1 package org.apache.maven.archiva.security;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import javax.servlet.http.HttpServletRequest;
23
24 import org.apache.maven.archiva.security.ArchivaRoleConstants;
25 import org.codehaus.plexus.redback.authentication.AuthenticationException;
26 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
27 import org.codehaus.plexus.redback.authorization.AuthorizationException;
28 import org.codehaus.plexus.redback.authorization.AuthorizationResult;
29 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
30 import org.codehaus.plexus.redback.policy.AccountLockedException;
31 import org.codehaus.plexus.redback.policy.MustChangePasswordException;
32 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
33 import org.codehaus.plexus.redback.system.SecuritySession;
34 import org.codehaus.plexus.redback.system.SecuritySystem;
35 import org.codehaus.plexus.redback.users.User;
36 import org.codehaus.plexus.redback.users.UserNotFoundException;
37 import org.slf4j.Logger;
38 import org.slf4j.LoggerFactory;
39
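/**
 * Default {@link ServletAuthenticator}: bridges servlet-side authentication and
 * per-repository authorization to the Redback {@link SecuritySystem}.
 * <p>
 * Two kinds of check are offered: one driven by an existing {@link SecuritySession}
 * (the normal request path) and one driven by a bare principal name, which builds a
 * session itself and therefore relies on the caller having already authenticated
 * that principal.
 *
 * @version
 * @plexus.component role="org.apache.maven.archiva.security.ServletAuthenticator" role-hint="default"
 */
public class ArchivaServletAuthenticator
    implements ServletAuthenticator
{
    private static final Logger log = LoggerFactory.getLogger( ArchivaServletAuthenticator.class );

    /**
     * @plexus.requirement
     */
    private SecuritySystem securitySystem;

    /**
     * Rejects a request whose authentication result is present but failed.
     *
     * @param request the current request (not consulted; part of the interface)
     * @param result  the outcome of credential checking, or {@code null} if none took place
     * @return {@code true} when {@code result} is {@code null} or reports success
     * @throws AuthenticationException when {@code result} is present and not authenticated
     */
    public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result )
        throws AuthenticationException, AccountLockedException, MustChangePasswordException
    {
        // NOTE(review): a null result is accepted (fail-open). Presumably this covers
        // anonymous requests that carry no credentials, with access then decided by
        // isAuthorized() against a guest session -- confirm that every caller does go
        // on to authorize, because this method alone never denies an absent result.
        if ( result != null && !result.isAuthenticated() )
        {
            throw new AuthenticationException( "User Credentials Invalid" );
        }

        return true;
    }

    /**
     * Checks that the session may read (or, for a write request, upload to) the named
     * repository. Every denial is logged with the caller's address so that both
     * explained and unexplained denials leave an audit trail.
     *
     * @param request         the request; only its remote address is used, for the denial log
     * @param securitySession the caller's session (may be a guest session)
     * @param repositoryId    the repository the permission is evaluated against
     * @param isWriteRequest  {@code true} selects the upload permission, {@code false} the access permission
     * @return {@code true} when the session holds the permission
     * @throws AuthorizationException if the security system cannot evaluate the permission
     * @throws UnauthorizedException  when the permission is denied
     */
    public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
                                 boolean isWriteRequest )
        throws AuthorizationException, UnauthorizedException
    {
        // TODO: also check for permission to proxy the resource when MRM-579 is implemented

        String permission = permissionFor( isWriteRequest );

        AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId );

        if ( authzResult.isAuthorized() )
        {
            return true;
        }

        Throwable cause = authzResult.getException();

        // Log every denial, not only those carrying an exception, so a denied request
        // can always be correlated with its source address and repository.
        log.info( "Authorization Denied [ip={},isWriteRequest={},permission={},repo={}] : {}",
                  new Object[] { request.getRemoteAddr(), isWriteRequest, permission, repositoryId,
                      cause != null ? cause.getMessage() : "no reason given" } );

        if ( cause != null )
        {
            // The detailed reason stays in the log; the client only learns that access was denied.
            throw new UnauthorizedException( "Access denied for repository " + repositoryId );
        }

        // NOTE(review): a denial without an exception is reported as a locked account;
        // whether that is the only way Redback produces such a result cannot be
        // confirmed from this file.
        throw new UnauthorizedException( "User account is locked" );
    }

    /**
     * Checks whether an already-authenticated principal may read (or upload to) a repository.
     * <p>
     * No credentials are verified here: a session marked as authenticated is fabricated for
     * {@code principal}, so callers must pass only a principal whose identity has already
     * been established.
     *
     * @param principal      the user name to evaluate
     * @param repoId         the repository id
     * @param isWriteRequest {@code true} selects the upload permission, {@code false} the access permission
     * @return whether the principal holds the permission
     * @throws UnauthorizedException if the user is unknown or locked, or if the check itself fails
     */
    public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
        throws UnauthorizedException
    {
        String permission = permissionFor( isWriteRequest );

        try
        {
            User user = securitySystem.getUserManager().findUser( principal );
            if ( user.isLocked() )
            {
                throw new UnauthorizedException( "User account is locked." );
            }

            // The result is constructed as authenticated without checking any credential;
            // this is what makes the "principal already authenticated" precondition necessary.
            AuthenticationResult authn = new AuthenticationResult( true, principal, null );
            SecuritySession securitySession = new DefaultSecuritySession( authn, user );

            return securitySystem.isAuthorized( securitySession, permission, repoId );
        }
        catch ( UserNotFoundException e )
        {
            // NOTE(review): the user-manager message is passed through to the caller; if it
            // ever reaches a client it would reveal whether the account exists.
            log.debug( "Authorization check for unknown principal [principal={}]", principal );
            throw new UnauthorizedException( e.getMessage() );
        }
        catch ( AuthorizationException e )
        {
            log.info( "Authorization Denied [principal={},permission={},repo={}] : {}",
                      new Object[] { principal, permission, repoId, e.getMessage() } );
            throw new UnauthorizedException( e.getMessage() );
        }
    }

    /**
     * Maps the kind of request to the Archiva repository operation it requires.
     *
     * @param isWriteRequest {@code true} for uploads
     * @return {@link ArchivaRoleConstants#OPERATION_REPOSITORY_UPLOAD} for writes,
     *         otherwise {@link ArchivaRoleConstants#OPERATION_REPOSITORY_ACCESS}
     */
    private static String permissionFor( boolean isWriteRequest )
    {
        return isWriteRequest ? ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD
                              : ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
    }
}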