Posted to commits@sling.apache.org by fm...@apache.org on 2010/09/13 14:12:34 UTC
svn commit: r996509 -
/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
Author: fmeschbe
Date: Mon Sep 13 12:12:34 2010
New Revision: 996509
URL: http://svn.apache.org/viewvc?rev=996509&view=rev
Log:
Revert changes from commit 996477 which were not intended to go into that commit (they relate to handling auth failures for XHR requests and to cookie handling)
Modified:
sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
Modified: sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java?rev=996509&r1=996508&r2=996509&view=diff
==============================================================================
--- sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java Mon Sep 13 12:12:34 2010
@@ -330,26 +330,13 @@ public class FormAuthenticationHandler e
if (authData != null) {
if (tokenStore.isValid(authData)) {
info = createAuthInfo(authData);
- } else if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
- // signal to AJAX the request is forbidden
- try {
- response.sendError(
- HttpServletResponse.SC_REQUEST_TIMEOUT,
- "Session Timeout, please login");
- response.flushBuffer();
- } catch (IOException ioe) {
- // TODO: log !!
- }
- return AuthenticationInfo.DOING_AUTH;
} else {
if (this.loginAfterExpire) {
- // signal the requestCredentials method a previous login
- // failure
+ // signal the requestCredentials method a previous login failure
request.setAttribute(PAR_J_REASON, FormReason.TIMEOUT);
info = AuthenticationInfo.FAIL_AUTH;
}
- // clear the cookie, its invalid and we should get rid of it
- // so that the invalid cookie
+ // clear the cookie, its invalid and we should get rid of it so that the invalid cookie
// isn't present on the authN operation.
authStorage.clear(request, response);
}
@@ -904,15 +891,6 @@ public class FormAuthenticationHandler e
* {@link CookieAuthData} in an HTTP Cookie.
*/
private static class CookieStorage implements AuthenticationStorage {
-
- /**
- * The Set-Cookie header used to manage the login cookie.
- *
- * @see CookieStorage#setCookie(HttpServletRequest, HttpServletResponse,
- * String, String, int, String)
- */
- private static final String HEADER_SET_COOKIE = "Set-Cookie";
-
private final String cookieName;
private final String domainCookieName;
private final String defaultCookieDomain;
@@ -934,11 +912,8 @@ public class FormAuthenticationHandler e
// reverse the base64 encoding
try {
- String result = new String(
- Base64.decodeBase64(value), "UTF-8");
- if (result.length() > 0) {
- return result;
- }
+ return new String(Base64.decodeBase64(value),
+ "UTF-8");
} catch (UnsupportedEncodingException e1) {
throw new RuntimeException(e1);
}
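Review bot: The new side returns whatever `Base64.decodeBase64(value)` yields, including an empty string when the cookie value is empty or contains no base64 characters, so the caller receives a non-null authData for a cookie that carries nothing; if I read commons-codec right its decoder is lenient and skips characters outside its alphabet, and `new String(bytes, "UTF-8")` substitutes malformed sequences rather than failing. That leaves `tokenStore.isValid` (hunk at line 330) as the only place an empty or garbage cookie is rejected, which is acceptable only if it is strict about empty and malformed input. A comment such as `// decoding never fails: empty or malformed cookie values still reach tokenStore.isValid()` would make that dependency explicit for the next reader. The enclosing method starts and ends outside the hunk.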
@@ -1008,37 +983,14 @@ public class FormAuthenticationHandler e
? "/"
: ctxPath;
- /*
- * The Servlet Spec 2.5 does not allow us to set the commonly used
- * HttpOnly attribute on cookies (Servlet API 3.0 does) so we create
- * the Set-Cookie header manually. See
- * http://www.owasp.org/index.php/HttpOnly for information on what
- * the HttpOnly attribute is used for.
- */
-
- final StringBuilder header = new StringBuilder();
-
- // default setup with name, value, cookie path and HttpOnly
- header.append(name).append('=').append(value);
- header.append(";Path=").append(cookiePath);
- header.append(";HttpOnly"); // don't allow JS access
-
- // set the cookie domain if so configured
+ Cookie cookie = new Cookie(name, value);
if (domain != null) {
- header.append(";Domain=").append(domain);
+ cookie.setDomain(domain);
}
-
- // Only set the Max-Age attribute to remove the cookie
- if (age == 0) {
- header.append(";Max-Age=").append(age);
- }
-
- // ensure the cookie is secured if this is an https request
- if (request.isSecure()) {
- header.append(";Secure");
- }
-
- response.addHeader(HEADER_SET_COOKIE, header.toString());
+ cookie.setMaxAge(age);
+ cookie.setPath(cookiePath);
+ cookie.setSecure(request.isSecure());
+ response.addCookie(cookie);
}
}
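Review bot: The Cookie-API form on the new side (`new Cookie(name, value)` through `response.addCookie(cookie)`) has no way to emit the HttpOnly attribute under Servlet 2.5, so the login token cookie is readable from page script and any XSS on the site can lift it; the removed comment spelled this out and the revert drops that context with it. Since the revert is deliberate, the method's Javadoc (outside the hunk) should at least record the limitation, e.g. `* NOTE: the Servlet 2.5 Cookie API cannot set HttpOnly, so this cookie is exposed to script.` A second difference worth checking is `cookie.setMaxAge(age)`: a positive age now makes the token a persistent cookie that survives a browser restart, whereas the removed code only sent Max-Age when deleting the cookie, and whether callers pass a positive age is not visible here. `cookie.setSecure(request.isSecure())` is reasonable, but a cookie issued over plain HTTP will still be replayed on later HTTPS requests. setCookie's signature starts outside the hunk.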