View Javadoc
1   /*
2    * Copyright (c) 2002-2021, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.util.signrequest;
35  
36  import java.util.ArrayList;
37  import java.util.Date;
38  import java.util.List;
39  import java.util.Map;
40  
41  import javax.servlet.http.HttpServletRequest;
42  
43  /**
44   * RequestHashAuthenticator
45   */
46  public class RequestHashAuthenticator extends AbstractPrivateKeyAuthenticator implements RequestAuthenticator
47  {
48      private static final String PARAMETER_SIGNATURE = "signature";
49      private static final String PARAMETER_TIMESTAMP = "timestamp";
50  
51      /**
52       * {@inheritDoc }
53       */
54      @Override
55      public boolean isRequestAuthenticated( HttpServletRequest request )
56      {
57          String strHash1 = request.getParameter( PARAMETER_SIGNATURE );
58          String strTimestamp = request.getParameter( PARAMETER_TIMESTAMP );
59  
60          // no signature or timestamp
61          if ( ( strHash1 == null ) || ( strTimestamp == null ) )
62          {
63              LOGGER.info( "SignRequest - Invalid signature" );
64  
65              return false;
66          }
67  
68          if ( !isValidTimestamp( strTimestamp ) )
69          {
70              LOGGER.info( "SignRequest - Invalid timestamp : " + strTimestamp );
71  
72              return false;
73          }
74  
75          List<String> listElements = new ArrayList<String>( );
76  
77          for ( String strParameter : getSignatureElements( ) )
78          {
79              String strValue = request.getParameter( strParameter );
80  
81              if ( strValue != null )
82              {
83                  listElements.add( strValue );
84              }
85          }
86  
87          String strHash2 = buildSignature( listElements, strTimestamp, getPrivateKey( ) );
88  
89          return strHash1.equals( strHash2 );
90      }
91  
92      /**
93       * {@inheritDoc }
94       */
95      @Override
96      public AuthenticateRequestInformations  getSecurityInformations( List<String> elements )
97      {
98      	
99          String strTimestamp = String.valueOf( new Date( ).getTime( ) );
100         String strSignature = buildSignature( elements, strTimestamp, getPrivateKey( ) );
101         
102         return new AuthenticateRequestInformations().addSecurityParameter(PARAMETER_TIMESTAMP,strTimestamp).addSecurityParameter(PARAMETER_SIGNATURE, strSignature);
103         		
104         
105         
106     }
107 
108     /**
109      * Add extra URL parameters
110      * 
111      * @param strUrl
112      *            The URL
113      * @param listElements
114      *            extra elements
115      * @return The new URL
116      */
117     public String addExtrasUrlParameters( String strUrl, List<String> listElements )
118     {
119         StringBuilder sbExtrasParameters = new StringBuilder( );
120 
121         if ( strUrl.contains( "=" ) )
122         {
123             sbExtrasParameters.append( strUrl ).append( '&' );
124         }
125         else
126         {
127             sbExtrasParameters.append( strUrl ).append( '?' );
128         }
129 
130         String strTimestamp = String.valueOf( new Date( ).getTime( ) );
131         sbExtrasParameters.append( PARAMETER_TIMESTAMP ).append( '=' ).append( strTimestamp );
132 
133         String strSignature = buildSignature( listElements, strTimestamp, getPrivateKey( ) );
134         sbExtrasParameters.append( '&' ).append( PARAMETER_SIGNATURE ).append( '=' ).append( strSignature );
135 
136         return sbExtrasParameters.toString( );
137     }
138 
139   
140 }