
1   /**
2    * Copyright 2011-2013 The Kuali Foundation Licensed under the
3    * Educational Community License, Version 2.0 (the "License"); you may
4    * not use this file except in compliance with the License. You may
5    * obtain a copy of the License at
6    *
7    * http://www.osedu.org/licenses/ECL-2.0
8    *
9    * Unless required by applicable law or agreed to in writing,
10   * software distributed under the License is distributed on an "AS IS"
11   * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
12   * or implied. See the License for the specific language governing
13   * permissions and limitations under the License.
14   */
15  
16  package org.kuali.mobility.security.authn.interceptors;
17  
18  import javax.servlet.http.HttpServletRequest;
19  import javax.servlet.http.HttpServletResponse;
20  
21  import org.apache.log4j.Logger;
22  import org.kuali.mobility.security.authn.entity.User;
23  import org.kuali.mobility.security.authn.entity.UserImpl;
24  import org.kuali.mobility.security.authn.util.AuthenticationConstants;
25  import org.springframework.web.servlet.HandlerInterceptor;
26  import org.springframework.web.servlet.ModelAndView;
27  
28  /**
29   * The RemoteUserInterceptor looks for a remote_user and creates a user 
30   * object in the session for it.  It is the base hook to start an authenticated 
31   * session. All authN and authZ should either be added to it or come after 
32   * it in the filter/interceptor chain.
33   */
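public class RemoteUserInterceptor implements HandlerInterceptor {
	private static final Logger LOG = Logger.getLogger( RemoteUserInterceptor.class );

	/**
	 * Reconciles the container-supplied remote user (REMOTE_USER) with the
	 * {@link User} stored in the session under
	 * {@link AuthenticationConstants#KME_USER_KEY}, creating a {@link UserImpl}
	 * there if none exists yet.
	 * <p>
	 * When a remote user is present it is adopted by a public session user, or,
	 * if the session already holds a different principal, the session is
	 * invalidated and a 401 is sent. When no remote user is present, a session
	 * user whose principal is not the expected public principal for this
	 * session id is reset to that public principal.
	 *
	 * @param request  current request; the container's {@code getRemoteUser()} is the identity source
	 * @param response used only to send a 401 on an identity mismatch
	 * @param handler  the selected handler (unused)
	 * @return {@code true} to continue the handler chain; {@code false} once a 401
	 *         has been sent, so the handler does not run against the freshly
	 *         created, unpopulated session
	 * @throws Exception propagated from {@code response.sendError}
	 */
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
		User user = (User) request.getSession(true).getAttribute( AuthenticationConstants.KME_USER_KEY );
		if( user == null )
		{
			user = new UserImpl();
			request.getSession().setAttribute( AuthenticationConstants.KME_USER_KEY, user );
		}

		// Read the container value once; it is compared and logged several times.
		String remoteUser = request.getRemoteUser();
		if( remoteUser != null && !remoteUser.isEmpty() )
		{
			return reconcileRemoteUser( request, response, user, remoteUser );
		}
		reconcilePublicUser( request, user );
		return true;
	}

	/**
	 * Handles the case where the container supplied a non-empty remote user.
	 *
	 * @return {@code false} when the session was invalidated and a 401 sent, else {@code true}
	 */
	private boolean reconcileRemoteUser(HttpServletRequest request, HttpServletResponse response, User user, String remoteUser) throws Exception {
		if( user.isPublicUser() )
		{
			// NOTE(review): the session id is kept across the public -> authenticated
			// transition here; rotating it at this point (e.g. by invalidating and
			// re-creating the session, or request.changeSessionId() on Servlet 3.1+)
			// would close the session-fixation window — confirm against the
			// servlet version in use before changing.
			user.setPrincipalName( remoteUser );
			return true;
		}
		if( !remoteUser.equalsIgnoreCase( user.getPrincipalName() ) )
		{
			LOG.info( "Identify mismatch. Expected ["+user.getPrincipalName()+"] recieved ["+remoteUser+"]" );
			user.invalidateUser();
			request.getSession().invalidate();
			request.getSession(true);
			response.sendError(401, "Identity Mismatch.  Attempting to override existing user with a new one." );
			// The error response is committed and the new session carries no user:
			// stop the chain instead of letting the handler run in that state.
			return false;
		}
		return true;
	}

	/**
	 * Handles the case where no remote user was supplied: the session user must
	 * be the public principal derived from the current session id.
	 */
	private void reconcilePublicUser(HttpServletRequest request, User user) {
		String principal = user.getPrincipalName();
		if( principal == null )
		{
			return;
		}
		String expectedPublicPrincipal = AuthenticationConstants.PUBLIC_USER + request.getSession().getId();
		if( !principal.startsWith( AuthenticationConstants.PUBLIC_USER ) )
		{
			// An authenticated principal without a backing REMOTE_USER is downgraded.
			LOG.info( "Identity mismatch. Session user populated when no REMOTE_USER provided. User removed from session." );
			user.setPrincipalName( expectedPublicPrincipal );
		}
		else if( !principal.equalsIgnoreCase( expectedPublicPrincipal ) )
		{
			// Public principal minted for a different session id: reset it.
			LOG.info( "Identity mismatch. Public user key does not match expected id. User updated in session.");
			user.invalidateUser();
			user.setPrincipalName( expectedPublicPrincipal );
		}
	}

	/** No-op: this interceptor only acts before the handler runs. */
	@Override
	public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {}

	/** No-op: this interceptor only acts before the handler runs. */
	@Override
	public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {}

}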