Provides a filter that performs authentication with the SecurityProvider as configured according to BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME.
This replaces the JAAS "BrooklynLoginModule" because that login module requires
Basic auth, which is not flexible enough to support redirect-based solutions like OAuth.
Unfortunately we seem to need two filters: the Jersey filter for the REST bundle,
and the Javax filter for the static content bundles (in brooklyn-ui/ui-modules).
(We could set up our own Jersey servlet or blueprint for the static content bundles
to re-use the Jersey filter, but that seems like overkill; and surely there's an easy
way to set the Javax filter to run for the REST bundle inside blueprint.xml, but a
few early attempts didn't succeed, and the approach of having two filters seems easiest,
especially as they share code for the significant parts, in this class.)
This does give us the opportunity to differentiate the redirect, so that
Jersey (REST) requests don't redirect to the auth site, as the redirect requires human intervention.
More unfortunately, the session handlers for the multiple bundles are all different,
and the CXF JAX-RS bundles don't allow any configuration of the handlers
(see the JettyHTTPServerEngine.addServant(..) call to configureSession).
So we cheat and modify the request's session handler so that we can use a shared
session handler. This means all webapps and jaxrs apps that use this filter will
be able to share their session handler, so happily when you log out from one,
you log out from all, and when you're authenticated in one you're authenticated in all.
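
The design described above, modelled as an added example in plain Java; it is not Brooklyn's code. All names here (SharedAuthSketch, SharedSessions, Caller, Outcome, check) are hypothetical, and the 401 returned to REST callers is an assumption, since the text only says that REST requests are not redirected.

```java
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class SharedAuthSketch {
    enum Caller { REST, STATIC_UI }   // which of the two filters is asking
    enum Outcome { ALLOW, UNAUTHORIZED_401, REDIRECT_TO_LOGIN }

    /** Stand-in for the single session handler shared by every bundle. */
    static final class SharedSessions {
        private final Map<String, String> userBySessionId = new ConcurrentHashMap<>();

        String login(String user) {
            String id = UUID.randomUUID().toString();
            userBySessionId.put(id, user);
            return id;
        }

        Optional<String> user(String sessionId) {
            return sessionId == null ? Optional.empty()
                                     : Optional.ofNullable(userBySessionId.get(sessionId));
        }

        void logout(String sessionId) {
            if (sessionId != null) userBySessionId.remove(sessionId);
        }
    }

    /** The part both filters share: same session lookup, different failure response. */
    static Outcome check(SharedSessions sessions, String sessionId, Caller caller) {
        if (sessions.user(sessionId).isPresent()) return Outcome.ALLOW;
        // A REST client cannot complete an interactive login, so it is refused outright
        // (assumed 401); only browser-facing static content is sent to the login site.
        return caller == Caller.REST ? Outcome.UNAUTHORIZED_401 : Outcome.REDIRECT_TO_LOGIN;
    }

    public static void main(String[] args) {
        SharedSessions sessions = new SharedSessions();   // one instance for all bundles
        System.out.println("anonymous REST: " + check(sessions, null, Caller.REST));
        System.out.println("anonymous UI:   " + check(sessions, null, Caller.STATIC_UI));

        String id = sessions.login("alice");              // constructed sample user
        System.out.println("UI after login:   " + check(sessions, id, Caller.STATIC_UI));
        System.out.println("REST same session: " + check(sessions, id, Caller.REST));

        sessions.logout(id);                              // logout through either bundle
        System.out.println("REST after logout: " + check(sessions, id, Caller.REST));
        System.out.println("UI after logout:   " + check(sessions, id, Caller.STATIC_UI));
    }
}
```

Because every bundle consults the same store, session fixation or theft in one webapp applies to all of them, so session cookie protections need to be uniform across the bundles that use the filter.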