34 package fr.paris.lutece.portal.web.user;
35
36 import fr.paris.lutece.portal.service.admin.AccessDeniedException;
37 import fr.paris.lutece.portal.service.admin.AdminAuthenticationService;
38 import fr.paris.lutece.portal.service.admin.AdminUserService;
39 import fr.paris.lutece.portal.service.admin.PasswordResetException;
40 import fr.paris.lutece.portal.service.message.AdminMessage;
41 import fr.paris.lutece.portal.service.message.AdminMessageService;
42 import fr.paris.lutece.portal.service.security.UserNotSignedException;
43 import fr.paris.lutece.portal.service.util.AppLogService;
44 import fr.paris.lutece.portal.service.util.AppPathService;
45 import fr.paris.lutece.portal.service.util.AppPropertiesService;
46 import fr.paris.lutece.portal.web.constants.Messages;
47 import fr.paris.lutece.portal.web.constants.Parameters;
48 import fr.paris.lutece.util.url.UrlItem;
49
50 import java.io.IOException;
51
52 import java.util.Enumeration;
53 import java.util.StringTokenizer;
54
55 import javax.servlet.Filter;
56 import javax.servlet.FilterChain;
57 import javax.servlet.FilterConfig;
58 import javax.servlet.ServletException;
59 import javax.servlet.ServletRequest;
60 import javax.servlet.ServletResponse;
61 import javax.servlet.http.HttpServletRequest;
62 import javax.servlet.http.HttpServletResponse;
63
64
65
66
67
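/**
 * Servlet filter protecting the Lutece back-office.
 *
 * <p>Every request is mapped to an absolute URL (base URL + servlet path, see
 * {@link #getRequestedUrl(HttpServletRequest)}) and compared, by plain string
 * equality, with the login URL, the logout URL and the configured list of
 * public admin URLs. Any other URL is considered private and requires an
 * authenticated admin user; otherwise the request is redirected to an admin
 * message page which in turn points to the login page (or to the change
 * password page when the account is flagged for a password reset).
 *
 * <p>NOTE(review): only {@code getServletPath()} takes part in the comparison;
 * {@code getPathInfo()} and the query string are ignored. Whether that is
 * sufficient depends on how the admin JSPs and this filter are mapped in
 * web.xml — confirm against the deployment descriptor.
 */
public class AuthenticationFilter implements Filter
{
    /** Prefix of the properties describing the public (unauthenticated) admin URLs. */
    private static final String PROPERTY_URL_PREFIX = "path.jsp.admin.public.";
    /** Suffix of the property holding the comma separated list of public URL names. */
    private static final String PROPERTY_URL_SUFFIX_LIST = "list";
    private static final String CONSTANT_LIST_SEPARATOR = ",";
    private static final String LOGGER_NAME = "lutece.authentication";
    private static final String PROPERTY_RESET_EXCEPTION_MESSAGE = "User must reset his password.";
    private static final String PROPERTY_JSP_URL_ADMIN_LOGOUT = "lutece.admin.logout.url";
    private static final String CONSTANT_PATH_SEPARATOR = "/";
    private static final String CONSTANT_HTTP_PREFIX = "http://";
    private static final String CONSTANT_HTTPS_PREFIX = "https://";

    /**
     * Nothing to initialise: all configuration is read from properties on each request.
     *
     * @param config the filter configuration (unused)
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init( FilterConfig config ) throws ServletException
    {
        // no state to set up
    }

    /**
     * Nothing to release.
     */
    @Override
    public void destroy( )
    {
        // no state to tear down
    }

    /**
     * Lets public URLs through untouched and enforces authentication on every
     * other URL, redirecting to an admin message page on failure.
     *
     * @param request the servlet request (expected to be an {@link HttpServletRequest})
     * @param response the servlet response (expected to be an {@link HttpServletResponse})
     * @param chain the filter chain to continue with when access is granted
     * @throws IOException if the redirect cannot be written
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain )
        throws IOException, ServletException
    {
        // A non-HTTP request cannot legitimately reach an admin JSP; failing here with a
        // ClassCastException is preferable to silently letting it through the chain.
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // The requested URL never changes during one call, compute it once
        String strRequestedUrl = getRequestedUrl( req );

        AppLogService.debug( LOGGER_NAME, "Accessing url : " + strRequestedUrl );

        if ( isPrivateUrl( req ) )
        {
            AdminAuthenticationService authService = AdminAuthenticationService.getInstance( );

            try
            {
                filterAccess( req );
            }
            catch ( UserNotSignedException e )
            {
                // Remember the target so the login page can send the user back afterwards
                authService.setLoginNextUrl( req );

                String strRedirectUrl;

                if ( authService.isExternalAuthentication( ) )
                {
                    // Behind an external authentication the user is already identified by the
                    // front-end: only the local session is missing, so point at the admin menu
                    AppLogService.debug( LOGGER_NAME,
                        "New session behind external authentication : " + strRequestedUrl );

                    strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_USER_NEW_SESSION,
                            AppPathService.getAdminMenuUrl( ), AdminMessage.TYPE_INFO );
                }
                else
                {
                    AppLogService.debug( LOGGER_NAME, "Access NOT granted to url : " + strRequestedUrl );

                    strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_USER_NOT_AUTHENTICATED,
                            getRedirectUrl( req ), AdminMessage.TYPE_WARNING );
                }

                resp.sendRedirect( getAbsoluteUrl( req, strRedirectUrl ) );

                return;
            }
            catch ( AccessDeniedException e )
            {
                AppLogService.debug( LOGGER_NAME, "Access NOT granted to url : " + strRequestedUrl );

                String strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_AUTH_FAILURE,
                        getRedirectUrl( req ), AdminMessage.TYPE_ERROR );
                resp.sendRedirect( getAbsoluteUrl( req, strRedirectUrl ) );

                return;
            }
            catch ( PasswordResetException e )
            {
                // The user is signed in but must change his password first: every private URL
                // except the change-password page and the login page is redirected there
                boolean bOnChangePasswordPage = strRequestedUrl.equals( getChangePasswordUrl( req ) );
                boolean bOnLoginPage = strRequestedUrl.equals( getLoginUrl( req ) );

                if ( !bOnChangePasswordPage && !bOnLoginPage )
                {
                    String strRedirectUrl = AdminMessageService.getMessageUrl( req,
                            Messages.MESSAGE_USER_MUST_CHANGE_PASSWORD, getChangePasswordUrl( req ),
                            AdminMessage.TYPE_ERROR );
                    resp.sendRedirect( getAbsoluteUrl( req, strRedirectUrl ) );

                    return;
                }
            }
        }

        chain.doFilter( request, response );
    }

    /**
     * Builds the login page URL, carrying over the parameters of the current
     * request so that the original call can be replayed after login.
     *
     * <p>The credential parameters ({@code Parameters.ACCESS_CODE} and
     * {@code Parameters.PASSWORD}) are deliberately dropped so they never end up
     * in a Location header, browser history or access log.
     *
     * <p>NOTE(review): every other parameter is copied, including POST body
     * parameters, which therefore become part of a GET query string; only the
     * first value of a multi-valued parameter survives. Confirm this is acceptable
     * for the forms posted to the admin area.
     *
     * @param request the current request
     * @return the absolute login URL with the forwarded parameters
     */
    private String getRedirectUrl( HttpServletRequest request )
    {
        UrlItem url = new UrlItem( getLoginUrl( request ) );

        Enumeration<String> enumParams = request.getParameterNames( );

        while ( enumParams.hasMoreElements( ) )
        {
            String strParamName = enumParams.nextElement( );

            boolean bIsCredential = Parameters.ACCESS_CODE.equals( strParamName )
                    || Parameters.PASSWORD.equals( strParamName );

            if ( !bIsCredential )
            {
                url.addParameter( strParamName, request.getParameter( strParamName ) );
            }
        }

        return url.getUrl( );
    }

    /**
     * @param request the current request
     * @return the absolute URL of the admin login page
     */
    private String getLoginUrl( HttpServletRequest request )
    {
        return getAbsoluteUrl( request, AdminAuthenticationService.getInstance( ).getLoginPageUrl( ) );
    }

    /**
     * @param request the current request
     * @return the absolute URL of the admin logout page, or {@code null} when the
     *         {@code lutece.admin.logout.url} property is not set
     */
    private String getLogoutUrl( HttpServletRequest request )
    {
        return getAbsoluteUrl( request, AppPropertiesService.getProperty( PROPERTY_JSP_URL_ADMIN_LOGOUT ) );
    }

    /**
     * @param request the current request
     * @return the absolute URL of the admin change-password page
     */
    private String getChangePasswordUrl( HttpServletRequest request )
    {
        return getAbsoluteUrl( request, AdminAuthenticationService.getInstance( ).getChangePasswordPageUrl( ) );
    }

    /**
     * Decides whether the requested URL needs an authenticated user.
     *
     * <p>Only the login URL, the logout URL and the URLs listed under
     * {@code path.jsp.admin.public.*} are public; everything else is private
     * (fail closed), and the comparison is an exact string match.
     *
     * @param request the current request
     * @return {@code true} when authentication is required
     */
    private boolean isPrivateUrl( HttpServletRequest request )
    {
        String strUrl = getRequestedUrl( request );

        if ( strUrl.equals( getLoginUrl( request ) ) || strUrl.equals( getLogoutUrl( request ) ) )
        {
            return false;
        }

        return !isInPublicUrlList( request, strUrl );
    }

    /**
     * Checks that the request carries an authenticated admin user.
     *
     * <p>With external authentication the user is resolved through
     * {@code getRemoteUser}; its return value is not needed here, only the
     * exceptions it may raise. With internal authentication the user must be
     * registered in the session and, additionally, must not be flagged for a
     * password reset — that second rule is not applied to external authentication.
     *
     * @param request the current request
     * @throws UserNotSignedException when no registered user is found in internal mode
     * @throws AccessDeniedException presumably raised by the authentication service
     *         when the user cannot be resolved or is not allowed in
     * @throws PasswordResetException (unchecked) when the registered user must change his password
     */
    private static void filterAccess( HttpServletRequest request )
        throws UserNotSignedException, AccessDeniedException
    {
        AdminAuthenticationService authService = AdminAuthenticationService.getInstance( );

        if ( authService.isExternalAuthentication( ) )
        {
            authService.getRemoteUser( request );

            return;
        }

        if ( authService.getRegisteredUser( request ) == null )
        {
            throw new UserNotSignedException( );
        }

        if ( AdminUserService.getAdminUser( request ).isPasswordReset( ) )
        {
            throw new PasswordResetException( PROPERTY_RESET_EXCEPTION_MESSAGE );
        }
    }

    /**
     * Tells whether the requested URL is one of the configured public admin URLs.
     *
     * <p>The property {@code path.jsp.admin.public.list} holds a comma separated
     * list of names; each name {@code n} is resolved through the property
     * {@code path.jsp.admin.public.n}, made absolute and compared with the
     * requested URL. A missing list, a blank entry or an unset entry never
     * matches, so a misconfiguration keeps the URL private instead of throwing.
     *
     * @param request the current request
     * @param strRequestedUrl the absolute requested URL
     * @return {@code true} when the URL is declared public
     */
    private boolean isInPublicUrlList( HttpServletRequest request, String strRequestedUrl )
    {
        String strList = AppPropertiesService.getProperty( PROPERTY_URL_PREFIX + PROPERTY_URL_SUFFIX_LIST );

        // No list configured: nothing is public (the original code threw a NullPointerException here)
        if ( strList == null )
        {
            return false;
        }

        StringTokenizer strTokens = new StringTokenizer( strList, CONSTANT_LIST_SEPARATOR );

        while ( strTokens.hasMoreTokens( ) )
        {
            String strName = strTokens.nextToken( ).trim( );

            if ( strName.isEmpty( ) )
            {
                continue;
            }

            // An unset entry resolves to null and can never equal the requested URL
            String strUrl = getAbsoluteUrl( request, AppPropertiesService.getProperty( PROPERTY_URL_PREFIX + strName ) );

            if ( strRequestedUrl.equals( strUrl ) )
            {
                return true;
            }
        }

        return false;
    }

    /**
     * Prefixes a relative URL with the base URL of the current request; URLs
     * already starting with {@code http://} or {@code https://} (lower case only)
     * are returned unchanged, as is {@code null}.
     *
     * @param request the current request
     * @param strUrl the relative or absolute URL, may be {@code null}
     * @return the absolute URL, or {@code null} when {@code strUrl} is {@code null}
     */
    private String getAbsoluteUrl( HttpServletRequest request, String strUrl )
    {
        if ( strUrl == null )
        {
            return null;
        }

        boolean bAlreadyAbsolute = strUrl.startsWith( CONSTANT_HTTP_PREFIX ) || strUrl.startsWith( CONSTANT_HTTPS_PREFIX );

        return bAlreadyAbsolute ? strUrl : AppPathService.getBaseUrl( request ) + strUrl;
    }

    /**
     * Builds the absolute URL the filter reasons about: the base URL followed by
     * the servlet path without its leading slash (presumably because the base URL
     * already ends with one).
     *
     * <p>The servlet path is empty for a request matched through a {@code /*}
     * mapping or for the context root; the original {@code substring(1)} threw
     * in that case, now the base URL alone is returned (and treated as private).
     *
     * @param request the current request
     * @return the absolute requested URL, without path info or query string
     */
    private String getRequestedUrl( HttpServletRequest request )
    {
        String strServletPath = request.getServletPath( );

        if ( strServletPath == null )
        {
            strServletPath = "";
        }
        else if ( strServletPath.startsWith( CONSTANT_PATH_SEPARATOR ) )
        {
            strServletPath = strServletPath.substring( 1 );
        }

        return AppPathService.getBaseUrl( request ) + strServletPath;
    }
}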