34 package fr.paris.lutece.portal.web.user;
35
36 import java.io.IOException;
37 import java.util.Enumeration;
38 import java.util.HashSet;
39 import java.util.Set;
40 import java.util.StringTokenizer;
41
42 import javax.servlet.Filter;
43 import javax.servlet.FilterChain;
44 import javax.servlet.FilterConfig;
45 import javax.servlet.ServletException;
46 import javax.servlet.ServletRequest;
47 import javax.servlet.ServletResponse;
48 import javax.servlet.http.HttpServletRequest;
49 import javax.servlet.http.HttpServletResponse;
50
51 import org.apache.commons.lang3.StringUtils;
52 import fr.paris.lutece.portal.service.admin.AccessDeniedException;
53 import fr.paris.lutece.portal.service.admin.AdminAuthenticationService;
54 import fr.paris.lutece.portal.service.admin.AdminUserService;
55 import fr.paris.lutece.portal.service.admin.PasswordResetException;
56 import fr.paris.lutece.portal.service.message.AdminMessage;
57 import fr.paris.lutece.portal.service.message.AdminMessageService;
58 import fr.paris.lutece.portal.service.security.SecurityTokenService;
59 import fr.paris.lutece.portal.service.security.UserNotSignedException;
60 import fr.paris.lutece.portal.service.util.AppLogService;
61 import fr.paris.lutece.portal.service.util.AppPathService;
62 import fr.paris.lutece.portal.service.util.AppPropertiesService;
63 import fr.paris.lutece.portal.web.constants.Messages;
64 import fr.paris.lutece.portal.web.constants.Parameters;
65 import fr.paris.lutece.util.url.UrlItem;
66
67
68
69
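/**
 * Servlet filter guarding the back-office (admin) JSPs.
 *
 * Access is denied by default: a request is let through to the filter chain only if
 * <ul>
 * <li>its URL is one of the built-in public URLs (login page, configured login page, logout page),</li>
 * <li>its URL is declared in the {@code path.jsp.admin.public.*} properties, or</li>
 * <li>an authenticated admin user is attached to the request and does not have to reset his password.</li>
 * </ul>
 * Otherwise the user is redirected to an {@link AdminMessageService} page that leads to the login page
 * (or to the change-password page when a password reset is pending).
 *
 * URL comparison is a plain string equality on the absolute URL built from the container-provided servlet
 * path, so it relies on the container having already decoded and normalised the path ({@code ..}, encoded
 * slashes, ...). The query string is not part of the comparison.
 */
public class AuthenticationFilter implements Filter
{
    /** Prefix of the properties declaring public admin URLs: {@code path.jsp.admin.public.<name>}. */
    private static final String PROPERTY_URL_PREFIX = "path.jsp.admin.public.";
    /** Suffix of the property holding the comma-separated list of public URL names. */
    private static final String PROPERTY_URL_SUFFIX_LIST = "list";
    private static final String CONSTANT_LIST_SEPARATOR = ",";
    private static final String PROPERTY_RESET_EXCEPTION_MESSAGE = "User must reset his password.";
    private static final String PROPERTY_JSP_URL_ADMIN_LOGOUT = "lutece.admin.logout.url";
    private static final String JSP_URL_ADMIN_LOGIN = "jsp/admin/AdminLogin.jsp";

    /**
     * {@inheritDoc}
     *
     * Nothing is read from the filter configuration: every setting comes from {@link AppPropertiesService}
     * and {@link AdminAuthenticationService} at request time.
     */
    @Override
    public void init( FilterConfig config ) throws ServletException
    {
        // intentionally empty: no web.xml init-params are used
    }

    /**
     * {@inheritDoc}
     *
     * The filter holds no state, so there is nothing to release.
     */
    @Override
    public void destroy( )
    {
        // intentionally empty
    }

    /**
     * Checks that the caller is allowed to reach the requested admin URL and either lets the request
     * go down the chain or redirects the caller to a message page.
     *
     * @param request
     *            the servlet request, expected to be an {@link HttpServletRequest}
     * @param response
     *            the servlet response, expected to be an {@link HttpServletResponse}
     * @param chain
     *            the remaining filter chain
     * @throws IOException
     *             if the redirect cannot be written or the chain throws
     * @throws ServletException
     *             if the chain throws
     */
    @Override
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException
    {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Supplier form: the URL is only built when debug logging is enabled.
        AppLogService.debug( "Accessing url : {}", ( ) -> getRequestedUrl( req ) );

        if ( isPrivateUrl( req ) && !checkAccess( req, resp ) )
        {
            // A redirect has already been sent; the protected resource must not be served.
            return;
        }

        chain.doFilter( request, response );
    }

    /**
     * Runs the authentication checks for a private URL and sends the appropriate redirect on failure.
     *
     * @param req
     *            the current request
     * @param resp
     *            the current response, used only to send a redirect
     * @return {@code true} if the request may proceed down the chain, {@code false} if a redirect was sent
     * @throws IOException
     *             if the redirect cannot be sent
     */
    private boolean checkAccess( HttpServletRequest req, HttpServletResponse resp ) throws IOException
    {
        try
        {
            filterAccess( req );
            return true;
        }
        catch( UserNotSignedException e )
        {
            redirectNotSigned( req, resp );
            return false;
        }
        catch( AccessDeniedException e )
        {
            // NOTE(review): a refused access is only traced at debug level; an audit trail would
            // normally want this at a higher level, but AppLogService only exposes debug( ) here.
            AppLogService.debug( "Access NOT granted to url : {}", ( ) -> getRequestedUrl( req ) );

            String strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_AUTH_FAILURE, getRedirectUrl( req ), AdminMessage.TYPE_ERROR );
            resp.sendRedirect( getAbsoluteUrl( req, strRedirectUrl ) );
            return false;
        }
        catch( PasswordResetException e )
        {
            return redirectPasswordReset( req, resp );
        }
    }

    /**
     * Handles a request with no signed-in user: remembers the requested URL as the post-login target and
     * redirects to an information (external authentication) or warning (internal authentication) page.
     *
     * @param req
     *            the current request
     * @param resp
     *            the current response
     * @throws IOException
     *             if the redirect cannot be sent
     */
    private void redirectNotSigned( HttpServletRequest req, HttpServletResponse resp ) throws IOException
    {
        AdminAuthenticationService authService = AdminAuthenticationService.getInstance( );
        authService.setLoginNextUrl( req );

        String strRedirectUrl;

        if ( authService.isExternalAuthentication( ) )
        {
            AppLogService.debug( "New session behind external authentication : {}", ( ) -> getRequestedUrl( req ) );
            strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_USER_NEW_SESSION, getRedirectUrlExternalAuthentication( req ),
                    AdminMessage.TYPE_INFO );
        }
        else
        {
            AppLogService.debug( "Access NOT granted to url : {}", ( ) -> getRequestedUrl( req ) );
            strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_USER_NOT_AUTHENTICATED, getRedirectUrl( req ),
                    AdminMessage.TYPE_WARNING );
        }

        resp.sendRedirect( getAbsoluteUrl( req, strRedirectUrl ) );
    }

    /**
     * Handles a signed-in user whose password must be reset. The change-password and login pages remain
     * reachable (otherwise the user could never fix the situation); any other private URL is redirected
     * to the change-password page.
     *
     * @param req
     *            the current request
     * @param resp
     *            the current response
     * @return {@code true} if the request targets the change-password or login page and may proceed,
     *         {@code false} if a redirect was sent
     * @throws IOException
     *             if the redirect cannot be sent
     */
    private boolean redirectPasswordReset( HttpServletRequest req, HttpServletResponse resp ) throws IOException
    {
        String strRequestedUrl = getRequestedUrl( req );
        String strChangePasswordUrl = getChangePasswordUrl( req );

        if ( strRequestedUrl.equals( strChangePasswordUrl ) || strRequestedUrl.equals( getLoginUrl( req ) ) )
        {
            return true;
        }

        String strRedirectUrl = AdminMessageService.getMessageUrl( req, Messages.MESSAGE_USER_MUST_CHANGE_PASSWORD, strChangePasswordUrl,
                AdminMessage.TYPE_ERROR );
        resp.sendRedirect( getAbsoluteUrl( req, strRedirectUrl ) );
        return false;
    }

    /**
     * Builds the URL the message page should link back to after an authentication failure.
     *
     * @param request
     *            the current request
     * @return the absolute login URL, or {@code null} if no login page URL is configured
     */
    private String getRedirectUrl( HttpServletRequest request )
    {
        String strLoginUrl = getLoginUrl( request );

        if ( strLoginUrl == null )
        {
            return null;
        }

        return new UrlItem( strLoginUrl ).getUrl( );
    }

    /**
     * @param request
     *            the current request
     * @return the absolute URL of the configured login page, or {@code null} if none is configured
     */
    private String getLoginUrl( HttpServletRequest request )
    {
        return getAbsoluteUrl( request, AdminAuthenticationService.getInstance( ).getLoginPageUrl( ) );
    }

    /**
     * @param request
     *            the current request
     * @return the absolute URL of the logout page taken from {@code lutece.admin.logout.url}, or {@code null}
     *         if the property is missing
     */
    private String getLogoutUrl( HttpServletRequest request )
    {
        return getAbsoluteUrl( request, AppPropertiesService.getProperty( PROPERTY_JSP_URL_ADMIN_LOGOUT ) );
    }

    /**
     * @param request
     *            the current request
     * @return the absolute URL of the change-password page, or {@code null} if none is configured
     */
    private String getChangePasswordUrl( HttpServletRequest request )
    {
        return getAbsoluteUrl( request, AdminAuthenticationService.getInstance( ).getChangePasswordPageUrl( ) );
    }

    /**
     * Tells whether the requested URL requires an authenticated admin user.
     *
     * Deny by default: a URL is public only if it is one of the built-in allowed URLs or is declared in
     * the {@code path.jsp.admin.public.*} properties.
     *
     * @param request
     *            the current request
     * @return {@code true} if authentication is required
     */
    private boolean isPrivateUrl( HttpServletRequest request )
    {
        String strUrl = getRequestedUrl( request );

        if ( createAllowedUrlSet( request ).contains( strUrl ) )
        {
            return false;
        }

        return !isInPublicUrlList( request, strUrl );
    }

    /**
     * Builds the set of URLs that must stay reachable without authentication: the default login JSP, the
     * configured login page and the logout page. Entries whose configuration is missing are {@code null}
     * and can never match a requested URL.
     *
     * @param request
     *            the current request, needed to compute absolute URLs
     * @return a fresh set of absolute URLs
     */
    private Set<String> createAllowedUrlSet( HttpServletRequest request )
    {
        Set<String> allowed = new HashSet<>( );
        allowed.add( getAbsoluteUrl( request, JSP_URL_ADMIN_LOGIN ) );
        allowed.add( getLoginUrl( request ) );
        allowed.add( getLogoutUrl( request ) );
        return allowed;
    }

    /**
     * Verifies that an authenticated admin user is attached to the request.
     *
     * @param request
     *            the current request
     * @throws UserNotSignedException
     *             if no user is registered in the session (internal authentication)
     * @throws AccessDeniedException
     *             if the authentication service refuses the user
     * @throws PasswordResetException
     *             (unchecked) if the user is signed in but flagged as having to reset his password
     */
    private static void filterAccess( HttpServletRequest request ) throws UserNotSignedException, AccessDeniedException
    {
        AdminAuthenticationService authService = AdminAuthenticationService.getInstance( );

        if ( authService.isExternalAuthentication( ) )
        {
            // The returned user is not needed here: only the exceptions this call raises matter.
            // NOTE(review): this branch skips the password-reset check; presumably the external
            // provider owns the credentials, verify this is intended.
            authService.getRemoteUser( request );
            return;
        }

        if ( authService.getRegisteredUser( request ) == null )
        {
            throw new UserNotSignedException( );
        }

        if ( AdminUserService.getAdminUser( request ).isPasswordReset( ) )
        {
            throw new PasswordResetException( PROPERTY_RESET_EXCEPTION_MESSAGE );
        }
    }

    /**
     * Tells whether the requested URL is declared as public in the properties.
     *
     * The property {@code path.jsp.admin.public.list} holds a comma-separated list of names; each name
     * {@code n} resolves to the URL held by {@code path.jsp.admin.public.n}. A missing or blank list means
     * nothing is public (fail closed). Names are trimmed so that {@code "a, b"} resolves both entries.
     *
     * @param request
     *            the current request, needed to compute absolute URLs
     * @param strRequestedUrl
     *            the absolute requested URL, as returned by {@link #getRequestedUrl(HttpServletRequest)}
     * @return {@code true} if the URL matches one of the declared public URLs
     */
    private boolean isInPublicUrlList( HttpServletRequest request, String strRequestedUrl )
    {
        String strList = AppPropertiesService.getProperty( PROPERTY_URL_PREFIX + PROPERTY_URL_SUFFIX_LIST );

        // Without this guard a missing property made StringTokenizer throw a NullPointerException.
        if ( StringUtils.isBlank( strList ) )
        {
            return false;
        }

        StringTokenizer tokens = new StringTokenizer( strList, CONSTANT_LIST_SEPARATOR );

        while ( tokens.hasMoreTokens( ) )
        {
            String strName = tokens.nextToken( ).trim( );

            if ( strName.isEmpty( ) )
            {
                continue;
            }

            // An undeclared name yields null here, which can never equal the requested URL.
            String strPublicUrl = getAbsoluteUrl( request, AppPropertiesService.getProperty( PROPERTY_URL_PREFIX + strName ) );

            if ( strRequestedUrl.equals( strPublicUrl ) )
            {
                return true;
            }
        }

        return false;
    }

    /**
     * Prepends the webapp base URL to a relative URL. Absolute {@code http://} / {@code https://} URLs are
     * returned unchanged (the scheme check is case-sensitive).
     *
     * @param request
     *            the current request, used to compute the base URL
     * @param strUrl
     *            a relative URL without leading slash, an absolute URL, or {@code null}
     * @return the absolute URL, or {@code null} if {@code strUrl} is {@code null}
     */
    private String getAbsoluteUrl( HttpServletRequest request, String strUrl )
    {
        if ( strUrl == null || strUrl.startsWith( "http://" ) || strUrl.startsWith( "https://" ) )
        {
            return strUrl;
        }

        return AppPathService.getBaseUrl( request ) + strUrl;
    }

    /**
     * Builds the absolute URL of the requested resource from the container-normalised servlet path.
     *
     * The leading slash of the servlet path is dropped so the result is comparable with the allowed URLs,
     * which are built by appending a slash-less relative path to the base URL. An empty or {@code null}
     * servlet path (possible for some servlet mappings) no longer makes this method throw.
     *
     * @param request
     *            the current request
     * @return base URL followed by the servlet path without its leading slash
     */
    private String getRequestedUrl( HttpServletRequest request )
    {
        String strServletPath = request.getServletPath( );

        if ( strServletPath == null )
        {
            strServletPath = StringUtils.EMPTY;
        }
        else if ( strServletPath.startsWith( "/" ) )
        {
            strServletPath = strServletPath.substring( 1 );
        }

        return AppPathService.getBaseUrl( request ) + strServletPath;
    }

    /**
     * Target URL for the "new session" message shown behind an external authentication: the URL the user
     * originally asked for, or the admin menu when none was recorded.
     *
     * NOTE(review): the next URL comes from AdminAuthenticationService; this filter does not validate that
     * it points inside the webapp, so the service is relied upon to only store server-derived URLs.
     *
     * @param request
     *            the current request
     * @return the URL to send the user to once the session is established
     */
    private String getRedirectUrlExternalAuthentication( HttpServletRequest request )
    {
        String strNextUrl = AdminAuthenticationService.getInstance( ).getLoginNextUrl( request );

        return StringUtils.isEmpty( strNextUrl ) ? AppPathService.getAdminMenuUrl( ) : strNextUrl;
    }
}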