/*
    * Licensed to the Apache Software Foundation (ASF) under one
    * or more contributor license agreements.  See the NOTICE file
    * distributed with this work for additional information
    * regarding copyright ownership.  The ASF licenses this file
    * to you under the Apache License, Version 2.0 (the
    * "License"); you may not use this file except in compliance
    * with the License.  You may obtain a copy of the License at
    *
   *     http://www.apache.org/licenses/LICENSE-2.0
   *
   * Unless required by applicable law or agreed to in writing,
   * software distributed under the License is distributed on an
   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   * KIND, either express or implied.  See the License for the
   * specific language governing permissions and limitations
   * under the License.
   */
  package org.apache.shiro.web.filter.authc;
  
  import org.apache.shiro.authc.AuthenticationToken;
  import org.apache.shiro.codec.Base64;
  import org.apache.shiro.web.util.WebUtils;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import java.util.HashSet;
  import java.util.Locale;
  import java.util.Set;
  
  
  /**
   * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the
   * request to continue, and if they're not, requires the user to login via the HTTP Basic protocol-specific challenge.
   * Upon successful login, they're allowed to continue on to the requested resource/url.
   * <p/>
   * This implementation is a 'clean room' Java implementation of Basic HTTP Authentication specification per
   * <a href="ftp://ftp.isi.edu/in-notes/rfc2617.txt">RFC 2617</a>.
   * <p/>
   * Basic authentication functions as follows:
   * <ol>
   * <li>A request comes in for a resource that requires authentication.</li>
   * <li>The server replies with a 401 response status, sets the <code>WWW-Authenticate</code> header, and the contents of a
   * page informing the user that the incoming resource requires authentication.</li>
   * <li>Upon receiving this <code>WWW-Authenticate</code> challenge from the server, the client then takes a
   * username and a password and puts them in the following format:
   * <p><code>username:password</code></p></li>
   * <li>This token is then base 64 encoded.</li>
   * <li>The client then sends another request for the same resource with the following header:<br/>
   * <p><code>Authorization: Basic <em>Base64_encoded_username_and_password</em></code></p></li>
   * </ol>
   * The {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)} method will
   * only be called if the subject making the request is not
   * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated}
   *
   * @see <a href="https://tools.ietf.org/html/rfc2617">RFC 2617</a>
   * @see <a href="http://en.wikipedia.org/wiki/Basic_access_authentication">Basic Access Authentication</a>
   * @since 0.9
   */
  public class BasicHttpAuthenticationFilter extends HttpAuthenticationFilter {
  
      /**
       * This class's private logger.
       */
      private static final Logger log = LoggerFactory.getLogger(BasicHttpAuthenticationFilter.class);
  
  
      public BasicHttpAuthenticationFilter() {
          setAuthcScheme(HttpServletRequest.BASIC_AUTH);
          setAuthzScheme(HttpServletRequest.BASIC_AUTH);
      }
  
      /**
       * Creates an AuthenticationToken for use during login attempt with the provided credentials in the http header.
       * <p/>
       * This implementation:
       * <ol><li>acquires the username and password based on the request's
       * {@link #getAuthzHeader(javax.servlet.ServletRequest) authorization header} via the
       * {@link #getPrincipalsAndCredentials(String, javax.servlet.ServletRequest) getPrincipalsAndCredentials} method</li>
       * <li>The return value of that method is converted to an <code>AuthenticationToken</code> via the
       * {@link #createToken(String, String, javax.servlet.ServletRequest, javax.servlet.ServletResponse) createToken} method</li>
       * <li>The created <code>AuthenticationToken</code> is returned.</li>
       * </ol>
       *
       * @param request  incoming ServletRequest
       * @param response outgoing ServletResponse
       * @return the AuthenticationToken used to execute the login attempt
       */
      protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
          String authorizationHeader = getAuthzHeader(request);
          if (authorizationHeader == null || authorizationHeader.length() == 0) {
              // Create an empty authentication token since there is no
              // Authorization header.
              return createToken("", "", request, response);
          }
 
         log.debug("Attempting to execute login with auth header");
 
         String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request);
         if (prinCred == null || prinCred.length < 2) {
             // Create an authentication token with an empty password,
             // since one hasn't been provided in the request.
             String username = prinCred == null || prinCred.length == 0 ? "" : prinCred[0];
             return createToken(username, "", request, response);
         }
 
         String username = prinCred[0];
         String password = prinCred[1];
 
         return createToken(username, password, request, response);
     }
 
     /**
      * Returns the username and password pair based on the specified <code>encoded</code> String obtained from
      * the request's authorization header.
      * <p/>
      * Per RFC 2617, the default implementation first Base64 decodes the string and then splits the resulting decoded
      * string into two based on the ":" character.  That is:
      * <p/>
      * <code>String decoded = Base64.decodeToString(encoded);<br/>
      * return decoded.split(":");</code>
      *
      * @param scheme  the {@link #getAuthcScheme() authcScheme} found in the request
      *                {@link #getAuthzHeader(javax.servlet.ServletRequest) authzHeader}.  It is ignored by this implementation,
      *                but available to overriding implementations should they find it useful.
      * @param encoded the Base64-encoded username:password value found after the scheme in the header
      * @return the username (index 0)/password (index 1) pair obtained from the encoded header data.
      */
     protected String[] getPrincipalsAndCredentials(String scheme, String encoded) {
         String decoded = Base64.decodeToString(encoded);
         return decoded.split(":", 2);
     }
 }