View Javadoc
1   /*
2    * Copyright (c) 2002-2021, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.util.signrequest;
35  
36  import java.util.ArrayList;
37  import java.util.Date;
38  import java.util.List;
39  
40  import javax.servlet.http.HttpServletRequest;
41  
42  import fr.paris.lutece.util.signrequest.service.ClientKeyService;
43  
44  /**
45   * Client Header Hash Authenticator
46   */
47  public class ClientHeaderHashAuthenticator extends AbstractAuthenticator implements RequestAuthenticator
48  {
49      private static final String HEADER_SIGNATURE = "Lutece-Request-Signature";
50      private static final String HEADER_TIMESTAMP = "Lutece-Request-Timestamp";
51      private static final String HEADER_CLIENT_ID = "Lutece-Request-ClientID";
52  
53      private String _strClientId;
54      private ClientKeyService _clientKeyService;
55  
56      /**
57       * Set the client ID This setter should be used in the Spring context file of the CLIENT to declare the client ID.
58       * 
59       * @param strClientId
60       *            The client ID
61       */
62      public void setClientId( String strClientId )
63      {
64          _strClientId = strClientId;
65      }
66  
67      /**
68       * Set the clientKeyService This setter should be used in the Spring context file of the SERVER to provide a lookup service to find keys for given client
69       * ids.
70       * 
71       * @param clientKeyService
72       *            The client key service
73       */
74      public void setClientKeyService( ClientKeyService clientKeyService )
75      {
76          _clientKeyService = clientKeyService;
77      }
78  
79      /**
80       * {@inheritDoc }
81       */
82      @Override
83      public boolean isRequestAuthenticated( HttpServletRequest request )
84      {
85          String strHash1 = request.getHeader( HEADER_SIGNATURE );
86          String strTimestamp = request.getHeader( HEADER_TIMESTAMP );
87          String strClientId = request.getHeader( HEADER_CLIENT_ID );
88  
89          // no signature or timestamp
90          if ( ( strHash1 == null ) || ( strTimestamp == null ) || ( strClientId == null ) )
91          {
92              LOGGER.info( "SignRequest - Invalid signature" );
93  
94              return false;
95          }
96  
97          if ( !isValidTimestamp( strTimestamp ) )
98          {
99              LOGGER.info( "SignRequest - Invalid timestamp : " + strTimestamp );
100 
101             return false;
102         }
103 
104         List<String> listElements = new ArrayList<String>( );
105 
106         for ( String strParameter : getSignatureElements( ) )
107         {
108             String strValue = request.getParameter( strParameter );
109 
110             if ( strValue != null )
111             {
112                 listElements.add( strValue );
113             }
114         }
115 
116         String strClientKey = _clientKeyService.getKey( strClientId );
117         String strHash2 = buildSignature( listElements, strTimestamp, strClientKey );
118 
119         return strHash1.equals( strHash2 );
120     }
121 
122     /**
123      * {@inheritDoc }
124      */
125     @Override
126     public AuthenticateRequestInformations  getSecurityInformations( List<String> elements )
127     {
128         String strTimestamp = String.valueOf( new Date( ).getTime( ) );
129         String strClientKey = _clientKeyService.getKey( _strClientId );
130         String strSignature = buildSignature( elements, strTimestamp, strClientKey );
131         
132         return new AuthenticateRequestInformations().addSecurityHeader(HEADER_TIMESTAMP, strTimestamp ).addSecurityHeader(HEADER_CLIENT_ID, _strClientId).addSecurityHeader(HEADER_SIGNATURE, strSignature);
133         
134 
135     }
136 }