This project has retired. For details please refer to its Attic page.
AuthenticatedService.java

AuthenticatedService.java

/*
 * Copyright 2001-2008 The Apache Software Foundation.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
package org.apache.juddi.api.impl;

import java.util.Date;
import javax.annotation.Resource;

import javax.persistence.EntityManager;
import javax.servlet.http.HttpServletRequest;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.juddi.config.AppConfig;
import org.apache.juddi.config.Property;
import org.apache.juddi.model.UddiEntityPublisher;
import org.apache.juddi.v3.auth.Authenticator;
import org.apache.juddi.v3.auth.AuthenticatorFactory;
import org.apache.juddi.v3.error.AuthTokenRequiredException;
import org.apache.juddi.v3.error.AuthTokenExpiredException;
import org.apache.juddi.v3.error.ErrorMessage;
import org.uddi.v3_service.DispositionReportFaultMessage;

/**
 * Although this class is abstract, it provides token validation
 *
 * @author <a href="mailto:jfaath@apache.org">Jeff Faath</a>
 *
 * @author <a href="mailto:alexoree@apache.org">Alex O'Ree</a> - modified to
 * include token expiration validation
 */
public abstract class AuthenticatedService {

        /**
         * @return the node
         */
        public String getNode() {
            return node;
        }

        public static final String UTF8 = "UTF-8";
        public static final int AUTHTOKEN_ACTIVE = 1;
        public static final int AUTHTOKEN_RETIRED = 0;
        static final Log logger = LogFactory.getLog(AuthenticatedService.class);
        /**
         * the node id of this server instance, as loaded from the config file
         */
        private String node = "UNDEFINED_NODE_NAME";
        protected String baseUrlSSL = "UNDEFINED";
        protected String baseUrl = "UNDEFINED";
        protected DatatypeFactory df = null;

        public AuthenticatedService() {
                try {
                        node = AppConfig.getConfiguration().getString(Property.JUDDI_NODE_ID, "UNDEFINED_NODE_NAME");
                        node = node.trim();
                        baseUrlSSL = AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL_SECURE, Property.DEFAULT_BASE_URL_SECURE);
                        baseUrlSSL = baseUrlSSL.trim();
                } catch (ConfigurationException ex) {
                        logger.fatal(null, ex);
                }
                init();
        }
        
        /**
         * this method can be used to explicitly set a request context. this is useful
         * in unit tests, embedded and in-vm scenarios only
         * @param ctx 
         * @since 3.3.8
         */
        public void setContext(WebServiceContext ctx) {
                this.ctx = ctx;
        }
        
        private synchronized  void init() {
            try {
                df = DatatypeFactory.newInstance();
            } catch (DatatypeConfigurationException ex) {
                logger.fatal(null, ex);
            }
        }

        @Resource
        protected WebServiceContext ctx;

        public UddiEntityPublisher getEntityPublisher(EntityManager em, String authInfo) throws DispositionReportFaultMessage {
                boolean useAuthInfo = true;
                try {
                        useAuthInfo = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTHENTICATOR_USE_TOKEN, true);
                } catch (ConfigurationException ex) {

                }
                if (useAuthInfo) {

                        if (authInfo == null || authInfo.length() == 0) {
                                throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthRequired"));
                        }

                        org.apache.juddi.model.AuthToken modelAuthToken = em.find(org.apache.juddi.model.AuthToken.class, authInfo);
                        if (modelAuthToken == null) {
                                throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
                        }

                        int allowedMinutesOfInactivity = 0;
                        try {
                                allowedMinutesOfInactivity = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_TIMEOUT, 0);
                        } catch (ConfigurationException ce) {
                                logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from "
                                        + "the application's configuration. No automatic timeout token invalidation will occur. "
                                        + ce.getMessage(), ce);
                        }
                        int maxMinutesOfAge = 0;
                        try {
                                maxMinutesOfAge = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_EXPIRATION, 0);
                        } catch (ConfigurationException ce) {
                                logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from "
                                        + "the application's configuration. No automatic timeout token invalidation will occur. "
                                        + ce.getMessage(), ce);
                        }
                        Date now = new Date();
                        // 0 or negative means token does not expire
                        if (allowedMinutesOfInactivity > 0) {
                                // expire tokens after # minutes of inactivity
                                // compare the time in milli-seconds
                                if (now.getTime() > modelAuthToken.getLastUsed().getTime() + allowedMinutesOfInactivity * 60000l) {
                                        logger.info("AUDIT: FAILTURE Token " + modelAuthToken.getAuthToken() + " expired due to inactivity " + getRequestorsIPAddress());
                                        modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
                                }
                        }
                        if (maxMinutesOfAge > 0) {
                                // expire tokens when max age is reached
                                // compare the time in milli-seconds
                                if (now.getTime() > modelAuthToken.getCreated().getTime() + maxMinutesOfAge * 60000l) {

                                        logger.info("AUDIT: FAILURE - Token " + modelAuthToken.getAuthorizedName() + " expired due to old age " + getRequestorsIPAddress());
                                        modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
                                }
                        }

                        if (modelAuthToken.getTokenState() == AUTHTOKEN_RETIRED) {

                                throw new AuthTokenExpiredException(new ErrorMessage("errors.auth.AuthTokenExpired"));
                        }
                        if (ctx != null) {
                                try {
                                        boolean check = true;
                                        try {
                                                check = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP, true);
                                        } catch (ConfigurationException ex) {
                                                logger.warn("Error loading config property " + Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP
                                                        + " Enforcing Same IP for Auth Tokens will be enabled by default", ex);
                                        }
                                        if (check) {
                                                MessageContext mc = ctx.getMessageContext();
                                                HttpServletRequest req = null;
                                                if (mc != null) {
                                                        req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
                                                }
                                                if (req != null
                                                        && req.getRemoteAddr() != null
                                                        && modelAuthToken.getIPAddress() != null
                                                        && !modelAuthToken.getIPAddress().equalsIgnoreCase(req.getRemoteAddr())) {
                                                        modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
                                                        logger.error("AUDIT FAILURE - Security Alert - Attempt to use issued auth token from a different IP address, user "
                                                                + modelAuthToken.getAuthorizedName() + ", issued IP " + modelAuthToken.getIPAddress()
                                                                + ", attempted use from " + req.getRemoteAddr() + ", forcing reauthentication.");
                                                        throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
                                                        //invalidate the token, someone's intercepted it or it was reused on another ip
                                                }
                                        }
                                } catch (Exception ex) {
                                        if (ex instanceof AuthTokenRequiredException) {
                                                throw (AuthTokenRequiredException) ex;
                                        }
                                        logger.error("unexpected error caught looking up requestor's ip address", ex);
                                }

                        }
                        Authenticator authenticator = AuthenticatorFactory.getAuthenticator();
                        UddiEntityPublisher entityPublisher = authenticator.identify(authInfo, modelAuthToken.getAuthorizedName(), ctx);

                        // Must make sure the returned publisher has all the necessary fields filled
                        if (entityPublisher == null) {
                                logger.warn("AUDIT FAILURE - Auth token invalid, publisher does not exist " + getRequestorsIPAddress());
                                throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
                        }
                        if (entityPublisher.getAuthorizedName() == null) {
                                logger.warn("AUDIT FAILURE - Auth token invalid, username does exist" + getRequestorsIPAddress());
                                throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
                        }
                        // Auth token is being used.  Adjust appropriate values so that it's internal 'expiration clock' is reset.
                        modelAuthToken.setLastUsed(new Date());
                        modelAuthToken.setNumberOfUses(modelAuthToken.getNumberOfUses() + 1);
                        return entityPublisher;
                } else {
                        //use non-token based authentication
                        Authenticator authenticator = AuthenticatorFactory.getAuthenticator();
                        UddiEntityPublisher entityPublisher = authenticator.identify(null, null, ctx);
                        // Must make sure the returned publisher has all the necessary fields filled
                        if (entityPublisher == null) {
                                logger.warn("AUDIT FAILURE - Auth token invalid, publisher does not exist " + getRequestorsIPAddress());
                                throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
                        }
                        if (entityPublisher.getAuthorizedName() == null) {
                                logger.warn("AUDIT FAILURE - Auth token invalid, username does exist" + getRequestorsIPAddress());
                                throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
                        }
                        return entityPublisher;

                }

        }

        /**
         * Attempts to get the requestor's ip address from the servlet context,
         * defaults to null it it can't be retrieved
         *
         * @return requestor's ip address or null if it's not available
         */
        public String getRequestorsIPAddress() {
                try {
                        MessageContext mc = ctx.getMessageContext();
                        HttpServletRequest req = null;
                        if (mc != null) {
                                req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
                        }
                        if (req != null) {
                                return req.getRemoteAddr();
                        }
                } catch (Exception ex) {
                        logger.debug("Error caught looking up the requestor's ip address", ex);
                }
                return null;
        }
}