blowfishauthenticationcontroller.java

一套java版本的搜索引擎源码

/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.lucene.gdata.server.authentication;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.Provider;
import java.security.Security;
import java.util.StringTokenizer;
import java.util.concurrent.locks.ReentrantLock;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.lucene.gdata.data.GDataAccount;
import org.apache.lucene.gdata.data.GDataAccount.AccountRole;
import org.apache.lucene.gdata.server.registry.Component;
import org.apache.lucene.gdata.server.registry.ComponentType;
import org.apache.lucene.gdata.server.registry.configuration.Requiered;

import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

/**
 * A
 * {@link org.apache.lucene.gdata.server.authentication.AuthenticationController}
 * implmentation using a <i>Blowfish</i> algorithmn to en/decrpyt the
 * authentification token. The <i>Blowfish</i> algorithmn enables a stateless
 * authetication of the client. The token contains all information to
 * authenticate the client on possible other hosts.
 * <p>
 * The token contains the first 32 bit of the client ip (e.g. 192.168.0),
 * account name, {@link org.apache.lucene.gdata.data.GDataAccount.AccountRole}
 * and the cration time as a timestamp. The timestamp will be checked on every
 * subsequent request. If the timestamp plus the configured timeout is less
 * than the current time the client has to reauthenticate again.
 * </p>
 * <p>
 * The auth token returned by the
 * {@link BlowfishAuthenticationController#authenticatAccount(GDataAccount, String)}
 * method is a BASE64 encoded string.
 * </p>
 * 
 * @see javax.crypto.Cipher
 * @see sun.misc.BASE64Encoder
 * @see sun.misc.BASE64Decoder
 * @author Simon Willnauer
 * 
 */
@Component(componentType = ComponentType.AUTHENTICATIONCONTROLLER)
public class BlowfishAuthenticationController implements
        AuthenticationController {
    private static final Log LOG = LogFactory
            .getLog(BlowfishAuthenticationController.class);

    private static final String ALG = "Blowfish";

    private static final String TOKEN_LIMITER = "#";

    private static final String ENCODING = "UTF-8";

    private Cipher deCrypt;

    private Cipher enCrypt;

    private int minuteOffset = 30;

    private long milisecondOffset;

    private BASE64Encoder encoder = new BASE64Encoder();

    private BASE64Decoder decoder = new BASE64Decoder();

    private ReentrantLock lock = new ReentrantLock();

    
    private  String key;

    /**
     * @see org.apache.lucene.gdata.server.authentication.AuthenticationController#initialize()
     */
    public void initialize() {
        if (this.key == null)
            throw new IllegalArgumentException("Auth key must not be null");
        if (this.key.length() < 5 || this.key.length() > 16)
            throw new IllegalArgumentException(
                    "Auth key length must be greater than 4 and less than 17");

        try {
            Provider sunJce = new com.sun.crypto.provider.SunJCE();
            Security.addProvider(sunJce);
            KeyGenerator kgen = KeyGenerator.getInstance(ALG);
            kgen.init(448); // 448 Bit^M
            byte[] raw = this.key.getBytes();
            SecretKeySpec skeySpec = new SecretKeySpec(raw, ALG);
            this.deCrypt = Cipher.getInstance(ALG);
            this.enCrypt = Cipher.getInstance(ALG);
            this.deCrypt.init(Cipher.DECRYPT_MODE, skeySpec);
            this.enCrypt.init(Cipher.ENCRYPT_MODE, skeySpec);
        } catch (Exception e) {
            throw new AuthenticatorException(
                    "Can't initialize BlowfishAuthenticationController -- "
                            + e.getMessage(), e);

        }
        calculateTimeOffset();
    }

    /**
     * @see org.apache.lucene.gdata.server.authentication.AuthenticationController#authenticatAccount(org.apache.lucene.gdata.data.GDataAccount,
     *      java.lang.String)
     */
    public String authenticatAccount(GDataAccount account, String requestIp) {
        try {
            String passIp = requestIp.substring(0, requestIp.lastIndexOf('.'));
            String role = Integer.toString(account.getRolesAsInt());

            return calculateAuthToken(passIp, role, account.getName());
        } catch (Exception e) {
            throw new AuthenticatorException("Can not authenticat account -- "
                    + e.getMessage(), e);

        }
    }

    /**
     * @see org.apache.lucene.gdata.server.authentication.AuthenticationController#authenticateToken(java.lang.String,
     *      java.lang.String,
     *      org.apache.lucene.gdata.data.GDataAccount.AccountRole,
     *      java.lang.String)
     */
    public boolean authenticateToken(final String token,
            final String requestIp, AccountRole role, String accountName) {
        if (LOG.isInfoEnabled())
            LOG.info("authenticate Token " + token + " for requestIp: "
                    + requestIp);
        if (token == null || requestIp == null)
            return false;
        String passIp = requestIp.substring(0, requestIp.lastIndexOf('.'));
        String authString = null;
        try {
            authString = deCryptAuthToken(token);
        } catch (Exception e) {
            throw new AuthenticatorException("Can not decrypt token -- "
                    + e.getMessage(), e);
        }
        if (authString == null)
            return false;
        try {
            StringTokenizer tokenizer = new StringTokenizer(authString,
                    TOKEN_LIMITER);
            if (!tokenizer.nextToken().equals(passIp))
                return false;
            String tempAccountName = tokenizer.nextToken();
            int intRole = Integer.parseInt(tokenizer.nextToken());
            /*
             * Authentication goes either for a account role or a account. For
             * entry manipulation the account name will be retrieved by the
             * feedId otherwise it will be null If it is null the authentication
             * goes against the account role
             */
            if (tempAccountName == null
                    || (!tempAccountName.equals(accountName) && !GDataAccount
                            .isInRole(intRole, role)))
                return false;
            long timeout = Long.parseLong(tokenizer.nextToken());

            return (timeout + this.milisecondOffset) > System
                    .currentTimeMillis();
        } catch (Exception e) {
            LOG.error("Error occured while encrypting token " + e.getMessage(),
                    e);
            return false;
        }

    }

    private void calculateTimeOffset() {
        this.milisecondOffset = this.minuteOffset * 60 * 1000;
    }

    protected String calculateAuthToken(final String ipAddress,
            final String role, String accountName)
            throws IllegalBlockSizeException, BadPaddingException,
            UnsupportedEncodingException {
        StringBuilder builder = new StringBuilder();
        builder.append(ipAddress).append(TOKEN_LIMITER);
        builder.append(accountName).append(TOKEN_LIMITER);
        builder.append(role).append(TOKEN_LIMITER);
        builder.append(System.currentTimeMillis());

        this.lock.lock();
        try {
            byte[] toencode = builder.toString().getBytes(ENCODING);
            byte[] result = this.enCrypt.doFinal(toencode);
            return this.encoder.encode(result);
        } finally {
            this.lock.unlock();

        }

    }

    protected String deCryptAuthToken(final String authToken)
            throws IOException, IllegalBlockSizeException, BadPaddingException {
        this.lock.lock();
        try {
            byte[] input = this.decoder.decodeBuffer(authToken);
            byte[] result = this.deCrypt.doFinal(input);
            return new String(result, ENCODING);
        } finally {
            this.lock.unlock();
        }

    }

    /**
     * @return Returns the minuteOffset.
     */
    @Requiered
    public int getLoginTimeout() {
        return this.minuteOffset;
    }

    /**
     * @param minuteOffset
     *            The minuteOffset to set.
     */
    @Requiered
    public void setLoginTimeout(int minuteOffset) {
        this.minuteOffset = minuteOffset;
        calculateTimeOffset();
    }

    /**
     * @return Returns the key.
     */
    public String getKey() {
        return this.key;
    }

    /**
     * @param key
     *            The key to set.
     */
    public void setKey(String key) {
        this.key = key;
    }

    /**
     * @see org.apache.lucene.gdata.server.registry.ServerComponent#destroy()
     */
    public void destroy() {
        //
    }

}