/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
    *
    * Licensed under the Apache License, Version 2.0 (the "License");
    * you may not use this file except in compliance with the License.
    * You may obtain a copy of the License at
    *
    *     http://www.apache.org/licenses/LICENSE-2.0
    *
    * Unless required by applicable law or agreed to in writing, software
   * distributed under the License is distributed on an "AS IS" BASIS,
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
   * limitations under the License.
   */
  
  package org.acegisecurity.ui.webapp;
  
  import org.acegisecurity.AuthenticationException;
  
  import org.acegisecurity.ui.AuthenticationEntryPoint;
  
  import org.acegisecurity.util.PortMapper;
  import org.acegisecurity.util.PortMapperImpl;
  import org.acegisecurity.util.PortResolver;
  import org.acegisecurity.util.PortResolverImpl;
  
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  
  import org.springframework.beans.factory.InitializingBean;
  
  import org.springframework.util.Assert;
  
  import java.io.IOException;
  
  import javax.servlet.RequestDispatcher;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  /**
   * <p>
   * Used by the <code>SecurityEnforcementFilter</code> to commence
   * authentication via the {@link AuthenticationProcessingFilter}. This object
   * holds the location of the login form, relative to the web app context path,
   * and is used to commence a redirect to that form.
   * </p>
   * <p>
   * By setting the <em>forceHttps</em> property to true, you may configure the
   * class to force the protocol used for the login form to be <code>HTTPS</code>,
   * even if the original intercepted request for a resource used the
   * <code>HTTP</code> protocol. When this happens, after a successful login
   * (via HTTPS), the original resource will still be accessed as HTTP, via the
   * original request URL. For the forced HTTPS feature to work, the {@link
   * PortMapper} is consulted to determine the HTTP:HTTPS pairs.
   * </p>
   * 
   * @author Ben Alex
   * @author colin sampaleanu
   * @author Omri Spector
   * @version $Id: AuthenticationProcessingFilterEntryPoint.java 1873 2007-05-25
   * 03:21:17Z benalex $
   */
  public class AuthenticationProcessingFilterEntryPoint implements AuthenticationEntryPoint, InitializingBean {
  	// ~ Static fields/initializers
  	// =====================================================================================
  
  	private static final Log logger = LogFactory.getLog(AuthenticationProcessingFilterEntryPoint.class);
  
  	// ~ Instance fields
  	// ================================================================================================
  
  	private PortMapper portMapper = new PortMapperImpl();
  
  	private PortResolver portResolver = new PortResolverImpl();
  
  	private String loginFormUrl;
  
  	private boolean forceHttps = false;
  
  	private boolean serverSideRedirect = false;
  
  	// ~ Methods
  	// ========================================================================================================
  
  	public void afterPropertiesSet() throws Exception {
  		Assert.hasLength(loginFormUrl, "loginFormUrl must be specified");
  		Assert.notNull(portMapper, "portMapper must be specified");
  		Assert.notNull(portResolver, "portResolver must be specified");
  	}
  
  	/**
  	 * Allows subclasses to modify the login form URL that should be applicable
  	 * for a given request.
  	 * 
  	 * @param request the request
  	 * @param response the response
 	 * @param exception the exception
 	 * @return the URL (cannot be null or empty; defaults to
 	 * {@link #getLoginFormUrl()})
 	 */
 	protected String determineUrlToUseForThisRequest(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException exception) {
 		return getLoginFormUrl();
 	}
 
 	public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
 			throws IOException, ServletException {
 		HttpServletRequest req = (HttpServletRequest) request;
 		HttpServletResponse resp = (HttpServletResponse) response;
 		String scheme = request.getScheme();
 		String serverName = request.getServerName();
 		int serverPort = portResolver.getServerPort(request);
 		String contextPath = req.getContextPath();
 
 		boolean inHttp = "http".equals(scheme.toLowerCase());
 		boolean inHttps = "https".equals(scheme.toLowerCase());
 
 		boolean includePort = true;
 
 		String redirectUrl = null;
 		boolean doForceHttps = false;
 		Integer httpsPort = null;
 
 		if (inHttp && (serverPort == 80)) {
 			includePort = false;
 		}
 		else if (inHttps && (serverPort == 443)) {
 			includePort = false;
 		}
 
 		if (forceHttps && inHttp) {
 			httpsPort = (Integer) portMapper.lookupHttpsPort(new Integer(serverPort));
 
 			if (httpsPort != null) {
 				doForceHttps = true;
 				if (httpsPort.intValue() == 443) {
 					includePort = false;
 				}
 				else {
 					includePort = true;
 				}
 			}
 
 		}
 
 		String loginForm = determineUrlToUseForThisRequest(req, resp, authException);
 
 		if (serverSideRedirect) {
 
 			if (doForceHttps) {
 
 				// before doing server side redirect, we need to do client
 				// redirect to https.
 
 				String servletPath = req.getServletPath();
 				String pathInfo = req.getPathInfo();
 				String query = req.getQueryString();
 
 				redirectUrl = "https://" + serverName + ((includePort) ? (":" + httpsPort) : "") + contextPath
 						+ servletPath + (pathInfo == null ? "" : pathInfo) + (query == null ? "" : "?" + query);
 
 			}
 			else {
 
 				if (logger.isDebugEnabled()) {
 					logger.debug("Server side forward to: " + loginForm);
 				}
 
 				RequestDispatcher dispatcher = req.getRequestDispatcher(loginForm);
 
 				dispatcher.forward(request, response);
 
 				return;
 
 			}
 
 		}
 		else {
 
 			if (doForceHttps) {
 
 				redirectUrl = "https://" + serverName + ((includePort) ? (":" + httpsPort) : "") + contextPath
 						+ loginForm;
 
 			}
 			else {
 
 				redirectUrl = scheme + "://" + serverName + ((includePort) ? (":" + serverPort) : "") + contextPath
 						+ loginForm;
 
 			}
 		}
 
 		if (logger.isDebugEnabled()) {
 			logger.debug("Redirecting to: " + redirectUrl);
 		}
 
 		((HttpServletResponse) response).sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectUrl));
 	}
 
 	public boolean getForceHttps() {
 		return forceHttps;
 	}
 
 	public String getLoginFormUrl() {
 		return loginFormUrl;
 	}
 
 	public PortMapper getPortMapper() {
 		return portMapper;
 	}
 
 	public PortResolver getPortResolver() {
 		return portResolver;
 	}
 
 	public boolean isServerSideRedirect() {
 		return serverSideRedirect;
 	}
 
 	/**
 	 * Set to true to force login form access to be via https. If this value is
 	 * ture (the default is false), and the incoming request for the protected
 	 * resource which triggered the interceptor was not already
 	 * <code>https</code>, then
 	 * 
 	 * @param forceHttps
 	 */
 	public void setForceHttps(boolean forceHttps) {
 		this.forceHttps = forceHttps;
 	}
 
 	/**
 	 * The URL where the <code>AuthenticationProcessingFilter</code> login
 	 * page can be found. Should be relative to the web-app context path, and
 	 * include a leading <code>/</code>
 	 * 
 	 * @param loginFormUrl
 	 */
 	public void setLoginFormUrl(String loginFormUrl) {
 		this.loginFormUrl = loginFormUrl;
 	}
 
 	public void setPortMapper(PortMapper portMapper) {
 		this.portMapper = portMapper;
 	}
 
 	public void setPortResolver(PortResolver portResolver) {
 		this.portResolver = portResolver;
 	}
 
 	/**
 	 * Tells if we are to do a server side include of the
 	 * <code>loginFormUrl</code> instead of a 302 redirect.
 	 * 
 	 * @param serverSideRedirect
 	 */
 	public void setServerSideRedirect(boolean serverSideRedirect) {
 		this.serverSideRedirect = serverSideRedirect;
 	}
 
 }