1   /*
2    * ====================================================================
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *   http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing,
14   * software distributed under the License is distributed on an
15   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16   * KIND, either express or implied.  See the License for the
17   * specific language governing permissions and limitations
18   * under the License.
19   * ====================================================================
20   *
21   * This software consists of voluntary contributions made by many
22   * individuals on behalf of the Apache Software Foundation.  For more
23   * information on the Apache Software Foundation, please see
24   * <http://www.apache.org/>.
25   *
26   */
27  package org.apache.hc.core5.http.io.support;
28  
29  import java.io.IOException;
30  
31  import org.apache.hc.core5.annotation.Contract;
32  import org.apache.hc.core5.annotation.ThreadingBehavior;
33  import org.apache.hc.core5.http.ClassicHttpRequest;
34  import org.apache.hc.core5.http.ClassicHttpResponse;
35  import org.apache.hc.core5.http.Header;
36  import org.apache.hc.core5.http.HttpEntity;
37  import org.apache.hc.core5.http.HttpException;
38  import org.apache.hc.core5.http.HttpHeaders;
39  import org.apache.hc.core5.http.HttpResponse;
40  import org.apache.hc.core5.http.HttpStatus;
41  import org.apache.hc.core5.http.io.HttpFilterChain;
42  import org.apache.hc.core5.http.io.HttpFilterHandler;
43  import org.apache.hc.core5.http.io.entity.EntityUtils;
44  import org.apache.hc.core5.http.io.entity.StringEntity;
45  import org.apache.hc.core5.http.message.BasicClassicHttpResponse;
46  import org.apache.hc.core5.http.protocol.HttpContext;
47  import org.apache.hc.core5.net.URIAuthority;
48  
/**
 * Base class for a server-side filter that inspects the {@code Authorization}
 * header of every incoming classic (blocking) request before the request is
 * allowed further down the filter chain.
 * <p>
 * A request for which {@code authenticate} returns {@code true} is passed on
 * to the chain. Every other request is answered here with
 * {@code 401 Unauthorized} and a {@code WWW-Authenticate} header whose value
 * comes from {@code generateChallenge}; the chain is never invoked for it.
 * <p>
 * {@code authenticate} and {@code generateChallenge} are also called for
 * requests that carry no {@code Authorization} header at all, in which case
 * the challenge response passed to them is {@code null}. Implementations must
 * treat {@code null} as "no credentials supplied".
 *
 * @param <T> parsed representation of the {@code Authorization} header value
 * @since 5.0
 */
@Contract(threading = ThreadingBehavior.STATELESS)
public abstract class AbstractHttpServerAuthFilter<T> implements HttpFilterHandler {

    // When true, a 401 is submitted before the rejected request's body is consumed.
    private final boolean respondImmediately;

    /**
     * @param respondImmediately whether a rejected request is answered before
     *                           its body has been consumed, regardless of
     *                           whether the client sent {@code Expect: 100-continue}
     */
    protected AbstractHttpServerAuthFilter(final boolean respondImmediately) {
        this.respondImmediately = respondImmediately;
    }

    /**
     * Turns the raw value of the {@code Authorization} header into the
     * scheme-specific object handed to {@code authenticate} and
     * {@code generateChallenge}. The value is supplied by the client and is
     * passed in unmodified. Only called when the header is present.
     *
     * @param authorizationValue value of the first {@code Authorization} header
     * @param context            the context passed to {@code handle}
     * @return the parsed challenge response
     * @throws HttpException propagated unchanged out of {@code handle};
     *                       presumably signals a malformed header value
     */
    protected abstract T parseChallengeResponse(String authorizationValue, HttpContext context) throws HttpException;

    /**
     * Decides whether the request may proceed.
     *
     * @param challengeResponse parsed credentials, or {@code null} when the
     *                          request had no {@code Authorization} header
     * @param authority         result of {@code request.getAuthority()}
     * @param requestUri        result of {@code request.getRequestUri()}
     * @param context           the context passed to {@code handle}
     * @return {@code true} to let the request continue down the chain,
     *         {@code false} to reject it with a 401
     */
    protected abstract boolean authenticate(T challengeResponse, URIAuthority authority, String requestUri, HttpContext context);

    /**
     * Produces the value of the {@code WWW-Authenticate} header placed on the
     * 401 response. Called only for requests that failed {@code authenticate}.
     *
     * @param challengeResponse parsed credentials, or {@code null} when the
     *                          request had no {@code Authorization} header
     * @param authority         result of {@code request.getAuthority()}
     * @param requestUri        result of {@code request.getRequestUri()}
     * @param context           the context passed to {@code handle}
     * @return the challenge header value
     */
    protected abstract String generateChallenge(T challengeResponse, URIAuthority authority, String requestUri, HttpContext context);

    /**
     * Supplies the body of the 401 response. This default returns a fixed
     * string and copies nothing from the request into the body.
     *
     * @param unauthorized the 401 response being built; the
     *                     {@code WWW-Authenticate} header is already set on it
     * @return the entity to attach to the 401 response
     */
    protected HttpEntity generateResponseContent(final HttpResponse unauthorized) {
        return new StringEntity("Unauthorized");
    }

    /**
     * Authenticates the request and either forwards it to the chain or
     * rejects it with {@code 401 Unauthorized}.
     * <p>
     * Only the first {@code Authorization} header is considered. An
     * authenticated request that sent {@code Expect: 100-continue} receives a
     * {@code 100 Continue} before the chain is invoked.
     * <p>
     * For a rejected request the 401 is submitted before the request body is
     * consumed when {@code respondImmediately} is set, when the client sent
     * {@code Expect: 100-continue}, or when there is no request entity.
     * Otherwise the request entity is consumed first and the 401 is submitted
     * afterwards, which means the body of an unauthenticated request is read
     * before the client is turned away.
     *
     * @throws HttpException if {@code parseChallengeResponse} or a downstream
     *                       call fails with a protocol error
     * @throws IOException   if an I/O error occurs while responding or while
     *                       consuming the request entity
     */
    @Override
    public final void handle(
            final ClassicHttpRequest request,
            final HttpFilterChain.ResponseTrigger responseTrigger,
            final HttpContext context,
            final HttpFilterChain chain) throws HttpException, IOException {
        final Header authorization = request.getFirstHeader(HttpHeaders.AUTHORIZATION);
        final T credentials;
        if (authorization == null) {
            // No header: the subclass still gets to decide, with null credentials.
            credentials = null;
        } else {
            credentials = parseChallengeResponse(authorization.getValue(), context);
        }

        final URIAuthority authority = request.getAuthority();
        final String requestUri = request.getRequestUri();

        final boolean authenticated = authenticate(credentials, authority, requestUri, context);
        final Header expectHeader = request.getFirstHeader(HttpHeaders.EXPECT);
        final boolean expectContinue =
                expectHeader != null && "100-continue".equalsIgnoreCase(expectHeader.getValue());

        if (authenticated) {
            if (expectContinue) {
                // Tell the client to go ahead with the body before the chain reads it.
                responseTrigger.sendInformation(new BasicClassicHttpResponse(HttpStatus.SC_CONTINUE));
            }
            chain.proceed(request, responseTrigger, context);
            return;
        }

        // Rejected: the chain is not invoked from here on.
        final ClassicHttpResponse unauthorized = new BasicClassicHttpResponse(HttpStatus.SC_UNAUTHORIZED);
        unauthorized.addHeader(
                HttpHeaders.WWW_AUTHENTICATE,
                generateChallenge(credentials, authority, requestUri, context));
        unauthorized.setEntity(generateResponseContent(unauthorized));

        final boolean replyBeforeDraining =
                respondImmediately || expectContinue || request.getEntity() == null;
        if (!replyBeforeDraining) {
            // The body of the rejected request is consumed before the 401 goes out.
            // NOTE(review): no size limit is applied here; any cap on
            // unauthenticated request bodies has to be enforced elsewhere.
            EntityUtils.consume(request.getEntity());
        }
        responseTrigger.submitResponse(unauthorized);
        if (replyBeforeDraining) {
            // The 401 has been submitted; whatever body there is gets consumed afterwards.
            EntityUtils.consume(request.getEntity());
        }
    }
}