package org.apache.archiva.security;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authorization.AuthorizationException;
import org.apache.archiva.redback.authorization.AuthorizationResult;
import org.apache.archiva.redback.authorization.UnauthorizedException;
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.system.DefaultSecuritySession;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.archiva.redback.users.User;
import org.apache.archiva.redback.users.UserManagerException;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet-side gate in front of Redback's {@link SecuritySystem}.
 * <p>
 * Callers hand in the outcome of HTTP authentication and a security session; this class turns a negative
 * outcome into an {@link AuthenticationException} or {@link UnauthorizedException} and otherwise answers
 * {@code true}. Every decision is delegated to the injected {@link SecuritySystem}; nothing is cached here.
 * <p>
 * Stateless apart from {@code securitySystem}, which the setter can replace (intended for wiring/tests).
 */
@Service( "servletAuthenticator" )
public class ArchivaServletAuthenticator
    implements ServletAuthenticator
{
    private static final Logger LOG = LoggerFactory.getLogger( ArchivaServletAuthenticator.class );

    /**
     * Redback facade used for every authentication/authorization decision; injected, but also settable.
     */
    @Inject
    private SecuritySystem securitySystem;

    /**
     * Checks that the HTTP authentication step did not reject the credentials.
     * <p>
     * Only an explicit negative result is rejected. A {@code null} result is accepted: the method then returns
     * {@code true} without any further check, so callers must ensure a {@code null} result only reaches this
     * method when no credentials were expected; rejecting anonymous access is left to the authorization step.
     *
     * @param request the current request; not consulted here, present for the interface contract
     * @param result  outcome of HTTP authentication, or {@code null} when none was produced
     * @return always {@code true}; a rejection is signalled by the exception instead
     * @throws AuthenticationException if {@code result} is non-null and not authenticated
     * @throws AccountLockedException never raised by this implementation; declared by the interface contract
     * @throws MustChangePasswordException never raised by this implementation; declared by the interface contract
     */
    @Override
    public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result )
        throws AuthenticationException, AccountLockedException, MustChangePasswordException
    {
        if ( result == null || result.isAuthenticated() )
        {
            return true;
        }
        throw new AuthenticationException( "User Credentials Invalid" );
    }

    /**
     * Asks the security system whether {@code securitySession} holds {@code permission} on {@code repositoryId}.
     * <p>
     * A denial that carries an exception is logged with the remote address, permission and repository and then
     * turned into an "access denied" {@link UnauthorizedException}. A denial without an exception is reported as
     * a locked account; this code assumes that is the only exception-less way Redback denies — confirm against
     * the configured {@link SecuritySystem} before relying on that wording.
     *
     * @param request         the current request; only its remote address is used, for the denial log line
     * @param securitySession session established by HTTP authentication
     * @param repositoryId    repository the permission is evaluated against
     * @param permission      Redback permission name being checked
     * @return {@code true} when authorized
     * @throws AuthorizationException propagated from the security system
     * @throws UnauthorizedException  when the permission is not granted
     */
    @Override
    public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
                                 String permission )
        throws AuthorizationException, UnauthorizedException
    {
        // TODO: also check for permission to proxy the resource when MRM-579 is implemented

        AuthorizationResult decision = securitySystem.authorize( securitySession, permission, repositoryId );
        if ( decision.isAuthorized() )
        {
            return true;
        }

        Throwable reason = decision.getException();
        if ( reason == null )
        {
            throw new UnauthorizedException( "User account is locked" );
        }

        // The denial itself is logged; the exception message comes from the security system, not this class.
        LOG.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",permission=" + permission + ",repo="
                      + repositoryId + "] : " + reason.getMessage() );
        throw new UnauthorizedException( "Access denied for repository " + repositoryId );
    }

    /**
     * Authorization check for a principal that has already been authenticated elsewhere; no credentials are
     * verified here.
     * <p>
     * The principal is looked up, rejected if missing or locked, and then wrapped in a session whose
     * {@link AuthenticationResult} is marked authenticated. Because this method vouches for the principal
     * unconditionally, callers must only pass an identity they have verified themselves.
     *
     * @param principal  user name to authorize
     * @param repoId     repository the permission is evaluated against
     * @param permission Redback permission name being checked
     * @return the security system's answer for the synthesized session
     * @throws UnauthorizedException if the user cannot be found, is locked, or a user-manager / authorization
     *                               failure occurs (the original exception is kept as the cause)
     */
    @Override
    public boolean isAuthorized( String principal, String repoId, String permission )
        throws UnauthorizedException
    {
        try
        {
            User account = securitySystem.getUserManager().findUser( principal );
            if ( account == null )
            {
                throw new UnauthorizedException(
                    "The security system had an internal error - please check your system logs" );
            }
            if ( account.isLocked() )
            {
                throw new UnauthorizedException( "User account is locked." );
            }

            // Session that asserts the principal is authenticated; no password check happens here.
            AuthenticationResult assumedAuthentication = new AuthenticationResult( true, principal, null );
            SecuritySession session = new DefaultSecuritySession( assumedAuthentication, account );
            return securitySystem.isAuthorized( session, permission, repoId );
        }
        catch ( UserNotFoundException | AuthorizationException e )
        {
            throw new UnauthorizedException( e.getMessage(), e );
        }
        catch ( UserManagerException e )
        {
            throw new UnauthorizedException( e.getMessage(), e );
        }
    }

    /**
     * @return the security system all decisions are delegated to
     */
    public SecuritySystem getSecuritySystem()
    {
        return securitySystem;
    }

    /**
     * Replaces the injected security system (used for wiring and tests).
     *
     * @param securitySystem the security system to delegate to
     */
    public void setSecuritySystem( SecuritySystem securitySystem )
    {
        this.securitySystem = securitySystem;
    }
}