root / src / org / gss_project / gss / server / rest / RequestHandler.java @ 1206:292dec4eae08
History | View | Annotate | Download (25.7 kB)
| 1 |
/*
|
|---|---|
| 2 |
* Copyright 2008, 2009 Electronic Business Systems Ltd.
|
| 3 |
*
|
| 4 |
* This file is part of GSS.
|
| 5 |
*
|
| 6 |
* GSS is free software: you can redistribute it and/or modify
|
| 7 |
* it under the terms of the GNU General Public License as published by
|
| 8 |
* the Free Software Foundation, either version 3 of the License, or
|
| 9 |
* (at your option) any later version.
|
| 10 |
*
|
| 11 |
* GSS is distributed in the hope that it will be useful,
|
| 12 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
| 13 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
| 14 |
* GNU General Public License for more details.
|
| 15 |
*
|
| 16 |
* You should have received a copy of the GNU General Public License
|
| 17 |
* along with GSS. If not, see <http://www.gnu.org/licenses/>.
|
| 18 |
*/
|
| 19 |
package org.gss_project.gss.server.rest; |
| 20 |
|
| 21 |
import static org.gss_project.gss.server.configuration.GSSConfigurationFactory.getConfiguration; |
| 22 |
import org.gss_project.gss.common.exceptions.InsufficientPermissionsException; |
| 23 |
import org.gss_project.gss.common.exceptions.ObjectNotFoundException; |
| 24 |
import org.gss_project.gss.common.exceptions.RpcException; |
| 25 |
import org.gss_project.gss.server.domain.FileHeader; |
| 26 |
import org.gss_project.gss.server.domain.User; |
| 27 |
|
| 28 |
import java.io.ByteArrayInputStream; |
| 29 |
import java.io.ByteArrayOutputStream; |
| 30 |
import java.io.IOException; |
| 31 |
import java.io.OutputStreamWriter; |
| 32 |
import java.io.PrintWriter; |
| 33 |
import java.io.UnsupportedEncodingException; |
| 34 |
import java.util.Calendar; |
| 35 |
import java.util.Enumeration; |
| 36 |
import java.util.HashMap; |
| 37 |
import java.util.Map; |
| 38 |
|
| 39 |
import javax.crypto.Mac; |
| 40 |
import javax.crypto.spec.SecretKeySpec; |
| 41 |
import javax.servlet.ServletException; |
| 42 |
import javax.servlet.http.HttpServletRequest; |
| 43 |
import javax.servlet.http.HttpServletResponse; |
| 44 |
|
| 45 |
import org.apache.commons.codec.binary.Base64; |
| 46 |
import org.apache.commons.logging.Log; |
| 47 |
import org.apache.commons.logging.LogFactory; |
| 48 |
|
| 49 |
/**
|
| 50 |
* The servlet that handles requests for the REST API.
|
| 51 |
*
|
| 52 |
* @author past
|
| 53 |
*/
|
| 54 |
public class RequestHandler extends Webdav { |
| 55 |
/**
|
| 56 |
* The request attribute containing the flag that will be used to indicate an
|
| 57 |
* authentication bypass has occurred. We will have to check for authentication
|
| 58 |
* later. This is a shortcut for dealing with publicly-readable files.
|
| 59 |
*/
|
| 60 |
protected static final String AUTH_DEFERRED_ATTR = "authDeferred"; |
| 61 |
|
| 62 |
/**
|
| 63 |
* The path for the search subsystem.
|
| 64 |
*/
|
| 65 |
protected static final String PATH_SEARCH = "/search"; |
| 66 |
|
| 67 |
/**
|
| 68 |
* The path for the user search subsystem.
|
| 69 |
*/
|
| 70 |
protected static final String PATH_USERS = "/users"; |
| 71 |
|
| 72 |
/**
|
| 73 |
* The path for the resource manipulation subsystem.
|
| 74 |
*/
|
| 75 |
protected static final String PATH_FILES = FileHeader.PATH_FILES; |
| 76 |
|
| 77 |
/**
|
| 78 |
* The path for the trash virtual folder.
|
| 79 |
*/
|
| 80 |
protected static final String PATH_TRASH = "/trash"; |
| 81 |
|
| 82 |
/**
|
| 83 |
* The path for the subsystem that deals with the user attributes.
|
| 84 |
*/
|
| 85 |
protected static final String PATH_GROUPS = "/groups"; |
| 86 |
|
| 87 |
/**
|
| 88 |
* The path for the shared resources virtual folder.
|
| 89 |
*/
|
| 90 |
protected static final String PATH_SHARED = "/shared"; |
| 91 |
|
| 92 |
/**
|
| 93 |
* The path for the other users' shared resources virtual folder.
|
| 94 |
*/
|
| 95 |
protected static final String PATH_OTHERS = "/others"; |
| 96 |
|
| 97 |
/**
|
| 98 |
* The path for tags created by the user.
|
| 99 |
*/
|
| 100 |
protected static final String PATH_TAGS = "/tags"; |
| 101 |
|
| 102 |
/**
|
| 103 |
* The path for token renewal.
|
| 104 |
*/
|
| 105 |
protected static final String PATH_TOKEN = "/newtoken"; |
| 106 |
|
| 107 |
/**
|
| 108 |
* The GSS-specific header for the request timestamp.
|
| 109 |
*/
|
| 110 |
protected static final String GSS_DATE_HEADER = "X-GSS-Date"; |
| 111 |
|
| 112 |
/**
|
| 113 |
* The RFC 2616 date header.
|
| 114 |
*/
|
| 115 |
protected static final String DATE_HEADER = "Date"; |
| 116 |
|
| 117 |
/**
|
| 118 |
* The Authorization HTTP header.
|
| 119 |
*/
|
| 120 |
protected static final String AUTHORIZATION_HEADER = "Authorization"; |
| 121 |
|
| 122 |
/**
|
| 123 |
* The group parameter name.
|
| 124 |
*/
|
| 125 |
protected static final String GROUP_PARAMETER = "name"; |
| 126 |
|
| 127 |
/**
|
| 128 |
* The username parameter name.
|
| 129 |
*/
|
| 130 |
protected static final String USERNAME_PARAMETER = "name"; |
| 131 |
|
| 132 |
/**
|
| 133 |
* The "new folder name" parameter name.
|
| 134 |
*/
|
| 135 |
protected static final String NEW_FOLDER_PARAMETER = "new"; |
| 136 |
|
| 137 |
/**
|
| 138 |
* The resource update parameter name.
|
| 139 |
*/
|
| 140 |
protected static final String RESOURCE_UPDATE_PARAMETER = "update"; |
| 141 |
|
| 142 |
/**
|
| 143 |
* The resource trash parameter name.
|
| 144 |
*/
|
| 145 |
protected static final String RESOURCE_TRASH_PARAMETER = "trash"; |
| 146 |
|
| 147 |
/**
|
| 148 |
* The resource restore parameter name.
|
| 149 |
*/
|
| 150 |
protected static final String RESOURCE_RESTORE_PARAMETER = "restore"; |
| 151 |
|
| 152 |
/**
|
| 153 |
* The resource copy parameter name.
|
| 154 |
*/
|
| 155 |
protected static final String RESOURCE_COPY_PARAMETER = "copy"; |
| 156 |
|
| 157 |
/**
|
| 158 |
* The resource move parameter name.
|
| 159 |
*/
|
| 160 |
protected static final String RESOURCE_MOVE_PARAMETER = "move"; |
| 161 |
|
| 162 |
/**
|
| 163 |
* The HMAC-SHA1 hash name.
|
| 164 |
*/
|
| 165 |
private static final String HMAC_SHA1 = "HmacSHA1"; |
| 166 |
|
| 167 |
/**
|
| 168 |
* The serial version UID of the class.
|
| 169 |
*/
|
| 170 |
private static final long serialVersionUID = 1L; |
| 171 |
|
| 172 |
/**
|
| 173 |
* The logger.
|
| 174 |
*/
|
| 175 |
private static Log logger = LogFactory.getLog(RequestHandler.class); |
| 176 |
|
| 177 |
/**
|
| 178 |
* Create a mapping between paths and allowed HTTP methods for fast lookup.
|
| 179 |
*/
|
| 180 |
private final Map<String, String> methodsAllowed = new HashMap<String, String>(7); |
| 181 |
|
| 182 |
@Override
|
| 183 |
public void init() throws ServletException { |
| 184 |
super.init();
|
| 185 |
methodsAllowed.put(PATH_FILES, METHOD_GET + ", " + METHOD_POST +
|
| 186 |
", " + METHOD_DELETE + ", " + METHOD_PUT + ", " + METHOD_HEAD); |
| 187 |
methodsAllowed.put(PATH_GROUPS, METHOD_GET + ", " + METHOD_POST +
|
| 188 |
", " + METHOD_DELETE);
|
| 189 |
methodsAllowed.put(PATH_OTHERS, METHOD_GET); |
| 190 |
methodsAllowed.put(PATH_SEARCH, METHOD_GET); |
| 191 |
methodsAllowed.put(PATH_USERS, METHOD_GET); |
| 192 |
methodsAllowed.put(PATH_SHARED, METHOD_GET); |
| 193 |
methodsAllowed.put(PATH_TAGS, METHOD_GET); |
| 194 |
methodsAllowed.put(PATH_TRASH, METHOD_GET + ", " + METHOD_DELETE);
|
| 195 |
methodsAllowed.put(PATH_TOKEN, METHOD_GET); |
| 196 |
} |
| 197 |
|
| 198 |
/**
|
| 199 |
* Return the root of every API request URL.
|
| 200 |
*/
|
| 201 |
protected String getApiRoot() { |
| 202 |
return getConfiguration().getString("restUrl", "http://localhost:8080/gss/rest/"); |
| 203 |
} |
| 204 |
|
| 205 |
@Override
|
| 206 |
public void service(final HttpServletRequest request, final HttpServletResponse response) throws IOException, ServletException { |
| 207 |
String method = request.getMethod();
|
| 208 |
String path = getRelativePath(request);
|
| 209 |
|
| 210 |
if (logger.isDebugEnabled())
|
| 211 |
logger.debug("[" + method + "] " + path); |
| 212 |
|
| 213 |
if (!isRequestValid(request)) {
|
| 214 |
if (!method.equals(METHOD_GET) && !method.equals(METHOD_HEAD) &&
|
| 215 |
!method.equals(METHOD_POST)) {
|
| 216 |
response.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 217 |
return;
|
| 218 |
} |
| 219 |
// Raise a flag to indicate we will have to check for
|
| 220 |
// authentication later. This is a shortcut for dealing
|
| 221 |
// with publicly-readable files.
|
| 222 |
request.setAttribute(AUTH_DEFERRED_ATTR, true);
|
| 223 |
} |
| 224 |
|
| 225 |
// Dispatch to the appropriate method handler.
|
| 226 |
if (method.equals(METHOD_GET))
|
| 227 |
doGet(request, response); |
| 228 |
else if (method.equals(METHOD_POST)) |
| 229 |
doPost(request, response); |
| 230 |
else if (method.equals(METHOD_PUT)) |
| 231 |
doPut(request, response); |
| 232 |
else if (method.equals(METHOD_DELETE)) |
| 233 |
doDelete(request, response); |
| 234 |
else if (method.equals(METHOD_HEAD)) |
| 235 |
doHead(request, response); |
| 236 |
else
|
| 237 |
response.sendError(HttpServletResponse.SC_BAD_REQUEST); |
| 238 |
} |
| 239 |
|
| 240 |
@Override
|
| 241 |
protected void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException { |
| 242 |
boolean authDeferred = getAuthDeferred(req);
|
| 243 |
// Strip the username part
|
| 244 |
String path;
|
| 245 |
try {
|
| 246 |
path = getUserPath(req); |
| 247 |
} catch (ObjectNotFoundException e) {
|
| 248 |
if (authDeferred) {
|
| 249 |
// We do not want to leak information if the request
|
| 250 |
// was not authenticated.
|
| 251 |
resp.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 252 |
return;
|
| 253 |
} |
| 254 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage()); |
| 255 |
return;
|
| 256 |
} |
| 257 |
if (authDeferred && !path.startsWith(PATH_FILES)) {
|
| 258 |
// Only files may be open to the public.
|
| 259 |
resp.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 260 |
return;
|
| 261 |
} |
| 262 |
|
| 263 |
if (path.startsWith(PATH_GROUPS)) {
|
| 264 |
resp.addHeader("Allow", methodsAllowed.get(PATH_GROUPS));
|
| 265 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 266 |
} else if (path.startsWith(PATH_OTHERS)) { |
| 267 |
resp.addHeader("Allow", methodsAllowed.get(PATH_OTHERS));
|
| 268 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 269 |
} else if (path.startsWith(PATH_SEARCH)) { |
| 270 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SEARCH));
|
| 271 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 272 |
} else if (path.startsWith(PATH_TOKEN)) { |
| 273 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TOKEN));
|
| 274 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 275 |
} else if (path.startsWith(PATH_USERS)) { |
| 276 |
resp.addHeader("Allow", methodsAllowed.get(PATH_USERS));
|
| 277 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 278 |
} else if (path.startsWith(PATH_SHARED)) { |
| 279 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SHARED));
|
| 280 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 281 |
} else if (path.startsWith(PATH_TAGS)) { |
| 282 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TAGS));
|
| 283 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 284 |
} else if (path.startsWith(PATH_TRASH)) { |
| 285 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TRASH));
|
| 286 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 287 |
} else if (path.startsWith(PATH_FILES)) |
| 288 |
// Serve the requested resource, without the data content
|
| 289 |
new FilesHandler(getServletContext()).serveResource(req, resp, false); |
| 290 |
else
|
| 291 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI()); |
| 292 |
} |
| 293 |
|
| 294 |
/**
|
| 295 |
* Handle storing and updating file resources.
|
| 296 |
*
|
| 297 |
* @param req The servlet request we are processing
|
| 298 |
* @param resp The servlet response we are creating
|
| 299 |
* @throws IOException if the response cannot be sent
|
| 300 |
*/
|
| 301 |
@Override
|
| 302 |
protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { |
| 303 |
// TODO: fix code duplication between doPut() and Webdav.doPut()
|
| 304 |
// Strip the username part
|
| 305 |
String path;
|
| 306 |
try {
|
| 307 |
path = getUserPath(req); |
| 308 |
} catch (ObjectNotFoundException e) {
|
| 309 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage()); |
| 310 |
return;
|
| 311 |
} |
| 312 |
|
| 313 |
if (path.startsWith(PATH_GROUPS)) {
|
| 314 |
resp.addHeader("Allow", methodsAllowed.get(PATH_GROUPS));
|
| 315 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 316 |
} else if (path.startsWith(PATH_OTHERS)) { |
| 317 |
resp.addHeader("Allow", methodsAllowed.get(PATH_OTHERS));
|
| 318 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 319 |
} else if (path.startsWith(PATH_SEARCH)) { |
| 320 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SEARCH));
|
| 321 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 322 |
} else if (path.startsWith(PATH_TOKEN)) { |
| 323 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TOKEN));
|
| 324 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 325 |
} else if (path.startsWith(PATH_USERS)) { |
| 326 |
resp.addHeader("Allow", methodsAllowed.get(PATH_USERS));
|
| 327 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 328 |
} else if (path.startsWith(PATH_SHARED)) { |
| 329 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SHARED));
|
| 330 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 331 |
} else if (path.startsWith(PATH_TAGS)) { |
| 332 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TAGS));
|
| 333 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 334 |
} else if (path.startsWith(PATH_TRASH)) { |
| 335 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TRASH));
|
| 336 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 337 |
} else if (path.startsWith(PATH_FILES)) |
| 338 |
new FilesHandler(getServletContext()).putResource(req, resp);
|
| 339 |
else
|
| 340 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI()); |
| 341 |
} |
| 342 |
|
| 343 |
@Override
|
| 344 |
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException { |
| 345 |
boolean authDeferred = getAuthDeferred(req);
|
| 346 |
// Strip the username part
|
| 347 |
String path;
|
| 348 |
try {
|
| 349 |
path = getUserPath(req); |
| 350 |
} catch (ObjectNotFoundException e) {
|
| 351 |
if (authDeferred) {
|
| 352 |
// We do not want to leak information if the request
|
| 353 |
// was not authenticated.
|
| 354 |
resp.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 355 |
return;
|
| 356 |
} |
| 357 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage()); |
| 358 |
return;
|
| 359 |
} |
| 360 |
if (authDeferred && !path.startsWith(PATH_FILES)) {
|
| 361 |
// Only files may be open to the public.
|
| 362 |
resp.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 363 |
return;
|
| 364 |
} |
| 365 |
|
| 366 |
// Dispatch according to the specified namespace
|
| 367 |
if (path.equals("") || path.equals("/")) |
| 368 |
new UserHandler().serveUser(req, resp);
|
| 369 |
else if (path.startsWith(PATH_FILES)) |
| 370 |
// Serve the requested resource, including the data content
|
| 371 |
new FilesHandler(getServletContext()).serveResource(req, resp, true); |
| 372 |
else if (path.startsWith(PATH_TRASH)) |
| 373 |
new TrashHandler().serveTrash(req, resp);
|
| 374 |
else if (path.startsWith(PATH_SEARCH)) |
| 375 |
new SearchHandler().serveSearchResults(req, resp);
|
| 376 |
else if (path.startsWith(PATH_USERS)) |
| 377 |
new UserSearchHandler().serveResults(req, resp);
|
| 378 |
else if (path.startsWith(PATH_GROUPS)) |
| 379 |
new GroupsHandler().serveGroups(req, resp);
|
| 380 |
else if (path.startsWith(PATH_SHARED)) |
| 381 |
new SharedHandler().serveShared(req, resp);
|
| 382 |
else if (path.startsWith(PATH_OTHERS)) |
| 383 |
new OthersHandler().serveOthers(req, resp);
|
| 384 |
else if (path.startsWith(PATH_TAGS)) |
| 385 |
new TagsHandler().serveTags(req, resp);
|
| 386 |
else if (path.startsWith(PATH_TOKEN)) |
| 387 |
new TokenHandler().newToken(req, resp);
|
| 388 |
else
|
| 389 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI()); |
| 390 |
} |
| 391 |
|
| 392 |
/**
|
| 393 |
* Handle a Delete request.
|
| 394 |
*
|
| 395 |
* @param req The servlet request we are processing
|
| 396 |
* @param resp The servlet response we are processing
|
| 397 |
* @throws IOException if the response cannot be sent
|
| 398 |
*/
|
| 399 |
@Override
|
| 400 |
protected void doDelete(HttpServletRequest req, HttpServletResponse resp) |
| 401 |
throws IOException { |
| 402 |
// Strip the username part
|
| 403 |
String path;
|
| 404 |
try {
|
| 405 |
path = getUserPath(req); |
| 406 |
} catch (ObjectNotFoundException e) {
|
| 407 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage()); |
| 408 |
return;
|
| 409 |
} |
| 410 |
|
| 411 |
if (path.startsWith(PATH_OTHERS)) {
|
| 412 |
resp.addHeader("Allow", methodsAllowed.get(PATH_OTHERS));
|
| 413 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 414 |
} else if (path.startsWith(PATH_SEARCH)) { |
| 415 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SEARCH));
|
| 416 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 417 |
} else if (path.startsWith(PATH_TOKEN)) { |
| 418 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TOKEN));
|
| 419 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 420 |
} else if (path.startsWith(PATH_USERS)) { |
| 421 |
resp.addHeader("Allow", methodsAllowed.get(PATH_USERS));
|
| 422 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 423 |
} else if (path.startsWith(PATH_SHARED)) { |
| 424 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SHARED));
|
| 425 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 426 |
} else if (path.startsWith(PATH_TAGS)) { |
| 427 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TAGS));
|
| 428 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 429 |
} else if (path.startsWith(PATH_GROUPS)) |
| 430 |
new GroupsHandler().deleteGroup(req, resp);
|
| 431 |
else if (path.startsWith(PATH_TRASH)) |
| 432 |
new TrashHandler().emptyTrash(req, resp);
|
| 433 |
else if (path.startsWith(PATH_FILES)) |
| 434 |
new FilesHandler(getServletContext()).deleteResource(req, resp);
|
| 435 |
else
|
| 436 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI()); |
| 437 |
} |
| 438 |
|
| 439 |
@Override
|
| 440 |
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { |
| 441 |
boolean authDeferred = getAuthDeferred(req);
|
| 442 |
// Strip the username part
|
| 443 |
String path;
|
| 444 |
try {
|
| 445 |
path = getUserPath(req); |
| 446 |
} catch (ObjectNotFoundException e) {
|
| 447 |
if (authDeferred) {
|
| 448 |
// We do not want to leak information if the request
|
| 449 |
// was not authenticated.
|
| 450 |
resp.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 451 |
return;
|
| 452 |
} |
| 453 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage()); |
| 454 |
return;
|
| 455 |
} |
| 456 |
if (authDeferred && !path.startsWith(PATH_FILES)) {
|
| 457 |
// Only POST to files may be authenticated without an Authorization header.
|
| 458 |
resp.sendError(HttpServletResponse.SC_FORBIDDEN); |
| 459 |
return;
|
| 460 |
} |
| 461 |
|
| 462 |
if (path.startsWith(PATH_OTHERS)) {
|
| 463 |
resp.addHeader("Allow", methodsAllowed.get(PATH_OTHERS));
|
| 464 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 465 |
} else if (path.startsWith(PATH_SEARCH)) { |
| 466 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SEARCH));
|
| 467 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 468 |
} else if (path.startsWith(PATH_TOKEN)) { |
| 469 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TOKEN));
|
| 470 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 471 |
} else if (path.startsWith(PATH_USERS)) { |
| 472 |
resp.addHeader("Allow", methodsAllowed.get(PATH_USERS));
|
| 473 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 474 |
} else if (path.startsWith(PATH_SHARED)) { |
| 475 |
resp.addHeader("Allow", methodsAllowed.get(PATH_SHARED));
|
| 476 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 477 |
} else if (path.startsWith(PATH_TAGS)) { |
| 478 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TAGS));
|
| 479 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 480 |
} else if (path.startsWith(PATH_GROUPS)) |
| 481 |
new GroupsHandler().postGroup(req, resp);
|
| 482 |
else if (path.startsWith(PATH_TRASH)) { |
| 483 |
resp.addHeader("Allow", methodsAllowed.get(PATH_TRASH));
|
| 484 |
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); |
| 485 |
} else if (path.startsWith(PATH_FILES)) |
| 486 |
new FilesHandler(getServletContext()).postResource(req, resp);
|
| 487 |
else if (path.equals("/")) |
| 488 |
new UserHandler().postUser(req, resp);
|
| 489 |
else
|
| 490 |
resp.sendError(HttpServletResponse.SC_NOT_FOUND, req.getRequestURI()); |
| 491 |
} |
| 492 |
|
| 493 |
/**
|
| 494 |
* Return the path inside the user namespace.
|
| 495 |
*
|
| 496 |
* @param req the HTTP request
|
| 497 |
* @return the path after the username part has been removed
|
| 498 |
* @throws ObjectNotFoundException if the namespace owner was not found
|
| 499 |
*/
|
| 500 |
private String getUserPath(HttpServletRequest req) throws ObjectNotFoundException { |
| 501 |
String path = getRelativePath(req);
|
| 502 |
if (path.length() < 2) |
| 503 |
return path;
|
| 504 |
int slash = path.substring(1).indexOf('/'); |
| 505 |
if (slash == -1) |
| 506 |
return path;
|
| 507 |
String owner = path.substring(1, slash + 1); |
| 508 |
User o; |
| 509 |
try {
|
| 510 |
o = getService().findUser(owner); |
| 511 |
} catch (RpcException e) {
|
| 512 |
logger.error("", e);
|
| 513 |
throw new ObjectNotFoundException("User " + owner + |
| 514 |
" not found, due to internal server error");
|
| 515 |
} |
| 516 |
if (o != null) { |
| 517 |
req.setAttribute(OWNER_ATTRIBUTE, o); |
| 518 |
return path.substring(slash + 1); |
| 519 |
} |
| 520 |
if (!path.startsWith(PATH_SEARCH) && !path.startsWith(PATH_USERS) &&
|
| 521 |
!path.startsWith(PATH_TOKEN)) |
| 522 |
throw new ObjectNotFoundException("User " + owner + " not found"); |
| 523 |
return path;
|
| 524 |
} |
| 525 |
|
| 526 |
/**
|
| 527 |
* Retrieve the request context path with or without a trailing slash
|
| 528 |
* according to the provided argument.
|
| 529 |
*
|
| 530 |
* @param req the HTTP request
|
| 531 |
* @param withTrailingSlash a flag that denotes whether the path should
|
| 532 |
* end with a slash
|
| 533 |
* @return the context path
|
| 534 |
*/
|
| 535 |
protected String getContextPath(HttpServletRequest req, boolean withTrailingSlash) { |
| 536 |
String contextPath = req.getRequestURL().toString();
|
| 537 |
if (withTrailingSlash)
|
| 538 |
return contextPath.endsWith("/")? contextPath: contextPath + '/'; |
| 539 |
return contextPath.endsWith("/")? contextPath.substring(0, contextPath.length()-1): contextPath; |
| 540 |
|
| 541 |
} |
| 542 |
|
| 543 |
/**
|
| 544 |
* @param req
|
| 545 |
* @param resp
|
| 546 |
* @param json
|
| 547 |
* @throws UnsupportedEncodingException
|
| 548 |
* @throws IOException
|
| 549 |
*/
|
| 550 |
protected void sendJson(HttpServletRequest req, HttpServletResponse resp, String json) throws UnsupportedEncodingException, IOException { |
| 551 |
ByteArrayOutputStream stream = new ByteArrayOutputStream(); |
| 552 |
OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8"); |
| 553 |
PrintWriter writer = new PrintWriter(osWriter); |
| 554 |
|
| 555 |
writer.write(json); |
| 556 |
writer.flush(); |
| 557 |
|
| 558 |
resp.setContentType("application/json;charset=UTF-8");
|
| 559 |
resp.setBufferSize(output); |
| 560 |
try {
|
| 561 |
copy(null, new ByteArrayInputStream(stream.toByteArray()), resp.getOutputStream(), req, null); |
| 562 |
} catch (ObjectNotFoundException e) {
|
| 563 |
// This should never happen with a null first parameter.
|
| 564 |
logger.error("", e);
|
| 565 |
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); |
| 566 |
return;
|
| 567 |
} catch (InsufficientPermissionsException e) {
|
| 568 |
// This should never happen with a null first parameter.
|
| 569 |
logger.error("", e);
|
| 570 |
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); |
| 571 |
return;
|
| 572 |
} catch (RpcException e) {
|
| 573 |
logger.error("", e);
|
| 574 |
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); |
| 575 |
return;
|
| 576 |
} |
| 577 |
} |
| 578 |
|
| 579 |
/**
|
| 580 |
* Retrieve the path to the requested resource after removing the user namespace
|
| 581 |
* part and the subsequent namespace part that differentiates resources like files,
|
| 582 |
* groups, trash, etc.
|
| 583 |
*
|
| 584 |
* @param req the HTTP request
|
| 585 |
* @param namespace the subnamespace
|
| 586 |
* @return the inner path
|
| 587 |
*/
|
| 588 |
protected String getInnerPath(HttpServletRequest req, String namespace) { |
| 589 |
// Strip the username part
|
| 590 |
String path;
|
| 591 |
try {
|
| 592 |
path = getUserPath(req); |
| 593 |
} catch (ObjectNotFoundException e) {
|
| 594 |
throw new RuntimeException(e.getMessage()); |
| 595 |
} |
| 596 |
// Chop the resource namespace part
|
| 597 |
path = path.substring(namespace.length()); |
| 598 |
return path;
|
| 599 |
} |
| 600 |
|
| 601 |
/**
|
| 602 |
* Confirms the validity of the request.
|
| 603 |
*
|
| 604 |
* @param request the incoming HTTP request
|
| 605 |
* @return true if the request is valid, false otherwise
|
| 606 |
*/
|
| 607 |
private boolean isRequestValid(HttpServletRequest request) { |
| 608 |
if (logger.isDebugEnabled()) {
|
| 609 |
Enumeration headers = request.getHeaderNames();
|
| 610 |
while (headers.hasMoreElements()) {
|
| 611 |
String h = (String) headers.nextElement(); |
| 612 |
logger.debug(h + ": " + request.getHeader(h));
|
| 613 |
} |
| 614 |
} |
| 615 |
// Fetch the timestamp used to guard against replay attacks.
|
| 616 |
long timestamp = 0; |
| 617 |
boolean useGssDateHeader = true; |
| 618 |
try {
|
| 619 |
timestamp = request.getDateHeader(GSS_DATE_HEADER); |
| 620 |
if (timestamp == -1) { |
| 621 |
useGssDateHeader = false;
|
| 622 |
timestamp = request.getDateHeader(DATE_HEADER); |
| 623 |
} |
| 624 |
} catch (IllegalArgumentException e) { |
| 625 |
return false; |
| 626 |
} |
| 627 |
if (!isTimeValid(timestamp))
|
| 628 |
return false; |
| 629 |
|
| 630 |
// Fetch the Authorization header and find the user specified in it.
|
| 631 |
String auth = request.getHeader(AUTHORIZATION_HEADER);
|
| 632 |
if (auth == null) |
| 633 |
return false; |
| 634 |
String[] authParts = auth.split(" "); |
| 635 |
if (authParts.length != 2) |
| 636 |
return false; |
| 637 |
String username = authParts[0]; |
| 638 |
String signature = authParts[1]; |
| 639 |
User user = null;
|
| 640 |
try {
|
| 641 |
user = getService().findUser(username); |
| 642 |
} catch (RpcException e) {
|
| 643 |
return false; |
| 644 |
} |
| 645 |
if (user == null) |
| 646 |
return false; |
| 647 |
|
| 648 |
request.setAttribute(USER_ATTRIBUTE, user); |
| 649 |
|
| 650 |
// Validate the signature in the Authorization header.
|
| 651 |
String dateHeader = useGssDateHeader? request.getHeader(GSS_DATE_HEADER):
|
| 652 |
request.getHeader(DATE_HEADER); |
| 653 |
String data;
|
| 654 |
// Remove the servlet path from the request URI.
|
| 655 |
String p = request.getRequestURI();
|
| 656 |
String servletPath = request.getContextPath() + request.getServletPath();
|
| 657 |
p = p.substring(servletPath.length()); |
| 658 |
data = request.getMethod() + dateHeader + p; |
| 659 |
return isSignatureValid(signature, user, data);
|
| 660 |
} |
| 661 |
|
| 662 |
/**
|
| 663 |
* Calculates the signature for the specified data String and then
|
| 664 |
* compares it against the provided signature. If the signatures match,
|
| 665 |
* the method returns true. Otherwise it returns false.
|
| 666 |
*
|
| 667 |
* @param signature the signature to compare against
|
| 668 |
* @param user the current user
|
| 669 |
* @param data the data to sign
|
| 670 |
* @return true if the calculated signature matches the supplied one
|
| 671 |
*/
|
| 672 |
protected boolean isSignatureValid(String signature, User user, String data) { |
| 673 |
if (logger.isDebugEnabled())
|
| 674 |
logger.debug("server pre-signing data: "+data);
|
| 675 |
String serverSignature = null; |
| 676 |
// If the authentication token is not valid, the user must get another one.
|
| 677 |
if (user.getAuthToken() == null) |
| 678 |
return false; |
| 679 |
// Get an HMAC-SHA1 key from the authentication token.
|
| 680 |
SecretKeySpec signingKey = new SecretKeySpec(user.getAuthToken(), HMAC_SHA1); |
| 681 |
try {
|
| 682 |
// Get an HMAC-SHA1 Mac instance and initialize with the signing key.
|
| 683 |
Mac mac = Mac.getInstance(HMAC_SHA1); |
| 684 |
mac.init(signingKey); |
| 685 |
// Compute the HMAC on input data bytes.
|
| 686 |
byte[] rawHmac = mac.doFinal(data.getBytes()); |
| 687 |
serverSignature = new String(Base64.encodeBase64(rawHmac), "US-ASCII"); |
| 688 |
} catch (Exception e) { |
| 689 |
logger.error("Error while creating signature", e);
|
| 690 |
return false; |
| 691 |
} |
| 692 |
|
| 693 |
if (logger.isDebugEnabled())
|
| 694 |
logger.debug("Signature: client="+signature+", server="+serverSignature); |
| 695 |
if (!serverSignature.equals(signature))
|
| 696 |
return false; |
| 697 |
|
| 698 |
return true; |
| 699 |
} |
| 700 |
|
| 701 |
/**
|
| 702 |
* A helper method that checks if the timestamp of the request
|
| 703 |
* is within TIME_SKEW milliseconds of the current time. If
|
| 704 |
* the timestamp is older (or even newer) than that, it is
|
| 705 |
* considered invalid.
|
| 706 |
*
|
| 707 |
* @param timestamp the time of the request
|
| 708 |
* @return true if the timestamp is valid
|
| 709 |
*/
|
| 710 |
protected boolean isTimeValid(long timestamp) { |
| 711 |
if (timestamp == -1) |
| 712 |
return false; |
| 713 |
Calendar cal = Calendar.getInstance(); |
| 714 |
if (logger.isDebugEnabled())
|
| 715 |
logger.debug("Time: server=" + cal.getTimeInMillis() + ", client=" + timestamp); |
| 716 |
// Ignore the request if the timestamp is too far off.
|
| 717 |
if (Math.abs(timestamp - cal.getTimeInMillis()) > getConfiguration().getInt("timeSkew", 600000)) |
| 718 |
return false; |
| 719 |
return true; |
| 720 |
} |
| 721 |
|
| 722 |
protected boolean getAuthDeferred(HttpServletRequest req) { |
| 723 |
Boolean attr = (Boolean) req.getAttribute(AUTH_DEFERRED_ATTR); |
| 724 |
return attr == null? false: attr; |
| 725 |
} |
| 726 |
|
| 727 |
/**
|
| 728 |
* Return the actual requested path in the API namespace.
|
| 729 |
*
|
| 730 |
* @param request the servlet request we are processing
|
| 731 |
* @return the relative path
|
| 732 |
*/
|
| 733 |
@Override
|
| 734 |
protected String getRelativePath(HttpServletRequest request) { |
| 735 |
// Remove the servlet path from the request URI.
|
| 736 |
String p = request.getRequestURI();
|
| 737 |
String servletPath = request.getContextPath() + request.getServletPath();
|
| 738 |
String result = p.substring(servletPath.length());
|
| 739 |
if (result == null || result.equals("")) |
| 740 |
result = "/";
|
| 741 |
return result;
|
| 742 |
|
| 743 |
} |
| 744 |
|
| 745 |
/**
|
| 746 |
* Reject illegal resource names, like '.' or '..' or resource names containing '/'.
|
| 747 |
*/
|
| 748 |
protected boolean isValidResourceName(String name) { |
| 749 |
if (".".equals(name) || "..".equals(name) || name.contains("/")) |
| 750 |
return false; |
| 751 |
return true; |
| 752 |
} |
| 753 |
} |