You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/08/04 16:41:33 UTC
svn commit: r1755211 - in /tomcat/tc8.5.x/trunk: ./
java/org/apache/catalina/authenticator/ webapps/docs/
Author: markt
Date: Thu Aug 4 16:41:32 2016
New Revision: 1755211
URL: http://svn.apache.org/viewvc?rev=1755211&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59823
Ensure JASPIC auth is included (if configured) when using
HttpServletRequest.authenticate()
Modified:
tomcat/tc8.5.x/trunk/ (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug 4 16:41:32 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747
924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747
924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Aug 4 16:41:32 2016
@@ -428,10 +428,6 @@ public abstract class AuthenticatorBase
request.getRequestURI());
}
- AuthConfigProvider jaspicProvider = getJaspicProvider();
- MessageInfo messageInfo = null;
- ServerAuthContext serverAuthContext = null;
-
// Have we got a cached authenticated Principal to record?
if (cache) {
Principal principal = request.getUserPrincipal();
@@ -451,57 +447,7 @@ public abstract class AuthenticatorBase
}
}
- if (jaspicProvider != null) {
- messageInfo = new MessageInfoImpl(request.getRequest(), response.getResponse(), true);
- try {
- ServerAuthConfig serverAuthConfig = jaspicProvider.getServerAuthConfig(
- "HttpServlet", jaspicAppContextID, CallbackHandlerImpl.getInstance());
- String authContextID = serverAuthConfig.getAuthContextID(messageInfo);
- serverAuthContext = serverAuthConfig.getAuthContext(authContextID, null, null);
- } catch (AuthException e) {
- log.warn(sm.getString("authenticator.jaspicServerAuthContextFail"), e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- return;
- }
- }
-
- // Special handling for form-based logins to deal with the case
- // where the login form (and therefore the "j_security_check" URI
- // to which it submits) might be outside the secured area
- String contextPath = this.context.getPath();
- String decodedRequestURI = request.getDecodedRequestURI();
- if (decodedRequestURI.startsWith(contextPath) &&
- decodedRequestURI.endsWith(Constants.FORM_ACTION)) {
- if (!authenticate(request, response, serverAuthContext, messageInfo)) {
- if (log.isDebugEnabled()) {
- log.debug(" Failed authenticate() test ??" + decodedRequestURI);
- }
- return;
- }
- }
-
- // Special handling for form-based logins to deal with the case where
- // a resource is protected for some HTTP methods but not protected for
- // GET which is used after authentication when redirecting to the
- // protected resource.
- // TODO: This is similar to the FormAuthenticator.matchRequest() logic
- // Is there a way to remove the duplication?
- Session session = request.getSessionInternal(false);
- if (session != null) {
- SavedRequest savedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
- if (savedRequest != null &&
- decodedRequestURI.equals(savedRequest.getDecodedRequestURI()) &&
- !authenticate(request, response)) {
- if (log.isDebugEnabled()) {
- log.debug(" Failed authenticate() test");
- }
- /*
- * ASSERT: Authenticator already set the appropriate HTTP status
- * code, so we do not have to do anything special
- */
- return;
- }
- }
+ boolean authRequired = isContinuationRequired(request);
// The Servlet may specify security constraints through annotations.
// Ensure that they have been processed before constraints are checked
@@ -514,8 +460,12 @@ public abstract class AuthenticatorBase
// Is this request URI subject to a security constraint?
SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
- if (constraints == null && !context.getPreemptiveAuthentication() &&
- jaspicProvider == null) {
+ AuthConfigProvider jaspicProvider = getJaspicProvider();
+ if (jaspicProvider != null) {
+ authRequired = true;
+ }
+
+ if (constraints == null && !context.getPreemptiveAuthentication() && !authRequired) {
if (log.isDebugEnabled()) {
log.debug(" Not subject to any constraint");
}
@@ -537,7 +487,6 @@ public abstract class AuthenticatorBase
response.setHeader("Expires", DATE_ONE);
}
- int i;
if (constraints != null) {
// Enforce any user data constraint for this security constraint
if (log.isDebugEnabled()) {
@@ -557,12 +506,9 @@ public abstract class AuthenticatorBase
// Since authenticate modifies the response on failure,
// we have to check for allow-from-all first.
- boolean authRequired;
- if (constraints == null) {
- authRequired = false;
- } else {
+ if (!authRequired && constraints != null) {
authRequired = true;
- for (i = 0; i < constraints.length && authRequired; i++) {
+ for (int i = 0; i < constraints.length && authRequired; i++) {
if (!constraints[i].getAuthConstraint()) {
authRequired = false;
break;
@@ -588,15 +534,22 @@ public abstract class AuthenticatorBase
authRequired = certs != null && certs.length > 0;
}
- if (!authRequired && jaspicProvider != null) {
- authRequired = true;
- }
+ JaspicState jaspicState = null;
if (authRequired) {
if (log.isDebugEnabled()) {
log.debug(" Calling authenticate()");
}
- if (!authenticate(request, response, serverAuthContext, messageInfo)) {
+
+ if (jaspicProvider != null) {
+ jaspicState = getJaspicState(jaspicProvider, request, response);
+ if (jaspicState == null) {
+ return;
+ }
+ }
+
+ if (jaspicProvider == null && !doAuthenticate(request, response) ||
+ jaspicProvider != null && !authenticateJaspic(request, response, jaspicState)) {
if (log.isDebugEnabled()) {
log.debug(" Failed authenticate() test");
}
@@ -631,20 +584,105 @@ public abstract class AuthenticatorBase
}
getNext().invoke(request, response);
- if (serverAuthContext != null && messageInfo != null) {
- try {
- serverAuthContext.secureResponse(messageInfo, null);
- request.setRequest((HttpServletRequest) messageInfo.getRequestMessage());
- response.setResponse((HttpServletResponse) messageInfo.getResponseMessage());
- } catch (AuthException e) {
- log.warn(sm.getString("authenticator.jaspicSecureResponseFail"), e);
+ if (jaspicProvider != null) {
+ secureResponseJspic(request, response, jaspicState);
+ }
+ }
+
+
+ @Override
+ public boolean authenticate(Request request, HttpServletResponse httpResponse)
+ throws IOException {
+
+ AuthConfigProvider jaspicProvider = getJaspicProvider();
+
+ if (jaspicProvider == null) {
+ return doAuthenticate(request, httpResponse);
+ } else {
+ Response response = request.getResponse();
+ JaspicState jaspicState = getJaspicState(jaspicProvider, request, response);
+ if (jaspicState == null) {
+ return false;
}
+
+ boolean result = authenticateJaspic(request, response, jaspicState);
+
+ secureResponseJspic(request, response, jaspicState);
+
+ return result;
+ }
+ }
+
+
+ private void secureResponseJspic(Request request, Response response, JaspicState state) {
+ try {
+ state.serverAuthContext.secureResponse(state.messageInfo, null);
+ request.setRequest((HttpServletRequest) state.messageInfo.getRequestMessage());
+ response.setResponse((HttpServletResponse) state.messageInfo.getResponseMessage());
+ } catch (AuthException e) {
+ log.warn(sm.getString("authenticator.jaspicSecureResponseFail"), e);
}
}
+
+ private JaspicState getJaspicState(AuthConfigProvider jaspicProvider, Request request,
+ Response response) throws IOException {
+ JaspicState jaspicState = new JaspicState();
+
+ jaspicState.messageInfo =
+ new MessageInfoImpl(request.getRequest(), response.getResponse(), true);
+
+ try {
+ ServerAuthConfig serverAuthConfig = jaspicProvider.getServerAuthConfig(
+ "HttpServlet", jaspicAppContextID, CallbackHandlerImpl.getInstance());
+ String authContextID = serverAuthConfig.getAuthContextID(jaspicState.messageInfo);
+ jaspicState.serverAuthContext = serverAuthConfig.getAuthContext(authContextID, null, null);
+ } catch (AuthException e) {
+ log.warn(sm.getString("authenticator.jaspicServerAuthContextFail"), e);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ return null;
+ }
+
+ return jaspicState;
+ }
+
+
// ------------------------------------------------------ Protected Methods
/**
+ * Provided for sub-classes to implement their specific authentication
+ * mechanism.
+ *
+ * @param request The request that triggered the authentication
+ * @param response The response associated with the request
+ *
+ * @return {@code true} if the the user was authenticated, otherwise {@code
+ * false}, in which case an authentication challenge will have been
+ * written to the response
+ *
+ * @throws IOException If an I/O problem occurred during the authentication
+ * process
+ */
+ protected abstract boolean doAuthenticate(Request request, HttpServletResponse response)
+ throws IOException;
+
+
+ /**
+ * Does this authenticator require that {@link #authenticate(Request,
+ * HttpServletResponse)} is called to continue an authentication process
+ * that started in a previous request?
+ *
+ * @param request The request currently being processed
+ *
+ * @return {@code true} if authenticate() must be called, otherwise
+ * {@code false}
+ */
+ protected boolean isContinuationRequired(Request request) {
+ return false;
+ }
+
+
+ /**
* Look for the X509 certificate chain in the Request under the key
* <code>javax.servlet.request.X509Certificate</code>. If not found, trigger
* extracting the certificate chain from the Coyote request.
@@ -692,51 +730,45 @@ public abstract class AuthenticatorBase
}
- private boolean authenticate(Request request, Response response,
- ServerAuthContext serverAuthContext, MessageInfo messageInfo) throws IOException {
+ private boolean authenticateJaspic(Request request, Response response, JaspicState state) {
- if (serverAuthContext == null) {
- // No JASPIC configuration. Use the standard authenticator.
- return authenticate(request, response);
- } else {
- boolean cachedAuth = checkForCachedAuthentication(request, response, false);
- Subject client = new Subject();
- AuthStatus authStatus;
- try {
- authStatus = serverAuthContext.validateRequest(messageInfo, client, null);
- } catch (AuthException e) {
- log.debug(sm.getString("authenticator.loginFail"), e);
- return false;
- }
+ boolean cachedAuth = checkForCachedAuthentication(request, response, false);
+ Subject client = new Subject();
+ AuthStatus authStatus;
+ try {
+ authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
+ } catch (AuthException e) {
+ log.debug(sm.getString("authenticator.loginFail"), e);
+ return false;
+ }
- request.setRequest((HttpServletRequest) messageInfo.getRequestMessage());
- response.setResponse((HttpServletResponse) messageInfo.getResponseMessage());
+ request.setRequest((HttpServletRequest) state.messageInfo.getRequestMessage());
+ response.setResponse((HttpServletResponse) state.messageInfo.getResponseMessage());
- if (authStatus == AuthStatus.SUCCESS) {
- GenericPrincipal principal = getPrincipal(client);
- if (log.isDebugEnabled()) {
- log.debug("Authenticated user: " + principal);
- }
- if (principal == null) {
- request.setUserPrincipal(null);
- request.setAuthType(null);
- } else if (cachedAuth == false ||
- !principal.getUserPrincipal().equals(request.getUserPrincipal())) {
- // Skip registration if authentication credentials were
- // cached and the Principal did not change.
- request.setNote(Constants.REQ_JASPIC_SUBJECT_NOTE, client);
- @SuppressWarnings("rawtypes")// JASPIC API uses raw types
- Map map = messageInfo.getMap();
- if (map != null && map.containsKey("javax.servlet.http.registerSession")) {
- register(request, response, principal, "JASPIC", null, null, true, true);
- } else {
- register(request, response, principal, "JASPIC", null, null);
- }
+ if (authStatus == AuthStatus.SUCCESS) {
+ GenericPrincipal principal = getPrincipal(client);
+ if (log.isDebugEnabled()) {
+ log.debug("Authenticated user: " + principal);
+ }
+ if (principal == null) {
+ request.setUserPrincipal(null);
+ request.setAuthType(null);
+ } else if (cachedAuth == false ||
+ !principal.getUserPrincipal().equals(request.getUserPrincipal())) {
+ // Skip registration if authentication credentials were
+ // cached and the Principal did not change.
+ request.setNote(Constants.REQ_JASPIC_SUBJECT_NOTE, client);
+ @SuppressWarnings("rawtypes")// JASPIC API uses raw types
+ Map map = state.messageInfo.getMap();
+ if (map != null && map.containsKey("javax.servlet.http.registerSession")) {
+ register(request, response, principal, "JASPIC", null, null, true, true);
+ } else {
+ register(request, response, principal, "JASPIC", null, null);
}
- return true;
}
- return false;
+ return true;
}
+ return false;
}
@@ -1153,4 +1185,10 @@ public abstract class AuthenticatorBase
this);
jaspicProvider = provider;
}
+
+
+ private static class JaspicState {
+ public MessageInfo messageInfo = null;
+ public ServerAuthContext serverAuthContext = null;
+ }
}
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Thu Aug 4 16:41:32 2016
@@ -48,19 +48,8 @@ public class BasicAuthenticator extends
// --------------------------------------------------------- Public Methods
- /**
- * Authenticate the user making this request, based on the specified
- * login configuration. Return <code>true</code> if any specified
- * constraint has been satisfied, or <code>false</code> if we have
- * created a response challenge already.
- *
- * @param request Request we are processing
- * @param response Response we are creating
- *
- * @exception IOException if an input/output error occurs
- */
@Override
- public boolean authenticate(Request request, HttpServletResponse response)
+ protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {
if (checkForCachedAuthentication(request, response, true)) {
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Thu Aug 4 16:41:32 2016
@@ -194,7 +194,7 @@ public class DigestAuthenticator extends
* @exception IOException if an input/output error occurs
*/
@Override
- public boolean authenticate(Request request, HttpServletResponse response)
+ protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {
// NOTE: We don't try to reauthenticate using any existing SSO session,
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Thu Aug 4 16:41:32 2016
@@ -115,7 +115,7 @@ public class FormAuthenticator
}
- // --------------------------------------------------------- Public Methods
+ // ------------------------------------------------------ Protected Methods
/**
@@ -130,7 +130,7 @@ public class FormAuthenticator
* @exception IOException if an input/output error occurs
*/
@Override
- public boolean authenticate(Request request, HttpServletResponse response)
+ protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {
if (checkForCachedAuthentication(request, response, true)) {
@@ -344,12 +344,40 @@ public class FormAuthenticator
@Override
- protected String getAuthMethod() {
- return HttpServletRequest.FORM_AUTH;
+ protected boolean isContinuationRequired(Request request) {
+ // Special handling for form-based logins to deal with the case
+ // where the login form (and therefore the "j_security_check" URI
+ // to which it submits) might be outside the secured area
+ String contextPath = this.context.getPath();
+ String decodedRequestURI = request.getDecodedRequestURI();
+ if (decodedRequestURI.startsWith(contextPath) &&
+ decodedRequestURI.endsWith(Constants.FORM_ACTION)) {
+ return true;
+ }
+
+ // Special handling for form-based logins to deal with the case where
+ // a resource is protected for some HTTP methods but not protected for
+ // GET which is used after authentication when redirecting to the
+ // protected resource.
+ // TODO: This is similar to the FormAuthenticator.matchRequest() logic
+ // Is there a way to remove the duplication?
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ SavedRequest savedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
+ if (savedRequest != null &&
+ decodedRequestURI.equals(savedRequest.getDecodedRequestURI())) {
+ return true;
+ }
+ }
+
+ return false;
}
- // ------------------------------------------------------ Protected Methods
+ @Override
+ protected String getAuthMethod() {
+ return HttpServletRequest.FORM_AUTH;
+ }
/**
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java Thu Aug 4 16:41:32 2016
@@ -74,7 +74,7 @@ public final class NonLoginAuthenticator
* @exception IOException if an input/output error occurs
*/
@Override
- public boolean authenticate(Request request, HttpServletResponse response)
+ protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {
// Don't try and use SSO to authenticate since there is no auth
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java Thu Aug 4 16:41:32 2016
@@ -46,7 +46,7 @@ public class SSLAuthenticator extends Au
* @exception IOException if an input/output error occurs
*/
@Override
- public boolean authenticate(Request request, HttpServletResponse response)
+ protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {
// NOTE: We don't try to reauthenticate using any existing SSO session,
Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Thu Aug 4 16:41:32 2016
@@ -134,7 +134,7 @@ public class SpnegoAuthenticator extends
@Override
- public boolean authenticate(Request request, HttpServletResponse response)
+ protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {
if (checkForCachedAuthentication(request, response, true)) {
Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1755211&r1=1755210&r2=1755211&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Aug 4 16:41:32 2016
@@ -95,6 +95,10 @@
the object obtained is of the expected type. (markt)
</add>
<fix>
+ <bug>59823</bug>: Ensure that JASPIC configuration is taken into account
+ when calling <code>HttpServletRequest.authenticate()</code>. (markt)
+ </fix>
+ <fix>
<bug>59824</bug>: Mark the <code>RewriteValve</code> as supporting async
processing by default. (markt)
</fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org