implement a new authentication filter, which uses a set of WebTokenGenerator to handle authentication requests

scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java

@@ -41,6 +41,7 @@ import com.google.inject.Singleton;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
 
+import sonia.scm.Priority;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.user.User;
@@ -55,14 +56,14 @@ import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import sonia.scm.Priority;
 
 /**
  *
  * @author Sebastian Sdorra
  */
 @Priority(Filters.PRIORITY_AUTHORIZATION)
-@WebElement(value = Filters.PATTERN_RESTAPI, morePatterns = {Filters.PATTERN_DEBUG})
+@WebElement(value = Filters.PATTERN_RESTAPI,
+  morePatterns = { Filters.PATTERN_DEBUG })
 public class SecurityFilter extends HttpFilter
 {
 
@@ -111,7 +112,7 @@ public class SecurityFilter extends HttpFilter
       if (hasPermission(subject))
       {
         chain.doFilter(new SecurityHttpServletRequestWrapper(request,
-          getUser(subject)), response);
+          getUsername(subject)), response);
       }
       else if (subject.isAuthenticated() || subject.isRemembered())
       {
@@ -144,7 +145,9 @@ public class SecurityFilter extends HttpFilter
    */
   protected boolean hasPermission(Subject subject)
   {
-    return ((configuration != null) && configuration.isAnonymousAccessEnabled()) || subject.isAuthenticated() || subject.isRemembered();
+    return ((configuration != null)
+      && configuration.isAnonymousAccessEnabled()) || subject.isAuthenticated()
+        || subject.isRemembered();
   }
 
   /**
@@ -155,20 +158,21 @@ public class SecurityFilter extends HttpFilter
    *
    * @return
    */
-  private User getUser(Subject subject)
+  private String getUsername(Subject subject)
   {
-    User user = null;
+    String username = SCMContext.USER_ANONYMOUS;
 
     if (subject.isAuthenticated() || subject.isRemembered())
     {
-      user = subject.getPrincipals().oneByType(User.class);
-    }
-    else
-    {
-      user = SCMContext.ANONYMOUS;
+      Object obj = subject.getPrincipal();
+
+      if (obj != null)
+      {
+        username = obj.toString();
+      }
     }
 
-    return user;
+    return username;
   }
 
   //~--- fields ---------------------------------------------------------------

scm-webapp/src/main/java/sonia/scm/web/BasicWebTokenGenerator.java

@@ -0,0 +1,117 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.web;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.codec.Base64;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import sonia.scm.plugin.Extension;
+import sonia.scm.util.Util;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@Extension
+public class BasicWebTokenGenerator extends SchemeBasedWebTokenGenerator
+{
+
+  /** Field description */
+  public static final String AUTHORIZATION_BASIC_PREFIX = "basic";
+
+  /** Field description */
+  public static final String CREDENTIAL_SEPARATOR = ":";
+
+  /**
+   * the logger for BasicWebTokenGenerator
+   */
+  private static final Logger logger =
+    LoggerFactory.getLogger(BasicWebTokenGenerator.class);
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param scheme
+   * @param authorization
+   *
+   * @return
+   */
+  @Override
+  protected UsernamePasswordToken createToken(HttpServletRequest request,
+    String scheme, String authorization)
+  {
+    UsernamePasswordToken authToken = null;
+
+    if (AUTHORIZATION_BASIC_PREFIX.equalsIgnoreCase(scheme))
+    {
+      String token = new String(Base64.decode(authorization.getBytes()));
+
+      int index = token.indexOf(CREDENTIAL_SEPARATOR);
+
+      if ((index > 0) && (index < token.length()))
+      {
+        String username = token.substring(0, index);
+        String password = token.substring(index + 1);
+
+        if (Util.isNotEmpty(username) && Util.isNotEmpty(password))
+        {
+          logger.trace("try to authenticate user {}", username);
+          authToken = new UsernamePasswordToken(username, password);
+        }
+        else if (logger.isWarnEnabled())
+        {
+          logger.warn("username or password is null/empty");
+        }
+      }
+      else if (logger.isWarnEnabled())
+      {
+        logger.warn("failed to read basic auth credentials");
+      }
+    }
+
+    return authToken;
+  }
+}

scm-webapp/src/main/java/sonia/scm/web/BearerWebTokenGenerator.java

@@ -0,0 +1,80 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.web;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import sonia.scm.security.BearerAuthenticationToken;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.servlet.http.HttpServletRequest;
+import sonia.scm.plugin.Extension;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@Extension
+public class BearerWebTokenGenerator extends SchemeBasedWebTokenGenerator
+{
+
+  /** Field description */
+  public static final String AUTHORIZATION_BEARER_PREFIX = "BEARER";
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param scheme
+   * @param authorization
+   *
+   * @return
+   */
+  @Override
+  protected BearerAuthenticationToken createToken(HttpServletRequest request,
+    String scheme, String authorization)
+  {
+    BearerAuthenticationToken token = null;
+
+    if (AUTHORIZATION_BEARER_PREFIX.equalsIgnoreCase(scheme))
+    {
+      token = new BearerAuthenticationToken(authorization);
+    }
+
+    return token;
+  }
+}

scm-webapp/src/main/java/sonia/scm/web/CookieBearerWebTokenGenerator.java

@@ -0,0 +1,89 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.web;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.common.annotations.VisibleForTesting;
+import sonia.scm.plugin.Extension;
+import sonia.scm.security.BearerAuthenticationToken;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@Extension
+public class CookieBearerWebTokenGenerator implements WebTokenGenerator
+{
+
+  /** Field description */
+  @VisibleForTesting
+  static final String COOKIE_NAME = "X-Bearer-Token";
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   *
+   * @return
+   */
+  @Override
+  public BearerAuthenticationToken createToken(HttpServletRequest request)
+  {
+    BearerAuthenticationToken token = null;
+    Cookie[] cookies = request.getCookies();
+
+    if (cookies != null)
+    {
+      for (Cookie cookie : cookies)
+      {
+        if (COOKIE_NAME.equals(cookie.getName()))
+        {
+          token = new BearerAuthenticationToken(cookie.getValue());
+
+          break;
+        }
+      }
+    }
+
+    return token;
+  }
+}

scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java

@@ -41,12 +41,15 @@ import sonia.scm.Priority;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.filter.Filters;
 import sonia.scm.filter.WebElement;
-import sonia.scm.web.filter.BasicAuthenticationFilter;
+import sonia.scm.web.filter.AuthenticationFilter;
+import sonia.scm.web.WebTokenGenerator;
 
 //~--- JDK imports ------------------------------------------------------------
 
 import java.io.IOException;
 
+import java.util.Set;
+
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -57,8 +60,9 @@ import javax.servlet.http.HttpServletResponse;
  * @author Sebastian Sdorra
  */
 @Priority(Filters.PRIORITY_AUTHENTICATION)
-@WebElement(value = Filters.PATTERN_RESTAPI, morePatterns = { Filters.PATTERN_DEBUG })
-public class ApiBasicAuthenticationFilter extends BasicAuthenticationFilter
+@WebElement(value = Filters.PATTERN_RESTAPI,
+  morePatterns = { Filters.PATTERN_DEBUG })
+public class ApiAuthenticationFilter extends AuthenticationFilter
 {
 
   /** Field description */
@@ -77,11 +81,13 @@ public class ApiBasicAuthenticationFilter extends BasicAuthenticationFilter
    *
    *
    * @param configuration
+   * @param tokenGenerators
    */
   @Inject
-  public ApiBasicAuthenticationFilter(ScmConfiguration configuration)
+  public ApiAuthenticationFilter(ScmConfiguration configuration,
+    Set<WebTokenGenerator> tokenGenerators)
   {
-    super(configuration);
+    super(configuration, tokenGenerators);
   }
 
   //~--- methods --------------------------------------------------------------