Mailing-List: contact commits-help@chemistry.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@chemistry.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1756919 - in
 /chemistry/opencmis/trunk/chemistry-opencmis-server:
 chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/
 chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/src/main/java/
 chemist...
Date: Fri, 19 Aug 2016 14:21:37 -0000
To: commits@chemistry.apache.org
From: fmui@apache.org
Message-Id: <20160819142138.071283A0319@svn01-us-west.apache.org>
archived-at: Fri, 19 Aug 2016 14:21:52 -0000

Author: fmui
Date: Fri Aug 19 14:21:37 2016
New Revision: 1756919

URL: http://svn.apache.org/viewvc?rev=1756919&view=rev
Log:
added more code and comment around authentication

Added:
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/AbstractCallContextInterceptor.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CallContextHandlerInterceptor.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AttributeCallContextHandler.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/UserPrincipalCallContextHandler.java
Modified:
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/pom.xml
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/src/main/java/__projectPrefix__CmisServiceFactory.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web-async.xml
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web.xml
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CmisWebServicesServlet.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/UsernameTokenInterceptor.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AbstractCmisHttpServlet.java
    chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/BasicAuthCallContextHandler.java

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/pom.xml
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/pom.xml?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/pom.xml (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/pom.xml Fri Aug 19 14:21:37 2016
@@ -18,19 +18,9 @@
     <build>
         <plugins>
             <plugin>
-                <inherited>true</inherited>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.0</version>
-                <configuration>
-                    <target>1.6</target>
-                    <source>1.6</source>
-                    <encoding>UTF-8</encoding>
-                </configuration>
-            </plugin>
-            <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-war-plugin</artifactId>
-                <version>2.3</version>
+                <version>2.4</version>
                 <configuration>
                     <overlays>
                         <overlay></overlay>

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/src/main/java/__projectPrefix__CmisServiceFactory.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/src/main/java/__projectPrefix__CmisServiceFactory.java?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/src/main/java/__projectPrefix__CmisServiceFactory.java (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-archetype/src/main/resources/archetype-resources/src/main/java/__projectPrefix__CmisServiceFactory.java Fri Aug 19 14:21:37 2016
@@ -41,7 +41,9 @@ public class ${projectPrefix}CmisService
 
     @Override
     public CmisService getService(CallContext context) {
-        // authentication can go here
+        // get the user name and password that the CallContextHandler has determined
+        // - if the user is null, this is either an anonymous request or the CallContextHandler configuration is wrong
+        // - the password may be null depending on the authentication method
         String user = context.getUsername();
         String password = context.getPassword();
 

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web-async.xml
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web-async.xml?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web-async.xml (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web-async.xml Fri Aug 19 14:21:37 2016
@@ -20,7 +20,7 @@
 <web-app version="3.0"
     xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
-    
+
     <display-name>OpenCMIS Server</display-name>
 
     <welcome-file-list>
@@ -31,64 +31,97 @@
     <listener>
         <listener-class>org.apache.chemistry.opencmis.server.impl.CmisRepositoryContextListener</listener-class>
     </listener>
-    
+
     <!-- 
-         A servlet filter that logs all requests in files. Useful for monitoring and debugging.
-         Use it with care! It can generate a huge amount of files and will slow down performance
-         significantly.
+        Consider adding an authentication filter that checks the user credentials before
+        the request is forwarded to OpenCMIS.
     -->
     <!-- - ->
     <filter>
-           <filter-name>LoggingFilter</filter-name>
-          <filter-class>org.apache.chemistry.opencmis.server.support.filter.LoggingFilter</filter-class>
-           <init-param>
-              <param-name>LogDir</param-name>
-              <param-value></param-value>
-           </init-param>
-           <init-param>
-              <param-name>PrettyPrint</param-name>
-              <param-value>true</param-value>
-           </init-param>
-           <init-param>
-              <param-name>LogHeader</param-name>
-              <param-value>true</param-value>
-           </init-param>
-           <init-param>
-              <param-name>Indent</param-name>
-              <param-value>4</param-value>
-           </init-param>
+        <filter-name>AuthFilter</filter-name>
+        <filter-class>your.auth.filterClass</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisatom10</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisatom11</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisws10</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisws11</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisbrowser</servlet-name> 
+    </filter-mapping>
+    <!- - -->
+
+    <!-- 
+        A servlet filter that logs all requests in files. Useful for monitoring and debugging.
+        Use it with care! It can generate a huge amount of files and will slow down performance
+        significantly.
+    -->
+    <!-- - ->
+    <filter>
+        <filter-name>LoggingFilter</filter-name>
+        <filter-class>org.apache.chemistry.opencmis.server.support.filter.LoggingFilter</filter-class>
+        <init-param>
+            <param-name>LogDir</param-name>
+            <param-value></param-value>
+        </init-param>
+        <init-param>
+            <param-name>PrettyPrint</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <init-param>
+            <param-name>LogHeader</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <init-param>
+            <param-name>Indent</param-name>
+            <param-value>4</param-value>
+        </init-param>
     </filter>
-    
+
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisatom10</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisatom10</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisatom11</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisatom11</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisws10</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisws10</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisws11</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisws11</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisbrowser</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisbrowser</servlet-name> 
     </filter-mapping>
-    <!- -   -->
+    <!- - -->
 
     <!--
         Uncomment the following filter if the OpenCMIS server runs behind a proxy server or a load balancer.
-        The value of the 'trustedProxies' parameter is a regular expression. It must match the IP address of the proxy or load balancer.
+        The value of the 'trustedProxies' parameter is a regular expression. It must match the
+        IP address of the proxy or load balancer.
     -->
     <!--
     <filter>
-           <filter-name>ProxyFilter</filter-name>
-          <filter-class>org.apache.chemistry.opencmis.server.filter.ProxyFilter</filter-class>
+        <filter-name>ProxyFilter</filter-name>
+        <filter-class>org.apache.chemistry.opencmis.server.filter.ProxyFilter</filter-class>
         <init-param>
             <param-name>trustedProxies</param-name>
             <param-value>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}</param-value>
@@ -96,23 +129,24 @@
     </filter>
 
     <filter-mapping>
-           <filter-name>ProxyFilter</filter-name>
-           <servlet-name>cmisatom10</servlet-name> 
+        <filter-name>ProxyFilter</filter-name>
+        <servlet-name>cmisatom10</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>ProxyFilter</filter-name>
-           <servlet-name>cmisatom11</servlet-name> 
+        <filter-name>ProxyFilter</filter-name>
+        <servlet-name>cmisatom11</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>ProxyFilter</filter-name>
-           <servlet-name>cmisbrowser</servlet-name> 
-    </filter-mapping>    
+        <filter-name>ProxyFilter</filter-name>
+        <servlet-name>cmisbrowser</servlet-name> 
+    </filter-mapping>
     -->
 
     <!--
         Uncomment the following filter to enable CORS support for the browser binding.
         See http://software.dzhuvinov.com/cors-filter.html for details.
-        Put the CORS libraries into the WEB-INF/lib directory or uncomment the CORS dependency in the pom.xml.
+        Put the CORS libraries into the WEB-INF/lib directory or uncomment the CORS dependency
+        in the pom.xml.
     -->
     <!--
     <filter>
@@ -166,20 +200,36 @@
         <servlet-name>cmisws10</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.async.impl.webservices.AsyncCmisWebServicesServlet</servlet-class>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.0</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>1</load-on-startup>
         <async-supported>true</async-supported>
     </servlet>
-    
+
     <servlet>
         <servlet-name>cmisws11</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.async.impl.webservices.AsyncCmisWebServicesServlet</servlet-class>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.1</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>1</load-on-startup>
         <async-supported>true</async-supported>
     </servlet>
@@ -190,11 +240,21 @@
         <init-param>
             <param-name>callContextHandler</param-name>
             <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.UserPrincipalCallContextHandler</param-value> -->
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.AttributeCallContextHandler</param-value> -->
         </init-param>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.0</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>2</load-on-startup>
         <async-supported>true</async-supported>
     </servlet>
@@ -205,26 +265,45 @@
         <init-param>
             <param-name>callContextHandler</param-name>
             <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.UserPrincipalCallContextHandler</param-value> -->
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.AttributeCallContextHandler</param-value> -->
         </init-param>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.1</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>2</load-on-startup>
         <async-supported>true</async-supported>
     </servlet>
-    
+
     <servlet>
         <servlet-name>cmisbrowser</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.async.impl.browser.AsyncCmisBrowserBindingServlet</servlet-class>
         <init-param>
             <param-name>callContextHandler</param-name>
             <param-value>org.apache.chemistry.opencmis.server.impl.browser.token.TokenCallContextHandler</param-value>
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.UserPrincipalCallContextHandler</param-value> -->
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.AttributeCallContextHandler</param-value> -->
+        </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
         </init-param>
+        -->
         <load-on-startup>2</load-on-startup>
         <async-supported>true</async-supported>
     </servlet>
-    
+
     <servlet>
         <servlet-name>cmisendpoints</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.endpoints.SimpleCmisEndpointsDocumentServlet</servlet-class>
@@ -249,7 +328,7 @@
         <servlet-name>cmisatom10</servlet-name>
         <url-pattern>/atom/*</url-pattern>
     </servlet-mapping>
-    
+
     <servlet-mapping>
         <servlet-name>cmisatom11</servlet-name>
         <url-pattern>/atom11/*</url-pattern>

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web.xml?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web.xml (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings-war/src/main/webapp/WEB-INF/web.xml Fri Aug 19 14:21:37 2016
@@ -31,64 +31,97 @@
     <listener>
         <listener-class>org.apache.chemistry.opencmis.server.impl.CmisRepositoryContextListener</listener-class>
     </listener>
-    
+
     <!-- 
-         A servlet filter that logs all requests in files. Useful for monitoring and debugging.
-         Use it with care! It can generate a huge amount of files and will slow down performance
-         significantly.
+        Consider adding an authentication filter that checks the user credentials before
+        the request is forwarded to OpenCMIS.
     -->
     <!-- - ->
     <filter>
-           <filter-name>LoggingFilter</filter-name>
-          <filter-class>org.apache.chemistry.opencmis.server.support.filter.LoggingFilter</filter-class>
-           <init-param>
-              <param-name>LogDir</param-name>
-              <param-value></param-value>
-           </init-param>
-           <init-param>
-              <param-name>PrettyPrint</param-name>
-              <param-value>true</param-value>
-           </init-param>
-           <init-param>
-              <param-name>LogHeader</param-name>
-              <param-value>true</param-value>
-           </init-param>
-           <init-param>
-              <param-name>Indent</param-name>
-              <param-value>4</param-value>
-           </init-param>
+        <filter-name>AuthFilter</filter-name>
+        <filter-class>your.auth.filterClass</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisatom10</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisatom11</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisws10</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisws11</servlet-name> 
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>AuthFilter</filter-name>
+        <servlet-name>cmisbrowser</servlet-name> 
+    </filter-mapping>
+    <!- - -->
+
+    <!-- 
+        A servlet filter that logs all requests in files. Useful for monitoring and debugging.
+        Use it with care! It can generate a huge amount of files and will slow down performance
+        significantly.
+    -->
+    <!-- - ->
+    <filter>
+        <filter-name>LoggingFilter</filter-name>
+        <filter-class>org.apache.chemistry.opencmis.server.support.filter.LoggingFilter</filter-class>
+        <init-param>
+            <param-name>LogDir</param-name>
+            <param-value></param-value>
+        </init-param>
+        <init-param>
+            <param-name>PrettyPrint</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <init-param>
+            <param-name>LogHeader</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <init-param>
+            <param-name>Indent</param-name>
+            <param-value>4</param-value>
+        </init-param>
     </filter>
-    
+
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisatom10</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisatom10</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisatom11</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisatom11</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisws10</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisws10</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisws11</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisws11</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>LoggingFilter</filter-name>
-           <servlet-name>cmisbrowser</servlet-name> 
+        <filter-name>LoggingFilter</filter-name>
+        <servlet-name>cmisbrowser</servlet-name> 
     </filter-mapping>
-    <!- -   -->
+    <!- - -->
 
     <!--
         Uncomment the following filter if the OpenCMIS server runs behind a proxy server or a load balancer.
-        The value of the 'trustedProxies' parameter is a regular expression. It must match the IP address of the proxy or load balancer.
+        The value of the 'trustedProxies' parameter is a regular expression. It must match the
+        IP address of the proxy or load balancer.
     -->
     <!--
     <filter>
-           <filter-name>ProxyFilter</filter-name>
-          <filter-class>org.apache.chemistry.opencmis.server.filter.ProxyFilter</filter-class>
+        <filter-name>ProxyFilter</filter-name>
+        <filter-class>org.apache.chemistry.opencmis.server.filter.ProxyFilter</filter-class>
         <init-param>
             <param-name>trustedProxies</param-name>
             <param-value>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}</param-value>
@@ -96,23 +129,24 @@
     </filter>
 
     <filter-mapping>
-           <filter-name>ProxyFilter</filter-name>
-           <servlet-name>cmisatom10</servlet-name> 
+        <filter-name>ProxyFilter</filter-name>
+        <servlet-name>cmisatom10</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>ProxyFilter</filter-name>
-           <servlet-name>cmisatom11</servlet-name> 
+        <filter-name>ProxyFilter</filter-name>
+        <servlet-name>cmisatom11</servlet-name> 
     </filter-mapping>
     <filter-mapping>
-           <filter-name>ProxyFilter</filter-name>
-           <servlet-name>cmisbrowser</servlet-name> 
-    </filter-mapping>    
+        <filter-name>ProxyFilter</filter-name>
+        <servlet-name>cmisbrowser</servlet-name> 
+    </filter-mapping>
     -->
 
     <!--
         Uncomment the following filter to enable CORS support for the browser binding.
         See http://software.dzhuvinov.com/cors-filter.html for details.
-        Put the CORS libraries into the WEB-INF/lib directory or uncomment the CORS dependency in the pom.xml.
+        Put the CORS libraries into the WEB-INF/lib directory or uncomment the CORS dependency
+        in the pom.xml.
     -->
     <!--
     <filter>
@@ -166,19 +200,35 @@
         <servlet-name>cmisws10</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.webservices.CmisWebServicesServlet</servlet-class>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.0</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>1</load-on-startup>
     </servlet>
-    
+
     <servlet>
         <servlet-name>cmisws11</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.webservices.CmisWebServicesServlet</servlet-class>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.1</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>1</load-on-startup>
     </servlet>
 
@@ -186,13 +236,24 @@
         <servlet-name>cmisatom10</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet</servlet-class>
         <init-param>
+            <description>Call Context Handler implementation</description>
             <param-name>callContextHandler</param-name>
             <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.UserPrincipalCallContextHandler</param-value> -->
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.AttributeCallContextHandler</param-value> -->
         </init-param>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.0</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>2</load-on-startup>
     </servlet>
 
@@ -200,26 +261,47 @@
         <servlet-name>cmisatom11</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet</servlet-class>
         <init-param>
+            <description>Call Context Handler implementation</description>
             <param-name>callContextHandler</param-name>
             <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.UserPrincipalCallContextHandler</param-value> -->
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.AttributeCallContextHandler</param-value> -->
         </init-param>
         <init-param>
+            <description>CMIS version of this endpoint</description>
             <param-name>cmisVersion</param-name>
             <param-value>1.1</param-value>
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>2</load-on-startup>
     </servlet>
-    
+
     <servlet>
         <servlet-name>cmisbrowser</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.browser.CmisBrowserBindingServlet</servlet-class>
         <init-param>
+            <description>Call Context Handler implementation</description>
             <param-name>callContextHandler</param-name>
             <param-value>org.apache.chemistry.opencmis.server.impl.browser.token.TokenCallContextHandler</param-value>
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.UserPrincipalCallContextHandler</param-value> -->
+            <!-- <param-value>org.apache.chemistry.opencmis.server.shared.AttributeCallContextHandler</param-value> -->
         </init-param>
+        <!--
+        <init-param>
+            <description>Name of the CSRF header</description>
+            <param-name>csrfHeader</param-name>
+            <param-value>X-CSRF-Token</param-value>
+        </init-param>
+        -->
         <load-on-startup>2</load-on-startup>
     </servlet>
-    
+
     <servlet>
         <servlet-name>cmisendpoints</servlet-name>
         <servlet-class>org.apache.chemistry.opencmis.server.impl.endpoints.SimpleCmisEndpointsDocumentServlet</servlet-class>
@@ -244,7 +326,7 @@
         <servlet-name>cmisatom10</servlet-name>
         <url-pattern>/atom/*</url-pattern>
     </servlet-mapping>
-    
+
     <servlet-mapping>
         <servlet-name>cmisatom11</servlet-name>
         <url-pattern>/atom11/*</url-pattern>
@@ -254,7 +336,7 @@
         <servlet-name>cmisbrowser</servlet-name>
         <url-pattern>/browser/*</url-pattern>
     </servlet-mapping>
-    
+
     <servlet-mapping>
         <servlet-name>cmisendpoints</servlet-name>
         <url-pattern>/cmis-endpoints.json</url-pattern>

Added: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/AbstractCallContextInterceptor.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/AbstractCallContextInterceptor.java?rev=1756919&view=auto
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/AbstractCallContextInterceptor.java (added)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/AbstractCallContextInterceptor.java Fri Aug 19 14:21:37 2016
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.chemistry.opencmis.server.impl.webservices;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.chemistry.opencmis.commons.server.CallContext;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
+import org.apache.cxf.phase.Phase;
+
+/**
+ * Base class for all interceptors that add data to the call context.
+ */
+public abstract class AbstractCallContextInterceptor extends AbstractSoapInterceptor {
+
+    public AbstractCallContextInterceptor() {
+        super(Phase.PRE_INVOKE);
+    }
+
+    /**
+     * Returns the current call context map.
+     * 
+     * @return the call context map or {@code null} if there isn't one
+     */
+    @SuppressWarnings("unchecked")
+    protected Map<String, String> getCurrentCallContextMap(SoapMessage message) {
+        Object callContextMapObject = message.getExchange().getInMessage().get(AbstractService.CALL_CONTEXT_MAP);
+
+        if (callContextMapObject instanceof Map) {
+            return (Map<String, String>) callContextMapObject;
+        }
+
+        return null;
+    }
+
+    /**
+     * Sets a new call context map.
+     */
+    protected void setCallContextMap(SoapMessage message, Map<String, String> callContextMap) {
+        message.getExchange().getInMessage().put(AbstractService.CALL_CONTEXT_MAP, callContextMap);
+    }
+
+    /**
+     * Returns the current user.
+     */
+    protected String getCurrentUser(SoapMessage message) {
+        Map<String, String> callContextMap = getCurrentCallContextMap(message);
+        if (callContextMap != null) {
+            return callContextMap.get(CallContext.USERNAME);
+        }
+
+        return null;
+    }
+
+    /**
+     * Adds data to the current call context map.
+     */
+    protected void addToCurrentCallContextMap(SoapMessage message, Map<String, String> callContextMapAdditions) {
+        Map<String, String> callContextMap = getCurrentCallContextMap(message);
+        if (callContextMap == null) {
+            callContextMap = new HashMap<String, String>();
+        }
+
+        callContextMap.putAll(callContextMapAdditions);
+
+        setCallContextMap(message, callContextMap);
+    }
+
+    /**
+     * Adds a user and a password to the current call context map.
+     */
+    protected void setUserAndPassword(SoapMessage message, String user, String password) {
+        Map<String, String> callContextMap = getCurrentCallContextMap(message);
+        if (callContextMap == null) {
+            callContextMap = new HashMap<String, String>();
+        }
+
+        callContextMap.put(CallContext.USERNAME, user);
+        callContextMap.put(CallContext.PASSWORD, password);
+
+        setCallContextMap(message, callContextMap);
+    }
+
+    /**
+     * Adds just a user to the current call context map.
+     */
+    protected void setUser(SoapMessage message, String user) {
+        Map<String, String> callContextMap = getCurrentCallContextMap(message);
+        if (callContextMap == null) {
+            callContextMap = new HashMap<String, String>();
+        }
+
+        callContextMap.put(CallContext.USERNAME, user);
+
+        setCallContextMap(message, callContextMap);
+    }
+}

Added: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CallContextHandlerInterceptor.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CallContextHandlerInterceptor.java?rev=1756919&view=auto
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CallContextHandlerInterceptor.java (added)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CallContextHandlerInterceptor.java Fri Aug 19 14:21:37 2016
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.chemistry.opencmis.server.impl.webservices;
+
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.chemistry.opencmis.server.shared.CallContextHandler;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.transport.http.AbstractHTTPDestination;
+
+/**
+ * Adds data form a {@link CallContextHandler} if one is configured.
+ */
+public class CallContextHandlerInterceptor extends AbstractCallContextInterceptor {
+
+    private final CallContextHandler callContextHandler;
+
+    public CallContextHandlerInterceptor(CallContextHandler callContextHandler) {
+        super();
+        this.callContextHandler = callContextHandler;
+    }
+
+    @Override
+    public void handleMessage(SoapMessage message) {
+        if (callContextHandler == null) {
+            return;
+        }
+
+        HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
+        if (request == null) {
+            return;
+        }
+
+        Map<String, String> callContextMap = callContextHandler.getCallContextMap(request);
+        if (callContextMap == null || callContextMap.isEmpty()) {
+            return;
+        }
+
+        addToCurrentCallContextMap(message, callContextMap);
+    }
+}

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CmisWebServicesServlet.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CmisWebServicesServlet.java?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CmisWebServicesServlet.java (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/CmisWebServicesServlet.java Fri Aug 19 14:21:37 2016
@@ -39,6 +39,8 @@ import org.apache.chemistry.opencmis.com
 import org.apache.chemistry.opencmis.commons.impl.UrlBuilder;
 import org.apache.chemistry.opencmis.commons.server.CmisServiceFactory;
 import org.apache.chemistry.opencmis.server.impl.CmisRepositoryContextListener;
+import org.apache.chemistry.opencmis.server.shared.AbstractCmisHttpServlet;
+import org.apache.chemistry.opencmis.server.shared.CallContextHandler;
 import org.apache.chemistry.opencmis.server.shared.CsrfManager;
 import org.apache.chemistry.opencmis.server.shared.Dispatcher;
 import org.apache.commons.lang3.StringEscapeUtils;
@@ -74,6 +76,7 @@ public class CmisWebServicesServlet exte
 
     private Map<String, String> docs;
 
+    private CallContextHandler callContextHandler;
     private CsrfManager csrfManager;
 
     @Override
@@ -93,6 +96,9 @@ public class CmisWebServicesServlet exte
             cmisVersion = CmisVersion.CMIS_1_0;
         }
 
+        // initialize the call context handler
+        callContextHandler = AbstractCmisHttpServlet.loadCallContextHandler(config);
+
         // set up WSDL and XSD documents
         docs = new HashMap<String, String>();
 
@@ -108,6 +114,16 @@ public class CmisWebServicesServlet exte
         super.init(config);
     }
 
+    /**
+     * Returns the {@code CallContextHandler}.
+     * 
+     * @return the {@code CallContextHandler} or {@code null} if it is not
+     *         configured
+     */
+    protected CallContextHandler getCallContextHandler() {
+        return callContextHandler;
+    }
+
     private String readFile(ServletConfig config, String path) throws ServletException {
         InputStream stream = config.getServletContext().getResourceAsStream(path);
         if (stream == null) {
@@ -176,10 +192,10 @@ public class CmisWebServicesServlet exte
 
         String respDoc = doc;
         respDoc = BASE_PATTERN.matcher(respDoc).replaceAll(baseUrl.toString());
-        respDoc = CORE_PATTERN.matcher(respDoc)
-                .replaceAll((new UrlBuilder(baseUrl)).addPath("cmis").addParameter("core").toString());
-        respDoc = MSG_PATTERN.matcher(respDoc)
-                .replaceAll((new UrlBuilder(baseUrl)).addPath("cmis").addParameter("msg").toString());
+        respDoc = CORE_PATTERN.matcher(respDoc).replaceAll(
+                (new UrlBuilder(baseUrl)).addPath("cmis").addParameter("core").toString());
+        respDoc = MSG_PATTERN.matcher(respDoc).replaceAll(
+                (new UrlBuilder(baseUrl)).addPath("cmis").addParameter("msg").toString());
 
         PrintWriter pw = response.getWriter();
         pw.print(respDoc);
@@ -192,12 +208,14 @@ public class CmisWebServicesServlet exte
         response.setContentType("text/html");
         response.setCharacterEncoding(IOUtils.UTF8);
 
-        String urlEscaped = StringEscapeUtils
-                .escapeHtml4((new UrlBuilder(baseUrl)).addPath("cmis").addParameter("wsdl").toString());
+        String urlEscaped = StringEscapeUtils.escapeHtml4((new UrlBuilder(baseUrl)).addPath("cmis")
+                .addParameter("wsdl").toString());
 
         PrintWriter pw = response.getWriter();
 
-        pw.print("<html><head><title>Apache Chemistry OpenCMIS - CMIS " + cmisVersion.value() + " Web Services</title>"
+        pw.print("<html><head><title>Apache Chemistry OpenCMIS - CMIS "
+                + cmisVersion.value()
+                + " Web Services</title>"
                 + "<style><!--H1 {font-size:24px;line-height:normal;font-weight:bold;background-color:#f0f0f0;color:#003366;border-bottom:1px solid #3c78b5;padding:2px;} "
                 + "BODY {font-family:Verdana,arial,sans-serif;color:black;font-size:14px;} "
                 + "HR {color:#3c78b5;height:1px;}--></style></head><body>");
@@ -309,6 +327,7 @@ public class CmisWebServicesServlet exte
      */
     protected void configureInterceptors(Bus bus) {
         bus.getInInterceptors().add(new SoapActionRemoveInterceptor());
+        bus.getInInterceptors().add(new CallContextHandlerInterceptor(getCallContextHandler()));
         bus.getInInterceptors().add(new UsernameTokenInterceptor());
     }
 

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/UsernameTokenInterceptor.java?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/UsernameTokenInterceptor.java (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/impl/webservices/UsernameTokenInterceptor.java Fri Aug 19 14:21:37 2016
@@ -18,17 +18,11 @@
  */
 package org.apache.chemistry.opencmis.server.impl.webservices;
 
-import java.util.HashMap;
-import java.util.Map;
-
 import javax.xml.namespace.QName;
 
 import org.apache.chemistry.opencmis.commons.exceptions.CmisRuntimeException;
-import org.apache.chemistry.opencmis.commons.server.CallContext;
 import org.apache.cxf.binding.soap.SoapMessage;
-import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
 import org.apache.cxf.headers.Header;
-import org.apache.cxf.phase.Phase;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
@@ -39,10 +33,10 @@ import org.w3c.dom.NodeList;
  * This class emulates the behavior of the OpenCMIS server framework 0.13.0 and
  * earlier.
  */
-public class UsernameTokenInterceptor extends AbstractSoapInterceptor {
+public class UsernameTokenInterceptor extends AbstractCallContextInterceptor {
 
     public UsernameTokenInterceptor() {
-        super(Phase.PRE_INVOKE);
+        super();
     }
 
     protected static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
@@ -54,29 +48,28 @@ public class UsernameTokenInterceptor ex
 
     @Override
     public void handleMessage(SoapMessage message) {
-        Header securityHeader = message.getHeader(WSSE_SECURITY);
-        if (securityHeader != null) {
-            if (!(securityHeader.getObject() instanceof Node)) {
-                throw new CmisRuntimeException("Cannot read Security header.");
-            }
+        // don't extract a user, if there is already one
+        if (getCurrentUser(message) == null) {
+            Header securityHeader = message.getHeader(WSSE_SECURITY);
+            if (securityHeader != null) {
+                if (!(securityHeader.getObject() instanceof Node)) {
+                    throw new CmisRuntimeException("Cannot read Security header.");
+                }
+
+                Node usernameTokenNode = getUsernameTokenNode((Node) securityHeader.getObject());
+                if (usernameTokenNode == null) {
+                    return;
+                }
+
+                String username = getUsername(usernameTokenNode);
+                if (username == null) {
+                    return;
+                }
 
-            Node usernameTokenNode = getUsernameTokenNode((Node) securityHeader.getObject());
-            if (usernameTokenNode == null) {
-                return;
-            }
+                String password = getPassword(usernameTokenNode);
 
-            String username = getUsername(usernameTokenNode);
-            if (username == null) {
-                return;
+                setUserAndPassword(message, username, password);
             }
-
-            String password = getPasswordText(usernameTokenNode);
-
-            Map<String, String> callContextMap = new HashMap<String, String>();
-            callContextMap.put(CallContext.USERNAME, username);
-            callContextMap.put(CallContext.PASSWORD, password);
-
-            message.getExchange().getInMessage().put(AbstractService.CALL_CONTEXT_MAP, callContextMap);
         }
     }
 
@@ -94,7 +87,7 @@ public class UsernameTokenInterceptor ex
         return null;
     }
 
-    protected String getPasswordText(Node usernameTokenNode) {
+    protected String getPassword(Node usernameTokenNode) {
         Node node = findElement(usernameTokenNode, WSSE_NS, WSSE_PASSWORD);
 
         if (node != null) {

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AbstractCmisHttpServlet.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AbstractCmisHttpServlet.java?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AbstractCmisHttpServlet.java (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AbstractCmisHttpServlet.java Fri Aug 19 14:21:37 2016
@@ -55,16 +55,7 @@ public abstract class AbstractCmisHttpSe
         super.init(config);
 
         // initialize the call context handler
-        callContextHandler = null;
-        String callContextHandlerClass = config.getInitParameter(PARAM_CALL_CONTEXT_HANDLER);
-        if (callContextHandlerClass != null) {
-            try {
-                callContextHandler = (CallContextHandler) ClassLoaderUtil.loadClass(callContextHandlerClass)
-                        .newInstance();
-            } catch (Exception e) {
-                throw new ServletException("Could not load call context handler: " + e, e);
-            }
-        }
+        callContextHandler = loadCallContextHandler(config);
 
         // get service factory
         factory = CmisRepositoryContextListener.getServiceFactory(config.getServletContext());
@@ -78,6 +69,23 @@ public abstract class AbstractCmisHttpSe
     }
 
     /**
+     * Loads a {@code CallContextHandler} if it is configured in for this
+     * servlet.
+     */
+    public static CallContextHandler loadCallContextHandler(ServletConfig config) throws ServletException {
+        String callContextHandlerClass = config.getInitParameter(PARAM_CALL_CONTEXT_HANDLER);
+        if (callContextHandlerClass != null) {
+            try {
+                return (CallContextHandler) ClassLoaderUtil.loadClass(callContextHandlerClass).newInstance();
+            } catch (Exception e) {
+                throw new ServletException("Could not load call context handler: " + e, e);
+            }
+        }
+
+        return null;
+    }
+
+    /**
      * Sets the binding.
      */
     protected void setBinding(String binding) {

Added: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AttributeCallContextHandler.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AttributeCallContextHandler.java?rev=1756919&view=auto
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AttributeCallContextHandler.java (added)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/AttributeCallContextHandler.java Fri Aug 19 14:21:37 2016
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.chemistry.opencmis.server.shared;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.chemistry.opencmis.commons.server.CallContext;
+
+/**
+ * Call Context handler that takes the user from a request attribute.
+ * 
+ * If the current user is determined in a filter, the filter can set the
+ * following attribute to pass down the user name to OpenCMIS with this
+ * CallContextHandler.
+ * 
+ * <pre>
+ * {@code
+ *  request.setAttribute(AttributeCallContextHandler.USERNAME_ATTRIBUTE, user);
+ * }
+ * </pre>
+ */
+public class AttributeCallContextHandler implements CallContextHandler, Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    public static final String USERNAME_ATTRIBUTE = "org.apache.chemistry.opencmis.server.username";
+
+    /**
+     * Constructor.
+     */
+    public AttributeCallContextHandler() {
+    }
+
+    @Override
+    public Map<String, String> getCallContextMap(HttpServletRequest request) {
+        assert request != null;
+
+        Map<String, String> result = null;
+
+        if (request.getAttribute(USERNAME_ATTRIBUTE) != null) {
+            result = new HashMap<String, String>();
+            result.put(CallContext.USERNAME, request.getAttribute(USERNAME_ATTRIBUTE).toString());
+        }
+
+        return result;
+    }
+}

Modified: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/BasicAuthCallContextHandler.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/BasicAuthCallContextHandler.java?rev=1756919&r1=1756918&r2=1756919&view=diff
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/BasicAuthCallContextHandler.java (original)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/BasicAuthCallContextHandler.java Fri Aug 19 14:21:37 2016
@@ -31,6 +31,14 @@ import org.apache.chemistry.opencmis.com
 
 /**
  * Call Context handler that handles basic authentication.
+ * 
+ * This handler assumes that the user credentials have either already checked
+ * (for example by a Servlet filter) or will be checked later in the CMIS
+ * implementation.
+ * 
+ * Checking the credentials before the request reaches the CMIS implementation
+ * is the preferred option because it prevents malicious clients early from
+ * flooding the server with useless data.
  */
 public class BasicAuthCallContextHandler implements CallContextHandler, Serializable {
 

Added: chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/UserPrincipalCallContextHandler.java
URL: http://svn.apache.org/viewvc/chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/UserPrincipalCallContextHandler.java?rev=1756919&view=auto
==============================================================================
--- chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/UserPrincipalCallContextHandler.java (added)
+++ chemistry/opencmis/trunk/chemistry-opencmis-server/chemistry-opencmis-server-bindings/src/main/java/org/apache/chemistry/opencmis/server/shared/UserPrincipalCallContextHandler.java Fri Aug 19 14:21:37 2016
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.chemistry.opencmis.server.shared;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.chemistry.opencmis.commons.server.CallContext;
+
+/**
+ * Call Context handler that handles UserPrincipals.
+ */
+public class UserPrincipalCallContextHandler implements CallContextHandler, Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Constructor.
+     */
+    public UserPrincipalCallContextHandler() {
+    }
+
+    @Override
+    public Map<String, String> getCallContextMap(HttpServletRequest request) {
+        assert request != null;
+
+        Map<String, String> result = null;
+
+        if (request.getUserPrincipal() != null) {
+            result = new HashMap<String, String>();
+            result.put(CallContext.USERNAME, request.getUserPrincipal().getName());
+        }
+
+        return result;
+    }
+}