Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/08/04 13:24:22 UTC
svn commit: r1755181 - in
/tomcat/trunk/java/org/apache/catalina/authenticator:
AuthenticatorBase.java FormAuthenticator.java
Author: markt
Date: Thu Aug 4 13:24:22 2016
New Revision: 1755181
URL: http://svn.apache.org/viewvc?rev=1755181&view=rev
Log:
Move the FORM specific checks to the FormAuthenticator
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1755181&r1=1755180&r2=1755181&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Aug 4 13:24:22 2016
@@ -465,43 +465,7 @@ public abstract class AuthenticatorBase
}
}
- // Special handling for form-based logins to deal with the case
- // where the login form (and therefore the "j_security_check" URI
- // to which it submits) might be outside the secured area
- String contextPath = this.context.getPath();
- String decodedRequestURI = request.getDecodedRequestURI();
- if (decodedRequestURI.startsWith(contextPath) &&
- decodedRequestURI.endsWith(Constants.FORM_ACTION)) {
- if (!authenticate(request, response, serverAuthContext, messageInfo)) {
- if (log.isDebugEnabled()) {
- log.debug(" Failed authenticate() test ??" + decodedRequestURI);
- }
- return;
- }
- }
-
- // Special handling for form-based logins to deal with the case where
- // a resource is protected for some HTTP methods but not protected for
- // GET which is used after authentication when redirecting to the
- // protected resource.
- // TODO: This is similar to the FormAuthenticator.matchRequest() logic
- // Is there a way to remove the duplication?
- Session session = request.getSessionInternal(false);
- if (session != null) {
- SavedRequest savedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
- if (savedRequest != null &&
- decodedRequestURI.equals(savedRequest.getDecodedRequestURI()) &&
- !authenticate(request, response)) {
- if (log.isDebugEnabled()) {
- log.debug(" Failed authenticate() test");
- }
- /*
- * ASSERT: Authenticator already set the appropriate HTTP status
- * code, so we do not have to do anything special
- */
- return;
- }
- }
+ boolean authRequired = isContinuationRequired(request);
// The Servlet may specify security constraints through annotations.
// Ensure that they have been processed before constraints are checked
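Review bot: Removing the two early `return`s moves the point at which a FORM continuation is rejected: the removed code called `authenticate(request, response, serverAuthContext, messageInfo)` (JASPIC-aware) or `authenticate(request, response)` and returned on failure before the constraint lookup, whereas the new line only sets `authRequired` and leaves the actual call to whatever consumes that flag later in the enclosing method, which is outside this hunk. If that later call sits after other checks (the user-data/transport-guarantee handling, for instance) then a j_security_check POST now passes through them before credentials are examined, and it is worth confirming that the deferred path still supplies the JASPIC `serverAuthContext`/`messageInfo` for the first case. The intent is not stated at the assignment, so a comment would help: `// A continuation of an authentication started in an earlier request (e.g. a FORM login submission) must reach authenticate() even if no constraint matches this URI.` The enclosing method starts and ends outside the hunk.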
@@ -556,10 +520,7 @@ public abstract class AuthenticatorBase
// Since authenticate modifies the response on failure,
// we have to check for allow-from-all first.
- boolean authRequired;
- if (constraints == null) {
- authRequired = false;
- } else {
+ if (!authRequired && constraints != null) {
authRequired = true;
for (int i = 0; i < constraints.length && authRequired; i++) {
if (!constraints[i].getAuthConstraint()) {
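Review bot: With `if (!authRequired && constraints != null)` the constraint loop is skipped entirely whenever `isContinuationRequired()` already returned true, so any work the loop body does besides setting `authRequired` is no longer performed on the continuation path; the rest of the loop body lies outside the hunk, so confirm it has no other effect that later code relies on. A short comment on the new line would make the precedence explicit: `// A continuation already requires authenticate(); only consult the constraints otherwise.`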
@@ -669,6 +630,21 @@ public abstract class AuthenticatorBase
/**
+ * Does this authenticator require that {@link #authenticate(Request,
+ * HttpServletResponse)} is called to continue an authentication process
+ * that started in a previous request?
+ *
+ * @param request The request currently being processed
+ *
+ * @return {@code true} if authenticate() must be called, otherwise
+ * {@code false}
+ */
+ protected boolean isContinuationRequired(Request request) {
+ return false;
+ }
+
+
+ /**
* Look for the X509 certificate chain in the Request under the key
* <code>javax.servlet.request.X509Certificate</code>. If not found, trigger
* extracting the certificate chain from the Coyote request.
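Review bot: The Javadoc for `isContinuationRequired()` describes what the return value means but not the contract an override must honour, which matters because it is now consulted on every request before constraints are evaluated. It should state that implementations must be side-effect free and must not authenticate or authorize themselves: returning `true` only forces `authenticate()` to be invoked, it never grants access, and returning `false` never prevents the normal constraint-based check from requiring authentication. Suggested addition to the Javadoc: `Implementations must not modify the request, response or session and must not perform authentication themselves; a {@code true} result only ensures authenticate() is called.`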
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1755181&r1=1755180&r2=1755181&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Thu Aug 4 13:24:22 2016
@@ -115,7 +115,7 @@ public class FormAuthenticator
}
- // --------------------------------------------------------- Public Methods
+ // ------------------------------------------------------ Protected Methods
/**
@@ -344,12 +344,40 @@ public class FormAuthenticator
@Override
- protected String getAuthMethod() {
- return HttpServletRequest.FORM_AUTH;
+ protected boolean isContinuationRequired(Request request) {
+ // Special handling for form-based logins to deal with the case
+ // where the login form (and therefore the "j_security_check" URI
+ // to which it submits) might be outside the secured area
+ String contextPath = this.context.getPath();
+ String decodedRequestURI = request.getDecodedRequestURI();
+ if (decodedRequestURI.startsWith(contextPath) &&
+ decodedRequestURI.endsWith(Constants.FORM_ACTION)) {
+ return true;
+ }
+
+ // Special handling for form-based logins to deal with the case where
+ // a resource is protected for some HTTP methods but not protected for
+ // GET which is used after authentication when redirecting to the
+ // protected resource.
+ // TODO: This is similar to the FormAuthenticator.matchRequest() logic
+ // Is there a way to remove the duplication?
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ SavedRequest savedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
+ if (savedRequest != null &&
+ decodedRequestURI.equals(savedRequest.getDecodedRequestURI())) {
+ return true;
+ }
+ }
+
+ return false;
}
- // ------------------------------------------------------ Protected Methods
+ @Override
+ protected String getAuthMethod() {
+ return HttpServletRequest.FORM_AUTH;
+ }
/**
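Review bot: The TODO at `// TODO: This is similar to the FormAuthenticator.matchRequest() logic` now lives inside FormAuthenticator itself, so the qualified name is stale and reads as if it points at another class; `// TODO: This is similar to the matchRequest() logic in this class` would be accurate. The method also has no Javadoc of its own beyond the inherited one; a one-line comment stating that it only decides whether authenticate() must run, and that both branches replicate the checks previously done in AuthenticatorBase (the first matches any decoded URI under the context ending with FORM_ACTION, the second any request whose decoded URI equals the saved one, without regard to HTTP method), would save the next reader from re-deriving that. If matchRequest(), which is outside the hunk, applies stricter conditions than the second branch here, the comment should say which one is authoritative.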