Source Code of org.jspresso.framework.security.LoginServlet

/*
 * Copyright (c) 2005-2011 Vincent Vandenschrick. All rights reserved.
 *
 *  This file is part of the Jspresso framework.
 *
 *  Jspresso is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU Lesser General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  Jspresso is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public License
 *  along with Jspresso.  If not, see <http://www.gnu.org/licenses/>.
 */
package org.jspresso.framework.security;

import java.io.IOException;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletConfig;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet that performs a JAAS login. The name of the JAAS configuration is
 * read from the servlet config. After succesful login, username and password
 * are put in the session. Note that, in contrast to the
 * <code>SecurityContextFilter</code>, the login module used here is supposed to
 * perform a real authentication. With JBoss, you could use the
 * <code>UsersRolesLoginModule</code> for example. <br>
 * Note that this is sample implementation, and is written only in order to demo
 * the use of the {@link SecurityContextFilter} class. In a real life
 * implementation, one would probably never hard-code names of redirect url's,
 * names of form parameters and names of session attributes.
 */
public class LoginServlet extends HttpServlet {

  /**
   * <code>ERROR_DEFAULT</code>="login-error.html".
   */
  public static final String ERROR_DEFAULT        = "/login-error.html";

  /**
   * <code>ERROR_PARAM_NAME</code>"error.redirect".
   */
  public static final String ERROR_PARAM_NAME     = "error.redirect";
  /**
   * <code>JAAS_APPL_DEFAULT</code>="other".
   */
  public static final String JAAS_APPL_DEFAULT    = "other";

  /**
   * <code>JAAS_APPL_PARAM_NAME</code>="jaas-application".
   */
  public static final String JAAS_APPL_PARAM_NAME = "jaas-application";
  /**
   * <code>SUCCESS_DEFAULT</code>="main.html".
   */
  public static final String SUCCESS_DEFAULT      = "/main.html";

  /**
   * <code>SUCCESS_PARAM_NAME</code>="success.redirect".
   */
  public static final String SUCCESS_PARAM_NAME   = "success.redirect";
  private static final long  serialVersionUID     = 6326611145492998226L;

  private String             errorRedirectUrl;

  /**
   * The name of the JAAS application, the key for finding the JAAS module
   * configuration (e.g. in an auth.conf file). In JBoss this matches the
   * security domain name in the login-config.xml file.
   */
  private String             jaasApplicationName;
  private String             successRedirectUrl;

  /**
   * Processes the login form. The form is supposed to have two input values:
   * username and password.
   * <p>
   * {@inheritDoc}
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    if (jaasApplicationName != null) {
      // retrieve form parameter values from request
      String username = request.getParameter("username");
      String password = request.getParameter("password");

      // just for demo purposes: do never login if no username is set
      if (username.trim().equals("")) {
        // redirect to the error page
        response.sendRedirect(request.getContextPath() + errorRedirectUrl);
        return;
      }

      // create a JAAS callback handler and hand it over username and password
      UsernamePasswordHandler callbackHandler = new UsernamePasswordHandler();
      callbackHandler.setUsername(username);
      callbackHandler.setPassword(password);

      // perform the JAAS login; it will callback on the callbackHandler to
      // obtain
      // username and password
      try {
        LoginContext loginContext = new LoginContext(jaasApplicationName,
            callbackHandler);
        loginContext.login();

        request.getSession().setAttribute("SUBJECT", loginContext.getSubject());

        // redirect to the main menu page
        response.sendRedirect(request.getContextPath() + successRedirectUrl);
      } catch (LoginException le) {
        // redirect to the error page
        response.sendRedirect(request.getContextPath() + errorRedirectUrl);
      }
    } else {
      request.getSession().setAttribute("SUBJECT",
          SecurityHelper.createAnonymousSubject());

      // redirect to the main menu page
      response.sendRedirect(request.getContextPath() + successRedirectUrl);
    }
  }

  /**
   * Initializes the servlet. Reads the name of the JAAS configuration.
   * <p>
   * {@inheritDoc}
   */
  @Override
  public void init(ServletConfig config) {
    jaasApplicationName = config.getInitParameter(JAAS_APPL_PARAM_NAME);
    if (jaasApplicationName == null) {
      jaasApplicationName = JAAS_APPL_DEFAULT;
    }

    successRedirectUrl = config.getInitParameter(SUCCESS_PARAM_NAME);
    if (successRedirectUrl == null) {
      successRedirectUrl = SUCCESS_DEFAULT;
    }

    errorRedirectUrl = config.getInitParameter(ERROR_PARAM_NAME);
    if (errorRedirectUrl == null) {
      errorRedirectUrl = ERROR_DEFAULT;
    }
  }
}