realm.
*/
protected String loaded_realm = null ;
/**
* Get a pointer to our realm, and initialize our ipmatcher.
*/
protected synchronized void acquireRealm() {
// Get our catalog:
if ( catalog == null ) {
httpd server = ((HTTPResource) getTargetResource()).getServer() ;
catalog = server.getRealmsCatalog() ;
}
// Check that our realm name is valid:
String name = getRealm() ;
if ( name == null )
return ;
if ((realm != null) && name.equals(loaded_realm))
return ;
// Load the realm and create the ipmtacher object
realm = catalog.loadRealm(name) ;
ipmatcher = new IPMatcher() ;
Enumeration enum = realm.enumerateUserNames() ;
while (enum.hasMoreElements()) {
String uname = (String) enum.nextElement() ;
AuthUser user = (AuthUser) realm.loadUser(uname) ;
short ips[][] = user.getIPTemplates() ;
if ( ips != null ) {
for (int i = 0 ; i < ips.length ; i++)
ipmatcher.add(ips[i], user) ;
}
}
}
/**
*Checks to see whether or not the a valid preexisting nonce is coming in from a specific IP.
*@param ip The clients ip address.
*@returns A Vector containing two objects, a boolean specifying whether or not it succeeded, and a nonce if it did succeed and is null if it didn't.
*/
public Vector checkIP_Nonce(InetAddress ip, Vector allowed_nonces)
{
Boolean flag = new Boolean(false);
String nonce = null;
Vector return_vector = new Vector(2);
Date current_time = new Date();
int i = 0;
while (i < allowed_nonces.size())
{
Vector current_nonce = (Vector) allowed_nonces.elementAt(i);
String Vector_nonce = (String) current_nonce.elementAt(0);
Date Vector_date = (Date) current_nonce.elementAt(1);
InetAddress Vector_ip = (InetAddress) current_nonce.elementAt(2);
if (ip.equals(Vector_ip))
if (checkTime(current_time, Vector_date))
{
flag = new Boolean(true);
nonce = Vector_nonce;
}
else
{
allowed_nonces.removeElementAt(i);
}
i++;
}
return_vector.insertElementAt(flag, 0);
return_vector.insertElementAt(nonce, 1);
return return_vector;
}
/**
*Creates a new nonce or issues the same one depending on whether or not an existing nonce is still valid for that IP.
*@param request The client's request.
*@return String containing the proper nonce.
*/
private synchronized String createNonce(Request request) {
InetAddress IP = request.getClient().getInetAddress();
Date date = new Date();
Md5 creator = new Md5(IP.toString()+date.toString()+"myprivatekey");
creator.processString();
String nonce = creator.getStringDigest();
Vector element = new Vector(3);
element.insertElementAt(nonce, 0);
element.insertElementAt(date, 1);
element.insertElementAt(IP, 2);
if (getNonces() == null)
{
Vector allowed_nonces = new Vector(1, 1);
allowed_nonces.addElement(element);
setValue(ATTR_ALLOWED_NONCES, allowed_nonces);
return nonce;
}
else
{
Vector checkNonceVector = checkIP_Nonce(IP, getNonces());
Boolean IPcheck = (Boolean) checkNonceVector.elementAt(0);
if (IPcheck.booleanValue())
{
return (String) checkNonceVector.elementAt(1);
}
else
{
Vector allowed_nonces = getNonces();
allowed_nonces.addElement(element);
setValue(ATTR_ALLOWED_NONCES, allowed_nonces);
return nonce;
}
}
}
/**
* Check that our realm does exist.
* Otherwise we are probably being initialized, and we don't authenticate
* yet.
* @return A boolean true if realm can be initialized.
*/
protected synchronized boolean checkRealm() {
acquireRealm() ;
return (ipmatcher != null) ;
}
/**
* Get the list of allowed users.
*/
public String[] getAllowedUsers() {
return (String[]) getValue(ATTR_ALLOWED_USERS, null) ;
}
/**
* Get the list of allowed groups.
*/
public String[] getAllowedGroups() {
return (String[]) getValue(ATTR_ALLOWED_GROUPS, null) ;
}
/**
*Gets the list of allowed nonces.
*/
public Vector getNonces() {
return (Vector) getValue(ATTR_ALLOWED_NONCES, null);
}
/**
* Lookup a user by its IP address.
* @param ipaddr The IP address to look for.
* @return An AuthUser instance or null.
*/
public synchronized AuthUser lookupUser (InetAddress ipaddr) {
if ( ipmatcher == null )
acquireRealm() ;
return (AuthUser) ipmatcher.lookup(ipaddr.getAddress()) ;
}
/**
* Lookup a user by its name.
* @param name The user's name.
* @return An AuthUser instance, or null.
*/
public synchronized AuthUser lookupUser (String name) {
if ( realm == null )
acquireRealm() ;
return (AuthUser) realm.loadUser(name) ;
}
/**
*Checks the timestamp of the nonce to see whether or not its valid.
*@param date The current date.
*@param Nonce_date The nonce's date.
*@return boolean specifying whether the nonce's date was within time limits.
*/
public boolean checkTime(Date date, Date Nonce_date)
{
long totaltime_nonce = Nonce_date.getTime();
long totaltime_current = date.getTime();
if ( (totaltime_current - totaltime_nonce) < 60000)
{return true;
}
else
{return false;
}
}
/**
*Checks the clients nonce to see whether or not it is the correct one from that client/user.
*@param ctxt The Digest auth context
*@param ip The client's IP address.
*@return boolean whether or not the nonce succeeded.
*/
public boolean checkNonce(DigestAuthContext ctxt, InetAddress ip)
{
Date current_time = new Date();
String nonce = ctxt.nonce;
Vector allowed_nonces = getNonces();
if (allowed_nonces == null)
{return false;
}
else
{
int i = 0;
while (i < allowed_nonces.size())
{
Vector current_nonce = (Vector) allowed_nonces.elementAt(i);
String Vector_nonce = (String) current_nonce.elementAt(0);
Date Vector_date = (Date) current_nonce.elementAt(1);
InetAddress Vector_ip = (InetAddress) current_nonce.elementAt(2);
if (nonce.equals(Vector_nonce)){
if (ip.equals(Vector_ip)){
if (checkTime(current_time, Vector_date))
{
return true;
}
else
{
allowed_nonces.removeElementAt(i);
setValue(ATTR_ALLOWED_NONCES, allowed_nonces);
}
}
}
i++;
}
return false;
}
}
/**
* Check the given Digest context against our database.
* @param ctxt The Digest auth context to check.
* @param method The method used to access this resource.
* @return A AuthUser instance if check succeeded, null
* otherwise.
*/
protected AuthUser checkDigestAuth (DigestAuthContext ctxt, String method)
{
AuthUser user = lookupUser(ctxt.user) ;
// This user doesn't even exists !
if ( user == null )
{return null ;}
// If it has a password check it
String password = "";
if ( user.definesAttribute("password") )
{
password = user.getPassword();
}
//Construct response on server to see if they match
Md5 A1 = new Md5(ctxt.user + ":" + ctxt.realm + ":" + password);
Md5 A2 = new Md5(method + ":" + ctxt.uri);
A1.processString();
A2.processString();
String HA1 = A1.getStringDigest();
String HA2 = A2.getStringDigest();
Md5 final_response_string = new Md5(HA1 + ":" + ctxt.nonce + ":" + HA2);
final_response_string.processString();
if (ctxt.response.equals(final_response_string.getStringDigest()))
{
return user;
}
else
{
return null;
}
}
/**
* Is this user allowed in the realm ?
* First check in the list of allowed users (if any), than in the list
* of allowed groups (if any). If no allowed users or allowed groups
* are defined, than simply check for the existence of this user.
* @return A boolean true if access allowed.
*/
protected boolean checkUser(AuthUser user) {
String allowed_users[] = getAllowedUsers() ;
// Check in the list of allowed users:
if ( allowed_users != null ) {
for (int i = 0 ; i < allowed_users.length ; i++) {
if (allowed_users[i].equals(user.getName()))
return true ;
}
}
// Check in the list of allowed groups:
String allowed_groups[] = getAllowedGroups() ;
if ( allowed_groups != null ) {
String ugroups[] = user.getGroups() ;
if ( ugroups != null ) {
for (int i = 0 ; i < ugroups.length ; i++) {
for (int j = 0 ; j < allowed_groups.length ; j++) {
if ( allowed_groups[j].equals(ugroups[i]) )
return true ;
}
}
}
}
// If no users or groups specified, return true
if ((allowed_users == null) && (allowed_groups == null))
return true ;
return false ;
}
/**
* Authenticate the given request.
* We first check for valid authentication information. If no
* authentication is provided, than we try to map the IP address to some
* of the ones we know about. If the IP address is not found, we challenge
* the client for a password.
* If the IP address is found, than either our user entry requires an * extra password step (in wich case we challenge it), or simple IP * based authentication is enough, so we allow the request. * @param request The request to be authentified. */ public void authenticate (Request request) throws HTTPException { // Are we being edited ? if ( ! checkRealm() ) return ; // Internal requests always allowed: Client client = request.getClient() ; if ( client == null ) return ; // Check for User by IP address: boolean ipchecked = false ; AuthUser user = lookupUser(client.getInetAddress()); if ( user != null ) { ipchecked = true ; // Good the user exists, does it need more authentication ? if ( ! user.definesAttribute("password") && checkUser(user)) { request.defineField("authuser", user.getName()) ; request.defineField("authtype", "ip"); return ; } } // Check the basic authentication informations: if ( request.hasField("authorization") ) { System.out.println("@@@@@@@@@@ it has authorization header!!!!"); DigestAuthContext ctxt = null ; try { ctxt = new DigestAuthContext(request) ; } catch (DigestAuthContextException ex) { ctxt = null ; } // Is that user allowed ? if ( ctxt != null ) { user = checkDigestAuth(ctxt, request.getMethod()) ; if (checkUser(user) && (user != null) && checkNonce(ctxt, client.getInetAddress())) { // Check that if IP auth was required, it succeeded: boolean iprequired = user.definesAttribute("ipaddress") ; if ( ( ! iprequired) || ipchecked ) { // Set the request fields, and continue: request.defineField("authuser", ctxt.user); request.defineField("authtype", "Digest") ; return ; } } } } // Every possible scheme has failed for this request, emit an error Reply e = request.makeReply(HTTP.UNAUTHORISED); HtmlGenerator g = new HtmlGenerator("Unauthorised"); e.setWWWAuthenticate ("Digest", "realm=\"" + getRealm() + "\"," + "nonce=\"" + createNonce(request) + "\"," + "algorithm=\"" + "\"Md5\"" ) ; g.append ("
You are denied access to this resource."); e.setStream(g); throw new HTTPException (e); } /** * Initialize the filter. */ public void initialize(Object values[]) { super.initialize(values) ; } }