 /*
  * $Source: /usr/cvsroot/melati/melati/src/main/java/org/melati/login/HttpBasicAuthenticationAccessHandler.java,v $
  * $Revision: 1.40 $
  *
  * Copyright (C) 2000 William Chesters
  *
  * Part of Melati (http://melati.org), a framework for the rapid
  * development of clean, maintainable web applications.
  *
  * Melati is free software; Permission is granted to copy, distribute
  * and/or modify this software under the terms either:
  *
  * a) the GNU General Public License as published by the Free Software
  *    Foundation; either version 2 of the License, or (at your option)
  *    any later version,
  *
  *    or
  *
  * b) any version of the Melati Software License, as published
  *    at http://melati.org
  *
  * You should have received a copy of the GNU General Public License and
  * the Melati Software License along with this program;
  * if not, write to the Free Software Foundation, Inc.,
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA to obtain the
  * GNU General Public License and visit http://melati.org to obtain the
  * Melati Software License.
  *
  * Feel free to contact the Developers of Melati (http://melati.org),
  * if you would like to work out a different arrangement than the options
  * outlined here.  It is our intention to allow Melati to be used by as
  * wide an audience as possible.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * Contact details for copyright holder:
  *
  *     William Chesters <williamc At paneris.org>
  *     http://paneris.org/~williamc
  *     Obrechtstraat 114, 2517VX Den Haag, The Netherlands
  */
 
 package org.melati.login;
 
 import java.io.IOException;
 import javax.servlet.http.HttpServletResponse;
 import org.melati.poem.AccessPoemException;
 import org.melati.poem.PoemThread;
 import org.melati.poem.User;
 import org.melati.Melati;
 import org.melati.util.UnexpectedExceptionException;
 
 
 
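 /**
  * An {@link AccessHandler} which uses the HTTP Basic Authentication scheme to
  * elicit and maintain the user's login and password.
  *
  * By default ({@link #useSession()} returning false) this implementation
  * does not touch the servlet session at all, so it neither sends cookies
  * nor does URL rewriting: the browser re-sends its <code>Authorization</code>
  * header on every request and the user is looked up afresh each time.
  *
  * Security notes for deployers:
  * <ul>
  * <li>Basic Authentication carries the login and password base64-encoded,
  *     not encrypted, on every request; it is only acceptable over TLS.</li>
  * <li>The supplied password is compared with whatever
  *     {@link User#getPassword_unsafe()} returns from the user table; this
  *     handler performs no hashing of its own.</li>
  * </ul>
  */
 public class HttpBasicAuthenticationAccessHandler implements AccessHandler {
   // Taken from the class literal rather than a throwaway instance: the
   // original `new X().getClass().getName()' ran that instance's field
   // initialisers before className was assigned.
   private static final String className =
           HttpBasicAuthenticationAccessHandler.class.getName();
 
   /** Session attribute under which the last-challenged realm is kept. */
   static final String REALM = className + ".realm";
   /** Session attribute under which an authenticated {@link User} is cached. */
   static final String USER = className + ".user";
 
   /**
    * Whether the realm and the authenticated user may be cached in the
    * servlet session.  Change here to use session, if that makes sense;
    * the default keeps this handler entirely session-free.
    *
    * @return false
    */
   protected boolean useSession() {
     return false;
   }
 
   /**
    * Force a login by sending a 401 error back to the browser.
    *
    * The realm is embedded in the quoted-string of the
    * <code>WWW-Authenticate</code> header, so the characters that could
    * break out of it are neutralised first (see {@link #sanitiseRealm}).
    *
    * HACK Apache/Netscape appear not to do anything with message, which is
    * why it's just left as a String.  Some containers do render the status
    * message in their error page, so callers should not pass secrets or
    * untrusted markup in it.
    *
    * @param resp    the response to complete with the challenge
    * @param realm   the realm to challenge for; null yields "&lt;unknown&gt;"
    * @param message the 401 status message handed to the container
    */
   protected void forceLogin(HttpServletResponse resp,
                             String realm, String message) {
     String desc = realm == null ? "<unknown>"
                                 : sanitiseRealm(realm);
     resp.setHeader("WWW-Authenticate", "Basic realm=\"" + desc + "\"");
     // I don't believe there is a lot we can do about an IO exception here
     try {
       resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, message);
     } catch (IOException e) {
       throw new UnexpectedExceptionException(e);
     }
   }
 
   /**
    * Make a realm safe to place inside the quoted-string of a
    * <code>WWW-Authenticate</code> header.
    *
    * Double quotes and backslashes (the quoted-string escape character)
    * would terminate or mangle the value; CR and LF could inject further
    * headers on a container that does not reject them itself.  Each is
    * replaced with a space, as the original did for quotes alone.
    *
    * @param realm a non-null realm name
    * @return the realm with the four dangerous characters replaced by spaces
    */
   static String sanitiseRealm(String realm) {
     return realm.replace('"', ' ')
                 .replace('\\', ' ')
                 .replace('\r', ' ')
                 .replace('\n', ' ');
   }
 
   /**
    * Compare a stored credential with a supplied one in time that does not
    * depend on where they first differ, so a remote caller cannot recover
    * the stored value prefix by timing failed attempts (as
    * <code>String.equals</code> would allow).
    *
    * The loop runs over the caller-supplied string and indexes the stored one
    * modulo its length, so the amount of work reveals nothing about the
    * stored length either.
    *
    * @param stored   the credential on record; null never matches
    * @param supplied the credential from the request; null never matches
    * @return true only if both are non-null and identical
    */
   static boolean constantTimeEquals(String stored, String supplied) {
     if (stored == null || supplied == null)
       return false;
     int storedLen = stored.length();
     int diff = storedLen ^ supplied.length();
     for (int i = 0; i < supplied.length(); i++) {
       char expected = storedLen == 0 ? 0 : stored.charAt(i % storedLen);
       diff |= supplied.charAt(i) ^ expected;
     }
     return diff == 0;
   }
 
  /**
   * Called when an AccessPoemException is trapped: remember the realm (if
   * sessions are in use) and challenge the browser for credentials.
   *
   * @param melati the Melati
   * @param accessException the particular access exception to handle; its
   *        message becomes the 401 status message
    * {@inheritDoc}
    * @see org.melati.login.AccessHandler#
    *   handleAccessException(org.melati.Melati, 
    *                         org.melati.poem.AccessPoemException)
    */
   public void handleAccessException(Melati melati,
                                     AccessPoemException accessException)
       throws Exception {
     // The realm is a fixed label; the POEM capability that was actually
     // refused is not surfaced here.
     String capName = "melati";
     if (useSession())
       melati.getSession().setAttribute(REALM, capName);
     forceLogin(melati.getResponse(), capName, accessException.getMessage());
   }
 
   /**
    * Establish who is making the request.
    *
    * No <code>Authorization</code> header: proceed as the database's guest.
    * A header whose login and password match the user table: that
    * {@link User} becomes the access token for this thread.  A header that
    * does not match: re-challenge with a 401 if the realm is known (only
    * possible with {@link #useSession()} true), otherwise proceed as guest so
    * that the protected operation re-triggers
    * {@link #handleAccessException} and a fresh challenge.
    *
    * An unknown login and a wrong password share one code path and one
    * response, so the reply does not reveal which logins exist.  The
    * password itself is compared in constant time; the preceding database
    * lookup means the two failure cases are still not timing-identical.
    *
    * {@inheritDoc}
    * @param melati the Melati carrying request, response and database
    * @return melati, or null when a 401 challenge has been sent
    * @see org.melati.login.AccessHandler#establishUser(org.melati.Melati)
    */
   public Melati establishUser(Melati melati) {
 
     HttpAuthorization auth = HttpAuthorization.from(melati.getRequest());
 
     if (auth == null) {
       // No attempt to log in: become `guest'
       PoemThread.setAccessToken(melati.getDatabase().guestAccessToken());
       return melati;
     }
 
     // They are trying to log in
 
     // If allowed, we store the User in the session to avoid repeating the
     // SELECTion implied by firstWhereEq for every hit
     User sessionUser =
         useSession() ? (User)melati.getSession().getAttribute(USER) : null;
 
     User user;
     if (sessionUser != null && sessionUser.getLogin().equals(auth.username))
       user = sessionUser;
     else
       user = (User)melati.getDatabase().getUserTable().getLoginColumn().
                  firstWhereEq(auth.username);
 
     // getPassword_unsafe() hands back the stored credential as-is (no hashing
     // happens here).  A missing user, a null stored password and a mismatch
     // are all treated as one and the same failure.
     boolean authenticated =
         user != null
         && constantTimeEquals(user.getPassword_unsafe(), auth.password);
 
     if (!authenticated) {
 
       // Login/password authentication failed; we must trigger another
       // attempt.  But do we know the "realm" (= POEM capability name) for
       // which they were originally found not to be authorized?
 
       String storedRealm;
       if (useSession() &&
           (storedRealm = (String)melati.getSession().getAttribute(REALM))
                != null) {
 
         // The "realm" is stored in the session
 
         forceLogin(melati.getResponse(), storedRealm,
                    "Login/password not recognised");
         return null;
       }
 
       // We don't know the "realm", so we just let the user try again as
       // `guest' and hopefully trigger the same problem and get the same
       // message all over again.  Not very satisfactory but the alternative
       // is providing a default realm like "<unknown>".
 
       PoemThread.setAccessToken(melati.getDatabase().guestAccessToken());
       return melati;
     }
 
     // Login/password authentication succeeded
 
     PoemThread.setAccessToken(user);
 
     if (useSession() && user != sessionUser)
       melati.getSession().setAttribute(USER, user);
 
     return melati;
   }
 
   /**
    * If we are allowed in then no need to change request.
    *
    * {@inheritDoc}
    * @param melati the Melati (unused; the request is left as-is)
    * @see org.melati.login.AccessHandler#buildRequest(org.melati.Melati)
    */
   public void buildRequest(Melati melati)
       throws IOException {
   }
 }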