHeaders = e.getResponse().getHeaders();
	if(responseHeaders != null && !responseHeaders.isEmpty()){
	for(String headerKey: headersToForward) {
	if(responseHeaders.containsKey(headerKey)) {
	rin = Response.fromResponse(rin).header(headerKey, responseHeaders.get(headerKey).stream().map(Object::toString).collect(Collectors.joining(", "))).build();
	}
	};
	}
	requestContext.abortWith(rin);
	}
	}

	}