Fortytools-Blog mit News zu Gebäudereinigung, Betreuungsdiensten, Alltagshilfe und andere Dienstleistern
Hier finden Sie aktuelle Informationen, Tipps und Tricks rund um Büro, Verwaltung, Einsatzplanung und mehr!
Servlet filter for HTTP basic auth
A few days ago, I quickly wanted to protect something on a development system with a password. Nothing very secure, nothing sophisticated. Usually one solves this by putting some rules into .htaccess. Done. But unfortunately, there was no Apache. And I didn’t really feel like fiddling around with roles and tomcat-users.xml…
So being quite naive I thought “you cannot be the only one with this problem, Google should find something”. Surprisingly enough, it didn’t (or my Google skills are way off). Hence I ramped my own:
package com.fortytools.servlet;
import java.io.IOException;
import javax.annotation.Nonnull;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import com.google.common.base.Charsets;
/**
* A very simple Servlet Filter for HTTP Basic Auth. Only supports exactly one user
* with a password. Please note, HTTP Basic Auth is not encrypted and hence unsafe!
*
* @author Timo B. Huebel (me@tbh.name) (initial creation)
*/
public class BasicAuthFilter implements Filter {
public static final String PARAM_USER = "user";
public static final String PARAM_PASSWORD = "password";
public static final String PARAM_REALM = "realm";
private String _user;
private String _password;
private String _realm;
@Override
public void destroy() {
// Nothing to do.
}
@Override
public void doFilter( @Nonnull final ServletRequest request, @Nonnull final ServletResponse response,
@Nonnull final FilterChain chain ) throws IOException, ServletException {
final HttpServletRequest httpRequest = (HttpServletRequest) request;
final HttpServletResponse httpResponse = (HttpServletResponse) response;
final String auth = httpRequest.getHeader( "Authorization" );
if ( auth != null ) {
final int index = auth.indexOf( ' ' );
if ( index > 0 ) {
final String[] credentials =
StringUtils.split( new String( Base64.decodeBase64( auth.substring( index ) ), Charsets.UTF_8 ), ':' );
if ( credentials.length == 2 && _user.equals( credentials[0] ) && _password.equals( credentials[1] ) ) {
chain.doFilter( httpRequest, httpResponse );
return;
}
}
}
httpResponse.setHeader( "WWW-Authenticate", "Basic realm=\"" + _realm + "\"" );
httpResponse.sendError( HttpServletResponse.SC_UNAUTHORIZED );
}
@Override
public void init( @Nonnull final FilterConfig config ) throws ServletException {
_user = config.getInitParameter( PARAM_USER );
_password = config.getInitParameter( PARAM_PASSWORD );
_realm = config.getInitParameter( PARAM_REALM );
if ( StringUtils.isBlank( _user ) ) {
throw new ServletException( "No user provided in filter configuration" );
}
if ( StringUtils.isBlank( _password ) ) {
throw new ServletException( "No password provided in filter configuration" );
}
if ( StringUtils.isBlank( _realm ) ) {
throw new ServletException( "No realm provided in filter configuration" );
}
}
}
Throw it into your web.xml like this:
<filter>
<filter-name>auth</filter-name>
<filter-class>com.fortytools.servlet.BasicAuthFilter</filter-class>
<init-param realm="Secret Stuff"/>
<init-param user="aladdin"/>
<init-param password="opensesame"/>
</filter>
Now add a mapping to protect the very secret stuff in your webapp. Feel free to copy, modify or do whatever you want with this code.
