1 package org.apache.maven.archiva.webdav;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import org.apache.jackrabbit.webdav.DavSessionProvider;
23 import org.apache.jackrabbit.webdav.WebdavRequest;
24 import org.apache.jackrabbit.webdav.DavException;
25 import org.apache.jackrabbit.webdav.DavServletRequest;
26 import org.apache.maven.archiva.webdav.util.WebdavMethodUtil;
27 import org.apache.maven.archiva.webdav.util.RepositoryPathUtil;
28 import org.apache.maven.archiva.security.ArchivaRoleConstants;
29 import org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator;
30 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
31 import org.codehaus.plexus.redback.authentication.AuthenticationException;
32 import org.codehaus.plexus.redback.system.SecuritySystem;
33 import org.codehaus.plexus.redback.system.SecuritySession;
34 import org.codehaus.plexus.redback.policy.MustChangePasswordException;
35 import org.codehaus.plexus.redback.policy.AccountLockedException;
36 import org.codehaus.plexus.redback.authorization.AuthorizationResult;
37 import org.codehaus.plexus.redback.authorization.AuthorizationException;
38 import org.codehaus.plexus.spring.PlexusToSpringUtils;
39 import org.springframework.web.context.WebApplicationContext;
40 import org.slf4j.Logger;
41 import org.slf4j.LoggerFactory;
42
43 import javax.servlet.http.HttpServletResponse;
44 import javax.servlet.ServletException;
45 import java.io.IOException;
46
47 /**
48  * @author <a href="mailto:james@atlassian.com">James William Dumay</a>
49  */
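/**
 * Jackrabbit {@link DavSessionProvider} that gates every WebDAV request on Redback
 * authentication and authorization before a DAV session is attached.
 * <p>
 * Per request (see {@link #attachSession}): the repository id is derived from the request
 * URI with the servlet context path removed, the request is authenticated through the
 * HTTP Basic {@link HttpAuthenticator}, and then authorized with the repository id as the
 * RBAC resource. Both steps either return {@code true} or throw a {@link DavException};
 * nothing else is returned to the caller.
 * <p>
 * Security notes for maintainers:
 * <ul>
 * <li>Methods classified as writes by {@link WebdavMethodUtil#isWriteMethod} are checked
 * against {@link ArchivaRoleConstants#OPERATION_REPOSITORY_UPLOAD}; every other method
 * against {@link ArchivaRoleConstants#OPERATION_REPOSITORY_ACCESS}.</li>
 * <li>The authorization decision is only as good as {@code repositoryId}: it is derived from
 * the raw, undecoded request URI via {@link RepositoryPathUtil#getRepositoryName}. The
 * repository authorized here must be the repository the resource layer later serves; if
 * either side changes how it parses or normalises the path, re-verify that they agree.</li>
 * <li>Denials are logged with the remote address, method class, permission and repository
 * only; credentials are never logged.</li>
 * </ul>
 *
 * @author <a href="mailto:james@atlassian.com">James William Dumay</a>
 */
public class ArchivaDavSessionProvider implements DavSessionProvider
{
    private static final Logger log = LoggerFactory.getLogger( ArchivaDavSessionProvider.class );

    private final SecuritySystem securitySystem;

    private final HttpAuthenticator httpAuth;

    /**
     * Looks up the Redback {@link SecuritySystem} and the HTTP Basic
     * {@link HttpAuthenticator} from the Spring context by their Plexus role ids.
     *
     * @param applicationContext web application context holding the Redback beans
     */
    public ArchivaDavSessionProvider( WebApplicationContext applicationContext )
    {
        securitySystem = (SecuritySystem) applicationContext.getBean(
            PlexusToSpringUtils.buildSpringId( SecuritySystem.ROLE ) );
        httpAuth = (HttpAuthenticator) applicationContext.getBean(
            PlexusToSpringUtils.buildSpringId( HttpAuthenticator.ROLE, "basic" ) );
    }

    /**
     * Authenticates and then authorizes the request for the repository named in its path.
     *
     * @param request the incoming WebDAV request
     * @return {@code true} when both checks pass (failures are reported by exception)
     * @throws DavException 401 when the request is not authenticated or not permitted,
     *         500 when the authorization subsystem itself fails
     */
    public boolean attachSession( WebdavRequest request )
        throws DavException
    {
        final String repositoryId = RepositoryPathUtil.getRepositoryName( removeContextPath( request ) );
        return isAuthenticated( request, repositoryId ) && isAuthorized( request, repositoryId );
    }

    /**
     * No per-request state is held by this provider, so there is nothing to release.
     *
     * @param webdavRequest the request whose session is being released (unused)
     */
    public void releaseSession( WebdavRequest webdavRequest )
    {
    }

    /**
     * Authentication step.
     * <p>
     * Redback is first asked for any existing authentication result for the request; when
     * there is none, or it is not authenticated, a fresh authentication attempt is made.
     * Each Redback failure exception is mapped to a 401 {@link UnauthorizedDavException}
     * with a message that does not leak account details beyond the failure class.
     * <p>
     * NOTE(review): the result of the second {@code authenticate} call is not inspected.
     * If the authenticator reports a non-authenticated result <em>without</em> throwing,
     * this method still returns {@code true} and the request proceeds to
     * {@link #isAuthorized}, where the principal (if any) in the authenticator's security
     * session decides. Whether that fall-through is intended (anonymous access decided by
     * the authorizer) or an oversight cannot be determined from this class alone; confirm
     * against the HttpAuthenticator contract before relying on it.
     *
     * @param request      the WebDAV request carrying the HTTP credentials
     * @param repositoryId repository the request targets, reported in the exception
     * @return {@code true} unless an exception is thrown
     * @throws DavException an {@link UnauthorizedDavException} when authentication fails,
     *         the account is locked, or the password must be changed
     */
    protected boolean isAuthenticated( WebdavRequest request, String repositoryId )
        throws DavException
    {
        try
        {
            AuthenticationResult result = httpAuth.getAuthenticationResult( request, null );

            if ( result == null || !result.isAuthenticated() )
            {
                // The DavSessionProvider API does not pass the response in, so no
                // WWW-Authenticate challenge can be written from here; the client only
                // sees the 401 raised below (or by the resource layer).
                httpAuth.authenticate( request, null );
            }
        }
        catch ( AuthenticationException e )
        {
            throw new UnauthorizedDavException( repositoryId, "You are not authenticated" );
        }
        catch ( AccountLockedException e )
        {
            throw new UnauthorizedDavException( repositoryId, "User account is locked." );
        }
        catch ( MustChangePasswordException e )
        {
            throw new UnauthorizedDavException( repositoryId, "You must change your password." );
        }

        return true;
    }

    /**
     * Authorization step.
     * <p>
     * Chooses the required operation from the HTTP method (write methods need the upload
     * operation, everything else read access) and asks the Redback security system whether
     * the current security session holds it for {@code repositoryId}. Every denial is
     * logged and answered with a 401 {@link DavException}; a null result from the
     * authorizer is treated as a denial rather than allowed to surface as an NPE/500.
     * <p>
     * NOTE(review): {@code httpAuth.getSecuritySession()} takes no request or HTTP-session
     * argument, so the session it returns is state held by the shared authenticator bean.
     * Confirm it is scoped to the current request; if it is not, concurrent requests could be
     * authorized against another request's principal.
     * <p>
     * NOTE(review): denials are reported as 401 rather than 403. Changing this would alter
     * how clients without credentials are prompted to retry, so leave it unless that
     * behaviour is reviewed together with the resource layer.
     *
     * @param request      the WebDAV request (method and remote address are read)
     * @param repositoryId repository used as the RBAC resource
     * @return {@code true} when the session is authorized
     * @throws DavException 401 when access is denied, 500 when the authorizer throws
     */
    protected boolean isAuthorized( WebdavRequest request, String repositoryId )
        throws DavException
    {
        final boolean isWriteRequest = WebdavMethodUtil.isWriteMethod( request.getMethod() );

        final String permission = isWriteRequest
            ? ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD
            : ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;

        SecuritySession securitySession = httpAuth.getSecuritySession();
        try
        {
            AuthorizationResult authzResult =
                securitySystem.authorize( securitySession, permission, repositoryId );

            // Fail closed: no result at all is a denial, not an error to be debugged later.
            if ( authzResult == null || !authzResult.isAuthorized() )
            {
                // Log every denial (not only those carrying an exception) so that refused
                // access attempts are visible in the audit trail. No credentials are logged.
                final String reason = ( authzResult != null && authzResult.getException() != null )
                    ? authzResult.getException().getMessage()
                    : "no reason supplied by authorizer";
                log.info( "Authorization Denied [ip={},isWriteRequest={},permission={},repo={}] : {}",
                          new Object[] { request.getRemoteAddr(), Boolean.valueOf( isWriteRequest ),
                              permission, repositoryId, reason } );
                throw new DavException( HttpServletResponse.SC_UNAUTHORIZED,
                                        "Access denied for repository " + repositoryId );
            }
        }
        catch ( AuthorizationException e )
        {
            // Subsystem failure, not a policy decision: keep the cause in the log and
            // return a generic 500 so no internal detail reaches the client.
            log.error( e.getMessage(), e );
            throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                                    "Fatal Authorization Subsystem Error." );
        }

        return true;
    }

    /**
     * Strips the servlet context path prefix from the raw request URI so that the
     * remainder begins at the repository segment.
     * <p>
     * The URI comes from {@code getRequestURI()}, i.e. it is neither decoded nor
     * normalised here; the result is only used to derive the repository id that the
     * authorization check is performed against.
     *
     * @param request the request whose URI is examined
     * @return the request URI without its context path prefix, or the URI unchanged when
     *         it does not start with the context path
     */
    private String removeContextPath( final DavServletRequest request )
    {
        String path = request.getRequestURI();
        String ctx = request.getContextPath();
        if ( path.startsWith( ctx ) )
        {
            path = path.substring( ctx.length() );
        }
        return path;
    }
}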