001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.web.filter.authc;
020
021import org.apache.shiro.authc.BearerToken;
022import org.apache.shiro.authc.AuthenticationToken;
023import org.slf4j.Logger;
024import org.slf4j.LoggerFactory;
025
026import javax.servlet.ServletRequest;
027import javax.servlet.ServletResponse;
028
029
030/**
031 * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the
032 * request to continue, and if they're not, requires the user to login via the HTTP Bearer protocol-specific challenge.
033 * Upon successful login, they're allowed to continue on to the requested resource/url.
034 * <p/>
035 * The {@link #onAccessDenied(ServletRequest, ServletResponse)} method will
036 * only be called if the subject making the request is not
037 * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated}
038 *
039 * @see <a href="https://tools.ietf.org/html/rfc2617">RFC 2617</a>
040 * @see <a href="https://tools.ietf.org/html/rfc6750#section-2.1">OAuth2 Authorization Request Header Field</a>
041 * @since 1.5
042 */
043public class BearerHttpAuthenticationFilter extends HttpAuthenticationFilter {
044
045    /**
046     * This class's private logger.
047     */
048    private static final Logger log = LoggerFactory.getLogger(BearerHttpAuthenticationFilter.class);
049
050    private static final String BEARER = "Bearer";
051
052    public BearerHttpAuthenticationFilter() {
053        setAuthcScheme(BEARER);
054        setAuthzScheme(BEARER);
055    }
056
057    /**
058     * Creates an AuthenticationToken for use during login attempt with the provided credentials in the http header.
059     * <p/>
060     * This implementation:
061     * <ol><li>acquires the username and password based on the request's
062     * {@link #getAuthzHeader(ServletRequest) authorization header} via the
063     * {@link #getPrincipalsAndCredentials(String, ServletRequest) getPrincipalsAndCredentials} method</li>
064     * <li>The return value of that method is converted to an <code>AuthenticationToken</code> via the
065     * {@link #createToken(String, String, ServletRequest, ServletResponse) createToken} method</li>
066     * <li>The created <code>AuthenticationToken</code> is returned.</li>
067     * </ol>
068     *
069     * @param request  incoming ServletRequest
070     * @param response outgoing ServletResponse
071     * @return the AuthenticationToken used to execute the login attempt
072     */
073    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
074        String authorizationHeader = getAuthzHeader(request);
075        if (authorizationHeader == null || authorizationHeader.length() == 0) {
076            // Create an empty authentication token since there is no
077            // Authorization header.
078            return createBearerToken("", request);
079        }
080
081        log.debug("Attempting to execute login with auth header");
082
083        String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request);
084        if (prinCred == null || prinCred.length < 1) {
085            // Create an authentication token with an empty password,
086            // since one hasn't been provided in the request.
087            return createBearerToken("", request);
088        }
089
090        String token = prinCred[0] != null ? prinCred[0] : "";
091        return createBearerToken(token, request);
092    }
093    @Override
094    protected String[] getPrincipalsAndCredentials(String scheme, String token) {
095        return new String[] {token};
096    }
097
098    protected AuthenticationToken createBearerToken(String token, ServletRequest request) {
099        return new BearerToken(token, request.getRemoteHost());
100    }
101}