
1   /**
2    * Copyright 2011-2013 The Kuali Foundation Licensed under the
3    * Educational Community License, Version 2.0 (the "License"); you may
4    * not use this file except in compliance with the License. You may
5    * obtain a copy of the License at
6    *
7    * http://www.osedu.org/licenses/ECL-2.0
8    *
9    * Unless required by applicable law or agreed to in writing,
10   * software distributed under the License is distributed on an "AS IS"
11   * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
12   * or implied. See the License for the specific language governing
13   * permissions and limitations under the License.
14   */
15  
16  package org.kuali.mobility.security.authn.interceptors;
17  
18  import org.apache.log4j.Logger;
19  import org.kuali.mobility.security.authn.util.AuthenticationConstants;
20  import org.kuali.mobility.security.user.api.User;
21  import org.kuali.mobility.security.user.api.UserDao;
22  import org.kuali.mobility.security.user.entity.UserImpl;
23  import org.springframework.beans.factory.annotation.Autowired;
24  import org.springframework.beans.factory.annotation.Qualifier;
25  import org.springframework.web.servlet.HandlerInterceptor;
26  import org.springframework.web.servlet.ModelAndView;
27  
28  import javax.servlet.http.HttpServletRequest;
29  import javax.servlet.http.HttpServletResponse;
30  
31  /**
32   * The RemoteUserInterceptor looks for a remote_user and creates a user 
33   * object in the session for it.  It is the base hook to start an authenticated 
34   * session. All authN and authZ should either be added to it or come after 
35   * it in the filter/interceptor chain.
36   */
37  public class RemoteUserInterceptor implements HandlerInterceptor {
38  	private static final Logger LOG = Logger.getLogger( RemoteUserInterceptor.class );
39  
40  	@Autowired
41  	@Qualifier("kmeUserDao")
42  	private UserDao userDao;
43  
44  	@Override
45  	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
46  		User user = (User)request.getSession(true).getAttribute( AuthenticationConstants.KME_USER_KEY );
47  		if( user == null )
48  		{
49  			user = new UserImpl();
50  			request.getSession().setAttribute( AuthenticationConstants.KME_USER_KEY, user );
51  		}
52  		if( request.getRemoteUser() != null && !request.getRemoteUser().isEmpty() )
53  		{
54  			if( user.isPublicUser() )
55  			{
56  				User existingUser = getUserDao().loadUserByLoginName(request.getRemoteUser());
57  				if( existingUser == null ) {
58  					user.setLoginName(request.getRemoteUser());
59  					getUserDao().saveUser(user);
60  				} else {
61  					request.getSession().setAttribute( AuthenticationConstants.KME_USER_KEY, existingUser );
62  				}
63  			}
64  			else if( !request.getRemoteUser().equalsIgnoreCase( user.getLoginName() ) )
65  			{
66  				LOG.info( "Identify mismatch. Expected ["+user.getLoginName()+"] recieved ["+request.getRemoteUser()+"]" );
67  				user.invalidateUser();
68  				request.getSession().invalidate();
69  				request.getSession(true);
70  				response.sendError(401, "Identity Mismatch.  Attempting to override existing user with a new one." );
71  			}
72  		}
73  		else
74  		{
75  			if( user.getLoginName() != null )
76  			{
77  				if( !user.getLoginName().startsWith( AuthenticationConstants.PUBLIC_USER ) )
78  				{
79  					LOG.info( "Identity mismatch. Session user populated when no REMOTE_USER provided. User removed from session." );
80  					user.setLoginName(AuthenticationConstants.PUBLIC_USER + request.getSession().getId());
81  				}
82  				else if( !user.getLoginName().equalsIgnoreCase( AuthenticationConstants.PUBLIC_USER + request.getSession().getId() ) )
83  				{
84  					LOG.info( "Identity mismatch. Public user key does not match expected id. User updated in session.");
85  					user.invalidateUser();
86  					user.setLoginName(AuthenticationConstants.PUBLIC_USER + request.getSession().getId());
87  				}
88  			}
89  		}
90  		return true;
91  	}
92  
93  	@Override
94  	public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {}
95  
96  	@Override
97  	public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {}
98  
99  	public UserDao getUserDao() {
100 		return userDao;
101 	}
102 
103 	public void setUserDao(UserDao userDao) {
104 		this.userDao = userDao;
105 	}
106 }