Closes #106: Header base authentication

docs-web/src/main/java/com/sismics/docs/rest/resource/BaseResource.java

@@ -1,19 +1,18 @@
 package com.sismics.docs.rest.resource;
 
-import java.security.Principal;
-import java.util.List;
-import java.util.Set;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Context;
-
 import com.google.common.collect.Lists;
 import com.sismics.docs.rest.constant.BaseFunction;
 import com.sismics.rest.exception.ForbiddenClientException;
 import com.sismics.security.IPrincipal;
 import com.sismics.security.UserPrincipal;
-import com.sismics.util.filter.TokenBasedSecurityFilter;
+import com.sismics.util.filter.SecurityFilter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
+import java.security.Principal;
+import java.util.List;
+import java.util.Set;
 
 /**
  * Base class of REST resources.
@@ -67,7 +66,7 @@ public abstract class BaseResource {
      * @return True if the user is authenticated and not anonymous
      */
     protected boolean authenticate() {
-        Principal principal = (Principal) request.getAttribute(TokenBasedSecurityFilter.PRINCIPAL_ATTRIBUTE);
+        Principal principal = (Principal) request.getAttribute(SecurityFilter.PRINCIPAL_ATTRIBUTE);
         if (principal != null && principal instanceof IPrincipal) {
             this.principal = (IPrincipal) principal;
             return !this.principal.isAnonymous();

docs-web/src/main/webapp/WEB-INF/web.xml

@@ -26,18 +26,33 @@
     <url-pattern>*.jsp</url-pattern>
   </filter-mapping>
 
-  <!-- This filter is used to secure URLs -->
+  <!-- These filters are used to secure URLs -->
   <filter>
     <filter-name>tokenBasedSecurityFilter</filter-name>
     <filter-class>com.sismics.util.filter.TokenBasedSecurityFilter</filter-class>
     <async-supported>true</async-supported>
   </filter>
+
+  <filter>
+    <filter-name>headerBasedSecurityFilter</filter-name>
+    <filter-class>com.sismics.util.filter.HeaderBasedSecurityFilter</filter-class>
+    <async-supported>true</async-supported>
+    <init-param>
+      <param-name>enabled</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </filter>
   
   <filter-mapping>
     <filter-name>tokenBasedSecurityFilter</filter-name>
     <url-pattern>/api/*</url-pattern>
   </filter-mapping>
 
+  <filter-mapping>
+    <filter-name>headerBasedSecurityFilter</filter-name>
+    <url-pattern>/api/*</url-pattern>
+  </filter-mapping>
+
   <!-- Jersey -->
   <servlet>
     <servlet-name>JerseyServlet</servlet-name>

docs-web/src/test/java/com/sismics/docs/rest/TestSecurity.java

@@ -6,6 +6,7 @@ import javax.ws.rs.core.Form;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 
+import com.sismics.util.filter.HeaderBasedSecurityFilter;
 import org.junit.Assert;
 
 import org.apache.commons.lang.StringUtils;
@@ -28,7 +29,7 @@ public class TestSecurity extends BaseJerseyTest {
         clientUtil.createUser("testsecurity");
 
         // Changes a user's email KO : the user is not connected
-        Response response = target().path("/user/update").request()
+        Response response = target().path("/user").request()
                 .post(Entity.form(new Form().param("email", "testsecurity2@docs.com")));
         Assert.assertEquals(Status.FORBIDDEN, Status.fromStatusCode(response.getStatus()));
         JsonObject json = response.readEntity(JsonObject.class);
@@ -73,4 +74,29 @@ public class TestSecurity extends BaseJerseyTest {
         // User testsecurity logs out
         clientUtil.logout(testSecurityToken);
     }
+
+    @Test
+    public void testHeaderBasedAuthentication() {
+        clientUtil.createUser("header_auth_test");
+
+        Assert.assertEquals(Status.FORBIDDEN.getStatusCode(), target()
+                .path("/user/session")
+                .request()
+                .get()
+                .getStatus());
+
+        Assert.assertEquals(Status.OK.getStatusCode(), target()
+                .path("/user/session")
+                .request()
+                .header(HeaderBasedSecurityFilter.AUTHENTICATED_USER_HEADER, "header_auth_test")
+                .get()
+                .getStatus());
+
+        Assert.assertEquals(Status.FORBIDDEN.getStatusCode(), target()
+                .path("/user/session")
+                .request()
+                .header(HeaderBasedSecurityFilter.AUTHENTICATED_USER_HEADER, "idontexist")
+                .get()
+                .getStatus());
+    }
 }