1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 package org.apache.shiro.web.filter.authc; 20 21 import org.apache.shiro.authc.BearerToken; 22 import org.apache.shiro.authc.AuthenticationToken; 23 import org.slf4j.Logger; 24 import org.slf4j.LoggerFactory; 25 26 import javax.servlet.ServletRequest; 27 import javax.servlet.ServletResponse; 28 29 30 /** 31 * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the 32 * request to continue, and if they're not, requires the user to login via the HTTP Bearer protocol-specific challenge. 33 * Upon successful login, they're allowed to continue on to the requested resource/url. 34 * <p/> 35 * The {@link #onAccessDenied(ServletRequest, ServletResponse)} method will 36 * only be called if the subject making the request is not 37 * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} 38 * 39 * @see <a href="https://tools.ietf.org/html/rfc2617">RFC 2617</a> 40 * @see <a href="https://tools.ietf.org/html/rfc6750#section-2.1">OAuth2 Authorization Request Header Field</a> 41 * @since 1.5 42 */ 43 public class BearerHttpAuthenticationFilter extends HttpAuthenticationFilter { 44 45 /** 46 * This class's private logger. 47 */ 48 private static final Logger log = LoggerFactory.getLogger(BearerHttpAuthenticationFilter.class); 49 50 private static final String BEARER = "Bearer"; 51 52 public BearerHttpAuthenticationFilter() { 53 setAuthcScheme(BEARER); 54 setAuthzScheme(BEARER); 55 } 56 57 /** 58 * Creates an AuthenticationToken for use during login attempt with the provided credentials in the http header. 59 * <p/> 60 * This implementation: 61 * <ol><li>acquires the username and password based on the request's 62 * {@link #getAuthzHeader(ServletRequest) authorization header} via the 63 * {@link #getPrincipalsAndCredentials(String, ServletRequest) getPrincipalsAndCredentials} method</li> 64 * <li>The return value of that method is converted to an <code>AuthenticationToken</code> via the 65 * {@link #createToken(String, String, ServletRequest, ServletResponse) createToken} method</li> 66 * <li>The created <code>AuthenticationToken</code> is returned.</li> 67 * </ol> 68 * 69 * @param request incoming ServletRequest 70 * @param response outgoing ServletResponse 71 * @return the AuthenticationToken used to execute the login attempt 72 */ 73 protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) { 74 String authorizationHeader = getAuthzHeader(request); 75 if (authorizationHeader == null || authorizationHeader.length() == 0) { 76 // Create an empty authentication token since there is no 77 // Authorization header. 78 return createBearerToken("", request); 79 } 80 81 log.debug("Attempting to execute login with auth header"); 82 83 String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request); 84 if (prinCred == null || prinCred.length < 1) { 85 // Create an authentication token with an empty password, 86 // since one hasn't been provided in the request. 87 return createBearerToken("", request); 88 } 89 90 String token = prinCred[0] != null ? prinCred[0] : ""; 91 return createBearerToken(token, request); 92 } 93 @Override 94 protected String[] getPrincipalsAndCredentials(String scheme, String token) { 95 return new String[] {token}; 96 } 97 98 protected AuthenticationToken createBearerToken(String token, ServletRequest request) { 99 return new BearerToken(token, request.getRemoteHost()); 100 } 101 }