1 package org.apache.archiva.web.xmlrpc.security;
\r
4 * Licensed to the Apache Software Foundation (ASF) under one
\r
5 * or more contributor license agreements. See the NOTICE file
\r
6 * distributed with this work for additional information
\r
7 * regarding copyright ownership. The ASF licenses this file
\r
8 * to you under the Apache License, Version 2.0 (the
\r
9 * "License"); you may not use this file except in compliance
\r
10 * with the License. You may obtain a copy of the License at
\r
12 * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * Unless required by applicable law or agreed to in writing,
\r
15 * software distributed under the License is distributed on an
\r
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
\r
17 * KIND, either express or implied. See the License for the
\r
18 * specific language governing permissions and limitations
\r
19 * under the License.
\r
22 import java.util.List;
\r
24 import org.apache.maven.archiva.security.ArchivaRoleConstants;
\r
25 import org.apache.maven.archiva.security.ArchivaSecurityException;
\r
26 import org.apache.maven.archiva.security.UserRepositories;
\r
27 import org.apache.xmlrpc.XmlRpcException;
\r
28 import org.apache.xmlrpc.XmlRpcRequest;
\r
29 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
\r
30 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping.AuthenticationHandler;
\r
31 import org.codehaus.plexus.redback.authentication.AuthenticationException;
\r
32 import org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource;
\r
33 import org.codehaus.plexus.redback.authorization.AuthorizationException;
\r
34 import org.codehaus.plexus.redback.authorization.AuthorizationResult;
\r
35 import org.codehaus.plexus.redback.policy.AccountLockedException;
\r
36 import org.codehaus.plexus.redback.system.SecuritySession;
\r
37 import org.codehaus.plexus.redback.system.SecuritySystem;
\r
38 import org.codehaus.plexus.redback.users.UserNotFoundException;
\r
41 * XmlRpcAuthenticator
\r
43 * Custom authentication and authorization handler for xmlrpc requests.
\r
47 public class XmlRpcAuthenticator
\r
48 implements AuthenticationHandler
\r
// Redback entry point for both authentication (credentials -> session) and
// authorization (session + operation -> result).
private final SecuritySystem securitySystem;

// Resolves which repositories a given user is allowed to observe; only consulted
// for the "repository access" group of service methods.
private UserRepositories userRepositories;

// Username of the most recently authenticated request, exposed via getActiveUser().
// NOTE(review): this is per-instance, not per-request. If a single
// XmlRpcAuthenticator is shared by concurrent XML-RPC requests (the usual way an
// AuthenticationHandler is registered), one request can overwrite it while another
// is still in flight — confirm the registration before trusting getActiveUser().
private String username;
\r
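/**
 * Creates an authenticator backed by the given Redback security system and
 * Archiva user/repository lookup.
 *
 * @param securitySystem   authenticates HTTP Basic credentials and authorizes operations
 * @param userRepositories resolves the repositories a user may observe
 * @throws IllegalArgumentException if either collaborator is null. Without this
 *         check the problem would only surface as a NullPointerException inside
 *         the request handler, long after wiring; failing here is clearer.
 */
public XmlRpcAuthenticator( SecuritySystem securitySystem, UserRepositories userRepositories )
{
    if ( securitySystem == null )
    {
        throw new IllegalArgumentException( "securitySystem must not be null" );
    }
    if ( userRepositories == null )
    {
        throw new IllegalArgumentException( "userRepositories must not be null" );
    }

    this.securitySystem = securitySystem;
    this.userRepositories = userRepositories;
}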
\r
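/**
 * AuthenticationHandler callback: authenticates the HTTP Basic credentials on the
 * request and then authorizes the requested service method for that user.
 *
 * @param pRequest the incoming XML-RPC request; must have been received over HTTP
 * @return true if the caller is allowed to invoke the requested method
 * @throws XmlRpcException with code 401 when credentials are missing or rejected,
 *         or when the authorization lookup fails; without a code when the request
 *         did not arrive over HTTP (no Basic credentials are available then)
 */
public boolean isAuthorized( XmlRpcRequest pRequest )
    throws XmlRpcException
{
    if ( !( pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl ) )
    {
        throw new XmlRpcException( "Unsupported transport (must be http)" );
    }

    XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) pRequest.getConfig();

    // Keep the caller's identity in a local for the whole check. The 'username'
    // instance field is shared by every request passing through this handler, so
    // reading it back after assignment (as the previous code did when calling
    // authorize) could pick up a concurrent request's user and authorize this
    // call against the wrong identity.
    String requestUser = config.getBasicUserName();
    String requestPassword = config.getBasicPassword();

    // Fail closed when no HTTP Basic credentials were supplied at all, instead of
    // handing nulls to the security system.
    if ( requestUser == null || requestPassword == null )
    {
        throw new XmlRpcException( 401, "Authentication required" );
    }

    SecuritySession session =
        authenticate( new PasswordBasedAuthenticationDataSource( requestUser, requestPassword ) );

    // Only record the user once the credentials have been accepted, so
    // getActiveUser() never reports a name that merely attempted to log in.
    // The field is still shared across requests; see the declaration.
    username = requestUser;

    String method = pRequest.getMethodName();
    AuthorizationResult result = authorize( session, method, requestUser );

    return result.isAuthorized();
}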
\r
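/**
 * Authenticates the supplied credentials against the security system.
 *
 * @param authenticationDataSource username/password taken from the HTTP Basic header
 * @return the authenticated security session
 * @throws XmlRpcException with code 401 if the account is locked, the credentials
 *         are wrong, or the user does not exist. All three cases produce the same
 *         client-visible message; the distinction is kept only in the cause.
 */
private SecuritySession authenticate( PasswordBasedAuthenticationDataSource authenticationDataSource )
    throws XmlRpcException
{
    try
    {
        return securitySystem.authenticate( authenticationDataSource );
    }
    catch ( AccountLockedException e )
    {
        throw authenticationFailure( e );
    }
    catch ( AuthenticationException e )
    {
        throw authenticationFailure( e );
    }
    catch ( UserNotFoundException e )
    {
        throw authenticationFailure( e );
    }
}

/**
 * Builds the 401 fault returned for any authentication failure.
 *
 * The fault message travels back to the (unauthenticated) client in the XML-RPC
 * response. The previous code echoed the Redback exception message, which differs
 * between "no such user", "bad password" and "account locked" and therefore let a
 * caller enumerate valid accounts and probe lockout state. The message is now
 * deliberately generic; the original exception stays chained as the cause so the
 * server side can still log the real reason.
 *
 * @param cause the underlying Redback exception
 * @return an XmlRpcException with code 401 and a fixed message
 */
private static XmlRpcException authenticationFailure( Exception cause )
{
    return new XmlRpcException( 401, "Authentication failed", cause );
}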
\r
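/**
 * Authorizes an already-authenticated session to invoke a service method.
 *
 * Each service method name is mapped (via ServiceMethodsPermissionsMapping) to a
 * single Archiva operation, which is then checked against the session. Method
 * names not present in any mapping are checked against the global repository
 * manager role, so a newly added service method is restricted by default rather
 * than exposed to every authenticated user.
 *
 * @param session    the session returned by authentication
 * @param methodName the XML-RPC method being invoked
 * @param username   the authenticated user's name (used for repository lookups)
 * @return the authorization decision
 * @throws XmlRpcException with code 401 if the security system cannot evaluate the
 *         authorization or the user's repositories cannot be resolved
 */
private AuthorizationResult authorize( SecuritySession session, String methodName, String username )
    throws XmlRpcException
{
    try
    {
        if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION.contains( methodName ) )
        {
            return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
        }

        if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER.contains( methodName ) )
        {
            return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_RUN_INDEXER );
        }

        if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_REPOSITORY_ACCESS.contains( methodName ) )
        {
            return authorizeRepositoryAccess( username );
        }

        // Default for unmapped methods: require the global repository manager role.
        return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
    }
    catch ( AuthorizationException e )
    {
        // 401 is kept for client compatibility even though this is an
        // authorization (403-style) failure rather than an authentication one.
        throw new XmlRpcException( 401, e.getMessage(), e );
    }
}

/**
 * Coarse check for the "repository access" service methods: the caller is
 * authorized as soon as they can observe at least one repository.
 *
 * NOTE(review): this does not inspect which repository the request actually names
 * in its parameters, so a user who may observe repository A passes this check for
 * a call that targets repository B. The service implementations are presumably
 * expected to filter by the user's observable repositories themselves — confirm.
 *
 * @param username the authenticated user's name
 * @return authorized if the user can observe one or more repositories
 * @throws XmlRpcException with code 401 if the repository lookup fails
 */
private AuthorizationResult authorizeRepositoryAccess( String username )
    throws XmlRpcException
{
    try
    {
        List<String> observableRepos = userRepositories.getObservableRepositoryIds( username );

        // A user with exactly one observable repository must be allowed in too;
        // the previous 'size() > 1' test was off by one and denied that case.
        boolean hasRepository = observableRepos != null && !observableRepos.isEmpty();

        return new AuthorizationResult( hasRepository, username, null );
    }
    catch ( ArchivaSecurityException e )
    {
        // Chain the cause (previously dropped) so the lookup failure can be
        // diagnosed server-side; the client still sees a 401.
        throw new XmlRpcException( 401, e.getMessage(), e );
    }
}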
\r
147 public String getActiveUser()
\r