File AbstractXWikiAuthService.java
Coverage histogram
54% of files have more coverage
Classes
| Class | Line # | Actions | |||||
|---|---|---|---|---|---|---|---|
| AbstractXWikiAuthService | 41 | 13 | 0% | 6 | 4 |
Contributing tests
This file is covered by 6 tests.
.
Source view
| 1 | /* | |
| 2 | * See the NOTICE file distributed with this work for additional | |
| 3 | * information regarding copyright ownership. | |
| 4 | * | |
| 5 | * This is free software; you can redistribute it and/or modify it | |
| 6 | * under the terms of the GNU Lesser General Public License as | |
| 7 | * published by the Free Software Foundation; either version 2.1 of | |
| 8 | * the License, or (at your option) any later version. | |
| 9 | * | |
| 10 | * This software is distributed in the hope that it will be useful, | |
| 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 13 | * Lesser General Public License for more details. | |
| 14 | * | |
| 15 | * You should have received a copy of the GNU Lesser General Public | |
| 16 | * License along with this software; if not, write to the Free | |
| 17 | * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA | |
| 18 | * 02110-1301 USA, or see the FSF site: http://www.fsf.org. | |
| 19 | */ | |
| 20 | package com.xpn.xwiki.user.impl.xwiki; | |
| 21 | ||
| 22 | import java.security.Principal; | |
| 23 | ||
| 24 | import org.apache.commons.lang3.StringUtils; | |
| 25 | import org.securityfilter.realm.SimplePrincipal; | |
| 26 | import org.slf4j.Logger; | |
| 27 | import org.slf4j.LoggerFactory; | |
| 28 | import org.xwiki.model.reference.DocumentReference; | |
| 29 | import org.xwiki.model.reference.DocumentReferenceResolver; | |
| 30 | ||
| 31 | import com.xpn.xwiki.XWikiContext; | |
| 32 | import com.xpn.xwiki.user.api.XWikiAuthService; | |
| 33 | import com.xpn.xwiki.user.api.XWikiRightService; | |
| 34 | import com.xpn.xwiki.web.Utils; | |
| 35 | ||
| 36 | /** | |
| 37 | * Common methods useful to all Authentication services implementations. | |
| 38 | * | |
| 39 | * @version $Id: 336c0f8e256582abc02e3c2cc4b92c1d926df2bf $ | |
| 40 | */ | |
| 41 | public abstract class AbstractXWikiAuthService implements XWikiAuthService | |
| 42 | { | |
| 43 | /** | |
| 44 | * Logging tool. | |
| 45 | */ | |
| 46 | private static final Logger LOGGER = LoggerFactory.getLogger(AbstractXWikiAuthService.class); | |
| 47 | ||
| 48 | /** | |
| 49 | * The XWiki config property for storing the superadmin password. | |
| 50 | */ | |
| 51 | private static final String SUPERADMIN_PASSWORD_CONFIG = "xwiki.superadminpassword"; | |
| 52 | ||
| 53 | /** | |
| 54 | * @param username the username to check for superadmin access. Examples: "xwiki:XWiki.superadmin", | |
| 55 | * "XWiki.superAdmin", "superadmin", etc | |
| 56 | * @return true if the username is that of the superadmin (whatever the case) or false otherwise | |
| 57 | */ | |
| 58 | 6374 |  protected boolean isSuperAdmin(String username) |
| 59 | { | |
| 60 | // FIXME: this method should probably use a XWikiRightService#isSuperadmin(String) method, see | |
| 61 | // XWikiRightServiceImpl#isSuperadmin(String) | |
| 62 | ||
| 63 | // Note 1: we use the default document reference resolver here but it doesn't matter since we only care about | |
| 64 | // the resolved page name. | |
| 65 | // Note 2: we use a resolver since the passed username could contain the wiki and/or space too and we want | |
| 66 | // to retrieve only the page name | |
| 67 | 6374 | DocumentReference documentReference = |
| 68 | Utils.<DocumentReferenceResolver<String>>getComponent(DocumentReferenceResolver.TYPE_STRING).resolve( | |
| 69 | username); | |
| 70 | 6374 | return StringUtils.equalsIgnoreCase(documentReference.getName(), XWikiRightService.SUPERADMIN_USER); |
| 71 | } | |
| 72 | ||
| 73 | /** | |
| 74 | * @param password the superadmin password to check against the superadmin password located in XWiki's config file | |
| 75 | * @param context the XWiki context object, allowing access to XWiki's config | |
| 76 | * @return a null Principal is the user hasn't been validated as Superadmin or a Super Admin Principal otherwise | |
| 77 | */ | |
| 78 | 3733 | protected Principal authenticateSuperAdmin(String password, XWikiContext context) |
| 79 | { | |
| 80 | 3733 | if (LOGGER.isTraceEnabled()) { |
| 81 | 0 | LOGGER.trace("Authenticate superadmin"); |
| 82 | } | |
| 83 | ||
| 84 | 3733 | Principal principal; |
| 85 | ||
| 86 | // Security check: only decide that the passed user is the super admin if the | |
| 87 | // super admin password is configured in XWiki's configuration. | |
| 88 | 3733 | String superadminpassword = context.getWiki().Param(SUPERADMIN_PASSWORD_CONFIG); |
| 89 | 3733 | if ((superadminpassword != null) && (superadminpassword.equals(password))) { |
| 90 | 3730 | if (context.isMainWiki()) { |
| 91 | 3730 | principal = new SimplePrincipal(XWikiRightService.SUPERADMIN_USER_FULLNAME); |
| 92 | } else { | |
| 93 | 0 | principal = |
| 94 | new SimplePrincipal(context.getMainXWiki() + ":" + XWikiRightService.SUPERADMIN_USER_FULLNAME); | |
| 95 | } | |
| 96 | } else { | |
| 97 | 3 | principal = null; |
| 98 | 3 | context.put("message", "invalidcredentials"); |
| 99 | } | |
| 100 | ||
| 101 | 3733 | return principal; |
| 102 | } | |
| 103 | } |