2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.auth.locate;
24 import java.security.Principal;
26 import javax.servlet.http.HttpServletRequest;
27 import javax.servlet.http.HttpServletResponse;
29 import org.eclipse.jetty.http.HttpStatus;
30 import org.onap.aaf.auth.env.AuthzTrans;
31 import org.onap.aaf.auth.locate.facade.LocateFacade;
32 import org.onap.aaf.cadi.Symm;
33 import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
34 import org.onap.aaf.cadi.principal.BasicPrincipal;
35 import org.onap.aaf.cadi.principal.X509Principal;
37 public class BasicAuthCode extends LocateCode {
38 private AAFAuthn<?> authn;
40 public BasicAuthCode(AAFAuthn<?> authn, LocateFacade facade) {
41 super(facade, "AAF Basic Auth",true);
46 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
47 Principal p = trans.getUserPrincipal();
49 trans.error().log("Transaction not Authenticated... no Principal");
50 } else if (p instanceof BasicPrincipal) {
51 // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
52 // otherwise, it wouldn't have gotten here.
53 resp.setStatus(HttpStatus.OK_200);
55 } else if (p instanceof X509Principal) {
56 // Since X509Principal has priority, BasicAuth Info might be there, but not validated.
58 if ((ba=req.getHeader("Authorization"))!=null && ba.startsWith("Basic ")) {
59 ba = Symm.base64noSplit.decode(ba.substring(6));
60 int colon = ba.indexOf(':');
63 if ((err=authn.validate(ba.substring(0, colon), ba.substring(colon+1),trans))==null) {
64 resp.setStatus(HttpStatus.OK_200);
66 trans.audit().log(ba.substring(0,colon),": ",err);
67 resp.setStatus(HttpStatus.UNAUTHORIZED_401);
73 trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
74 // For Auth Security questions, we don't give any info to client on why failed
75 resp.setStatus(HttpStatus.FORBIDDEN_403);