* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *      http://www.apache.org/licenses/LICENSE-2.0
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * See the License for the specific language governing permissions and
 * limitations under the License.
package org.apache.aries.jax.rs.shiro.authc.impl;

import static javax.ws.rs.core.HttpHeaders.SET_COOKIE;
import static org.apache.aries.jax.rs.shiro.authc.impl.ShiroAuthenticationFeature.SESSION_COOKIE_NAME;

import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.ResponseBuilder;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.UriInfo;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

 * This Filter is used to:
 * <ul>
 *   <li>Associate a SecurityManager with the request</li>
 *   <li>Set up the current user if a cookie is detected</li>
 *   <li>Remove the user cookie after the request if the user is logged out</li>
 * </ul>
public class SecurityManagerAssociatingFilter implements ContainerRequestFilter, ContainerResponseFilter {

    private static final Logger _LOG = LoggerFactory.getLogger(
    private final SecurityManager manager;
    public SecurityManagerAssociatingFilter(SecurityManager manager) {
        this.manager = manager;

     * Set up the incoming request context
    public void filter(ContainerRequestContext requestContext) throws IOException {
        _LOG.debug("Establishing Shiro Security Context");
        // Bind the security manager
        Cookie cookie = requestContext.getCookies().get(SESSION_COOKIE_NAME);
        // If we have a session cookie then use it to prime the session value
        if(cookie != null) {
            _LOG.debug("Found a Shiro Security Context cookie: {}. Establishing user context", cookie);
            _LOG.debug("Establishing user context:");
            Subject subject = new Subject.Builder(manager).sessionId(cookie.getValue()).buildSubject();
            if(_LOG.isDebugEnabled()) {
                _LOG.debug("Established user context for: {}", subject.getPrincipal());
        UriInfo info = requestContext.getUriInfo();
        if("security/authenticate".equals(info.getPath())) {
            requestContext.abortWith(authenticate(info, requestContext.getHeaderString("user"), requestContext.getHeaderString("password")));
        } else if("security/logout".equals(info.getPath())) {
     * Clean up after the request
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
            throws IOException {
        _LOG.debug("Cleaning up the Shiro Security Context");
        Subject subject = ThreadContext.getSubject();
        if(subject != null && !subject.isAuthenticated()) {
            // Not authenticated. Check for incoming session cookie
            Cookie cookie = requestContext.getCookies().get(SESSION_COOKIE_NAME);
            // If we have a session cookie then it should be deleted
            if(cookie != null) {
                _LOG.debug("The subject associated with this request is not authenticated, removing the session cookie");
                responseContext.getHeaders().add(SET_COOKIE, getDeletionCookie(requestContext));

    private NewCookie getDeletionCookie(ContainerRequestContext requestContext) {
        return new NewCookie(SESSION_COOKIE_NAME, "deleteMe", 
                        requestContext.getUriInfo().getBaseUri().getPath(), null, -1, null, -1, null, false, true);
    private Response authenticate(UriInfo info, String user, String password) {
        _LOG.debug("Received a login request for user {}", user);
        Subject currentUser = SecurityUtils.getSubject();
        ResponseBuilder rb;
        if (!currentUser.isAuthenticated()) {
            _LOG.debug("Authenticating user {}", user);
            UsernamePasswordToken token = new UsernamePasswordToken(user, password);
            rb = Response.ok()
                    .cookie(new NewCookie(SESSION_COOKIE_NAME, currentUser.getSession().getId().toString(), 
                            info.getBaseUri().getPath(), null, -1, null, -1, null, false, true));
        } else {
            _LOG.debug("The login request for user {} was already authenticated as user {}", user, currentUser.getPrincipal());
            rb = Response.status(Status.CONFLICT);
        return rb.build();

    private void logout() {
        _LOG.debug("Received a logout request");
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.isAuthenticated()) {
            _LOG.debug("Logging out user {}", currentUser.getPrincipal());