Posted to commits@sling.apache.org by fm...@apache.org on 2011/11/23 16:40:22 UTC

svn commit: r1205454 - in /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core: ./ impl/ spi/

Author: fmeschbe
Date: Wed Nov 23 15:40:20 2011
New Revision: 1205454

URL: http://svn.apache.org/viewvc?rev=1205454&view=rev
Log:
SLING-2299 Consolidate utility methods in AuthUtil and constants in AuthConstants and adapt uses. Existing methods (mostly in AbstractAuthenticationHandler) are deprecated but remain implemented, delegating to the new AuthUtil methods. The SlingAuthenticator.isBrowserRequest method (which was wrong) is also replaced by the AuthUtil.isBrowserRequest method (analyzing the User-Agent).

Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java Wed Nov 23 15:40:20 2011
@@ -19,8 +19,8 @@
 package org.apache.sling.auth.core;
 
 /**
- * The <code>AuthConstants</code> provides a collection of constants used
- * to configure and customize the Sling authentication infrastructure.
+ * The <code>AuthConstants</code> provides a collection of constants used to
+ * configure and customize the Sling authentication infrastructure.
  * <p>
  * This class can neither be extended from nor can it be instantiated.
  *
@@ -29,6 +29,29 @@ package org.apache.sling.auth.core;
 public final class AuthConstants {
 
     /**
+     * The name of the request parameter indicating that the submitted username
+     * and password should just be checked and a status code be set for success
+     * (200/OK) or failure (403/FORBIDDEN).
+     *
+     * @see #isValidateRequest(HttpServletRequest)
+     * @see #sendValid(HttpServletResponse)
+     * @see #sendInvalid(HttpServletRequest, HttpServletResponse)
+     */
+    public static final String PAR_J_VALIDATE = "j_validate";
+
+    /**
+     * The name of the request header set by the
+     * {@link #sendInvalid(HttpServletRequest, HttpServletResponse)} method if the provided
+     * credentials cannot be used for login.
+     * <p>
+     * This header may be inspected by clients for a reason why the request
+     * failed.
+     *
+     * @see #sendInvalid(HttpServletRequest, HttpServletResponse)
+     */
+    public static final String X_REASON = "X-Reason";
+
+    /**
      * Service Registration property which may be set by an
      * {@link org.apache.sling.auth.core.spi.AuthenticationHandler} service to
      * indicate whether its
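Review bot: The `@see #isValidateRequest(HttpServletRequest)`, `@see #sendValid(HttpServletResponse)` and `@see #sendInvalid(...)` tags on PAR_J_VALIDATE and X_REASON refer to members of AuthConstants, but those methods are added to AuthUtil in this same commit and AuthConstants imports neither servlet type, so javadoc will report unresolved references. They should be qualified, e.g. `@see AuthUtil#isValidateRequest(javax.servlet.http.HttpServletRequest)` and `@see AuthUtil#sendInvalid(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)`. Because the X-Reason value is echoed verbatim to the client as both a header and the 403 body, the X_REASON doc could also remind handler authors to keep the FAILURE_REASON attribute free of sensitive detail and line breaks; whether any handler currently puts user-derived text there is not visible in this diff.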
@@ -54,6 +77,21 @@ public final class AuthConstants {
      */
     public static final String AUTH_HANDLER_BROWSER_ONLY = "sling.auth.browser-only";
 
+    /**
+     * The name of the request parameter (or request attribute) indicating the
+     * workspace to use.
+     * <p>
+     * The {@link AuthenticationSupport} service implemented by this bundle will
+     * respect this parameter and attribute and ensure the
+     * <code>jcr.user.workspace</code> attribute of the
+     * {@link org.apache.sling.auth.core.spi.AuthenticationInfo} used for
+     * accessing the resource resolver is set to this value (unless the property
+     * has already been set by the
+     * {@link org.apache.sling.auth.core.spi.AuthenticationHandler} providing
+     * the {@link org.apache.sling.auth.core.spi.AuthenticationInfo} instance).
+     */
+    public static final String J_WORKSPACE = "j_workspace";
+
     private AuthConstants() {
     }
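Review bot: The J_WORKSPACE javadoc describes that a request parameter (or attribute) selects the `jcr.user.workspace` used for the resource resolver, but does not say that this value is therefore chosen by the client. A short caveat would help implementers, e.g. `Note: when taken from the request parameter this value is client-supplied; the repository's access control for the authenticated user remains the only thing restricting what the session may reach in the selected workspace.` Whether AuthenticationSupport validates the workspace name before use is not shown in this diff, so the doc should not promise more than it does today.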
 

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java Wed Nov 23 15:40:20 2011
@@ -18,10 +18,23 @@
  */
 package org.apache.sling.auth.core;
 
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
+import org.apache.sling.api.auth.Authenticator;
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.resource.ResourceUtil;
+import org.apache.sling.auth.core.spi.AuthenticationHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -36,11 +49,354 @@ import org.slf4j.LoggerFactory;
  */
 public final class AuthUtil {
 
+    /**
+     * Request header commonly set by Ajax Frameworks to indicate the request is
+     * posted as an Ajax request. The value set is expected to be
+     * {@link #XML_HTTP_REQUEST}.
+     * <p>
+     * This header is known to be set by JQuery, ExtJS and Prototype. Other
+     * client-side JavaScript framework most probably also set it.
+     *
+     * @see #isAjaxRequest(javax.servlet.http.HttpServletRequest)
+     */
+    private static final String X_REQUESTED_WITH = "X-Requested-With";
+
+    /**
+     * The expected value of the {@link #X_REQUESTED_WITH} request header to
+     * identify a request as an Ajax request.
+     *
+     * @see #isAjaxRequest(javax.servlet.http.HttpServletRequest)
+     */
+    private static final String XML_HTTP_REQUEST = "XMLHttpRequest";
+
+    /**
+     * Request header providing the clients user agent information used
+     * by {@link #isBrowserRequest(HttpServletRequest)} to decide whether
+     * a request is probably sent by a browser or not.
+     */
+    private static final String USER_AGENT = "User-Agent";
+
+    /**
+     * String contained in a {@link #USER_AGENT} header indicating a Mozilla
+     * class browser. Examples of such browsers are Firefox (generally Gecko
+     * based browsers), Safari, Chrome (probably generally WebKit based
+     * browsers), and Microsoft IE.
+     */
+    private static final String BROWSER_CLASS_MOZILLA = "Mozilla";
+
+    /**
+     * String contained in a {@link #USER_AGENT} header indicating a Opera class
+     * browser. The only known browser in this class is the Opera browser.
+     */
+    private static final String BROWSER_CLASS_OPERA = "Opera";
+
     // no instantiation
     private AuthUtil() {
     }
 
     /**
+     * Returns the value of the named request attribute or parameter as a string
+     * as follows:
+     * <ol>
+     * <li>If there is a request attribute of that name, which is a non-empty
+     * string, it is returned.</li>If there is a non-empty request parameter of
+     * that name, this parameter is returned.
+     * <li>Otherwise the <code>defaultValue</code> is returned.
+     *
+     * @param request The request from which to return the attribute or request
+     *            parameter
+     * @param name The name of the attribute/parameter
+     * @param defaultValue The default value to use if neither a non-empty
+     *            string attribute or a non-empty parameter exists in the
+     *            request.
+     * @return The attribute, parameter or <code>defaultValue</code> as defined
+     *         above.
+     */
+    public static String getAttributeOrParameter(
+            final HttpServletRequest request, final String name,
+            final String defaultValue) {
+
+        final String resourceAttr = getAttributeString(request, name);
+        if (resourceAttr != null) {
+            return resourceAttr;
+        }
+
+        final String resource = request.getParameter(name);
+        if (resource != null && resource.length() > 0) {
+            return resource;
+        }
+
+        return defaultValue;
+    }
+
+    /**
+     * Returns any resource target to redirect to after successful
+     * authentication. This method either returns a non-empty string or the
+     * <code>defaultLoginResource</code> parameter. First the
+     * <code>resource</code> request attribute is checked. If it is a non-empty
+     * string, it is returned. Second the <code>resource</code> request
+     * parameter is checked and returned if it is a non-empty string.
+     *
+     * @param request The request providing the attribute or parameter
+     * @param defaultLoginResource The default login resource value
+     * @return The non-empty redirection target or
+     *         <code>defaultLoginResource</code>.
+     */
+    public static String getLoginResource(final HttpServletRequest request,
+            String defaultLoginResource) {
+        return getAttributeOrParameter(request, Authenticator.LOGIN_RESOURCE,
+            defaultLoginResource);
+    }
+
+    /**
+     * Ensures and returns the {@link Authenticator#LOGIN_RESOURCE} request
+     * attribute is set to a non-null, non-empty string. If the attribute is not
+     * currently set, this method sets it as follows:
+     * <ol>
+     * <li>If the {@link Authenticator#LOGIN_RESOURCE} request parameter is set
+     * to a non-empty string, that parameter is set</li>
+     * <li>Otherwise if the <code>defaultValue</code> is a non-empty string the
+     * default value is used</li>
+     * <li>Otherwise the attribute is set to "/"</li>
+     * </ol>
+     *
+     * @param request The request to check for the resource attribute
+     * @param defaultValue The default value to use if the attribute is not set
+     *            and the request parameter is not set. This parameter is
+     *            ignored if it is <code>null</code> or an empty string.
+     * @return returns the value of resource request attribute
+     * @since 1.0.2 (Bundle version 1.0.4)
+     */
+    public static String setLoginResourceAttribute(
+            final HttpServletRequest request, final String defaultValue) {
+        String resourceAttr = getAttributeString(request,
+            Authenticator.LOGIN_RESOURCE);
+        if (resourceAttr == null) {
+            final String resourcePar = request.getParameter(Authenticator.LOGIN_RESOURCE);
+            if (resourcePar != null && resourcePar.length() > 0) {
+                resourceAttr = resourcePar;
+            } else if (defaultValue != null && defaultValue.length() > 0) {
+                resourceAttr = defaultValue;
+            } else {
+                resourceAttr = "/";
+            }
+            request.setAttribute(Authenticator.LOGIN_RESOURCE, resourceAttr);
+        }
+        return resourceAttr;
+    }
+
+    /**
+     * Redirects to the given target path appending any parameters provided in
+     * the parameter map.
+     * <p>
+     * This method implements the following functionality:
+     * <ul>
+     * <li>The target path is prefixed with the request's context path to ensure
+     * proper redirection into the same web application. Therefore the
+     * <code>target</code> path parameter must not be prefixed with the context
+     * path.</li>
+     * <li>If the <code>params</code> map does not contain a (non-
+     * <code>null</code>) value for the {@link Authenticator#LOGIN_RESOURCE
+     * resource} entry, such an entry is generated from the request URI and the
+     * (optional) query string of the given <code>request</code>.</li>
+     * <li>The parameters from the <code>params</code> map or at least a single
+     * {@link Authenticator#LOGIN_RESOURCE resource} parameter are added to the
+     * target path for the redirect. Each parameter value is encoded using the
+     * <code>java.net.URLEncoder</code> with UTF-8 encoding to make it safe for
+     * requests</li>
+     * </ul>
+     *
+     * @param request The request object used to get the current request URI and
+     *            request query string if the <code>params</code> map does not
+     *            have the {@link Authenticator#LOGIN_RESOURCE resource}
+     *            parameter set.
+     * @param response The response used to send the redirect to the client.
+     * @param target The target path to redirect the client to. This parameter
+     *            must not be prefixed with the request's context path because
+     *            this will be added by this method. If this parameter is not
+     *            a valid target request as per the
+     *            {@link #isRedirectValid(HttpServletRequest, String)} method
+     *            the target is modified to be the root of the request's context.
+     * @param params The map of parameters to be added to the target path. This
+     *            may be <code>null</code>.
+     * @throws IOException If an error occurs sending the redirect request
+     * @throws IllegalStateException If the response was committed or if a
+     *             partial URL is given and cannot be converted into a valid URL
+     * @throws InternalError If the UTF-8 character encoding is not supported by
+     *             the platform. This should not be caught, because it is a real
+     *             problem if the encoding required by the specification is
+     *             missing.
+     * @since 1.0.2 (Bundle version 1.0.4)
+     * @since 1.0.4 (bundle version 1.0.8) the target is validated with the
+     *      {@link AuthUtil#isRedirectValid(HttpServletRequest, String)} method.
+     */
+    public static void sendRedirect(final HttpServletRequest request,
+            final HttpServletResponse response, final String target,
+            Map<String, String> params) throws IOException {
+        StringBuilder b = new StringBuilder();
+        b.append(request.getContextPath());
+
+        if (AuthUtil.isRedirectValid(request, target)) {
+            b.append(target);
+        } else {
+            b.append("/");
+        }
+
+        if (params == null) {
+            params = new HashMap<String, String>();
+        }
+
+        // ensure the login resource is provided with the redirect
+        if (params.get(Authenticator.LOGIN_RESOURCE) == null) {
+            String resource = request.getRequestURI();
+            if (request.getQueryString() != null) {
+                resource += "?" + request.getQueryString();
+            }
+            params.put(Authenticator.LOGIN_RESOURCE, resource);
+        }
+
+        b.append('?');
+        Iterator<Entry<String, String>> ei = params.entrySet().iterator();
+        while (ei.hasNext()) {
+            Entry<String, String> entry = ei.next();
+            if (entry.getKey() != null && entry.getValue() != null) {
+                try {
+                    b.append(entry.getKey()).append('=').append(
+                        URLEncoder.encode(entry.getValue(), "UTF-8"));
+                } catch (UnsupportedEncodingException uee) {
+                    throw new InternalError(
+                        "Unexpected UnsupportedEncodingException for UTF-8");
+                }
+
+                if (ei.hasNext()) {
+                    b.append('&');
+                }
+            }
+        }
+
+        response.sendRedirect(b.toString());
+    }
+
+    /**
+     * Returns the name request attribute if it is a non-empty string value.
+     *
+     * @param request The request from which to retrieve the attribute
+     * @param name The name of the attribute to return
+     * @return The named request attribute or <code>null</code> if the attribute
+     *         is not set or is not a non-empty string value.
+     */
+    private static String getAttributeString(final HttpServletRequest request,
+            final String name) {
+        Object resObj = request.getAttribute(name);
+        if ((resObj instanceof String) && ((String) resObj).length() > 0) {
+            return (String) resObj;
+        }
+
+        // not set or not a non-empty string
+        return null;
+    }
+
+    /**
+     * Returns <code>true</code> if the the client just asks for validation of
+     * submitted username/password credentials.
+     * <p>
+     * This implementation returns <code>true</code> if the request parameter
+     * {@link #PAR_J_VALIDATE} is set to <code>true</code> (case-insensitve). If
+     * the request parameter is not set or to any value other than
+     * <code>true</code> this method returns <code>false</code>.
+     *
+     * @param request The request to provide the parameter to check
+     * @return <code>true</code> if the {@link #PAR_J_VALIDATE} parameter is set
+     *         to <code>true</code>.
+     * @since 1.0.2 (Bundle version 1.0.4)
+     */
+    public static boolean isValidateRequest(final HttpServletRequest request) {
+        return "true".equalsIgnoreCase(request.getParameter(AuthConstants.PAR_J_VALIDATE));
+    }
+
+    /**
+     * Sends a 200/OK response to a credential validation request.
+     *
+     * @param response The response object
+     * @since 1.0.2 (Bundle version 1.0.4)
+     */
+    public static void sendValid(final HttpServletResponse response) {
+        try {
+            response.setStatus(HttpServletResponse.SC_OK);
+
+            // explicitly tell we have no content but set content type
+            // to prevent firefox from trying to parse the response
+            // (SLING-1841)
+            response.setContentType("text/plain");
+            response.setContentLength(0);
+
+            // prevent the client from aggressively caching the response
+            // (SLING-1841)
+            response.setHeader("Pragma", "no-cache");
+            response.setHeader("Cache-Control", "no-cache");
+            response.addHeader("Cache-Control", "no-store");
+
+            response.flushBuffer();
+        } catch (IOException ioe) {
+            getLog().error("Failed to send 200/OK response", ioe);
+        }
+    }
+
+    /**
+     * Sends a 403/FORBIDDEN response optionally stating the reason for
+     * this response code in the {@link #X_REASON} header. The value for
+     * the {@link #X_REASON} header is taken from
+     * {@link AuthenticationHandler#FAILURE_REASON} request attribute if
+     * set.
+     *
+     * @param request The request object
+     * @param response The response object
+     * @since 1.0.2 (Bundle version 1.0.4)
+     */
+    public static void sendInvalid(final HttpServletRequest request,
+            final HttpServletResponse response) {
+        try {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+
+            Object reason = request.getAttribute(AuthenticationHandler.FAILURE_REASON);
+            if (reason != null) {
+                response.setHeader(AuthConstants.X_REASON, reason.toString());
+                response.setContentType("text/plain");
+                response.setCharacterEncoding("UTF-8");
+                response.getWriter().println(reason);
+            }
+
+            response.flushBuffer();
+        } catch (IOException ioe) {
+            getLog().error("Failed to send 403/Forbidden response", ioe);
+        }
+    }
+
+    /**
+     * Check if the request is for this authentication handler.
+     *
+     * @param request the current request
+     * @return true if the referer matches this handler, or false otherwise
+     */
+    public static boolean checkReferer(HttpServletRequest request, String loginForm) {
+        //SLING-2165: if a Referer header is supplied check if it matches the login path for this handler
+        String referer = request.getHeader("Referer");
+        if (referer != null) {
+            String expectedPath = String.format("%s%s", request.getContextPath(), loginForm);
+            try {
+                URL uri = new URL(referer);
+                if (!expectedPath.equals(uri.getPath())) {
+                    //not for this selector, so let the next one handle it.
+                    return false;
+                }
+            } catch (MalformedURLException e) {
+                getLog().debug("Failed to parse the referer value for the login form " + loginForm, e);
+            }
+        }
+        return true;
+    }
+
+    /**
      * Returns <code>true</code> if the given redirect <code>target</code> is
      * valid according to the following list of requirements:
      * <ul>
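Review bot: `checkReferer` is fail-open and compares only the path: it returns true when no Referer header is present or when `new URL(referer)` throws, and a Referer from any host whose path equals `contextPath + loginForm` passes as well. That is adequate for its stated purpose — deciding which form handler a submission belongs to (SLING-2165) — but the javadoc does not say so, and a caller could mistake it for a CSRF or origin check; the `loginForm` parameter is also undocumented. Suggest adding `@param loginForm the login form path (without context path) served by this handler` and a sentence such as `This is a handler-selection heuristic, not a security check: a missing or unparseable Referer is accepted and only the path is compared.` Separately, the new `{@link #PAR_J_VALIDATE}` and `{@link #X_REASON}` tags in the isValidateRequest and sendInvalid javadoc resolve against AuthUtil although the constants live in AuthConstants, so they should read `{@link AuthConstants#PAR_J_VALIDATE}` and `{@link AuthConstants#X_REASON}`.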
@@ -124,14 +480,29 @@ public final class AuthUtil {
      *         browser.
      */
     public static boolean isBrowserRequest(final HttpServletRequest request) {
-        final String userAgent = request.getHeader("User-Agent");
-        if (userAgent != null && (userAgent.contains("Mozilla") || userAgent.contains("Opera"))) {
+        final String userAgent = request.getHeader(USER_AGENT);
+        if (userAgent != null && (userAgent.contains(BROWSER_CLASS_MOZILLA) || userAgent.contains(BROWSER_CLASS_OPERA))) {
             return true;
         }
         return false;
     }
 
     /**
+     * Returns <code>true</code> if the request is to be considered an AJAX
+     * request placed using the <code>XMLHttpRequest</code> browser host object.
+     * Currently a request is considered an AJAX request if the client sends the
+     * <i>X-Requested-With</i> request header set to <code>XMLHttpRequest</code>
+     * .
+     *
+     * @param request The current request
+     * @return <code>true</code> if the request can be considered an AJAX
+     *         request.
+     */
+    public static boolean isAjaxRequest(final HttpServletRequest request) {
+        return XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH));
+    }
+
+    /**
      * Helper method returning a <i>org.apache.sling.auth.core.AuthUtil</i> logger.
      */
     private static Logger getLog() {
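Review bot: `isBrowserRequest` and `isAjaxRequest` now decide purely on client-supplied headers (a `Mozilla`/`Opera` substring in User-Agent, `X-Requested-With: XMLHttpRequest`), and this commit also removes the Accept-header constant SlingAuthenticator used for its WebDAV detection, so any client can steer the classification. That is acceptable as long as the result only selects the login UX (form redirect vs. challenge), which is how the SlingAuthenticator.doLogin hunk uses it, but the isBrowserRequest javadoc (it starts before this hunk) should state this explicitly, e.g. `Best-effort heuristic on an untrusted header: use it only to choose how login is requested, never to decide whether access is granted.` Any non-browser client that happens to send a Mozilla-style User-Agent will now be treated as a browser and redirected to the form, so it is worth confirming that the WebDAV case the removed Accept check covered still behaves as intended.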

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java Wed Nov 23 15:40:20 2011
@@ -25,7 +25,6 @@ import javax.servlet.http.HttpServletRes
 
 import org.apache.sling.auth.core.AuthConstants;
 import org.apache.sling.auth.core.AuthUtil;
-import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
 import org.apache.sling.auth.core.spi.AuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationInfo;
@@ -146,8 +145,7 @@ final class AuthenticationHandlerHolder 
             return true;
         }
 
-        final String requestLogin = AbstractAuthenticationHandler.getAttributeOrParameter(request,
-            REQUEST_LOGIN_PARAMETER, null);
+        final String requestLogin = AuthUtil.getAttributeOrParameter(request, REQUEST_LOGIN_PARAMETER, null);
         return requestLogin == null || authType.equals(requestLogin);
     }
 }
\ No newline at end of file

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java Wed Nov 23 15:40:20 2011
@@ -25,7 +25,7 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.codec.binary.Base64;
-import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
+import org.apache.sling.auth.core.AuthUtil;
 import org.apache.sling.auth.core.spi.AuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationInfo;
 import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
@@ -171,8 +171,7 @@ class HttpBasicAuthenticationHandler ext
      *         or attribute is set to any value.
      */
     private boolean isLoginRequested(HttpServletRequest request) {
-        return AbstractAuthenticationHandler.getAttributeOrParameter(request,
-            REQUEST_LOGIN_PARAMETER, null) != null;
+        return AuthUtil.getAttributeOrParameter(request, REQUEST_LOGIN_PARAMETER, null) != null;
     }
 
     /**

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java Wed Nov 23 15:40:20 2011
@@ -35,7 +35,7 @@ import org.apache.sling.api.SlingHttpSer
 import org.apache.sling.api.auth.Authenticator;
 import org.apache.sling.api.auth.NoAuthenticationHandlerException;
 import org.apache.sling.api.servlets.SlingAllMethodsServlet;
-import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
+import org.apache.sling.auth.core.AuthUtil;
 import org.osgi.framework.Constants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -79,8 +79,7 @@ public class LoginServlet extends SlingA
         // through the login servlet), redirect to root now assuming we are
         // authenticated.
         if (request.getAuthType() != null) {
-            final String resourcePath = AbstractAuthenticationHandler.getLoginResource(
-                request, null);
+            final String resourcePath = AuthUtil.getLoginResource(request, null);
             if (isSelf(resourcePath)) {
                 String redirectTarget = request.getContextPath() + "/";
                 log.warn(
@@ -96,7 +95,7 @@ public class LoginServlet extends SlingA
             try {
 
                 // set the login resource to select the authenticator
-                AbstractAuthenticationHandler.setLoginResourceAttribute(request, null);
+                AuthUtil.setLoginResourceAttribute(request, null);
                 authenticator.login(request, response);
                 return;
 

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java Wed Nov 23 15:40:20 2011
@@ -32,7 +32,7 @@ import org.apache.sling.api.SlingHttpSer
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.auth.Authenticator;
 import org.apache.sling.api.servlets.SlingAllMethodsServlet;
-import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
+import org.apache.sling.auth.core.AuthUtil;
 import org.osgi.framework.Constants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -71,7 +71,7 @@ public class LogoutServlet extends Sling
         final Authenticator authenticator = this.authenticator;
         if (authenticator != null) {
             try {
-                AbstractAuthenticationHandler.setLoginResourceAttribute(request, null);
+                AuthUtil.setLoginResourceAttribute(request, null);
                 authenticator.logout(request, response);
                 return;
             } catch (IllegalStateException ise) {

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Wed Nov 23 15:40:20 2011
@@ -49,7 +49,6 @@ import org.apache.sling.api.resource.Res
 import org.apache.sling.auth.core.AuthUtil;
 import org.apache.sling.auth.core.AuthenticationSupport;
 import org.apache.sling.auth.core.impl.engine.EngineAuthenticationHandlerHolder;
-import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
 import org.apache.sling.auth.core.spi.AuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationInfo;
@@ -181,34 +180,6 @@ public class SlingAuthenticator implemen
      */
     private static final String AUTH_INFO_PROP_FEEDBACK_HANDLER = "$$sling.auth.AuthenticationFeedbackHandler$$";
 
-    /**
-     * Request header commonly set by Ajax Frameworks to indicate the request is
-     * posted as an Ajax request. The value set is expected to be
-     * {@link #XML_HTTP_REQUEST}.
-     * <p>
-     * This header is known to be set by JQuery, ExtJS and Prototype. Other
-     * client-side JavaScript framework most probably also set it.
-     *
-     * @see #isAjaxRequest(HttpServletRequest)
-     */
-    private static final String X_REQUESTED_WITH = "X-Requested-With";
-
-    /**
-     * The expected value of the {@link #X_REQUESTED_WITH} request header to
-     * identify a request as an Ajax request.
-     *
-     * @see #isAjaxRequest(HttpServletRequest)
-     */
-    private static final String XML_HTTP_REQUEST = "XMLHttpRequest";
-
-    /**
-     * The name of the <code>Accept</code> header which must not exists to
-     * consider a request an initial WebDAV request.
-     *
-     * @see #isBrowserRequest(HttpServletRequest)
-     */
-    private static final String HEADER_ACCEPT = "Accept";
-
     @Reference
     private ResourceResolverFactory resourceResolverFactory;
 
@@ -454,7 +425,7 @@ public class SlingAuthenticator implemen
         if (process && expectAuthenticationHandler(request)) {
             log.warn("handleSecurity: AuthenticationHandler did not block request; access denied");
             request.removeAttribute(AuthenticationHandler.FAILURE_REASON);
-            AbstractAuthenticationHandler.sendInvalid(request, response);
+            AuthUtil.sendInvalid(request, response);
             return false;
         }
 
@@ -486,7 +457,7 @@ public class SlingAuthenticator implemen
         } else if (authInfo == AuthenticationInfo.FAIL_AUTH) {
 
             log.debug("doHandleSecurity: Credentials present but not valid, request authentication again");
-            AbstractAuthenticationHandler.setLoginResourceAttribute(request, request.getRequestURI());
+            AuthUtil.setLoginResourceAttribute(request, request.getRequestURI());
             doLogin(request, response);
             return false;
 
@@ -800,8 +771,8 @@ public class SlingAuthenticator implemen
 
             // client requested validation, which succeeds, thus send
             // success response and close the resolver
-            if (AbstractAuthenticationHandler.isValidateRequest(request)) {
-                AbstractAuthenticationHandler.sendValid(response);
+            if (AuthUtil.isValidateRequest(request)) {
+                AuthUtil.sendValid(response);
                 resolver.close();
                 return false;
             }
@@ -1046,11 +1017,11 @@ public class SlingAuthenticator implemen
     private void doLogin(HttpServletRequest request,
             HttpServletResponse response) {
 
-        if (!AbstractAuthenticationHandler.isValidateRequest(request)) {
+        if (!AuthUtil.isValidateRequest(request)) {
 
-            if (isBrowserRequest(request) && !isLoginLoop(request)) {
+            if (AuthUtil.isBrowserRequest(request) && !isLoginLoop(request)) {
 
-                if (!isAjaxRequest(request)) {
+                if (!AuthUtil.isAjaxRequest(request)) {
                     try {
 
                         login(request, response);
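Review bot: The switch to `AuthUtil.isBrowserRequest` on the second changed line changes which requests get the login form: the old local helper only tested for the presence of an Accept header, and the replacement is described in the commit as analysing the User-Agent, yet nothing in the hunk records that this branch now depends on a different, client-supplied header. Both User-Agent and the X-Requested-With header behind `AuthUtil.isAjaxRequest` are chosen by the client, so this block must be read as a presentation choice (render the form or fall through to the 403 path) and never as an authorization decision; a comment makes that explicit, e.g. `// User-Agent / X-Requested-With are client-controlled: this only selects form vs. 403 and grants nothing`. doLogin's body continues past the end of the hunk, so the fall-through path is not visible here.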
@@ -1099,34 +1070,7 @@ public class SlingAuthenticator implemen
         ensureAttribute(request, AuthenticationHandler.FAILURE_REASON,
             "Authentication Failed");
 
-        AbstractAuthenticationHandler.sendInvalid(request, response);
-    }
-
-    /**
-     * Determine if this request comes from a web browser which accepts
-     * anything.
-     *
-     * @param request The current request
-     * @return <code>true</code> if the request can be considered a browser
-     *         request.
-     */
-    private boolean isBrowserRequest(final HttpServletRequest request) {
-        return request.getHeader(HEADER_ACCEPT) != null;
-    }
-
-    /**
-     * Returns <code>true</code> if the request is to be considered an AJAX
-     * request placed using the <code>XMLHttpRequest</code> browser host object.
-     * Currently a request is considered an AJAX request if the client sends the
-     * <i>X-Requested-With</i> request header set to <code>XMLHttpRequest</code>
-     * .
-     *
-     * @param request The current request
-     * @return <code>true</code> if the request can be considered an AJAX
-     *         request.
-     */
-    private boolean isAjaxRequest(final HttpServletRequest request) {
-        return XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH));
+        AuthUtil.sendInvalid(request, response);
     }
 
     /**
@@ -1378,7 +1322,7 @@ public class SlingAuthenticator implemen
 
         // find the redirect target from the resource attribute or parameter
         // falling back to the request context path (or /) if not set or invalid
-        String target = AbstractAuthenticationHandler.getLoginResource(request, request.getContextPath());
+        String target = AuthUtil.getLoginResource(request, request.getContextPath());
         if (!AuthUtil.isRedirectValid(request, target)) {
             log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", target);
             target = "/";

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java Wed Nov 23 15:40:20 2011
@@ -27,6 +27,8 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.sling.auth.core.AuthUtil;
+
 /**
  * The <code>AbstractAuthenticationFormServlet</code> provides a basic
  * implementation of a simple servlet to render a login form for authentication
@@ -132,7 +134,7 @@ public abstract class AbstractAuthentica
         form = form.replace("${j_reason}", getReason(request));
         form = form.replace("${requestContextPath}", getContextPath(request));
         form = form.replace("${contextPath}", request.getContextPath());
-        
+
         return form;
     }
 
@@ -146,7 +148,7 @@ public abstract class AbstractAuthentica
      *         if no specific target has been requested.
      */
     protected String getResource(final HttpServletRequest request) {
-        return AbstractAuthenticationHandler.getLoginResource(request, "");
+        return AuthUtil.getLoginResource(request, "");
     }
 
     /**
@@ -180,7 +182,7 @@ public abstract class AbstractAuthentica
         if (query > 0) {
             contextPath = contextPath.substring(0, query);
         }
-        
+
         return removeEndingSlash(contextPath);
     }
 

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java?rev=1205454&r1=1205453&r2=1205454&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java Wed Nov 23 15:40:20 2011
@@ -19,55 +19,26 @@
 package org.apache.sling.auth.core.spi;
 
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.util.HashMap;
-import java.util.Iterator;
 import java.util.Map;
-import java.util.Map.Entry;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.sling.api.auth.Authenticator;
 import org.apache.sling.auth.core.AuthUtil;
-import org.slf4j.LoggerFactory;
 
 /**
  * The <code>AbstractAuthenticationHandler</code> implements the
  * <code>AuthenticationHandler</code> interface and extends the
  * {@link DefaultAuthenticationFeedbackHandler} providing some helper methods
  * which may be used by authentication handlers.
+ *
+ * @deprecated since Bundle 1.0.8; {@link AuthenticationHandler} implementations
+ *             should extend {@link DefaultAuthenticationFeedbackHandler}
+ *             directly and use the utility methods in the {@link AuthUtil}
+ *             class.
  */
-public abstract class AbstractAuthenticationHandler extends
-        DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
-
-    /**
-     * The name of the request parameter indicating that the submitted username
-     * and password should just be checked and a status code be set for success
-     * (200/OK) or failure (403/FORBIDDEN).
-     *
-     * @see #isValidateRequest(HttpServletRequest)
-     * @see #sendValid(HttpServletResponse)
-     * @see #sendInvalid(HttpServletRequest, HttpServletResponse)
-     * @since 1.0.2 (Bundle version 1.0.4)
-     */
-    private static final String PAR_J_VALIDATE = "j_validate";
-
-    /**
-     * The name of the request header set by the
-     * {@link #sendInvalid(HttpServletRequest, HttpServletResponse)} method if the provided
-     * credentials cannot be used for login.
-     * <p>
-     * This header may be inspected by clients for a reason why the request
-     * failed.
-     *
-     * @see #sendInvalid(HttpServletRequest, HttpServletResponse)
-     * @since 1.0.2 (Bundle version 1.0.4)
-     */
-    private static final String X_REASON = "X-Reason";
+@Deprecated
+public abstract class AbstractAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements
+        AuthenticationHandler {
 
     /**
      * Returns the value of the named request attribute or parameter as a string
@@ -86,22 +57,13 @@ public abstract class AbstractAuthentica
      *            request.
      * @return The attribute, parameter or <code>defaultValue</code> as defined
      *         above.
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#getAttributeOrParameter(HttpServletRequest, String, String)}
      */
-    public static String getAttributeOrParameter(
-            final HttpServletRequest request, final String name,
+    @Deprecated
+    public static String getAttributeOrParameter(final HttpServletRequest request, final String name,
             final String defaultValue) {
-
-        final String resourceAttr = getAttributeString(request, name);
-        if (resourceAttr != null) {
-            return resourceAttr;
-        }
-
-        final String resource = request.getParameter(name);
-        if (resource != null && resource.length() > 0) {
-            return resource;
-        }
-
-        return defaultValue;
+        return AuthUtil.getAttributeOrParameter(request, name, defaultValue);
     }
 
     /**
@@ -116,11 +78,12 @@ public abstract class AbstractAuthentica
      * @param defaultLoginResource The default login resource value
      * @return The non-empty redirection target or
      *         <code>defaultLoginResource</code>.
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#getLoginResource(HttpServletRequest, String)}
      */
-    public static String getLoginResource(final HttpServletRequest request,
-            String defaultLoginResource) {
-        return getAttributeOrParameter(request, Authenticator.LOGIN_RESOURCE,
-            defaultLoginResource);
+    @Deprecated
+    public static String getLoginResource(final HttpServletRequest request, String defaultLoginResource) {
+        return AuthUtil.getLoginResource(request, defaultLoginResource);
     }
 
     /**
@@ -141,23 +104,12 @@ public abstract class AbstractAuthentica
      *            ignored if it is <code>null</code> or an empty string.
      * @return returns the value of resource request attribute
      * @since 1.0.2 (Bundle version 1.0.4)
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#setLoginResourceAttribute(HttpServletRequest, String)}
      */
-    public static String setLoginResourceAttribute(
-            final HttpServletRequest request, final String defaultValue) {
-        String resourceAttr = getAttributeString(request,
-            Authenticator.LOGIN_RESOURCE);
-        if (resourceAttr == null) {
-            final String resourcePar = request.getParameter(Authenticator.LOGIN_RESOURCE);
-            if (resourcePar != null && resourcePar.length() > 0) {
-                resourceAttr = resourcePar;
-            } else if (defaultValue != null && defaultValue.length() > 0) {
-                resourceAttr = defaultValue;
-            } else {
-                resourceAttr = "/";
-            }
-            request.setAttribute(Authenticator.LOGIN_RESOURCE, resourceAttr);
-        }
-        return resourceAttr;
+    @Deprecated
+    public static String setLoginResourceAttribute(final HttpServletRequest request, final String defaultValue) {
+        return AuthUtil.setLoginResourceAttribute(request, defaultValue);
     }
 
     /**
@@ -188,10 +140,11 @@ public abstract class AbstractAuthentica
      * @param response The response used to send the redirect to the client.
      * @param target The target path to redirect the client to. This parameter
      *            must not be prefixed with the request's context path because
-     *            this will be added by this method. If this parameter is not
-     *            a valid target request as per the
+     *            this will be added by this method. If this parameter is not a
+     *            valid target request as per the
      *            {@link #isRedirectValid(HttpServletRequest, String)} method
-     *            the target is modified to be the root of the request's context.
+     *            the target is modified to be the root of the request's
+     *            context.
      * @param params The map of parameters to be added to the target path. This
      *            may be <code>null</code>.
      * @throws IOException If an error occurs sending the redirect request
@@ -203,53 +156,15 @@ public abstract class AbstractAuthentica
      *             missing.
      * @since 1.0.2 (Bundle version 1.0.4)
      * @since 1.0.4 (bundle version 1.0.8) the target is validated with the
-     *      {@link AuthUtil#isRedirectValid(HttpServletRequest, String)} method.
+     *        {@link AuthUtil#isRedirectValid(HttpServletRequest, String)}
+     *        method.
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#sendRedirect(HttpServletRequest, HttpServletResponse, String, Map)}
      */
-    public static void sendRedirect(final HttpServletRequest request,
-            final HttpServletResponse response, final String target,
-            Map<String, String> params) throws IOException {
-        StringBuilder b = new StringBuilder();
-        b.append(request.getContextPath());
-
-        if (AuthUtil.isRedirectValid(request, target)) {
-            b.append(target);
-        } else {
-            b.append("/");
-        }
-
-        if (params == null) {
-            params = new HashMap<String, String>();
-        }
-
-        // ensure the login resource is provided with the redirect
-        if (params.get(Authenticator.LOGIN_RESOURCE) == null) {
-            String resource = request.getRequestURI();
-            if (request.getQueryString() != null) {
-                resource += "?" + request.getQueryString();
-            }
-            params.put(Authenticator.LOGIN_RESOURCE, resource);
-        }
-
-        b.append('?');
-        Iterator<Entry<String, String>> ei = params.entrySet().iterator();
-        while (ei.hasNext()) {
-            Entry<String, String> entry = ei.next();
-            if (entry.getKey() != null && entry.getValue() != null) {
-                try {
-                    b.append(entry.getKey()).append('=').append(
-                        URLEncoder.encode(entry.getValue(), "UTF-8"));
-                } catch (UnsupportedEncodingException uee) {
-                    throw new InternalError(
-                        "Unexpected UnsupportedEncodingException for UTF-8");
-                }
-
-                if (ei.hasNext()) {
-                    b.append('&');
-                }
-            }
-        }
-
-        response.sendRedirect(b.toString());
+    @Deprecated
+    public static void sendRedirect(final HttpServletRequest request, final HttpServletResponse response,
+            final String target, Map<String, String> params) throws IOException {
+        AuthUtil.sendRedirect(request, response, target, params);
     }
 
     /**
@@ -257,16 +172,14 @@ public abstract class AbstractAuthentica
      * valid according to the following list of requirements:
      * <ul>
      * <li>The <code>target</code> is neither <code>null</code> nor an empty
-     *   string</li>
+     * string</li>
      * <li>The <code>target</code> is not an URL which is identified by the
-     *   character sequence <code>://</code> separating the scheme from the
-     *   host</li>
+     * character sequence <code>://</code> separating the scheme from the host</li>
      * <li>If a <code>ResourceResolver</code> is available as a request
-     *   attribute the <code>target</code> must resolve to an existing resource
-     *   </li>
+     * attribute the <code>target</code> must resolve to an existing resource</li>
      * <li>If a <code>ResourceResolver</code> is <i>not</i> available as a
-     *   request attribute the <code>target</code> must be an absolute path
-     *   starting with a slash character</li>
+     * request attribute the <code>target</code> must be an absolute path
+     * starting with a slash character</li>
      * </ul>
      * <p>
      * If any of the conditions does not hold, the method returns
@@ -274,43 +187,22 @@ public abstract class AbstractAuthentica
      * <i>org.apache.sling.auth.core.spi.AbstractAuthenticationHandler</i>
      * logger.
      *
-     *
-     * @param request Providing the <code>ResourceResolver</code> attribute
-     *   and the context to resolve the resource from the <code>target</code>.
-     *   This may be <code>null</code> which cause the target to not be
-     *   validated with a <code>ResoureResolver</code>
+     * @param request Providing the <code>ResourceResolver</code> attribute and
+     *            the context to resolve the resource from the
+     *            <code>target</code>. This may be <code>null</code> which cause
+     *            the target to not be validated with a
+     *            <code>ResoureResolver</code>
      * @param target The redirect target to validate
-     * @return <code>true</code> if the redirect target can be considered
-     *  valid
-     *
-     * @since 1.0.4 (bundle version 1.0.8)
+     * @return <code>true</code> if the redirect target can be considered valid
+     * @since 1.0.4 (bundle version 1.0.8), use
+     *        {@link AuthUtil#isRedirectValid(HttpServletRequest, String)}
      */
     @Deprecated
-    public static boolean isRedirectValid(final HttpServletRequest request,
-            final String target) {
+    public static boolean isRedirectValid(final HttpServletRequest request, final String target) {
         return AuthUtil.isRedirectValid(request, target);
     }
 
     /**
-     * Returns the name request attribute if it is a non-empty string value.
-     *
-     * @param request The request from which to retrieve the attribute
-     * @param name The name of the attribute to return
-     * @return The named request attribute or <code>null</code> if the attribute
-     *         is not set or is not a non-empty string value.
-     */
-    private static String getAttributeString(final HttpServletRequest request,
-            final String name) {
-        Object resObj = request.getAttribute(name);
-        if ((resObj instanceof String) && ((String) resObj).length() > 0) {
-            return (String) resObj;
-        }
-
-        // not set or not a non-empty string
-        return null;
-    }
-
-    /**
      * Returns <code>true</code> if the the client just asks for validation of
      * submitted username/password credentials.
      * <p>
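Review bot: The rewritten Javadoc on isRedirectValid folds the replacement hint into the `@since` tag (`@since 1.0.4 (bundle version 1.0.8), use {@link AuthUtil#isRedirectValid(HttpServletRequest, String)}`), while every other delegate in this file carries a separate `@deprecated since Bundle 1.0.8, use …` tag; the method is annotated `@Deprecated` but its Javadoc never says so, which javadoc and IDEs flag as an annotation/tag mismatch. Split it into `@since 1.0.4 (bundle version 1.0.8)` and `@deprecated since Bundle 1.0.8, use {@link AuthUtil#isRedirectValid(HttpServletRequest, String)}` to match the siblings.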
@@ -323,9 +215,12 @@ public abstract class AbstractAuthentica
      * @return <code>true</code> if the {@link #PAR_J_VALIDATE} parameter is set
      *         to <code>true</code>.
      * @since 1.0.2 (Bundle version 1.0.4)
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#isValidateRequest(HttpServletRequest)}
      */
+    @Deprecated
     public static boolean isValidateRequest(final HttpServletRequest request) {
-        return "true".equalsIgnoreCase(request.getParameter(PAR_J_VALIDATE));
+        return AuthUtil.isValidateRequest(request);
     }
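Review bot: The context line `@return <code>true</code> if the {@link #PAR_J_VALIDATE} parameter is set` still links a private constant that this commit deletes in the first hunk of the file, so the reference no longer resolves; the same applies to the two `{@link #X_REASON}` references in the rewritten sendInvalid Javadoc in the last hunk, whose constant is removed alongside it. Replace them with plain text, `<code>j_validate</code>` here and `<code>X-Reason</code>` in sendInvalid, or link the public equivalents if the consolidated constants class exposes them.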
 
     /**
@@ -333,81 +228,28 @@ public abstract class AbstractAuthentica
      *
      * @param response The response object
      * @since 1.0.2 (Bundle version 1.0.4)
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#sendValid(HttpServletResponse)}
      */
+    @Deprecated
     public static void sendValid(final HttpServletResponse response) {
-        try {
-            response.setStatus(HttpServletResponse.SC_OK);
-
-            // explicitly tell we have no content but set content type
-            // to prevent firefox from trying to parse the response
-            // (SLING-1841)
-            response.setContentType("text/plain");
-            response.setContentLength(0);
-
-            // prevent the client from aggressively caching the response
-            // (SLING-1841)
-            response.setHeader("Pragma", "no-cache");
-            response.setHeader("Cache-Control", "no-cache");
-            response.addHeader("Cache-Control", "no-store");
-
-            response.flushBuffer();
-        } catch (IOException ioe) {
-            // TODO: log.error("Failed to send 200/OK response", ioe);
-        }
+        AuthUtil.sendValid(response);
     }
 
     /**
-     * Sends a 403/FORBIDDEN response optionally stating the reason for
-     * this response code in the {@link #X_REASON} header. The value for
-     * the {@link #X_REASON} header is taken from
-     * {@link AuthenticationHandler#FAILURE_REASON} request attribute if
-     * set.
+     * Sends a 403/FORBIDDEN response optionally stating the reason for this
+     * response code in the {@link #X_REASON} header. The value for the
+     * {@link #X_REASON} header is taken from
+     * {@link AuthenticationHandler#FAILURE_REASON} request attribute if set.
      *
      * @param request The request object
      * @param response The response object
      * @since 1.0.2 (Bundle version 1.0.4)
+     * @deprecated since Bundle 1.0.8, use
+     *             {@link AuthUtil#sendInvalid(HttpServletRequest, HttpServletResponse)}
      */
-    public static void sendInvalid(final HttpServletRequest request,
-            final HttpServletResponse response) {
-        try {
-            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-
-            Object reason = request.getAttribute(AuthenticationHandler.FAILURE_REASON);
-            if (reason != null) {
-                response.setHeader(X_REASON, reason.toString());
-                response.setContentType("text/plain");
-                response.setCharacterEncoding("UTF-8");
-                response.getWriter().println(reason);
-            }
-
-            response.flushBuffer();
-        } catch (IOException ioe) {
-            // TODO: log.error("Failed to send 403/Forbidden response", ioe);
-        }
+    @Deprecated
+    public static void sendInvalid(final HttpServletRequest request, final HttpServletResponse response) {
+        AuthUtil.sendInvalid(request, response);
     }
-
-	/**
-	 * Check if the request is for this authentication handler.
-	 *
-	 * @param request the current request
-	 * @return true if the referer matches this handler, or false otherwise
-	 */
-	public static boolean checkReferer(HttpServletRequest request, String loginForm) {
-		//SLING-2165: if a Referer header is supplied check if it matches the login path for this handler
-        String referer = request.getHeader("Referer");
-        if (referer != null) {
-        	String expectedPath = String.format("%s%s", request.getContextPath(), loginForm);
-        	try {
-            	URL uri = new URL(referer);
-            	if (!expectedPath.equals(uri.getPath())) {
-            		//not for this selector, so let the next one handle it.
-            		return false;
-            	}
-        	} catch (MalformedURLException e) {
-        		LoggerFactory.getLogger(AbstractAuthenticationHandler.class)
-        			.debug("Failed to parse the referer value for the login form " + loginForm, e);
-        	}
-        }
-        return true;
-	}
 }
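Review bot: `checkReferer` is deleted outright at the end of the hunk while every other public static method in this class is kept as a `@Deprecated` delegate, so an external handler still calling `AbstractAuthenticationHandler.checkReferer(request, loginForm)` (the SLING-2165 referer check) fails with a NoSuchMethodError at runtime instead of a deprecation warning. If the check moved to AuthUtil, keep a deprecated delegate here as for the other methods; if it was dropped on purpose, the class-level `@deprecated` text should say that the referer check has no replacement so handlers know to reimplement it.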