Source Code of org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocation

/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.remoting.rmi;

import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.remoting.support.RemoteInvocation;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.context.SecurityContextHolder;

import java.lang.reflect.InvocationTargetException;


/**
 * The actual {@code RemoteInvocation} that is passed from the client to the server.
 * <p>
 * The principal and credentials information will be extracted from the current
 * security context and passed to the server as part of the invocation object.
 * <p>
 * To avoid potential serialization-based attacks, this implementation interprets the values as {@code String}s
 * and creates a {@code UsernamePasswordAuthenticationToken} on the server side to hold them. If a different
 * token type is required you can override the {@code createAuthenticationRequest} method.
 *
 * @author James Monaghan
 * @author Ben Alex
 * @author Luke Taylor
 */
public class ContextPropagatingRemoteInvocation extends RemoteInvocation {

    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    private static final Log logger = LogFactory.getLog(ContextPropagatingRemoteInvocation.class);

    //~ Instance fields ================================================================================================

    private final String principal;
    private final String credentials;

    //~ Constructors ===================================================================================================

    /**
     * Constructs the object, storing the principal and credentials extracted from the client-side
     * security context.
     *
     * @param methodInvocation the method to invoke
     */
    public ContextPropagatingRemoteInvocation(MethodInvocation methodInvocation) {
        super(methodInvocation);
        Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();

        if (currentUser != null) {
            principal = currentUser.getName();
            Object userCredentials = currentUser.getCredentials();
            credentials = userCredentials == null ? null : userCredentials.toString();
        } else {
            principal = credentials = null;
        }

        if (logger.isDebugEnabled()) {
            logger.debug("RemoteInvocation now has principal: " + principal);
            if(credentials == null) {
                logger.debug("RemoteInvocation now has null credentials.");
            }
        }
    }

    //~ Methods ========================================================================================================

    /**
     * Invoked on the server-side.
     * <p>
     * The transmitted principal and credentials will be used to create an unauthenticated {@code Authentication}
     * instance for processing by the {@code AuthenticationManager}.
     *
     * @param targetObject the target object to apply the invocation to
     *
     * @return the invocation result
     *
     * @throws NoSuchMethodException if the method name could not be resolved
     * @throws IllegalAccessException if the method could not be accessed
     * @throws InvocationTargetException if the method invocation resulted in an exception
     */
    public Object invoke(Object targetObject)
            throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {

        if (principal != null) {
            Authentication request = createAuthenticationRequest(principal, credentials);
            request.setAuthenticated(false);
            SecurityContextHolder.getContext().setAuthentication(request);

            if (logger.isDebugEnabled()) {
                logger.debug("Set SecurityContextHolder to contain: " + request);
            }
        }

        try {
            return super.invoke(targetObject);
        } finally {
            SecurityContextHolder.clearContext();

            if (logger.isDebugEnabled()) {
                logger.debug("Cleared SecurityContextHolder.");
            }
        }
    }

    /**
     * Creates the server-side authentication request object.
     */
    protected Authentication createAuthenticationRequest(String principal, String credentials) {
        return new UsernamePasswordAuthenticationToken(principal, credentials);
    }
}