View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.web.filter.authc;
20  
21  import org.apache.shiro.authc.BearerToken;
22  import org.apache.shiro.authc.AuthenticationToken;
23  import org.slf4j.Logger;
24  import org.slf4j.LoggerFactory;
25  
26  import javax.servlet.ServletRequest;
27  import javax.servlet.ServletResponse;
28  
29  
30  /**
31   * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the
32   * request to continue, and if they're not, requires the user to login via the HTTP Bearer protocol-specific challenge.
33   * Upon successful login, they're allowed to continue on to the requested resource/url.
34   * <p/>
35   * The {@link #onAccessDenied(ServletRequest, ServletResponse)} method will
36   * only be called if the subject making the request is not
37   * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated}
38   *
39   * @see <a href="https://tools.ietf.org/html/rfc2617">RFC 2617</a>
40   * @see <a href="https://tools.ietf.org/html/rfc6750#section-2.1">OAuth2 Authorization Request Header Field</a>
41   * @since 1.5
42   */
43  public class BearerHttpAuthenticationFilter extends HttpAuthenticationFilter {
44  
45      /**
46       * This class's private logger.
47       */
48      private static final Logger log = LoggerFactory.getLogger(BearerHttpAuthenticationFilter.class);
49  
50      private static final String BEARER = "Bearer";
51  
52      public BearerHttpAuthenticationFilter() {
53          setAuthcScheme(BEARER);
54          setAuthzScheme(BEARER);
55      }
56  
57      /**
58       * Creates an AuthenticationToken for use during login attempt with the provided credentials in the http header.
59       * <p/>
60       * This implementation:
61       * <ol><li>acquires the username and password based on the request's
62       * {@link #getAuthzHeader(ServletRequest) authorization header} via the
63       * {@link #getPrincipalsAndCredentials(String, ServletRequest) getPrincipalsAndCredentials} method</li>
64       * <li>The return value of that method is converted to an <code>AuthenticationToken</code> via the
65       * {@link #createToken(String, String, ServletRequest, ServletResponse) createToken} method</li>
66       * <li>The created <code>AuthenticationToken</code> is returned.</li>
67       * </ol>
68       *
69       * @param request  incoming ServletRequest
70       * @param response outgoing ServletResponse
71       * @return the AuthenticationToken used to execute the login attempt
72       */
73      protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
74          String authorizationHeader = getAuthzHeader(request);
75          if (authorizationHeader == null || authorizationHeader.length() == 0) {
76              // Create an empty authentication token since there is no
77              // Authorization header.
78              return createBearerToken("", request);
79          }
80  
81          log.debug("Attempting to execute login with auth header");
82  
83          String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request);
84          if (prinCred == null || prinCred.length < 1) {
85              // Create an authentication token with an empty password,
86              // since one hasn't been provided in the request.
87              return createBearerToken("", request);
88          }
89  
90          String token = prinCred[0] != null ? prinCred[0] : "";
91          return createBearerToken(token, request);
92      }
93      @Override
94      protected String[] getPrincipalsAndCredentials(String scheme, String token) {
95          return new String[] {token};
96      }
97  
98      protected AuthenticationToken createBearerToken(String token, ServletRequest request) {
99          return new BearerToken(token, request.getRemoteHost());
100     }
101 }