/*
    * $Source: /usr/cvsroot/melati/melati/src/main/java/org/melati/login/HttpBasicAuthenticationAccessHandler.java,v $
    * $Revision: 1.35 $
    *
    * Copyright (C) 2000 William Chesters
    *
    * Part of Melati (http://melati.org), a framework for the rapid
    * development of clean, maintainable web applications.
    *
   * Melati is free software; Permission is granted to copy, distribute
   * and/or modify this software under the terms either:
   *
   * a) the GNU General Public License as published by the Free Software
   *    Foundation; either version 2 of the License, or (at your option)
   *    any later version,
   *
   *    or
   *
   * b) any version of the Melati Software License, as published
   *    at http://melati.org
   *
   * You should have received a copy of the GNU General Public License and
   * the Melati Software License along with this program;
   * if not, write to the Free Software Foundation, Inc.,
   * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA to obtain the
   * GNU General Public License and visit http://melati.org to obtain the
   * Melati Software License.
   *
   * Feel free to contact the Developers of Melati (http://melati.org),
   * if you would like to work out a different arrangement than the options
   * outlined here.  It is our intention to allow Melati to be used by as
   * wide an audience as possible.
   *
   * This program is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU General Public License for more details.
   *
   * Contact details for copyright holder:
   *
   *     William Chesters <williamc At paneris.org>
   *     http://paneris.org/~williamc
   *     Obrechtstraat 114, 2517VX Den Haag, The Netherlands
   */
  
  package org.melati.login;
  
  import java.io.IOException;
  import javax.servlet.http.HttpServletResponse;
  import org.melati.poem.AccessPoemException;
  import org.melati.poem.PoemThread;
  import org.melati.poem.User;
  import org.melati.Melati;
  import org.melati.util.MelatiRuntimeException;
  import org.melati.util.StringUtils;
  import org.melati.util.UnexpectedExceptionException;
  
  /**
   * Flags up when something was illegal or not supported about an incoming HTTP
   * authorization.
   */
  class HttpAuthorizationMelatiException extends MelatiRuntimeException {
  
    private static final long serialVersionUID = 1L;
  
    /**
     * Constructor.
     *
     * @param message the message to pass up to super constructor
     */
    public HttpAuthorizationMelatiException(String message) {
      super(message, null);
    }
  }
  
  
  /**
   * An {@link AccessHandler} which uses the HTTP Basic Authentication scheme to
   * elicit and maintain the user's login and password.
   *
   * This implementation doesn't use the servlet session at all,
   * so it doesn't try to send cookies or
   * do URL rewriting.
   *
   */
  public class HttpBasicAuthenticationAccessHandler implements AccessHandler {
    private static final String className =
            new HttpBasicAuthenticationAccessHandler().getClass().getName();
  
    final String REALM = className + ".realm";
    final String USER = className + ".user";
  
    /**
     * Change here to use session, if that makes sense.
     * @return false
     */
    protected boolean useSession() {
      return false;
    }
 
   /**
    * Force a login by sending a 401 error back to the browser.
    * 
    * HACK Apache/Netscape appear not to do anything with message, which is
    * why it's just left as a String.
    */
   protected void forceLogin(HttpServletResponse resp,
                             String realm, String message) {
     String desc = realm == null ? "<unknown>"
                                 : StringUtils.tr(realm, '"', ' ');
     resp.setHeader("WWW-Authenticate", "Basic realm=\"" + desc + "\"");
     // I don't believe there is a lot we can do about an IO exception here,
     // so i am simply going to log it
     try {
       resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, message);
     } catch (IOException e) {
       e.printStackTrace(System.err);
       throw new UnexpectedExceptionException(e);
     }
   }
 
  /**
   * Called when an AccessPoemException is trapped.
   *
   * @param melati the Melati
   * @param accessException the particular access exception to handle
    * {@inheritDoc}
    * @see org.melati.login.AccessHandler#
    *   handleAccessException(org.melati.Melati, 
    *                         org.melati.poem.AccessPoemException)
    */
   public void handleAccessException(Melati melati,
                                     AccessPoemException accessException)
       throws Exception {
     String capName = "melati";
     if (useSession())
       melati.getSession().setAttribute(REALM, capName);
     forceLogin(melati.getResponse(), capName, accessException.getMessage());
   }
 
   /**
    * Get the users details.
    *
    * {@inheritDoc}
    * @see org.melati.login.AccessHandler#establishUser(org.melati.Melati)
    */
   public Melati establishUser(Melati melati) {
 
     HttpAuthorization auth = HttpAuthorization.from(melati.getRequest());
 
     if (auth == null) {
       // No attempt to log in: become `guest'
 
       PoemThread.setAccessToken(melati.getDatabase().guestAccessToken());
       return melati;
     }
     else {
       // They are trying to log in
 
       // If allowed, we store the User in the session to avoid repeating the
       // SELECTion implied by firstWhereEq for every hit
 
       User sessionUser =
           useSession() ? (User)melati.getSession().getAttribute(USER) : null;
       User user = null;
 
       if (sessionUser == null ||
           !sessionUser.getLogin().equals(auth.username))
         user = (User)melati.getDatabase().getUserTable().getLoginColumn().
                    firstWhereEq(auth.username);
       else
         user = sessionUser;
 
       if (user == null || !user.getPassword_unsafe().equals(auth.password)) {
 
         // Login/password authentication failed; we must trigger another
         // attempt.  But do we know the "realm" (= POEM capability name) for
         // which they were originally found not to be authorized?
 
         String storedRealm;
         if (useSession() &&
             (storedRealm = (String)melati.getSession().getAttribute(REALM))
                  != null) {
 
           // The "realm" is stored in the session
 
           forceLogin(melati.getResponse(), storedRealm,
                      "Login/password not recognised");
           return null;
         }
         else {
 
           // We don't know the "realm", so we just let the user try again as
           // `guest' and hopefully trigger the same problem and get the same
           // message all over again.  Not very satisfactory but the alternative
           // is providing a default realm like "<unknown>".
 
           PoemThread.setAccessToken(melati.getDatabase().guestAccessToken());
           return melati;
         }
       }
       else {
 
         // Login/password authentication succeeded
 
         PoemThread.setAccessToken(user);
 
         if (useSession() && user != sessionUser)
           melati.getSession().setAttribute(USER, user);
 
         return melati;
       }
     }
   }
 
   /**
    * If we are allowed in then no need to change request.
    *
    * {@inheritDoc}
    * @see org.melati.login.AccessHandler#buildRequest(org.melati.Melati)
    */
   public void buildRequest(Melati melati)
       throws IOException {
   }
 }