1 package org.apache.archiva.web.xmlrpc.security;
\r
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
\r
22 import org.apache.maven.archiva.security.ArchivaRoleConstants;
\r
23 import org.apache.xmlrpc.XmlRpcException;
\r
24 import org.apache.xmlrpc.XmlRpcRequest;
\r
25 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
\r
26 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping.AuthenticationHandler;
\r
27 import org.codehaus.plexus.redback.authentication.AuthenticationException;
\r
28 import org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource;
\r
29 import org.codehaus.plexus.redback.authorization.AuthorizationException;
\r
30 import org.codehaus.plexus.redback.authorization.AuthorizationResult;
\r
31 import org.codehaus.plexus.redback.policy.AccountLockedException;
\r
32 import org.codehaus.plexus.redback.system.SecuritySession;
\r
33 import org.codehaus.plexus.redback.system.SecuritySystem;
\r
34 import org.codehaus.plexus.redback.users.UserNotFoundException;
\r
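/**
 * XML-RPC {@link AuthenticationHandler} that decides whether a request may be served.
 * <p>
 * The HTTP Basic user name and password carried by the request configuration are
 * authenticated through the Redback {@link SecuritySystem}; the resulting session is then
 * checked against {@link ArchivaRoleConstants#GLOBAL_REPOSITORY_MANAGER_ROLE}. The same
 * check is applied to every XML-RPC method (see the TODO in {@code authorize}).
 */
public class XmlRpcAuthenticator
    implements AuthenticationHandler
{
    /** Fault code used for every authentication or authorization failure raised here. */
    private static final int UNAUTHORIZED = 401;

    private final SecuritySystem securitySystem;

    /**
     * @param securitySystem the Redback security system used for both authentication and
     *                       authorization
     */
    public XmlRpcAuthenticator( SecuritySystem securitySystem )
    {
        this.securitySystem = securitySystem;
    }

    /**
     * Authenticates the caller from the request's HTTP Basic credentials and checks the
     * required permission.
     *
     * @param pRequest the incoming XML-RPC request
     * @return {@code true} only when the credentials authenticate and the session is
     *         authorized; {@code false} when the session is missing or not authenticated,
     *         or when authorization is denied
     * @throws XmlRpcException with code 401 when Redback raises an authentication or
     *                         authorization exception, or without a code when the request
     *                         did not arrive over the HTTP transport
     */
    public boolean isAuthorized( XmlRpcRequest pRequest )
        throws XmlRpcException
    {
        Object requestConfig = pRequest.getConfig();
        if ( !( requestConfig instanceof XmlRpcHttpRequestConfigImpl ) )
        {
            // Credentials are only read from the HTTP request configuration.
            throw new XmlRpcException( "Unsupported transport (must be http)" );
        }

        XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) requestConfig;
        SecuritySession session =
            authenticate( new PasswordBasedAuthenticationDataSource( config.getBasicUserName(),
                                                                     config.getBasicPassword() ) );

        // Fail closed: never ask for an authorization decision on behalf of a session that
        // did not prove its identity. NOTE(review): Redback appears able to return a
        // non-authenticated session instead of throwing (e.g. on a wrong password) - confirm
        // against the Redback version in use.
        if ( session == null || !session.isAuthenticated() )
        {
            return false;
        }

        AuthorizationResult result = authorize( session );
        return result.isAuthorized();
    }

    /**
     * Runs the credentials through Redback and maps every authentication failure to a 401
     * fault.
     *
     * @param authenticationDataSource user name and password taken from the request
     * @return the session returned by the security system
     * @throws XmlRpcException with code 401 when the account is locked, authentication
     *                         raises an error, or the user is unknown
     */
    private SecuritySession authenticate( PasswordBasedAuthenticationDataSource authenticationDataSource )
        throws XmlRpcException
    {
        try
        {
            return securitySystem.authenticate( authenticationDataSource );
        }
        catch ( AccountLockedException e )
        {
            throw unauthorized( e );
        }
        catch ( AuthenticationException e )
        {
            throw unauthorized( e );
        }
        catch ( UserNotFoundException e )
        {
            throw unauthorized( e );
        }
    }

    /**
     * Checks the session against the global repository manager role.
     *
     * @param session the session obtained from {@code authenticate}
     * @return the authorization decision reported by the security system
     * @throws XmlRpcException with code 401 when the authorization check itself fails
     */
    private AuthorizationResult authorize( SecuritySession session )
        throws XmlRpcException
    {
        try
        {
            //TODO authorization/permissions should be checked depending on the service being accessed
            return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
        }
        catch ( AuthorizationException e )
        {
            throw unauthorized( e );
        }
    }

    /**
     * Builds the 401 fault for a Redback failure, keeping the original exception as cause.
     * <p>
     * NOTE(review): the exception's own message is forwarded to the remote caller. If
     * Redback words "unknown user", "bad password" and "account locked" differently, a
     * client can tell those cases apart; consider a single generic message here and
     * logging the detail server-side.
     */
    private static XmlRpcException unauthorized( Exception cause )
    {
        return new XmlRpcException( UNAUTHORIZED, cause.getMessage(), cause );
    }
}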