
use of org.pentaho.platform.web.http.request.MultiReadHttpServletRequest in project pentaho-platform by pentaho.

From the class RequestParameterAuthenticationFilter, method doFilter:

/**
 * Authenticates the request from the {@code userNameParameter} / {@code passwordParameter}
 * request parameters when the "security" configuration property
 * {@code requestParameterAuthenticationEnabled} is true; otherwise the request is passed
 * down the chain untouched.
 *
 * <p>When enabled, the request is wrapped in a {@link MultiReadHttpServletRequest} before the
 * parameters are read, and that wrapper (not the original request) is handed to the rest of
 * the chain and to the entry point. A failed authentication clears the security context and
 * then either continues the chain ({@code ignoreFailure}) or delegates to
 * {@code authenticationEntryPoint}; a successful one stores the resulting
 * {@link Authentication} in the {@link SecurityContextHolder}.
 *
 * <p>Security notes: credentials are read with {@code getParameter}, and no HTTP method check
 * is made here, so a caller that sends them in the query string may leave them in access,
 * proxy or browser logs. The debug log writes the raw, unvalidated {@code username}
 * parameter. The lazy load of the enabled flag is not synchronized — two plain fields are
 * written in sequence, so concurrent first calls could observe them out of step.
 *
 * @param request  the incoming request; must be an {@link HttpServletRequest} when parameter
 *                 authentication is enabled
 * @param response the outgoing response; must be an {@link HttpServletResponse} when parameter
 *                 authentication is enabled
 * @param chain    the remaining filter chain
 * @throws ServletException if parameter authentication is enabled and the request or response
 *                          is not HTTP, or if the chain throws it
 * @throws IOException      if the chain or the entry point throws it
 */
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
    final IConfiguration securityConfig = this.systemConfig.getConfiguration("security");

    // Resolve the enabling flag on first use only; later calls skip the property lookup.
    // NOTE(review): not synchronized — see the method Javadoc.
    if (!isRequestAuthenticationParameterLoaded) {
        final String enabledValue = securityConfig.getProperties().getProperty("requestParameterAuthenticationEnabled");
        isRequestParameterAuthenticationEnabled = Boolean.valueOf(enabledValue);
        isRequestAuthenticationParameterLoaded = true;
    }

    if (!isRequestParameterAuthenticationEnabled) {
        // Feature disabled: the original, unwrapped request goes straight through.
        chain.doFilter(request, response);
        return;
    }

    if (!(request instanceof HttpServletRequest)) {
        throw new ServletException(Messages.getInstance().getErrorString(
            "RequestParameterAuthenticationFilter.ERROR_0005_HTTP_SERVLET_REQUEST_REQUIRED")); // $NON-NLS-1$
    }
    if (!(response instanceof HttpServletResponse)) {
        throw new ServletException(Messages.getInstance().getErrorString(
            "RequestParameterAuthenticationFilter.ERROR_0006_HTTP_SERVLET_RESPONSE_REQUIRED")); // $NON-NLS-1$
    }

    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final HttpServletResponse httpResponse = (HttpServletResponse) response;
    // Wrap before touching the parameters; presumably the wrapper keeps the request body
    // re-readable for downstream consumers — confirm against MultiReadHttpServletRequest.
    final MultiReadHttpServletRequest multiReadRequest = new MultiReadHttpServletRequest(httpRequest);
    final String username = multiReadRequest.getParameter(this.userNameParameter);
    String password = multiReadRequest.getParameter(this.passwordParameter);

    if (RequestParameterAuthenticationFilter.logger.isDebugEnabled()) {
        // Emits the raw username parameter; the password parameter is not logged.
        RequestParameterAuthenticationFilter.logger.debug(Messages.getInstance().getString(
            "RequestParameterAuthenticationFilter.DEBUG_AUTH_USERID", username)); // $NON-NLS-1$
    }

    if (username != null && password != null) {
        final Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
        password = Encr.decryptPasswordOptionallyEncrypted(password);

        // Keep the current context only when it already holds an authenticated principal
        // with the same name (see SEC-53); in every other case re-authenticate.
        final boolean contextStillValid = existingAuth != null
            && existingAuth.getName().equals(username)
            && existingAuth.isAuthenticated();

        if (!contextStillValid) {
            final UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
            authRequest.setDetails(new WebAuthenticationDetails(httpRequest));

            final Authentication authResult;
            try {
                authResult = authenticationManager.authenticate(authRequest);
            } catch (AuthenticationException failed) {
                if (RequestParameterAuthenticationFilter.logger.isDebugEnabled()) {
                    RequestParameterAuthenticationFilter.logger.debug(Messages.getInstance().getString(
                        "RequestParameterAuthenticationFilter.DEBUG_AUTHENTICATION_REQUEST", username, failed.toString())); // $NON-NLS-1$
                }
                // No stale authentication may survive a failed attempt.
                SecurityContextHolder.getContext().setAuthentication(null);
                if (ignoreFailure) {
                    chain.doFilter(multiReadRequest, response);
                } else {
                    authenticationEntryPoint.commence(multiReadRequest, httpResponse, failed);
                }
                return;
            }

            if (RequestParameterAuthenticationFilter.logger.isDebugEnabled()) {
                RequestParameterAuthenticationFilter.logger.debug(Messages.getInstance().getString(
                    "RequestParameterAuthenticationFilter.DEBUG_AUTH_SUCCESS", authResult.toString())); // $NON-NLS-1$
            }
            SecurityContextHolder.getContext().setAuthentication(authResult);
        }
    }

    chain.doFilter(multiReadRequest, response);
}
