package ru.ydn.wicket.wicketorientdb; import java.util.Base64; import org.apache.wicket.MetaDataKey; import org.apache.wicket.authorization.AuthorizationException; import org.apache.wicket.request.IRequestHandler; import org.apache.wicket.request.cycle.IRequestCycleListener; import org.apache.wicket.request.cycle.RequestCycle; import org.apache.wicket.request.http.WebRequest; /** * {@link IRequestCycleListener} for transparent/lazy authentication of a request. * It checks for HTTP Basic Authentication header and authorize if it's present. */ public class LazyAuthorizationRequestCycleListener implements IRequestCycleListener { public static final MetaDataKey<Boolean> LAZY_AUTHORIZED = new MetaDataKey<Boolean>() { private static final long serialVersionUID = 1L; }; public static final String AUTHORIZATION_HEADER = "Authorization"; private static class LazyAuthorizationException extends AuthorizationException { private static final long serialVersionUID = 1L; public LazyAuthorizationException() { super("Deny: HTTP Basic Authorization"); } } @Override public void onBeginRequest(RequestCycle cycle) { WebRequest request = (WebRequest) cycle.getRequest(); String authorization = request.getHeader(AUTHORIZATION_HEADER); if(authorization!=null && authorization.startsWith("Basic")) { String[] pair = new String(Base64.getDecoder().decode(authorization.substring(6).trim())).split(":"); if (pair.length == 2) { String userName = pair[0]; String password = pair[1]; OrientDbWebSession session = OrientDbWebSession.get(); if(!session.signIn(userName, password)) { cycle.setMetaData(LAZY_AUTHORIZED, false); } } } } @Override public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) { Boolean lazyAuthorized = cycle.getMetaData(LAZY_AUTHORIZED); if(lazyAuthorized!=null && !lazyAuthorized) { cycle.setMetaData(LAZY_AUTHORIZED, null); throw new LazyAuthorizationException(); } } }