/*
* Weblounge: Web Content Management System
* Copyright (c) 2011 The Weblounge Team
* http://weblounge.o2it.ch
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program; if not, write to the Free Software Foundation
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package ch.entwine.weblounge.kernel.security;
import ch.entwine.weblounge.common.impl.security.Guest;
import ch.entwine.weblounge.common.impl.security.RoleImpl;
import ch.entwine.weblounge.common.impl.security.SystemRole;
import ch.entwine.weblounge.common.impl.security.UserImpl;
import ch.entwine.weblounge.common.security.Role;
import ch.entwine.weblounge.common.security.Security;
import ch.entwine.weblounge.common.security.SecurityService;
import ch.entwine.weblounge.common.security.User;
import ch.entwine.weblounge.common.site.Site;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import java.io.IOException;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* Filter that for every request will set the Site on the security service.
*/
public class UserContextFilter implements Filter {
/** The logger */
private static final Logger logger = LoggerFactory.getLogger(UserContextFilter.class);
/** The security service */
protected SecurityService securityService = null;
/**
* Creates a new weblounge security filter, which is populating the required
* fields for the current request in the security service.
*
* @param securityService
* the security service
*/
public UserContextFilter(SecurityService securityService) {
this.securityService = securityService;
}
/**
* {@inheritDoc}
*
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
public void init(FilterConfig filterConfig) throws ServletException {
// Is not being called
}
/**
* {@inheritDoc}
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
* javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// Make sure we have a site
Site site = securityService.getSite();
if (site == null)
throw new IllegalStateException("Site context is not available at user lookup");
User user = null;
// Extract the user from the request
if (request instanceof HttpServletRequest) {
HttpServletRequest httpRequest = (HttpServletRequest) request;
user = getUser(site);
if (user != null)
logger.debug("Processing {} as user '{}'", httpRequest.getPathInfo(), site.getIdentifier());
else
logger.debug("No user found for request to {}", httpRequest.getPathInfo());
}
// Set the site and the user on the request
securityService.setUser(user);
chain.doFilter(request, response);
// Make sure the thread is not associated with the site or the user anymore
securityService.setUser(null);
}
/**
* {@inheritDoc}
*
* @see javax.servlet.Filter#destroy()
*/
public void destroy() {
// Nothing to do
}
/**
* Loads the user from the given site.
*
* @param site
* the site
* @return the user
*/
protected User getUser(Site site) {
logger.trace("Looking up user from spring security context");
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
User user = null;
Set<Role> roles = new HashSet<Role>();
if (!securityService.isEnabled()) {
user = new UserImpl(Security.ADMIN_USER, Security.SYSTEM_CONTEXT, Security.ADMIN_NAME);
roles.add(SystemRole.SYSTEMADMIN);
roles.add(getLocalRole(site, SystemRole.SYSTEMADMIN));
} else if (auth == null) {
logger.debug("No spring security context available, setting current user to anonymous");
String realm = site != null ? site.getIdentifier() : Security.SYSTEM_CONTEXT;
user = new UserImpl(Security.ANONYMOUS_USER, realm, Security.ANONYMOUS_NAME);
roles.add(SystemRole.GUEST);
roles.add(getLocalRole(site, SystemRole.GUEST));
} else {
Object principal = auth.getPrincipal();
if (principal == null) {
logger.warn("No principal found in spring security context, setting current user to anonymous");
user = new Guest(site.getIdentifier());
roles.add(getLocalRole(site, SystemRole.GUEST));
} else if (principal instanceof SpringSecurityUser) {
user = ((SpringSecurityUser) principal).getUser();
logger.debug("Principal was identified as '{}'", user.getLogin());
} else if (principal instanceof UserDetails) {
UserDetails userDetails = (UserDetails) principal;
user = new UserImpl(userDetails.getUsername());
logger.debug("Principal was identified as '{}'", user.getLogin());
Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
if (authorities != null && authorities.size() > 0) {
for (GrantedAuthority ga : authorities) {
logger.debug("Principal '{}' gained role '{}'", user.getLogin(), ga.getAuthority());
roles.add(new RoleImpl(ga.getAuthority()));
}
}
} else if (Security.ANONYMOUS_USER.equals(principal)) {
user = new Guest(site.getIdentifier());
roles.add(getLocalRole(site, SystemRole.GUEST));
} else {
logger.warn("Principal was not compatible with spring security, setting current user to anonymous");
user = new Guest(site.getIdentifier());
roles.add(getLocalRole(site, SystemRole.GUEST));
}
}
for (Role role : roles) {
user.addPublicCredentials(role);
}
return user;
}
/**
* Returns the local role for the given system role or the system role itself,
* if no local role was defined.
*
* @param site
* the site
* @param role
* the system role
* @return the local role
*/
protected Role getLocalRole(Site site, Role role) {
String localRole = site.getLocalRole(role.getIdentifier());
if (StringUtils.isNotBlank(localRole))
return new RoleImpl(site.getIdentifier(), localRole);
return role;
}
}