RIFE's authentication framework, which builds on the behavioral inheritance feature, is flexible enough to let you create any kind of custom authentication and authorization.
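Below is a sample implementation of an element that provides basic HTTP authentication, using RIFE's memory users as the credentials database (Basic credentials are only Base64-encoded, not encrypted, so serve such an element over HTTPS):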
package tutorial.authentication;
import com.uwyn.rife.authentication.SessionManager;
import com.uwyn.rife.authentication.SessionValidator;
import com.uwyn.rife.authentication.credentials.RoleUser;
import com.uwyn.rife.authentication.credentialsmanagers.MemoryUsers;
import com.uwyn.rife.authentication.exceptions.CredentialsManagerException;
import com.uwyn.rife.authentication.exceptions.SessionManagerException;
import com.uwyn.rife.authentication.sessionmanagers.MemorySessionsFactory;
import com.uwyn.rife.authentication.sessionvalidators.MemorySessionValidator;
import com.uwyn.rife.engine.Element;
import com.uwyn.rife.engine.exceptions.EngineException;
import com.uwyn.rife.tools.Base64;
import com.uwyn.rife.tools.StringUtils;
import java.io.UnsupportedEncodingException;
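/**
 * Sample element that protects every element, group or sub-site inheriting
 * from it with HTTP Basic authentication, checked against RIFE's in-memory
 * user repository.
 *
 * <p>The role a user must hold is read from this element's {@code role}
 * property. When the request carries no usable {@code Authorization} header,
 * or the credentials are rejected, the element answers with a
 * {@code WWW-Authenticate} challenge and status 401.
 *
 * <p>Security notes: Basic authentication transmits the login and password
 * Base64-encoded (not encrypted) on every request, so this element should
 * only be reachable over TLS. Nothing in this class limits repeated failed
 * attempts; any throttling has to be provided elsewhere.
 */
public class HttpAuthentication extends Element
{
    /** Authentication scheme token followed by the separating space. */
    private static final String BASIC_PREFIX = "Basic ";

    /**
     * Authenticates the request and hands control to the inheriting child on
     * success; otherwise sends a 401 challenge.
     *
     * @throws EngineException when the credentials manager or the session
     * manager reports an error
     * @throws RuntimeException when the ISO-8859-1 charset is unavailable
     */
    public void processElement()
    {
        String authorization = getHeader("Authorization");
        // The scheme name is case-insensitive in HTTP, so "basic" and "BASIC"
        // must be accepted as well as "Basic".
        if (authorization != null &&
            authorization.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length()))
        {
            String encoded = authorization.substring(BASIC_PREFIX.length()).trim();
            try
            {
                byte[] decoded = Base64.decode(encoded);
                // Defensive: if the decoder signals malformed input with null,
                // fall through to the 401 instead of failing with an NPE.
                if (decoded != null)
                {
                    String cred_str = new String(decoded, "ISO-8859-1");
                    // Split on the FIRST colon only: the login cannot contain
                    // ':' but the password may, so splitting on every colon
                    // would lock out users whose password contains one.
                    int separator = cred_str.indexOf(':');
                    if (separator >= 0)
                    {
                        String login = cred_str.substring(0, separator);
                        String password = cred_str.substring(separator + 1);
                        String role = getPropertyString("role");

                        RoleUser credentials = new RoleUser(login, password, role);

                        SessionManager session_manager = MemorySessionsFactory.getInstance();
                        MemoryUsers credentials_manager = MemoryUsers.getRepInstance();

                        // NOTE(review): the validator is configured but never
                        // consulted in this method; kept as in the original
                        // sample - confirm whether it is needed.
                        SessionValidator validator = new MemorySessionValidator();
                        validator.setCredentialsManager(credentials_manager);
                        validator.setSessionManager(session_manager);
                        validator.setRememberManager(null);

                        if (credentials.validate())
                        {
                            long userid = credentials_manager.verifyCredentials(credentials);
                            // A negative id is treated as "credentials rejected".
                            if (userid >= 0)
                            {
                                // NOTE(review): a session is started on every
                                // authenticated request and the value returned
                                // by startSession is not used; presumably these
                                // sessions stay in memory until they expire -
                                // confirm this is acceptable under load.
                                session_manager.startSession(userid, getRemoteAddr(), false);
                                // Presumably transfers control to the inheriting
                                // element and does not return here; otherwise
                                // the 401 below would be sent as well - confirm.
                                child();
                            }
                        }
                    }
                }
            }
            catch (CredentialsManagerException e)
            {
                throw new EngineException(e);
            }
            catch (SessionManagerException e)
            {
                throw new EngineException(e);
            }
            catch (UnsupportedEncodingException e)
            {
                throw new RuntimeException(e);
            }
        }

        // Reached for a missing header, an unsupported scheme, malformed
        // credentials or a failed verification: challenge the client.
        addHeader("WWW-Authenticate", "Basic realm=\"RIFE Application\"");
        sendError(401);
    }
}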
Using this element is very simple: just declare it in your site structure and make any element, group or sub-site inherit its behavior:
<!-- Declares the authentication element under the id "HttpAuth". -->
<element id="HttpAuth" implementation="tutorial.authentication.HttpAuthentication">
<!-- Role passed to the credentials check; the element reads it with getPropertyString("role"). -->
<property name="role">admin</property>
</element>
<!-- Anything in this group inherits HttpAuth, so the Basic authentication check runs first. -->
<group inherits="HttpAuth">
</group>