Posted to commits@sling.apache.org by fm...@apache.org on 2011/12/05 10:45:39 UTC
svn commit: r1210380 -
/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
Author: fmeschbe
Date: Mon Dec 5 09:45:38 2011
New Revision: 1210380
URL: http://svn.apache.org/viewvc?rev=1210380&view=rev
Log:
SLING-2318 Properly check whether the response is committed and reset the output buffer before generating the response.
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java?rev=1210380&r1=1210379&r2=1210380&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java Mon Dec 5 09:45:38 2011
@@ -205,6 +205,11 @@ public final class AuthUtil {
* <code>java.net.URLEncoder</code> with UTF-8 encoding to make it safe for
* requests</li>
* </ul>
+ * <p>
+ * After checking the redirect target and creating the target URL from the
+ * parameter map, the response buffer is reset and the
+ * <code>HttpServletResponse.sendRedirect</code> is called. Any headers
+ * already set before calling this method are preserved.
*
* @param request The request object used to get the current request URI and
* request query string if the <code>params</code> map does not
@@ -213,10 +218,11 @@ public final class AuthUtil {
* @param response The response used to send the redirect to the client.
* @param target The target path to redirect the client to. This parameter
* must not be prefixed with the request's context path because
- * this will be added by this method. If this parameter is not
- * a valid target request as per the
+ * this will be added by this method. If this parameter is not a
+ * valid target request as per the
* {@link #isRedirectValid(HttpServletRequest, String)} method
- * the target is modified to be the root of the request's context.
+ * the target is modified to be the root of the request's
+ * context.
* @param params The map of parameters to be added to the target path. This
* may be <code>null</code>.
* @throws IOException If an error occurs sending the redirect request
@@ -228,11 +234,15 @@ public final class AuthUtil {
* missing.
* @since 1.0.2 (Bundle version 1.0.4)
* @since 1.0.4 (bundle version 1.0.8) the target is validated with the
- * {@link AuthUtil#isRedirectValid(HttpServletRequest, String)} method.
+ * {@link AuthUtil#isRedirectValid(HttpServletRequest, String)}
+ * method.
*/
public static void sendRedirect(final HttpServletRequest request,
final HttpServletResponse response, final String target,
Map<String, String> params) throws IOException {
+
+ checkAndReset(response);
+
StringBuilder b = new StringBuilder();
b.append(request.getContextPath());
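Review bot: sendRedirect now throws IllegalStateException through checkAndReset, but its Javadoc still lists only `@throws IOException`, while sendValid and sendInvalid in the later hunks document the new exception. Add ` * @throws IllegalStateException if the response has already been committed` next to the existing `@throws IOException` tag, and the new `<p>` paragraph in the first hunk could say the same so callers know the method must run before any output is committed. The body of sendRedirect continues past the end of this hunk.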
@@ -316,11 +326,18 @@ public final class AuthUtil {
/**
* Sends a 200/OK response to a credential validation request.
+ * <p>
+ * This method just overwrites the response status to 200/OK, sends no
+ * content (content length header set to zero) and prevents caching on
+ * clients and proxies. Any other response headers set before calling this
+ * methods are preserved and sent along with the response.
*
* @param response The response object
+ * @throws IllegalStateException if the response has already been committed
* @since 1.0.2 (Bundle version 1.0.4)
*/
public static void sendValid(final HttpServletResponse response) {
+ checkAndReset(response);
try {
response.setStatus(HttpServletResponse.SC_OK);
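Review bot: The new Javadoc sentence "Any other response headers set before calling this methods are preserved" has a number disagreement; it should read `calling this method`. The same wording is repeated in the sendInvalid Javadoc in the next hunk. The statements about a zero content-length and cache prevention describe code beyond this hunk, so I could not confirm them here; the rest of sendValid's body lies outside the hunk.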
@@ -343,18 +360,24 @@ public final class AuthUtil {
}
/**
- * Sends a 403/FORBIDDEN response optionally stating the reason for
- * this response code in the {@link #X_REASON} header. The value for
- * the {@link #X_REASON} header is taken from
- * {@link AuthenticationHandler#FAILURE_REASON} request attribute if
- * set.
+ * Sends a 403/FORBIDDEN response optionally stating the reason for this
+ * response code in the {@link #X_REASON} header. The value for the
+ * {@link #X_REASON} header is taken from
+ * {@link AuthenticationHandler#FAILURE_REASON} request attribute if set.
+ * <p>
+ * This method just overwrites the response status to 403/FORBIDDEN, adds
+ * the {@link AuthConstants#X_REASON} header and sends the reason as result
+ * back. Any other response headers set before calling this methods are
+ * preserved and sent along with the response.
*
* @param request The request object
* @param response The response object
+ * @throws IllegalStateException if the response has already been committed
* @since 1.0.2 (Bundle version 1.0.4)
*/
public static void sendInvalid(final HttpServletRequest request,
final HttpServletResponse response) {
+ checkAndReset(response);
try {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
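Review bot: The rewritten Javadoc refers to the header constant in two different ways within the same comment, `{@link #X_REASON}` in the first paragraph and `{@link AuthConstants#X_REASON}` in the added one. If both names resolve to the same constant, pick one form (the existing `{@link #X_REASON}`) so the generated documentation does not suggest two distinct headers. The body of sendInvalid continues outside the hunk.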
@@ -503,6 +526,21 @@ public final class AuthUtil {
}
/**
+ * Checks whether the response has already been committed. If so an
+ * <code>IllegalStateException</code> is thrown. Otherwise the response
+ * buffer is cleared leaving any headers and status already set untouched.
+ *
+ * @param response The response to check and reset.
+ * @throws IllegalStateException if the response has already been committed
+ */
+ private static void checkAndReset(final HttpServletResponse response) {
+ if (response.isCommitted()) {
+ throw new IllegalStateException("Response is already committed");
+ }
+ response.resetBuffer();
+ }
+
+ /**
* Helper method returning a <i>org.apache.sling.auth.core.AuthUtil</i> logger.
*/
private static Logger getLog() {
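Review bot: The explicit isCommitted() check in checkAndReset duplicates a guarantee the Servlet API already gives, since resetBuffer() itself throws IllegalStateException once the response is committed; keeping the check is reasonable for a stable, descriptive message, but that intent should be stated so a later maintainer does not remove one or the other as redundant. A one-line comment above the check such as `// resetBuffer() would also throw, but with a container-specific message` would capture it. The Javadoc could also note that this is the shared precondition for sendRedirect, sendValid and sendInvalid, which is why only the body buffer and not the headers is cleared.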