1
2
3
4
5
6
7 package org.mule.transport.http.filters;
8
9 import org.mule.api.MuleEvent;
10 import org.mule.api.MuleMessage;
11 import org.mule.api.lifecycle.InitialisationException;
12 import org.mule.api.security.Authentication;
13 import org.mule.api.security.SecurityContext;
14 import org.mule.api.security.SecurityException;
15 import org.mule.api.security.SecurityProviderNotFoundException;
16 import org.mule.api.security.UnauthorisedException;
17 import org.mule.api.security.UnknownAuthenticationTypeException;
18 import org.mule.api.security.UnsupportedAuthenticationSchemeException;
19 import org.mule.config.i18n.CoreMessages;
20 import org.mule.security.AbstractEndpointSecurityFilter;
21 import org.mule.security.DefaultMuleAuthentication;
22 import org.mule.security.MuleCredentials;
23 import org.mule.transport.http.HttpConnector;
24 import org.mule.transport.http.HttpConstants;
25 import org.mule.transport.http.i18n.HttpMessages;
26
27 import org.apache.commons.codec.binary.Base64;
28 import org.apache.commons.logging.Log;
29 import org.apache.commons.logging.LogFactory;
30
31
32
33
34
35 public class HttpBasicAuthenticationFilter extends AbstractEndpointSecurityFilter
36 {
37
38
39
40 protected static final Log logger = LogFactory.getLog(HttpBasicAuthenticationFilter.class);
41
42 private String realm;
43
44 private boolean realmRequired = true;
45
46 public HttpBasicAuthenticationFilter()
47 {
48 super();
49 }
50
51 public HttpBasicAuthenticationFilter(String realm)
52 {
53 this.realm = realm;
54 }
55
56 @Override
57 protected void doInitialise() throws InitialisationException
58 {
59 if (realm == null)
60 {
61 if (isRealmRequired())
62 {
63 throw new InitialisationException(HttpMessages.authRealmMustBeSetOnFilter(), this);
64 }
65 else
66 {
67 logger.warn("There is no security realm set, using default: null");
68 }
69 }
70 }
71
72 public String getRealm()
73 {
74 return realm;
75 }
76
77 public void setRealm(String realm)
78 {
79 this.realm = realm;
80 }
81
82 public boolean isRealmRequired()
83 {
84 return realmRequired;
85 }
86
87 public void setRealmRequired(boolean realmRequired)
88 {
89 this.realmRequired = realmRequired;
90 }
91
92
93
94
95
96
97
98
99 @Override
100 public void authenticateInbound(MuleEvent event)
101 throws SecurityException, SecurityProviderNotFoundException, UnknownAuthenticationTypeException
102 {
103 String header = event.getMessage().getInboundProperty(HttpConstants.HEADER_AUTHORIZATION);
104
105 if (logger.isDebugEnabled())
106 {
107 logger.debug("Authorization header: " + header);
108 }
109
110 if ((header != null) && header.startsWith("Basic "))
111 {
112 String base64Token = header.substring(6);
113 String token = new String(Base64.decodeBase64(base64Token.getBytes()));
114
115 String username = "";
116 String password = "";
117 int delim = token.indexOf(":");
118
119 if (delim != -1)
120 {
121 username = token.substring(0, delim);
122 password = token.substring(delim + 1);
123 }
124
125 Authentication authResult;
126 Authentication authentication = createAuthentication(username, password, event);
127
128 try
129 {
130 authResult = getSecurityManager().authenticate(authentication);
131 }
132 catch (UnauthorisedException e)
133 {
134
135 if (logger.isDebugEnabled())
136 {
137 logger.debug("Authentication request for user: " + username + " failed: " + e.toString());
138 }
139 setUnauthenticated(event);
140 throw new UnauthorisedException(CoreMessages.authFailedForUser(username), e);
141 }
142
143
144 if (logger.isDebugEnabled())
145 {
146 logger.debug("Authentication success: " + authResult.toString());
147 }
148
149 SecurityContext context = getSecurityManager().createSecurityContext(authResult);
150 context.setAuthentication(authResult);
151 event.getSession().setSecurityContext(context);
152 }
153 else if (header == null)
154 {
155 setUnauthenticated(event);
156 throw new UnauthorisedException(event, event.getSession().getSecurityContext(), this);
157 }
158 else
159 {
160 setUnauthenticated(event);
161 throw new UnsupportedAuthenticationSchemeException(
162 HttpMessages.basicFilterCannotHandleHeader(header), event);
163 }
164 }
165
166 protected Authentication createAuthentication(String username, String password, MuleEvent event)
167 {
168 return new DefaultMuleAuthentication(new MuleCredentials(username, password.toCharArray()));
169 }
170
171 protected void setUnauthenticated(MuleEvent event)
172 {
173 String realmHeader = "Basic realm=";
174 if (realm != null)
175 {
176 realmHeader += "\"" + realm + "\"";
177 }
178 MuleMessage msg = event.getMessage();
179 msg.setOutboundProperty(HttpConstants.HEADER_WWW_AUTHENTICATE, realmHeader);
180 msg.setOutboundProperty(HttpConnector.HTTP_STATUS_PROPERTY, HttpConstants.SC_UNAUTHORIZED);
181 }
182
183
184
185
186
187
188
189
190 @Override
191 public void authenticateOutbound(MuleEvent event)
192 throws SecurityException, SecurityProviderNotFoundException
193 {
194 SecurityContext securityContext = event.getSession().getSecurityContext();
195 if (securityContext == null)
196 {
197 if (isAuthenticate())
198 {
199 throw new UnauthorisedException(event, securityContext, this);
200 }
201 else
202 {
203 return;
204 }
205 }
206
207 Authentication auth = securityContext.getAuthentication();
208 if (isAuthenticate())
209 {
210 auth = getSecurityManager().authenticate(auth);
211 if (logger.isDebugEnabled())
212 {
213 logger.debug("Authentication success: " + auth.toString());
214 }
215 }
216
217 StringBuffer header = new StringBuffer(128);
218 header.append("Basic ");
219 String token = auth.getCredentials().toString();
220 header.append(new String(Base64.encodeBase64(token.getBytes())));
221
222 event.getMessage().setOutboundProperty(HttpConstants.HEADER_AUTHORIZATION, header.toString());
223 }
224
225 }