Source code: com/lutris/http/BasicAuth.java

   /*
    * Enhydra Java Application Server Project
    * 
    * The contents of this file are subject to the Enhydra Public License
    * Version 1.1 (the "License"); you may not use this file except in
    * compliance with the License. You may obtain a copy of the License on
    * the Enhydra web site ( http://www.enhydra.org/ ).
    * 
    * Software distributed under the License is distributed on an "AS IS"
   * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See 
   * the License for the specific terms governing rights and limitations
   * under the License.
   * 
   * The Initial Developer of the Enhydra Application Server is Lutris
   * Technologies, Inc. The Enhydra Application Server and portions created
   * by Lutris Technologies, Inc. are Copyright Lutris Technologies, Inc.
   * All Rights Reserved.
   * 
   * Contributor(s):
   * 
   * $Id: BasicAuth.java,v 1.10.14.1 2000/10/19 17:59:07 jasona Exp $
   */
  
  
  
  
  package com.lutris.http;
  
  import com.lutris.appserver.server.httpPresentation.HttpPresentationRequest;
  import com.lutris.appserver.server.httpPresentation.HttpPresentationResponse;
  import com.lutris.appserver.server.httpPresentation.HttpPresentationException;
  import com.lutris.appserver.server.jolt.joltpo.JoltRequest;
  import com.lutris.appserver.server.jolt.joltpo.JoltResponse;
  import com.lutris.util.Convert;
  import javax.servlet.http.*;
  
  /**
   * Methods to be used to implement the HTTP Basic Auth authorization
   * method. This is the standard username/password mechanism in use all
   * over the web. <P>
   *
   * Note: the username and password are sent over the net base64 encoded,
   * which is practically clear text. So this method is no more secure than
   * the communication channel being used. <P>
   *
   * Usage: <BR>
   * When a request comes in, before responding to it, call
   * <CODE>getAuthentication()</CODE>. It will return the username and
   * password that was sent along with the request. If no authorization was
   * sent, null is returned. The caller is then responsible for deciding if
   * the username and password are valid. <P>
   *
   * If the caller decides that the authorization is not sufficient, 
   * a <CODE>PageUnauthorizedException</CODE> should be thrown. <P>
   * 
   * If you are writing a LBS application, the recommended place to put
   * this processing is in your Application's <CODE>requestPreprocessor()</CODE>
   * function. That function is called for every request, before the
   * presentation objects are called.
   *
   * @see com.lutris.appserver.server.httpPresentation.PageUnauthorizedException
   * @version     $Revision: 1.10.14.1 $
   * @author      Andy John
   */
  public class BasicAuth {
  
      // Private constructor, so no instances. Just use the static methods.
      private BasicAuth() {}
  
      /**
       * Checks to see if the authorization matches the given username
       * and password. If not, or if no authorization was sent, false is
       * returned. If req, username or password are null, then it is assumed
       * that authentication is not being used, and all requests are allowed.
       * 
       * @param  req       The request to authenticate.
       * @return  The username and password, or null if no authorization was
       * sent.
       */
      public static BasicAuthResult getAuthentication(
                                          HttpPresentationRequest req) {
          if (req == null)
              return null;
          String authHeader = null;
          try {
              authHeader = req.getHeader("Authorization");
          } catch (HttpPresentationException hpe) {
          }
          return getAuth(authHeader);
      }
  
  
      /**
       * Checks to see if the authorization matches the given username
       * and password. If not, or if no authorization was sent, false is
       * returned. If req, username or password are null, then it is assumed
       * that authentication is not being used, and all requests are allowed.
       * 
       * @param  req       The request to authenticate.
      * @return  The username and password, or null if no authorization was
      * sent.
      */
     public static BasicAuthResult getAuthentication(JoltRequest req) {
         if (req == null)
             return null;
         String authHeader = null;
         try {
             authHeader = req.getHeader("Authorization");
         } catch (HttpPresentationException hpe) {
         }
         return getAuth(authHeader);
     }
 
 
     /**
      * Extracts and returns the username and password using the HTTP
      * Basic Auth method. If no authorization was sent, null is
      * returned. Use this flavor if you are writing a non-Enhydra
      * servlet.
      * 
      * @param  req       The request to authenticate.
      * @return  The username and password, or null if no authorization was
      * sent.
      */
     public static BasicAuthResult getAuthentication(HttpServletRequest req) {
         if (req == null)
             return null;
         return getAuth(req.getHeader("Authorization"));
     }
 
 
     private static BasicAuthResult getAuth(String authHeader) {
         if (authHeader == null)
             // No auth header was sent. Deny the request.
             return null;
         /*
             Now decode the username and password.
         */
         if (!authHeader.startsWith("Basic "))
             // Syntax error in auth header.
             return null;
         authHeader = authHeader.substring(6);
         byte[] bytes = Convert.fromBase64String(authHeader);
         authHeader = new String(bytes);
         int colon = authHeader.indexOf(":");
         if (colon < 0)
             // Syntax error in auth header.
             return null;
         String un = authHeader.substring(0, colon);
         String pw = authHeader.substring(colon + 1);
         return new BasicAuthResult(un, pw);
     }
 
 }