/* http-oauth - OAuth Extensions to jdk.httpserver Copyright (C) 2021 Ulrich Hilger This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ package de.uhilger.httpserver.oauth; import com.google.gson.Gson; import com.sun.net.httpserver.Headers; import com.sun.net.httpserver.HttpContext; import com.sun.net.httpserver.HttpExchange; import com.sun.net.httpserver.HttpHandler; import de.uhilger.httpserver.auth.realm.User; import de.uhilger.httpserver.base.handler.HttpHelper; import de.uhilger.httpserver.base.handler.HttpResponder; import java.io.IOException; import java.util.logging.Level; import java.util.logging.Logger; /** * Ein Login Handler, der zur Authentifizierung ein Objekt der Klasse * BearerAuthenticator im HttpContext benoetigt. * * Der Authenticator wird mit der Methode * context.getAttributes().get(ATTR_AUTHENTICATOR); * aus dem HttpContext entnommen, d.h., der Authenticator muss zuvor dort * eingetragen werden. Das kann wie folgt vonstatten gehen: * * HttpContext context = server.createContext("/myapp/secure/service", new SomeServiceHandler()); * BearerApiAuthenticator auth = new BearerAuthenticator(); * context.setAuthenticator(auth); * * ...und danach... * * context = server.createContext("/myapp/login", new BearerLoginHandler()); * context.getAttributes().put(LoginHandler.ATTR_AUTHENTICATOR, auth); * * @author Ulrich Hilger * @version 1, 08.06.2021 */ public class BearerLoginHandler implements HttpHandler { private static final Logger logger = Logger.getLogger(BearerLoginHandler.class.getName()); public static final String ATTR_AUTHENTICATOR = "authenticator"; public static final String CACHE_CONTROL = "Cache-Control"; public static final String NO_STORE = "no-store"; public static final String PRAGMA = "Pragma"; public static final String NO_CACHE = "no-cache"; public static final String BEARER_CONTENT_TYPE = "application/json;charset=UTF-8"; /* gemaess RFC 6750 lautet die Antwort auf eine erfolgreiche Anmeldung wie folgt: HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"mF_9.B5f-4.1JqM", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" } */ @Override public void handle(HttpExchange exchange) throws IOException { HttpContext context = exchange.getHttpContext(); Object o = context.getAttributes().get(ATTR_AUTHENTICATOR); if (o instanceof BearerAuthenticator) { BearerAuthenticator auth = (BearerAuthenticator) o; User user = getUser(exchange); LoginResponse response = auth.login(user.getName(), user.getPassword()); handleLoginResponse(exchange, response); /* if(response != null) { // hier erfolg melden // 200 OK setLoginHeader(exchange); HttpResponder r = new HttpResponder(); r.antwortSenden(exchange, 200, response.toJson()); } else { HttpResponder r = new HttpResponder(); r.antwortSenden(exchange, 406, "Login failed."); } */ } else { HttpResponder r = new HttpResponder(); r.antwortSenden(exchange, 500, "No suitable authenticator."); } } protected void handleLoginResponse(HttpExchange exchange, LoginResponse response) throws IOException { if(response != null) { // hier erfolg melden // 200 OK setLoginHeader(exchange); HttpResponder r = new HttpResponder(); r.antwortSenden(exchange, 200, response.toJson()); } else { HttpResponder r = new HttpResponder(); r.antwortSenden(exchange, 406, "Login failed."); } } private void setLoginHeader(HttpExchange exchange) { Headers headers = exchange.getResponseHeaders(); headers.add(HttpHelper.CONTENT_TYPE, BEARER_CONTENT_TYPE); headers.add(CACHE_CONTROL, NO_STORE); headers.add(PRAGMA, NO_CACHE); } private User getUser(HttpExchange exchange) throws IOException { /* Wenn ein JSON-Inhalt im Body uebermittelt wird, steht dort evtl. etwas wie {"name": "fred", "password": "secret"} das kann wie folgt gelesen werden */ String body = new HttpHelper().bodyLesen(exchange); Gson gson = new Gson(); User user = gson.fromJson(body, User.class); return user; } }