1 package org.apache.archiva.security;
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
22 import javax.inject.Inject;
23 import javax.servlet.http.HttpServletRequest;
25 import org.codehaus.plexus.redback.authentication.AuthenticationException;
26 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
27 import org.codehaus.plexus.redback.authorization.AuthorizationException;
28 import org.codehaus.plexus.redback.authorization.AuthorizationResult;
29 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
30 import org.codehaus.plexus.redback.policy.AccountLockedException;
31 import org.codehaus.plexus.redback.policy.MustChangePasswordException;
32 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
33 import org.codehaus.plexus.redback.system.SecuritySession;
34 import org.codehaus.plexus.redback.system.SecuritySystem;
35 import org.codehaus.plexus.redback.users.User;
36 import org.codehaus.plexus.redback.users.UserNotFoundException;
37 import org.slf4j.Logger;
38 import org.slf4j.LoggerFactory;
39 import org.springframework.stereotype.Service;
43 * plexus.component role="org.apache.archiva.security.ServletAuthenticator" role-hint="default"
45 @Service("servletAuthenticator")
46 public class ArchivaServletAuthenticator
47 implements ServletAuthenticator
49 private Logger log = LoggerFactory.getLogger( ArchivaServletAuthenticator.class );
55 private SecuritySystem securitySystem;
57 public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result )
58 throws AuthenticationException, AccountLockedException, MustChangePasswordException
60 if ( result != null && !result.isAuthenticated() )
62 throw new AuthenticationException( "User Credentials Invalid" );
68 public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
70 throws AuthorizationException, UnauthorizedException
72 // TODO: also check for permission to proxy the resource when MRM-579 is implemented
74 AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId );
76 if ( !authzResult.isAuthorized() )
78 if ( authzResult.getException() != null )
80 log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",permission=" + permission
81 + ",repo=" + repositoryId + "] : " + authzResult.getException().getMessage() );
83 throw new UnauthorizedException( "Access denied for repository " + repositoryId );
85 throw new UnauthorizedException( "User account is locked" );
91 public boolean isAuthorized( String principal, String repoId, String permission )
92 throws UnauthorizedException
96 User user = securitySystem.getUserManager().findUser( principal );
99 throw new UnauthorizedException( "The security system had an internal error - please check your system logs" );
101 if ( user.isLocked() )
103 throw new UnauthorizedException( "User account is locked." );
106 AuthenticationResult authn = new AuthenticationResult( true, principal, null );
107 SecuritySession securitySession = new DefaultSecuritySession( authn, user );
109 return securitySystem.isAuthorized( securitySession, permission, repoId );
111 catch ( UserNotFoundException e )
113 throw new UnauthorizedException( e.getMessage() );
115 catch ( AuthorizationException e )
117 throw new UnauthorizedException( e.getMessage() );
122 public SecuritySystem getSecuritySystem()
124 return securitySystem;
127 public void setSecuritySystem( SecuritySystem securitySystem )
129 this.securitySystem = securitySystem;