Cleaned up basic authentication.
Change-Id: I023a8554f1c1c2f2cfaadaab234eb792fa1a5a7c
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java b/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java
index 1d15ca2..6aa2d88 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/BasicAuthentication.java
@@ -2,105 +2,79 @@
import java.util.Map;
-import org.apache.commons.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Autowired;
+import de.ids_mannheim.korap.authentication.framework.HttpAuthorizationHandler;
+import de.ids_mannheim.korap.authentication.framework.TransferEncoding;
import de.ids_mannheim.korap.config.Attributes;
import de.ids_mannheim.korap.config.AuthenticationType;
import de.ids_mannheim.korap.config.KustvaktConfiguration;
import de.ids_mannheim.korap.config.Scopes;
+import de.ids_mannheim.korap.dao.UserDao;
import de.ids_mannheim.korap.exceptions.KustvaktException;
import de.ids_mannheim.korap.exceptions.StatusCodes;
import de.ids_mannheim.korap.interfaces.AuthenticationIface;
import de.ids_mannheim.korap.interfaces.EncryptionIface;
-import de.ids_mannheim.korap.interfaces.db.EntityHandlerIface;
import de.ids_mannheim.korap.user.KorAPUser;
import de.ids_mannheim.korap.user.TokenContext;
import de.ids_mannheim.korap.user.User;
import de.ids_mannheim.korap.utils.StringUtils;
import de.ids_mannheim.korap.utils.TimeUtils;
-/** EM: do not use at the moment, there is no authentication
- * checking, formerly used a database. Should separate between
- * authentication procedure and the real authentication checking
- * method.
+/**
+ * Implementation of encoding and decoding access token is moved to
+ * {@link TransferEncoding}. Moreover, implementation of HTTP
+ * Authentication framework, i.e. creation of authorization header,
+ * is defined in {@link HttpAuthorizationHandler}.
*
+ * Basic authentication is intended to be used with a database. It is
+ * currently only used for testing using a dummy DAO (@see {@link UserDao}).
+ *
+ *
+ * @author margaretha
+ * @date 15/11/2017
*
* @author hanl
* @date 28/04/2015
*/
-// todo: bean injection!
-public class BasicHttpAuth implements AuthenticationIface {
+public class BasicAuthentication implements AuthenticationIface {
@Autowired
+ private TransferEncoding transferEncoding;
+ @Autowired
private KustvaktConfiguration config;
@Autowired
private EncryptionIface crypto;
@Autowired
- private EntityHandlerIface dao;
-
- public BasicHttpAuth() {
+ private UserDao dao;
- }
-
- public BasicHttpAuth(KustvaktConfiguration config) {
+ public BasicAuthentication (KustvaktConfiguration config) {
this.config = config;
}
-
- public static String[] decode (String token) {
- //return OAuthUtils.decodeClientAuthenticationHeader(token);
- String[] tokens = token.split(" ");
- String encodedCred = null;
- if (!token.equals(tokens[0])) {
- if (tokens[0] != null && !tokens[0].isEmpty()) {
- if (!tokens[0].toLowerCase().equalsIgnoreCase("basic")) {
- return null;
- }
- encodedCred = tokens[1];
- }
- } else {
- encodedCred = tokens[0];
- }
- if(encodedCred != null && !"".equals(encodedCred)) {
- String decodedCreds = new String(Base64.decodeBase64(encodedCred));
- if(decodedCreds.contains(":") && decodedCreds.split(":").length == 2) {
- String[] creds = decodedCreds.split(":");
- if ((creds[0] != null && !creds[0].isEmpty()) && (creds[1] != null && !creds[1].isEmpty()))
- return decodedCreds.split(":");
- }
- }
- return null;
- }
-
-
- public static String encode (String user, String pass) {
- String s = user + ":" + pass;
- return Attributes.BASIC_AUTHENTICATION + " "
- + new String(Base64.encodeBase64(s.getBytes()));
- }
-
-
@Override
- public TokenContext getTokenContext(String authToken)
+ public TokenContext getTokenContext (String authToken)
throws KustvaktException {
- //fixme: handle via constructor
- String[] values = decode(authToken);
+ // Hanl: fixme: handle via constructor
+ // EM: ?
+ String[] values = transferEncoding.decodeBase64(authToken);
if (values != null) {
TokenContext c = new TokenContext();
User user = dao.getAccount(values[0]);
- if (user instanceof KorAPUser && ((KorAPUser) user).getPassword() != null) {
+ if (user instanceof KorAPUser
+ && ((KorAPUser) user).getPassword() != null) {
boolean check = crypto.checkHash(values[1],
((KorAPUser) user).getPassword());
- if (!check)
- return null;
+ if (!check) return null;
}
c.setUsername(values[0]);
- c.setExpirationTime(TimeUtils.plusSeconds(this.config.getTokenTTL()).getMillis());
- c.setAuthenticationType(AuthenticationType.DATABASE);
+ c.setExpirationTime(TimeUtils.plusSeconds(this.config.getTokenTTL())
+ .getMillis());
+ c.setAuthenticationType(AuthenticationType.BASIC);
// todo: for production mode, set true
c.setSecureRequired(false);
+ // EM: is this secure?
c.setToken(StringUtils.stripTokenType(authToken));
// fixme: you can make queries, but user sensitive data is off limits?!
c.addContextParameter(Attributes.SCOPES,
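Review bot: The password check in getTokenContext is only reached when the account is a KorAPUser with a non-null password; for any other result of `dao.getAccount(values[0])` (presumably including null for an unknown user) the method falls through and issues a TokenContext for values[0] without ever comparing values[1], so the reformatted `if (user instanceof KorAPUser && ...)` guard fails open. I would invert it so the missing-account and missing-password cases are rejected: `if (!(user instanceof KorAPUser) || ((KorAPUser) user).getPassword() == null) return null;` followed by `if (!crypto.checkHash(values[1], ((KorAPUser) user).getPassword())) return null;`. The new `// EM: is this secure?` note above `c.setToken(...)` could be answered in place: the stored token is the stripped Basic credential itself, so whoever holds the context holds the user's password, which is worth stating in the class Javadoc alongside the "only used for testing" remark. getTokenContext continues past the end of the hunk.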
@@ -113,7 +87,7 @@
// not supported!
@Override
- public TokenContext createTokenContext(User user, Map<String, Object> attr)
+ public TokenContext createTokenContext (User user, Map<String, Object> attr)
throws KustvaktException {
return null;
}
@@ -126,13 +100,14 @@
@Override
- public TokenContext refresh (TokenContext context) throws KustvaktException {
+ public TokenContext refresh (TokenContext context)
+ throws KustvaktException {
return null;
}
@Override
public AuthenticationType getIdentifier () {
- return AuthenticationType.DATABASE;
+ return AuthenticationType.BASIC;
}
}