001/* 002 Licensed to the Apache Software Foundation (ASF) under one 003 or more contributor license agreements. See the NOTICE file 004 distributed with this work for additional information 005 regarding copyright ownership. The ASF licenses this file 006 to you under the Apache License, Version 2.0 (the 007 "License"); you may not use this file except in compliance 008 with the License. You may obtain a copy of the License at 009 010 http://www.apache.org/licenses/LICENSE-2.0 011 012 Unless required by applicable law or agreed to in writing, 013 software distributed under the License is distributed on an 014 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 KIND, either express or implied. See the License for the 016 specific language governing permissions and limitations 017 under the License. 018 */ 019package org.apache.wiki.auth.login; 020 021import org.apache.logging.log4j.LogManager; 022import org.apache.logging.log4j.Logger; 023import org.apache.wiki.auth.WikiPrincipal; 024import org.apache.wiki.util.HttpUtil; 025 026import javax.security.auth.callback.Callback; 027import javax.security.auth.callback.UnsupportedCallbackException; 028import javax.security.auth.login.LoginException; 029import javax.servlet.http.HttpServletRequest; 030import javax.servlet.http.HttpSession; 031import java.io.IOException; 032 033/** 034 * <p> 035 * Logs in a user based solely on IP address; no other authentication is 036 * performed. Barring a mis-configuration or I/O error, this LoginModule 037 * <em>always</em> succeeds. 038 * </p> 039 * This module must be used with a CallbackHandler (such as 040 * {@link WebContainerCallbackHandler}) that supports the following Callback 041 * types: 042 * </p> 043 * <ol> 044 * <li>{@link HttpRequestCallback}- supplies the IP address, which is used as 045 * a backup in case no name is supplied.</li> 046 * </ol> 047 * <p> 048 * After authentication, a generic WikiPrincipal based on the IP address will be 049 * created and associated with the Subject. 050 * @see javax.security.auth.spi.LoginModule#commit() 051 * </p> 052 * @since 2.3 053 */ 054public class AnonymousLoginModule extends AbstractLoginModule 055{ 056 057 /** 058 * Bogus prompt sent to the callback handler. 059 */ 060 public static final String PROMPT = "User name"; 061 062 protected static final Logger log = LogManager.getLogger( AnonymousLoginModule.class ); 063 064 /** 065 * Logs in the user by calling back to the registered CallbackHandler with an 066 * HttpRequestCallback. The CallbackHandler must supply the current servlet 067 * HTTP request as its response. 068 * @return the result of the login; this will always be <code>true</code>. 069 * @see javax.security.auth.spi.LoginModule#login() 070 * @throws {@inheritDoc} 071 */ 072 public boolean login() throws LoginException 073 { 074 // Let's go and make a Principal based on the IP address 075 final HttpRequestCallback hcb = new HttpRequestCallback(); 076 final Callback[] callbacks = new Callback[] 077 { hcb }; 078 try 079 { 080 m_handler.handle( callbacks ); 081 final HttpServletRequest request = hcb.getRequest(); 082 final WikiPrincipal ipAddr = new WikiPrincipal( HttpUtil.getRemoteAddress(request) ); 083 if ( log.isDebugEnabled() ) 084 { 085 final HttpSession session = request.getSession( false ); 086 final String sid = (session == null) ? NULL : session.getId(); 087 log.debug("Logged in session ID=" + sid + "; IP=" + ipAddr); 088 } 089 // If login succeeds, commit these principals/roles 090 m_principals.add( ipAddr ); 091 return true; 092 } 093 catch( final IOException e ) 094 { 095 log.error("IOException: " + e.getMessage()); 096 return false; 097 } 098 catch( final UnsupportedCallbackException e ) 099 { 100 final String message = "Unable to handle callback, disallowing login."; 101 log.error( message, e ); 102 throw new LoginException( message ); 103 } 104 105 } 106 107}