in framework/authority-servlet/src/main/java/org/apache/manifoldcf/authorityservlet/UserACLServlet.java [101:454]
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
try
{
// Set up the environment
//ManifoldCF.initializeEnvironment();
Logging.authorityService.debug("Received request");
Map<String,String> domainMap = new HashMap<String,String>();
// Legacy mode: single user name with optional domain
String userID = request.getParameter("username");
if (userID != null)
{
String domain = request.getParameter("domain");
if (domain == null)
domain = "";
domainMap.put(domain,userID);
}
// Now, go through enumerated username/domain pairs
int q = 0;
while (true)
{
String enumUserName = request.getParameter("username_"+q);
if (enumUserName == null)
break;
String enumDomain = request.getParameter("domain_"+q);
if (enumDomain == null)
enumDomain = "";
domainMap.put(enumDomain,enumUserName);
q++;
}
if (domainMap.size() == 0)
{
response.sendError(response.SC_BAD_REQUEST);
return;
}
boolean idneeded = false;
boolean aclneeded = true;
String idneededValue = request.getParameter("idneeded");
if (idneededValue != null)
{
if (idneededValue.equals("true"))
idneeded = true;
else if (idneededValue.equals("false"))
idneeded = false;
}
String aclneededValue = request.getParameter("aclneeded");
if (aclneededValue != null)
{
if (aclneededValue.equals("true"))
aclneeded = true;
else if (aclneededValue.equals("false"))
aclneeded = false;
}
if (Logging.authorityService.isDebugEnabled())
{
StringBuilder sb2 = new StringBuilder("[");
boolean first = true;
for (String domain : domainMap.keySet())
{
if (first)
first = false;
else
sb2.append(",");
sb2.append("'").append(domain).append("':'").append(domainMap.get(domain)).append("'");
}
sb2.append("]");
Logging.authorityService.debug("Received authority request for domain:user set "+sb2.toString());
}
RequestQueue<MappingRequest> mappingQueue = ManifoldCF.getMappingRequestQueue();
if (mappingQueue == null)
{
// System wasn't started; return unauthorized
throw new ManifoldCFException("System improperly initialized");
}
RequestQueue<AuthRequest> queue = ManifoldCF.getRequestQueue();
if (queue == null)
{
// System wasn't started; return unauthorized
throw new ManifoldCFException("System improperly initialized");
}
IThreadContext itc = ThreadContextFactory.make();
IMappingConnectionManager mappingConnManager = MappingConnectionManagerFactory.make(itc);
IAuthorityConnectionManager authConnManager = AuthorityConnectionManagerFactory.make(itc);
// Get all mapping connections; we may not need them all but we do need to be able to look them all up
IMappingConnection[] mappingConnections = mappingConnManager.getAllConnections();
// One thread per connection, which is responsible for starting the mapping process when it is ready.
List<MappingOrderThread> mappingThreads = new ArrayList<MappingOrderThread>();
// One thread per authority, which is responsible for starting the auth request when it is ready.
List<AuthOrderThread> authThreads = new ArrayList<AuthOrderThread>();
Map<MapperDescription,MappingRequest> mappingRequests = new HashMap<MapperDescription,MappingRequest>();
Map<String,AuthRequest> authRequests = new HashMap<String,AuthRequest>();
Map<String,IMappingConnection> mappingConnMap = new HashMap<String,IMappingConnection>();
// Fill in mappingConnMap, since we need to be able to find connections given connection names
for (IMappingConnection c : mappingConnections)
{
mappingConnMap.put(c.getName(),c);
}
// Set of connections we need to fire off
Set<MapperDescription> activeConnections = new HashSet<MapperDescription>();
// We do the minimal set of mapping requests and authorities. Since it is the authority tokens we are
// looking for, we start there, and build authority requests first, then mapping requests that support them,
// etc.
// Create auth requests
for (String authDomain : domainMap.keySet())
{
IAuthorityConnection[] connections = authConnManager.getDomainConnections(authDomain);
for (int i = 0; i < connections.length; i++)
{
IAuthorityConnection thisConnection = connections[i];
String identifyingString = thisConnection.getDescription();
if (identifyingString == null || identifyingString.length() == 0)
identifyingString = thisConnection.getName();
// Create a request
AuthRequest ar = new AuthRequest(thisConnection,identifyingString);
authRequests.put(thisConnection.getName(), ar);
// We create an auth thread if there are prerequisites to meet.
// Otherwise, we just fire off the request
String domainUserID = domainMap.get(authDomain);
if (thisConnection.getPrerequisiteMapping() == null)
{
ar.setUserID(domainUserID);
queue.addRequest(ar);
}
else
{
MapperDescription md = new MapperDescription(thisConnection.getPrerequisiteMapping(),authDomain);
AuthOrderThread thread = new AuthOrderThread(identifyingString,
ar, md,
queue, mappingRequests);
authThreads.add(thread);
// The same mapper can be used for multiple domains, although this is likely to be uncommon. Nevertheless,
// mapper invocations need to be segregated to prevent trouble
activeConnections.add(md);
}
}
}
// Create mapping requests
while (!activeConnections.isEmpty())
{
Iterator<MapperDescription> connectionIter = activeConnections.iterator();
MapperDescription mapperDesc = connectionIter.next();
String connectionName = mapperDesc.mapperName;
String authDomain = mapperDesc.authDomain;
IMappingConnection thisConnection = mappingConnMap.get(connectionName);
String identifyingString = thisConnection.getDescription();
if (identifyingString == null || identifyingString.length() == 0)
identifyingString = connectionName;
// Create a request
MappingRequest mr = new MappingRequest(thisConnection,identifyingString);
mappingRequests.put(mapperDesc, mr);
// Either start up a thread, or just fire it off immediately.
if (thisConnection.getPrerequisiteMapping() == null)
{
mr.setUserID(domainMap.get(authDomain));
mappingQueue.addRequest(mr);
}
else
{
//System.out.println("Mapper: prerequisite found: '"+thisConnection.getPrerequisiteMapping()+"'");
MapperDescription p = new MapperDescription(thisConnection.getPrerequisiteMapping(),authDomain);
MappingOrderThread thread = new MappingOrderThread(identifyingString,
mr, p, mappingQueue, mappingRequests);
mappingThreads.add(thread);
if (mappingRequests.get(p) == null)
activeConnections.add(p);
}
activeConnections.remove(mapperDesc);
}
// Start threads. We have to wait until all the requests have been
// at least created before we do this.
for (MappingOrderThread thread : mappingThreads)
{
thread.start();
}
for (AuthOrderThread thread : authThreads)
{
thread.start();
}
// Wait for the threads to finish up. This will guarantee that all entities have run to completion.
for (MappingOrderThread thread : mappingThreads)
{
thread.finishUp();
}
for (AuthOrderThread thread : authThreads)
{
thread.finishUp();
}
// This is probably unnecessary, but we do it anyway just to adhere to the contract
for (MappingRequest mr : mappingRequests.values())
{
mr.waitForComplete();
}
// Handle all exceptions thrown during mapping. In general this just means logging them, because
// the downstream authorities will presumably not find what they are looking for and error out that way.
for (MappingRequest mr : mappingRequests.values())
{
Throwable exception = mr.getAnswerException();
if (exception != null)
{
Logging.authorityService.warn("Mapping exception logged from "+mr.getIdentifyingString()+": "+exception.getMessage()+"; mapper aborted", exception);
}
}
// Now, work through the returning answers.
// Ask all the interrogated authorities for their ACLs, and merge the final list together.
StringBuilder sb = new StringBuilder();
// Set response mime type
response.setContentType("text/plain; charset=ISO8859-1");
ServletOutputStream out = response.getOutputStream();
try
{
for (String connectionName : authRequests.keySet())
{
AuthRequest ar = authRequests.get(connectionName);
if (Logging.authorityService.isDebugEnabled())
Logging.authorityService.debug("Waiting for answer from authority connection "+ar.getIdentifyingString()+" for user '"+ar.getUserID()+"'");
ar.waitForComplete();
if (Logging.authorityService.isDebugEnabled())
Logging.authorityService.debug("Received answer from authority connection "+ar.getIdentifyingString()+" for user '"+ar.getUserID()+"'");
Throwable exception = ar.getAnswerException();
AuthorizationResponse reply = ar.getAnswerResponse();
if (exception != null)
{
// Exceptions are always bad now
// The ManifoldCFException here must disable access to the UI without causing a generic badness thing to happen, so use 403.
if (exception instanceof ManifoldCFException)
response.sendError(response.SC_FORBIDDEN,"From "+ar.getIdentifyingString()+": "+exception.getMessage());
else
response.sendError(response.SC_INTERNAL_SERVER_ERROR,"From "+ar.getIdentifyingString()+": "+exception.getMessage());
return;
}
String authGroup = ar.getAuthorityConnection().getAuthGroup();
// A null reply means the same as USERNOTFOUND; it occurs because a user mapping failed somewhere.
if (reply == null)
{
if (Logging.authorityService.isDebugEnabled())
Logging.authorityService.debug("User '"+ar.getUserID()+"' mapping failed for authority '"+ar.getIdentifyingString()+"'");
sb.append(USERNOTFOUND_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n");
}
else if (reply.getResponseStatus() == AuthorizationResponse.RESPONSE_UNREACHABLE)
{
Logging.authorityService.warn("Authority '"+ar.getIdentifyingString()+"' is unreachable for user '"+ar.getUserID()+"'");
sb.append(UNREACHABLE_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n");
}
else if (reply.getResponseStatus() == AuthorizationResponse.RESPONSE_USERUNAUTHORIZED)
{
if (Logging.authorityService.isDebugEnabled())
Logging.authorityService.debug("Authority '"+ar.getIdentifyingString()+"' does not authorize user '"+ar.getUserID()+"'");
sb.append(UNAUTHORIZED_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n");
}
else if (reply.getResponseStatus() == AuthorizationResponse.RESPONSE_USERNOTFOUND)
{
if (Logging.authorityService.isDebugEnabled())
Logging.authorityService.debug("User '"+ar.getUserID()+"' unknown to authority '"+ar.getIdentifyingString()+"'");
sb.append(USERNOTFOUND_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n");
}
else
sb.append(AUTHORIZED_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n");
String[] acl = reply.getAccessTokens();
if (acl != null)
{
if (aclneeded)
{
int j = 0;
while (j < acl.length)
{
if (Logging.authorityService.isDebugEnabled())
Logging.authorityService.debug(" User '"+ar.getUserID()+"' has Acl = '"+acl[j]+"' from authority '"+ar.getIdentifyingString()+"'");
sb.append(TOKEN_PREFIX).append(URLEncoder.encode(authGroup)).append(":").append(URLEncoder.encode(acl[j++])).append("\n");
}
}
}
}
// Maintained for backwards compatibility only; no practical use that I can determine here
if (idneeded && userID != null)
sb.append(ID_PREFIX).append(URLEncoder.encode(userID)).append("\n");
byte[] responseValue = sb.toString().getBytes(StandardCharsets.ISO_8859_1);
response.setIntHeader("Content-Length", (int)responseValue.length);
out.write(responseValue,0,responseValue.length);
out.flush();
}
finally
{
out.close();
}
if (Logging.authorityService.isDebugEnabled())
{
StringBuilder sb2 = new StringBuilder("[");
boolean first = true;
for (String domain : domainMap.keySet())
{
if (first)
first = false;
else
sb2.append(",");
sb2.append("'").append(domain).append("':'").append(domainMap.get(domain)).append("'");
}
sb2.append("]");
Logging.authorityService.debug("Done with request for domain:user set "+sb2.toString());
}
}
catch (InterruptedException e)
{
// Shut down and don't bother to respond
}
catch (ManifoldCFException e)
{
Logging.authorityService.error("User ACL servlet error: "+e.getMessage(),e);
response.sendError(response.SC_INTERNAL_SERVER_ERROR,e.getMessage());
}
}