
Source Code of org.apache.isis.runtimes.dflt.webapp.auth.AuthenticationSessionLookupStrategyDefault

/*
*  Licensed to the Apache Software Foundation (ASF) under one
*  or more contributor license agreements.  See the NOTICE file
*  distributed with this work for additional information
*  regarding copyright ownership.  The ASF licenses this file
*  to you under the Apache License, Version 2.0 (the
*  "License"); you may not use this file except in compliance
*  with the License.  You may obtain a copy of the License at
*
*        http://www.apache.org/licenses/LICENSE-2.0
*
*  Unless required by applicable law or agreed to in writing,
*  software distributed under the License is distributed on an
*  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
*  KIND, either express or implied.  See the License for the
*  specific language governing permissions and limitations
*  under the License.
*/

package org.apache.isis.runtimes.dflt.webapp.auth;

import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.isis.applib.fixtures.LogonFixture;
import org.apache.isis.core.commons.authentication.AuthenticationSession;
import org.apache.isis.core.runtime.authentication.AuthenticationManager;
import org.apache.isis.runtimes.dflt.runtime.authentication.exploration.AuthenticationRequestExploration;
import org.apache.isis.runtimes.dflt.runtime.fixtures.authentication.AuthenticationRequestLogonFixture;
import org.apache.isis.runtimes.dflt.runtime.system.IsisSystem;
import org.apache.isis.runtimes.dflt.runtime.system.context.IsisContext;
import org.apache.isis.runtimes.dflt.webapp.WebAppConstants;

/**
* Returns a valid {@link AuthenticationSession} through a number of mechanisms.
*
* <p>
* Specifically:
* <ul>
* <li>it looks up from the {@link HttpSession} using the value
* {@value WebAppConstants#HTTP_SESSION_AUTHENTICATION_SESSION_KEY}</li>
* <li>failing that, if in exploration mode, then returns an exploration session</li>
* <li>failing that, if a {@link LogonFixture} has been provided and not already used,
* will provide a session for that fixture.  The {@link HttpSession} also stores a flag under the key
* {@value WebAppConstants#HTTP_SESSION_LOGGED_ON_PREVIOUSLY_USING_LOGON_FIXTURE_KEY}
* to track whether this has been done</li>
* </ul>
* <p>
*/
public class AuthenticationSessionLookupStrategyDefault extends AuthenticationSessionLookupStrategyAbstract {

    /**
     * Resolves the {@link AuthenticationSession} for a request.
     *
     * <p>
     * The sources are tried in this order: the session already stored in the
     * {@link HttpSession}, an exploration session (only when the deployment
     * type is exploring), and finally a one-off logon using the system's
     * {@link LogonFixture}.
     *
     * <p>
     * Only the first source depends on something bound earlier for this HTTP
     * session. The exploration and fixture paths build their authentication
     * request from the {@link LogonFixture} alone; nothing from the request is
     * passed to them, so they are gated purely by the deployment type and by
     * whether a fixture is configured.
     *
     * @param servletRequest  request whose HTTP session and servlet context are consulted
     * @param servletResponse not used by this implementation
     * @return the resolved session, or {@code null} if no source produced one
     */
    @Override
    public AuthenticationSession lookup(final ServletRequest servletRequest, final ServletResponse servletResponse) {

        // 1. Reuse the session bound earlier, but only if the authentication
        //    manager still considers it valid.
        final HttpSession session = getHttpSession(servletRequest);
        final AuthenticationSession stored =
            (AuthenticationSession) session.getAttribute(WebAppConstants.HTTP_SESSION_AUTHENTICATION_SESSION_KEY);
        if (stored != null && getAuthenticationManager().isSessionValid(stored)) {
            return stored;
        }
        // NOTE(review): a stored session that fails validation is ignored but
        // left in the HttpSession; it is re-validated on every later lookup.

        // 2. Everything below needs the IsisSystem published in the servlet context.
        final IsisSystem isisSystem =
            (IsisSystem) getServletContext(servletRequest).getAttribute(WebAppConstants.ISIS_SYSTEM_KEY);
        if (isisSystem == null) {
            // not expected to happen...
            return null;
        }
        final LogonFixture fixture = isisSystem.getLogonFixture();

        // 3. Exploration deployments: ask the manager for an exploration session.
        //    NOTE(review): the result is returned without being stored, so this
        //    path runs on every request that has no valid stored session. Confirm
        //    that exploring deployment types are never enabled on exposed systems.
        if (isisSystem.getDeploymentType().isExploring()) {
            final AuthenticationManager explorationManager = getAuthenticationManager();
            final AuthenticationSession explorationSession =
                explorationManager.authenticate(new AuthenticationRequestExploration(fixture));
            if (explorationSession != null) {
                return explorationSession;
            }
        }

        // 4. Logon fixture: used at most once per HTTP session.
        final boolean fixtureAlreadyUsed =
            session.getAttribute(WebAppConstants.HTTP_SESSION_LOGGED_ON_PREVIOUSLY_USING_LOGON_FIXTURE_KEY) != null;
        if (fixture == null || fixtureAlreadyUsed) {
            return null;
        }

        // The flag is recorded before the outcome is known, so a failed fixture
        // logon is not retried for this HTTP session.
        session.setAttribute(WebAppConstants.HTTP_SESSION_LOGGED_ON_PREVIOUSLY_USING_LOGON_FIXTURE_KEY, Boolean.TRUE);
        return getAuthenticationManager().authenticate(new AuthenticationRequestLogonFixture(fixture));
    }

    /**
     * Stores the given {@link AuthenticationSession} in the request's
     * {@link HttpSession} so that later calls to {@code lookup} can find it.
     *
     * <p>
     * NOTE(review): the attribute is set on the existing HTTP session and the
     * session id is not rotated here. If this is called right after a
     * successful login, confirm that the container or an upstream filter
     * issues a fresh session id at that point (session-fixation defence).
     *
     * @param servletRequest  request whose HTTP session receives the attribute
     * @param servletResponse not used by this implementation
     * @param authSession     value to store; passed through unchecked
     */
    @Override
    public void bind(final ServletRequest servletRequest, final ServletResponse servletResponse,
        final AuthenticationSession authSession) {
        getHttpSession(servletRequest)
            .setAttribute(WebAppConstants.HTTP_SESSION_AUTHENTICATION_SESSION_KEY, authSession);
    }

    // //////////////////////////////////////////////////////////
    // Dependencies (from context)
    // //////////////////////////////////////////////////////////

    /**
     * Returns the {@link AuthenticationManager} obtained from {@link IsisContext}.
     * It is fetched on every call rather than cached in a field.
     */
    protected AuthenticationManager getAuthenticationManager() {
        final AuthenticationManager manager = IsisContext.getAuthenticationManager();
        return manager;
    }

}