Fortytools-Blog mit News für Handwerker und Dienstleister

Hier finden Sie aktuelle Informationen, Tipps und Tricks rund um Büro, Verwaltung, Einsatzplanung und mehr!

Servlet filter for HTTP basic auth

A few days ago, I quickly wanted to protect something on a development system with a password. Nothing very secure, nothing sophisticated. Usually one solves this by putting some rules into .htaccess. Done. But unfortunately, there was no Apache. And I didn’t really feel like fiddling around with roles and tomcat-users.xml…

So being quite naive I thought “you cannot be the only one with this problem, Google should find something”. Surprisingly enough, it didn’t (or my Google skills are way off). Hence I ramped my own:

package com.fortytools.servlet;

import java.io.IOException;

import javax.annotation.Nonnull;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;

import com.google.common.base.Charsets;

/**
* A very simple Servlet Filter for HTTP Basic Auth. Only supports exactly one user
* with a password. Please note, HTTP Basic Auth is not encrypted and hence unsafe!
*
* @author Timo B. Huebel (me@tbh.name) (initial creation)
*/
public class BasicAuthFilter implements Filter {

   public static final String PARAM_USER = "user";
   public static final String PARAM_PASSWORD = "password";
   public static final String PARAM_REALM = "realm";

   private String _user;
   private String _password;
   private String _realm;

   @Override
   public void destroy() {
       // Nothing to do.
   }

   @Override
   public void doFilter( @Nonnull final ServletRequest request, @Nonnull final ServletResponse response,
           @Nonnull final FilterChain chain ) throws IOException, ServletException {

       final HttpServletRequest httpRequest = (HttpServletRequest) request;
       final HttpServletResponse httpResponse = (HttpServletResponse) response;

       final String auth = httpRequest.getHeader( "Authorization" );
       if ( auth != null ) {

           final int index = auth.indexOf( ' ' );
           if ( index > 0 ) {
               final String[] credentials =
                       StringUtils.split( new String( Base64.decodeBase64( auth.substring( index ) ), Charsets.UTF_8 ), ':' );

               if ( credentials.length == 2 && _user.equals( credentials[0] ) && _password.equals( credentials[1] ) ) {
                   chain.doFilter( httpRequest, httpResponse );
                   return;
               }
           }
       }

       httpResponse.setHeader( "WWW-Authenticate", "Basic realm=\"" + _realm + "\"" );
       httpResponse.sendError( HttpServletResponse.SC_UNAUTHORIZED );
   }

   @Override
   public void init( @Nonnull final FilterConfig config ) throws ServletException {

       _user = config.getInitParameter( PARAM_USER );
       _password = config.getInitParameter( PARAM_PASSWORD );
       _realm = config.getInitParameter( PARAM_REALM );

       if ( StringUtils.isBlank( _user ) ) {
           throw new ServletException( "No user provided in filter configuration" );
       }

       if ( StringUtils.isBlank( _password ) ) {
           throw new ServletException( "No password provided in filter configuration" );
       }

       if ( StringUtils.isBlank( _realm ) ) {
           throw new ServletException( "No realm provided in filter configuration" );
       }
   }
}

Throw it into your web.xml like this:

<filter>
<filter-name>auth</filter-name>
<filter-class>com.fortytools.servlet.BasicAuthFilter</filter-class>
<init-param realm="Secret Stuff"/>
<init-param user="aladdin"/>
<init-param password="opensesame"/>
</filter>

Now add a mapping to protect the very secret stuff in your webapp. Feel free to copy, modify or do whatever you want with this code.

Über den Autor

Bewertet mit durchschnittlich
4.3
Sternen von
19
Lesern.

Fortytools für Ihre Branche

No items found.

Testen Sie 30 Tage kostenlos und unverbindlich! Fortytools ist die smarte Software für Dienstleister und Handwerker.

Sie können Fortytools 30 Tage kostenlos und unverbindlich testen. Dabei stehen Ihnen alle Funktionen uneingeschränkt zur Verfügung.
Heute kostenlos testen!
Nutzerbewertung: 4,8 von 5 Sternen

Fortytools läuft komplett im Internet-Browser: Keine Software-Installation, keine Probleme mit Updates. Einfach Einloggen und fertig. Von jedem internetfähigen Gerät.

Kostenlos und unverbindlich
Professionelle Rechnungen schreiben
Kunden-Daten verwalten
Mitarbeiter-Daten verwalten
Aufgaben- und Terminplanung
Professionelle Angebote schreiben
Einsätze planen und Zeiten erfassen