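/**
 * Copyright 2005-2016 The Kuali Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.opensource.org/licenses/ecl2.php
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.kuali.rice.kew.web;

import org.kuali.rice.kim.api.identity.IdentityService;
import org.kuali.rice.kim.api.identity.principal.Principal;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;
import org.kuali.rice.krad.UserSession;
import org.kuali.rice.krad.util.KRADUtils;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * A login filter which forwards to a login page that allows for the desired
 * authentication ID to be entered without the need for a password.
 *
 * <p>Behaviour as implemented below:
 * <ul>
 *   <li>With no {@link UserSession} on the request and no {@code __login_user}
 *       parameter, the request is forwarded to the configured login page.</li>
 *   <li>With a {@code __login_user} parameter, the principal is resolved through
 *       {@link IdentityService}. When the {@code showPassword} init parameter is
 *       {@code false} (the default) only the principal name is looked up, so any
 *       existing principal name submitted in the form is accepted; when it is
 *       {@code true} the submitted {@code __login_pw} is passed to the identity
 *       service as well, and a submission without a password is rejected before
 *       the lookup.</li>
 *   <li>Once a principal is resolved, or a session already exists, the request is
 *       wrapped so that {@link HttpServletRequest#getRemoteUser()} reports the
 *       principal name and the chain continues. Session creation is left to the
 *       downstream UserLoginFilter / WebAuthenticationService.</li>
 * </ul>
 *
 * @author Kuali Rice Team (rice.collab@kuali.org)
 */
public class DummyLoginFilter implements Filter {

    /** Request parameter carrying the principal name to log in as. */
    private static final String LOGIN_USER_PARAM = "__login_user";
    /** Request parameter carrying the password; only consulted when {@link #showPassword} is set. */
    private static final String LOGIN_PASSWORD_PARAM = "__login_pw";
    /** Init parameter naming the login page; falls back to {@link #DEFAULT_LOGIN_PATH}. */
    private static final String LOGIN_PATH_INIT_PARAM = "loginPath";
    /** Init parameter that, when {@code true}, turns on password checking. */
    private static final String SHOW_PASSWORD_INIT_PARAM = "showPassword";
    /** Login page used when no {@code loginPath} init parameter is configured. */
    private static final String DEFAULT_LOGIN_PATH = "/WEB-INF/jsp/dummy_login.jsp";

    /** Path the request is forwarded to whenever a login page must be shown. */
    private String loginPath;
    /** Whether the login page shows a password field and the password is checked. */
    private boolean showPassword = false;

    /**
     * Reads the {@code loginPath} and {@code showPassword} init parameters.
     *
     * @param config the filter configuration
     * @throws ServletException declared by {@link Filter#init}; not thrown by this implementation
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String configuredPath = config.getInitParameter(LOGIN_PATH_INIT_PARAM);
        loginPath = configuredPath != null ? configuredPath : DEFAULT_LOGIN_PATH;
        // parseBoolean(null) is false, so a missing parameter leaves password checking off
        showPassword = Boolean.parseBoolean(config.getInitParameter(SHOW_PASSWORD_INIT_PARAM));
    }

    /**
     * Delegates to the HTTP-specific overload.
     *
     * @param request the incoming request; expected to be an {@link HttpServletRequest}
     * @param response the outgoing response; expected to be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException propagated from the chain or a forward
     * @throws ServletException propagated from the chain or a forward
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        this.doFilter((HttpServletRequest) request, (HttpServletResponse) response, chain);
    }

    /**
     * Establishes the remote user for the request, showing the login page when none can be determined.
     *
     * @param request the incoming HTTP request
     * @param response the outgoing HTTP response
     * @param chain the remaining filter chain
     * @throws IOException propagated from the chain or a forward
     * @throws ServletException propagated from the chain or a forward
     */
    private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        final UserSession session = KRADUtils.getUserSessionFromRequest(request);

        if (session != null) {
            // already authenticated: expose the session's principal as the remote user
            chain.doFilter(asRemoteUser(request, session.getPrincipalName()), response);
            return;
        }

        request.setAttribute("showPasswordField", Boolean.valueOf(showPassword));

        final String user = request.getParameter(LOGIN_USER_PARAM);
        if (user == null || user.trim().isEmpty()) {
            // no session has been established and this is not a login form submission, so forward to login page
            request.getRequestDispatcher(loginPath).forward(request, response);
            return;
        }

        final String password = request.getParameter(LOGIN_PASSWORD_PARAM);
        if (showPassword && (password == null || password.isEmpty())) {
            // password checking is on but nothing was submitted: treat as an invalid login here
            // rather than relying on how the identity service handles a null or empty password
            handleInvalidLogin(request, response);
            return;
        }

        // Very simple password checking. Nothing hashed or encrypted. This is strictly for demonstration purposes only.
        final Principal principal = lookupPrincipal(user, password);
        if (principal == null) {
            handleInvalidLogin(request, response);
            return;
        }

        // wrap the request with the remote user;
        // UserLoginFilter and WebAuthenticationService will create the session
        chain.doFilter(asRemoteUser(request, user), response);
    }

    /**
     * Resolves the principal for a login form submission.
     *
     * @param user the submitted principal name
     * @param password the submitted password; ignored unless {@link #showPassword} is set
     * @return the matching principal, or {@code null} when the identity service finds none
     */
    private Principal lookupPrincipal(String user, String password) {
        IdentityService auth = KimApiServiceLocator.getIdentityService();
        return showPassword
                ? auth.getPrincipalByPrincipalNameAndPassword(user, password)
                : auth.getPrincipalByPrincipalName(user);
    }

    /**
     * Wraps {@code request} so that {@link HttpServletRequest#getRemoteUser()} returns {@code remoteUser}.
     *
     * @param request the request to wrap
     * @param remoteUser the principal name to report
     * @return the wrapped request
     */
    private static HttpServletRequest asRemoteUser(HttpServletRequest request, final String remoteUser) {
        return new HttpServletRequestWrapper(request) {
            @Override
            public String getRemoteUser() {
                return remoteUser;
            }
        };
    }

    /**
     * Handles an invalid login attempt by flagging the request and re-showing the login page.
     *
     * @param request the incoming request
     * @param response the outgoing response
     * @throws ServletException if unable to handle the invalid login
     * @throws IOException if unable to handle the invalid login
     */
    private void handleInvalidLogin(ServletRequest request, ServletResponse response)
            throws ServletException, IOException {
        request.setAttribute("invalidAuth", Boolean.TRUE);
        request.getRequestDispatcher(loginPath).forward(request, response);
    }

    /** Releases the configured login path. */
    @Override
    public void destroy() {
        loginPath = null;
    }
}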