src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/SlingWebConsoleSecurityProvider2.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.sling.extensions.webconsolesecurityprovider.internal;

import java.util.Iterator;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.auth.core.AuthenticationSupport;

/**
 * The <code>SlingWebConsoleSecurityProvider</code> is security provider for the
 * Apache Felix Web Console which validates the user name and password by loging
 * into the repository and the checking whether the user is allowed access.
 * Access granted by the {@link #authenticate(String, String)} method applies to
 * all of the Web Console since the {@link #authorize(Object, String)} method
 * always returns <code>true</code>.
 * <p>
 * This security provider requires a JCR Repository to operate. Therefore it is
 * only registered as a security provider service once such a JCR Repository is
 * available.
 */
public class SlingWebConsoleSecurityProvider2
    extends AbstractWebConsoleSecurityProvider
    implements WebConsoleSecurityProvider2 {

    private final AuthenticationSupport authentiationSupport;

    private final Authenticator authenticator;

    public SlingWebConsoleSecurityProvider2(final Object support, final Object authenticator) {
        this.authentiationSupport = (AuthenticationSupport)support;
        this.authenticator = (Authenticator)authenticator;
    }

    /**
     * @see org.apache.felix.webconsole.WebConsoleSecurityProvider2#authenticate(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
     */
    public boolean authenticate(final HttpServletRequest request,
            final HttpServletResponse response) {
        if ( this.authentiationSupport.handleSecurity(request, response) ) {
            // get ResourceResolver (set by AuthenticationSupport)
            Object resolverObject = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
            final ResourceResolver resolver = (resolverObject instanceof ResourceResolver)
                    ? (ResourceResolver) resolverObject
                    : null;
            if ( resolver != null ) {
                final Session session = resolver.adaptTo(Session.class);
                if ( session != null ) {
                    try {
                        final User u = this.authenticate(session);
                        if ( u != null ) {
                            request.setAttribute(USER_ATTRIBUTE, u);
                            return true;
                        }
                    } catch (final Exception re) {
                        logger.info("authenticate: Generic problem trying grant User "
                            + " access to the Web Console", re);
                    }
                }
            }

            this.authenticator.login(request, response);
        }
        return false;
    }

    public User authenticate(String userName, String password) {
        return null; // this method is never invoked
    }

    private User authenticate(final Session session) throws RepositoryException {
        String userId = session.getUserID();
        if (session instanceof JackrabbitSession) {
            UserManager umgr = ((JackrabbitSession) session).getUserManager();
            Authorizable a = umgr.getAuthorizable(userId);
            if (a instanceof User) {

                // check users
                if (users.contains(userId)) {
                    return (User)a;
                }

                // check groups
                @SuppressWarnings("unchecked")
                Iterator<Group> gi = a.memberOf();
                while (gi.hasNext()) {
                    if (groups.contains(gi.next().getID())) {
                        return (User)a;
                    }
                }

                logger.info(
                    "authenticate: User {} is denied Web Console access",
                    userId);
            } else {
                logger.error(
                    "authenticate: Expected user ID {} to refer to a user",
                    userId);
            }
        } else {
            logger.info(
                "authenticate: Jackrabbit Session required to grant access to the Web Console for {}; got {}",
                userId, session.getClass());
        }
        return null;
    }

    /**
     * All users authenticated with the repository and being a member of the
     * authorized groups are granted access for all roles in the Web Console.
     */
    public boolean authorize(Object user, String role) {
        logger.debug("authorize: Grant user {} access for role {}", user, role);
        return true;
    }
}