📄 whiteboardservlet.java
字号:
// Copyright 2003 Nokia Corporation.
//
// THIS SOURCE CODE IS PROVIDED 'AS IS', WITH NO WARRANTIES WHATSOEVER,
// EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY OF MERCHANTABILITY, FITNESS
// FOR ANY PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE
// OR TRADE PRACTICE, RELATING TO THE SOURCE CODE OR ANY WARRANTY OTHERWISE
// ARISING OUT OF ANY PROPOSAL, SPECIFICATION, OR SAMPLE AND WITH NO
// OBLIGATION OF NOKIA TO PROVIDE THE LICENSEE WITH ANY MAINTENANCE OR
// SUPPORT. FURTHERMORE, NOKIA MAKES NO WARRANTY THAT EXERCISE OF THE
// RIGHTS GRANTED HEREUNDER DOES NOT INFRINGE OR MAY NOT CAUSE INFRINGEMENT
// OF ANY PATENT OR OTHER INTELLECTUAL PROPERTY RIGHTS OWNED OR CONTROLLED
// BY THIRD PARTIES
//
// Furthermore, information provided in this source code is preliminary,
// and may be changed substantially prior to final release. Nokia Corporation
// retains the right to make changes to this source code at
// any time, without notice. This source code is provided for informational
// purposes only.
//
// Nokia and Nokia Connecting People are registered trademarks of Nokia
// Corporation.
// Java and all Java-based marks are trademarks or registered trademarks of
// Sun Microsystems, Inc.
// Other product and company names mentioned herein may be trademarks or
// trade names of their respective owners.
//
// A non-exclusive, non-transferable, worldwide, limited license is hereby
// granted to the Licensee to download, print, reproduce and modify the
// source code. The licensee has the right to market, sell, distribute and
// make available the source code in original or modified form only when
// incorporated into the programs developed by the Licensee. No other
// license, express or implied, by estoppel or otherwise, to any other
// intellectual property rights is granted herein.
package whiteboard;
import java.io.*;
import java.text.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.bouncycastle.crypto.*;
import org.bouncycastle.crypto.digests.*;
import org.bouncycastle.util.encoders.Hex;
// Simple servlet serving GET and POST requests
// Version 1.3: Custom authentication based on Digest Authentication logic
public class WhiteboardServlet
extends HttpServlet
{
private Whiteboard whiteboard;
private ServletConfig context;
private DateFormat format = null;
private String key = null;
private UserDatabase userDB = null;
private long internalKey, counter;
private Random random;
public void init()
{
context = getServletConfig();
String dateformat = context.getInitParameter("dateformat");
if (dateformat != null)
{
try
{
format = new SimpleDateFormat(dateformat);
}
catch (Exception e)
{
// ignore, we'll check it later
}
}
if (format == null)
{
format = DateFormat.getTimeInstance(DateFormat.SHORT);
}
// init the whiteboard data structure
whiteboard = Whiteboard.getInstance();
userDB = new UserDatabase();
// insert a mock up user
userDB.createUser("guest", "password");
// It could use SecureRandom as well
random = new Random();
internalKey = random.nextLong();
}
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, java.io.IOException
{
String username = authenticateUsername(req, resp, "GET");
if (username != null)
{
String response = buildResponse();
resp.setContentType("text/plain");
ServletOutputStream out = resp.getOutputStream();
out.println(response);
}
}
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, java.io.IOException
{
String username = authenticateUsername(req, resp, "POST");
if (username != null)
{
String msg = req.getParameter("msg");
if (msg != null)
{
whiteboard.addMessage(new Message(username, new Date(), msg));
String response = buildResponse();
resp.setContentType("text/plain");
ServletOutputStream out = resp.getOutputStream();
out.println(response);
}
else
{
resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
"Missing msg parameter");
}
}
}
// Creates the response containing a list of messages
private String buildResponse()
{
Collection messages = whiteboard.getMessages();
// if no count parameter or error during parsing
if (messages == null)
{
messages = whiteboard.getMessages();
}
ValueGenerator generator = new ValueGenerator();
generator.addValue("" + messages.size());
Iterator i = messages.iterator();
while (i.hasNext())
{
Message msg = (Message) i.next();
generator.addValue(msg.getUser());
generator.addValue(format.format(msg.getTimestamp()));
generator.addValue(msg.getContent());
}
// print the text
return generator.getString();
}
// It attempts to validate the user in the request. If it is possible it will return
// the username. If not it will return null and set the appropriate response
// including an SC_UNAUTHORIZED error code and a X-WWW-Authenticate challenge
private String authenticateUsername(HttpServletRequest req, HttpServletResponse resp, String method)
throws IOException
{
String username = null;
// Check if the user is trying to authenticate
if (req.getHeader("X-Authorization") == null)
{
// no X-Authorization header implies the request is not authorized
resp.setHeader("X-WWW-Authenticate", createDigestChallenge());
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
else
{
// The request contains an authorization header
String xauth = req.getHeader("X-Authorization");
// Try to validate the authorization
username = validateDigestResponse(xauth, method);
if (username == null)
{
resp.setHeader("X-WWW-Authenticate", createDigestChallenge());
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
return username;
}
// It creates a digest challenge to be passed in the
// X-WWW-Authorization header. Uses the principles under RFC 2617
private synchronized String createDigestChallenge()
{
StringBuffer challenge = new StringBuffer("X-Digest realm=\"").append(getServletName()).append("\", qop=\"auth\", ");
// Create a nonce. The counter value ensures that even requests within a milisec
// will have a different nonce
String nonce = (System.currentTimeMillis() + counter++) + ":" + internalKey;
// calculates nonce's digest and encode as HEX
Digest digest = new MD5Digest();
byte[] result = new byte[digest.getDigestSize()];
digest.update(nonce.getBytes(), 0, nonce.getBytes().length);
digest.doFinal(result, 0);
nonce = new String(Hex.encode(result));
challenge.append("nonce=\"").append(nonce).append("\", ");
// Create opaque
String opaque = "" + random.nextLong();
digest.update(opaque.getBytes(), 0, opaque.getBytes().length);
digest.doFinal(result, 0);
opaque = new String(Hex.encode(result));
challenge.append("opaque=\"").append(opaque).append("\"");
return challenge.toString();
}
// It validates the user's response and returns a username.
// If null the user was not authenticated
private synchronized String validateDigestResponse(String challengeResponse, String method)
{
if (!challengeResponse.startsWith("X-Digest"))
{
return null;
}
challengeResponse = challengeResponse.substring(8).trim();
// parse the response components
StringTokenizer tokenizer = new StringTokenizer(challengeResponse, ",");
String nonce = null;
String realm = null;
String opaque = null;
String uri = null;
String username = null;
String response = null;
// parses the response
while (tokenizer.hasMoreTokens())
{
String nextToken = tokenizer.nextToken().trim();
if (nextToken.startsWith("nonce"))
{
nonce = nextToken.substring(7, nextToken.length() - 1);
}
if (nextToken.startsWith("opaque"))
{
opaque = nextToken.substring(8, nextToken.length() - 1);
}
if (nextToken.startsWith("uri"))
{
uri = nextToken.substring(5, nextToken.length() - 1);
}
if (nextToken.startsWith("username"))
{
username = nextToken.substring(10, nextToken.length() - 1);
}
if (nextToken.startsWith("response"))
{
response = nextToken.substring(10, nextToken.length() - 1);
}
if (nextToken.startsWith("realm"))
{
realm = nextToken.substring(7, nextToken.length() - 1);
}
}
// all components are required
if (realm == null || nonce == null || opaque == null || uri == null || username == null || response == null)
{
return null;
}
// Check the realm
if (!realm.equals(getServletName()))
{
return null;
}
// try to find a username
User user = userDB.getUser(username);
if (user == null)
{
return null;
}
// If the username is found, we calculate the digest as in RFC 2617
// Calculate A1
// A1 could also be calculated by User to avoid exposing the password at this level
String A1 = username + ":" + realm + ":" + user.getPassword();
Digest digest = new MD5Digest();
int size = digest.getDigestSize();
byte[] allbytes = A1.getBytes();
byte[] result = new byte[size];
digest.update(allbytes, 0, allbytes.length);
digest.doFinal(result, 0);
A1 = new String(Hex.encode(result));
// Calculate A2
String A2 = method + ":" + uri;
allbytes = A2.getBytes();
digest.update(allbytes, 0, allbytes.length);
digest.doFinal(result, 0);
A2 = new String(Hex.encode(result));
// Calculate response
String calculatedResponse = A1 + ":" + nonce + ":" + A2;
allbytes = calculatedResponse.getBytes();
digest.update(allbytes, 0, allbytes.length);
digest.doFinal(result, 0);
calculatedResponse = new String(Hex.encode(result));
// Compare servers digest with client's digest
if (calculatedResponse.equals(response))
{
return username;
}
return null;
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -