001/* 002 Licensed to the Apache Software Foundation (ASF) under one 003 or more contributor license agreements. See the NOTICE file 004 distributed with this work for additional information 005 regarding copyright ownership. The ASF licenses this file 006 to you under the Apache License, Version 2.0 (the 007 "License"); you may not use this file except in compliance 008 with the License. You may obtain a copy of the License at 009 010 http://www.apache.org/licenses/LICENSE-2.0 011 012 Unless required by applicable law or agreed to in writing, 013 software distributed under the License is distributed on an 014 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 KIND, either express or implied. See the License for the 016 specific language governing permissions and limitations 017 under the License. 018 */ 019package org.apache.wiki.auth.login; 020 021import org.apache.logging.log4j.LogManager; 022import org.apache.logging.log4j.Logger; 023import org.apache.wiki.auth.WikiPrincipal; 024import org.apache.wiki.util.HttpUtil; 025 026import javax.security.auth.callback.Callback; 027import javax.security.auth.callback.UnsupportedCallbackException; 028import javax.security.auth.login.LoginException; 029import javax.servlet.http.HttpServletRequest; 030import javax.servlet.http.HttpSession; 031import java.io.IOException; 032 033/** 034 * <p> 035 * Logs in a user based solely on IP address; no other authentication is 036 * performed. Barring a mis-configuration or I/O error, this LoginModule 037 * <em>always</em> succeeds. 038 * </p> 039 * This module must be used with a CallbackHandler (such as 040 * {@link WebContainerCallbackHandler}) that supports the following Callback 041 * types: 042 * </p> 043 * <ol> 044 * <li>{@link HttpRequestCallback}- supplies the IP address, which is used as 045 * a backup in case no name is supplied.</li> 046 * </ol> 047 * <p> 048 * After authentication, a generic WikiPrincipal based on the IP address will be 049 * created and associated with the Subject. 050 * @see javax.security.auth.spi.LoginModule#commit() 051 * </p> 052 * @since 2.3 053 */ 054public class AnonymousLoginModule extends AbstractLoginModule 055{ 056 057 /** 058 * Bogus prompt sent to the callback handler. 059 */ 060 public static final String PROMPT = "User name"; 061 062 protected static final Logger log = LogManager.getLogger( AnonymousLoginModule.class ); 063 064 /** 065 * {@inheritDoc} 066 * 067 * Logs in the user by calling back to the registered CallbackHandler with an 068 * HttpRequestCallback. The CallbackHandler must supply the current servlet 069 * HTTP request as its response. 070 * @return the result of the login; this will always be <code>true</code>. 071 * @see javax.security.auth.spi.LoginModule#login() 072 * @throws LoginException if unable to handle callback 073 */ 074 public boolean login() throws LoginException 075 { 076 // Let's go and make a Principal based on the IP address 077 final HttpRequestCallback hcb = new HttpRequestCallback(); 078 final Callback[] callbacks = new Callback[]{ hcb }; 079 try { 080 m_handler.handle( callbacks ); 081 final HttpServletRequest request = hcb.getRequest(); 082 final WikiPrincipal ipAddr = new WikiPrincipal( HttpUtil.getRemoteAddress(request) ); 083 final HttpSession session = request.getSession( false ); 084 final String sid = (session == null) ? NULL : session.getId(); 085 log.debug("Logged in session ID={}; IP={}", sid, ipAddr); 086 // If login succeeds, commit these principals/roles 087 m_principals.add( ipAddr ); 088 return true; 089 } catch( final IOException e ) { 090 log.error("IOException: " + e.getMessage()); 091 return false; 092 } catch( final UnsupportedCallbackException e ) { 093 final String message = "Unable to handle callback, disallowing login."; 094 log.error( message, e ); 095 throw new LoginException( message ); 096 } 097 } 098 099}