You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/03/18 14:52:33 UTC
svn commit: r1667553 - in /tomcat/tc8.0.x/trunk: ./
java/org/apache/catalina/authenticator/ webapps/docs/
Author: markt
Date: Wed Mar 18 13:52:32 2015
New Revision: 1667553
URL: http://svn.apache.org/r1667553
Log:
Pull up common code from the authenticate() method to reduce duplication.
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Mar 18 13:52:32 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663324,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1
666649,1666757,1666966,1666972,1666985,1666995,1666997
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663324,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1
666649,1666757,1666966,1666972,1666985,1666995,1666997,1667292
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Mar 18 13:52:32 2015
@@ -682,6 +682,57 @@ public abstract class AuthenticatorBase
/**
+ * Check to see if the user has already been authenticated earlier in the
+ * processing chain or if there is enough information available to
+ * authenticate the user without requiring further user interaction.
+ *
+ * @param request The current request
+ * @param useSSO Should information available from SSO be used to attempt
+ * to authenticate the current user?
+ *
+ * @return <code>true</code> if the user was authenticated via the cache,
+ * otherwise <code>false</code>
+ */
+ protected boolean checkForCachedAuthentication(Request request, boolean useSSO) {
+
+ // Has the user already been authenticated?
+ Principal principal = request.getUserPrincipal();
+ String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
+ if (principal != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Already authenticated '" + principal.getName() + "'");
+ }
+ // Associate the session with any existing SSO session. Even if
+ // useSSO is false, this will ensure coordinated session
+ // invalidation at log out.
+ if (ssoId != null) {
+ associate(ssoId, request.getSessionInternal(true));
+ }
+ return true;
+ }
+
+ // Is there an SSO session against which we can try to reauthenticate?
+ if (useSSO && ssoId != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("SSO Id " + ssoId + " set; attempting " +
+ "reauthentication");
+ }
+ /* Try to reauthenticate using data cached by SSO. If this fails,
+ either the original SSO logon was of DIGEST or SSL (which
+ we can't reauthenticate ourselves because there is no
+ cached username and password), or the realm denied
+ the user's reauthentication for some reason.
+ In either case we have to prompt the user for a logon */
+ if (reauthenticateFromSSO(ssoId, request)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+
+ /**
* Attempts reauthentication to the <code>Realm</code> using
* the credentials included in argument <code>entry</code>.
*
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Wed Mar 18 13:52:32 2015
@@ -63,35 +63,8 @@ public class BasicAuthenticator extends
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
- return (true);
- }
-
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled()) {
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- }
- /* Try to reauthenticate using data cached by SSO. If this fails,
- either the original SSO logon was of DIGEST or SSL (which
- we can't reauthenticate ourselves because there is no
- cached username and password), or the realm denied
- the user's reauthentication for some reason.
- In either case we have to prompt the user for a logon */
- if (reauthenticateFromSSO(ssoId, request)) {
- return true;
- }
+ if (checkForCachedAuthentication(request, true)) {
+ return true;
}
// Validate any credentials already included with this request
@@ -108,7 +81,7 @@ public class BasicAuthenticator extends
String username = credentials.getUsername();
String password = credentials.getPassword();
- principal = context.getRealm().authenticate(username, password);
+ Principal principal = context.getRealm().authenticate(username, password);
if (principal != null) {
register(request, response, principal,
HttpServletRequest.BASIC_AUTH, username, password);
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Wed Mar 18 13:52:32 2015
@@ -197,48 +197,20 @@ public class DigestAuthenticator extends
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session in order
- // to get coordinated session invalidation at logout
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
- return (true);
- }
-
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
// BASIC or FORM, which are less secure than the DIGEST auth-type
// specified for this webapp
//
- // Uncomment below to allow previous FORM or BASIC authentications
+ // Change to true below to allow previous FORM or BASIC authentications
// to authenticate users for this webapp
// TODO make this a configurable attribute (in SingleSignOn??)
- /*
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled())
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- // Try to reauthenticate using data cached by SSO. If this fails,
- // either the original SSO logon was of DIGEST or SSL (which
- // we can't reauthenticate ourselves because there is no
- // cached username and password), or the realm denied
- // the user's reauthentication for some reason.
- // In either case we have to prompt the user for a logon
- if (reauthenticateFromSSO(ssoId, request))
- return true;
+ if (checkForCachedAuthentication(request, false)) {
+ return true;
}
- */
// Validate any credentials already included with this request
+ Principal principal = null;
String authorization = request.getHeader("authorization");
DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),
getKey(), nonces, isValidateUri());
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Wed Mar 18 13:52:32 2015
@@ -125,40 +125,13 @@ public class FormAuthenticator
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // References to objects we will need later
- Session session = null;
-
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" +
- principal.getName() + "'");
- }
- // Associate the session with any existing SSO session
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
+ if (checkForCachedAuthentication(request, true)) {
return true;
}
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled()) {
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- }
- // Try to reauthenticate using data cached by SSO. If this fails,
- // either the original SSO logon was of DIGEST or SSL (which
- // we can't reauthenticate ourselves because there is no
- // cached username and password), or the realm denied
- // the user's reauthentication for some reason.
- // In either case we have to prompt the user for a logon */
- if (reauthenticateFromSSO(ssoId, request)) {
- return true;
- }
- }
+ // References to objects we will need later
+ Session session = null;
+ Principal principal = null;
// Have we authenticated this user before but have caching disabled?
if (!cache) {
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java Wed Mar 18 13:52:32 2015
@@ -49,46 +49,17 @@ public class SSLAuthenticator extends Au
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (containerLog.isDebugEnabled()) {
- containerLog.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session in order
- // to get coordinated session invalidation at logout
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
- return (true);
- }
-
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
- // BASIC or FORM, which are less secure than the CLIENT_CERT auth-type
+ // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
// specified for this webapp
//
- // Uncomment below to allow previous FORM or BASIC authentications
+ // Change to true below to allow previous FORM or BASIC authentications
// to authenticate users for this webapp
// TODO make this a configurable attribute (in SingleSignOn??)
- /*
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled())
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- // Try to reauthenticate using data cached by SSO. If this fails,
- // either the original SSO logon was of DIGEST or SSL (which
- // we can't reauthenticate ourselves because there is no
- // cached username and password), or the realm denied
- // the user's reauthentication for some reason.
- // In either case we have to prompt the user for a logon
- if (reauthenticateFromSSO(ssoId, request))
- return true;
+ if (checkForCachedAuthentication(request, false)) {
+ return true;
}
- */
// Retrieve the certificate chain for this client
if (containerLog.isDebugEnabled()) {
@@ -107,7 +78,7 @@ public class SSLAuthenticator extends Au
}
// Authenticate the specified certificate chain
- principal = context.getRealm().authenticate(certs);
+ Principal principal = context.getRealm().authenticate(certs);
if (principal == null) {
if (containerLog.isDebugEnabled()) {
containerLog.debug(" Realm.authenticate() returned false");
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Wed Mar 18 13:52:32 2015
@@ -128,37 +128,10 @@ public class SpnegoAuthenticator extends
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
+ if (checkForCachedAuthentication(request, true)) {
return true;
}
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled()) {
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- }
- /* Try to reauthenticate using data cached by SSO. If this fails,
- either the original SSO logon was of DIGEST or SSL (which
- we can't reauthenticate ourselves because there is no
- cached username and password), or the realm denied
- the user's reauthentication for some reason.
- In either case we have to prompt the user for a logon */
- if (reauthenticateFromSSO(ssoId, request)) {
- return true;
- }
- }
-
MessageBytes authorization =
request.getCoyoteRequest().getMimeHeaders()
.getValue("authorization");
@@ -204,6 +177,7 @@ public class SpnegoAuthenticator extends
LoginContext lc = null;
GSSContext gssContext = null;
byte[] outToken = null;
+ Principal principal = null;
try {
try {
lc = new LoginContext(getLoginConfigName());
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1667553&r1=1667552&r2=1667553&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Wed Mar 18 13:52:32 2015
@@ -128,6 +128,10 @@
Add support for <code>LAST_ACCESS_AT_START</code> system property to
<code>SingleSignOn</code>. (kfujino)
</fix>
+ <scode>
+ Refactor Authenticator implementations to reduce code duplication.
+ (markt)
+ </scode>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org