ServletSecurityProvider.java (Apache Axis 1.4)

File	Doc	Category	Size	Date	Package
ServletSecurityProvider.java	API Doc	Apache Axis 1.4	3156	Sat Apr 22 18:57:28 BST 2006	org.apache.axis.security.servlet
ServletSecurityProvider.java

/*
 * Copyright 2001-2004 The Apache Software Foundation.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.axis.security.servlet;

import org.apache.axis.MessageContext;
import org.apache.axis.components.logger.LogFactory;
import org.apache.axis.security.AuthenticatedUser;
import org.apache.axis.security.SecurityProvider;
import org.apache.axis.transport.http.HTTPConstants;
import org.apache.axis.utils.Messages;
import org.apache.commons.logging.Log;

import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.HashMap;


/**
 * A ServletSecurityProvider, combined with the ServletAuthenticatedUser
 * class, allows the standard servlet security mechanisms (isUserInRole(),
 * etc.) to integrate with Axis' access control mechanism.
 *
 * By utilizing this class (which the AxisServlet can be configured to
 * do automatically), authentication and role information will come from
 * your servlet engine.
 *
 * @author Glen Daniels (gdaniels@apache.org)
 */
public class ServletSecurityProvider implements SecurityProvider {
    protected static Log log =
        LogFactory.getLog(ServletSecurityProvider.class.getName());

    static HashMap users = null;

    /** Authenticate a user from a username/password pair.
     *
     * @param username the user name to check
     * @param password the password to check
     * @return an AuthenticatedUser or null
     */
    public AuthenticatedUser authenticate(MessageContext msgContext) {
        HttpServletRequest req = (HttpServletRequest)msgContext.getProperty(
                                      HTTPConstants.MC_HTTP_SERVLETREQUEST);

        if (req == null)
            return null;

        log.debug(Messages.getMessage("got00", "HttpServletRequest"));

        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            log.debug(Messages.getMessage("noPrincipal00"));
            return null;
        }

        log.debug(Messages.getMessage("gotPrincipal00",  principal.getName()));

        return new ServletAuthenticatedUser(req);
    }

    /** See if a user matches a principal name.  The name might be a user
     * or a group.
     *
     * @return true if the user matches the passed name
     */
    public boolean userMatches(AuthenticatedUser user, String principal) {
        if (user == null) return principal == null;

        if (user instanceof ServletAuthenticatedUser) {
            ServletAuthenticatedUser servletUser = (ServletAuthenticatedUser)user;
            return servletUser.getRequest().isUserInRole(principal);
        }

        return false;
    }
}