Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/03/17 13:39:04 UTC
svn commit: r1667292 - in
/tomcat/trunk/java/org/apache/catalina/authenticator:
AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java
FormAuthenticator.java SSLAuthenticator.java SpnegoAuthenticator.java
Author: markt
Date: Tue Mar 17 12:39:04 2015
New Revision: 1667292
URL: http://svn.apache.org/r1667292
Log:
Pull up common code from the authenticate() method to reduce duplication.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1667292&r1=1667291&r2=1667292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Tue Mar 17 12:39:04 2015
@@ -686,6 +686,57 @@ public abstract class AuthenticatorBase
/**
+ * Check to see if the user has already been authenticated earlier in the
+ * processing chain or if there is enough information available to
+ * authenticate the user without requiring further user interaction.
+ *
+ * @param request The current request
+ * @param useSSO Should information available from SSO be used to attempt
+ * to authenticate the current user?
+ *
+ * @return <code>true</code> if the user was authenticated via the cache,
+ * otherwise <code>false</code>
+ */
+ protected boolean checkForCachedAuthentication(Request request, boolean useSSO) {
+
+ // Has the user already been authenticated?
+ Principal principal = request.getUserPrincipal();
+ String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
+ if (principal != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Already authenticated '" + principal.getName() + "'");
+ }
+ // Associate the session with any existing SSO session. Even if
+ // useSSO is false, this will ensure coordinated session
+ // invalidation at log out.
+ if (ssoId != null) {
+ associate(ssoId, request.getSessionInternal(true));
+ }
+ return true;
+ }
+
+ // Is there an SSO session against which we can try to reauthenticate?
+ if (useSSO && ssoId != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("SSO Id " + ssoId + " set; attempting " +
+ "reauthentication");
+ }
+ /* Try to reauthenticate using data cached by SSO. If this fails,
+ either the original SSO logon was of DIGEST or SSL (which
+ we can't reauthenticate ourselves because there is no
+ cached username and password), or the realm denied
+ the user's reauthentication for some reason.
+ In either case we have to prompt the user for a logon */
+ if (reauthenticateFromSSO(ssoId, request)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+
+ /**
* Attempts reauthentication to the <code>Realm</code> using
* the credentials included in argument <code>entry</code>.
*
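Review bot: The `@return` Javadoc on the new checkForCachedAuthentication() does not match its first exit: a request whose getUserPrincipal() is already non-null returns true without consulting any cache, so `@return <code>true</code> if the request already carries an authenticated principal or the user could be reauthenticated from the SSO cache, otherwise <code>false</code>` would describe both paths. The `@param useSSO` text should also state that an existing SSO session is still associated with the request's session when useSSO is false, since the inline comment next to the associate() call is the only place that behaviour is recorded. Now that the debug message `"SSO Id " + ssoId + " set; attempting reauthentication"` lives in one method, it is also the single spot where the SSO identifier (a session-identifying value) reaches the log; logging only that an SSO id is present would avoid that, though this is inherited from the removed copies rather than introduced here.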
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1667292&r1=1667291&r2=1667292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Tue Mar 17 12:39:04 2015
@@ -63,35 +63,8 @@ public class BasicAuthenticator extends
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
- return (true);
- }
-
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled()) {
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- }
- /* Try to reauthenticate using data cached by SSO. If this fails,
- either the original SSO logon was of DIGEST or SSL (which
- we can't reauthenticate ourselves because there is no
- cached username and password), or the realm denied
- the user's reauthentication for some reason.
- In either case we have to prompt the user for a logon */
- if (reauthenticateFromSSO(ssoId, request)) {
- return true;
- }
+ if (checkForCachedAuthentication(request, true)) {
+ return true;
}
// Validate any credentials already included with this request
@@ -108,7 +81,7 @@ public class BasicAuthenticator extends
String username = credentials.getUsername();
String password = credentials.getPassword();
- principal = context.getRealm().authenticate(username, password);
+ Principal principal = context.getRealm().authenticate(username, password);
if (principal != null) {
register(request, response, principal,
HttpServletRequest.BASIC_AUTH, username, password);
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1667292&r1=1667291&r2=1667292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Tue Mar 17 12:39:04 2015
@@ -197,48 +197,20 @@ public class DigestAuthenticator extends
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session in order
- // to get coordinated session invalidation at logout
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
- return (true);
- }
-
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
// BASIC or FORM, which are less secure than the DIGEST auth-type
// specified for this webapp
//
- // Uncomment below to allow previous FORM or BASIC authentications
+ // Change to true below to allow previous FORM or BASIC authentications
// to authenticate users for this webapp
// TODO make this a configurable attribute (in SingleSignOn??)
- /*
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled())
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- // Try to reauthenticate using data cached by SSO. If this fails,
- // either the original SSO logon was of DIGEST or SSL (which
- // we can't reauthenticate ourselves because there is no
- // cached username and password), or the realm denied
- // the user's reauthentication for some reason.
- // In either case we have to prompt the user for a logon
- if (reauthenticateFromSSO(ssoId, request))
- return true;
+ if (checkForCachedAuthentication(request, false)) {
+ return true;
}
- */
// Validate any credentials already included with this request
+ Principal principal = null;
String authorization = request.getHeader("authorization");
DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),
getKey(), nonces, isValidateUri());
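Review bot: The rewritten comment `// Change to true below to allow previous FORM or BASIC authentications` points at a bare boolean literal and will age poorly if the call is reformatted or moved; naming the parameter, e.g. `// Pass true as the useSSO argument of checkForCachedAuthentication() below to allow previous FORM or BASIC authentications`, ties the instruction to the code it describes. The same comment is introduced in the SSLAuthenticator hunk. The enclosing authenticate() method continues beyond this hunk.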
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1667292&r1=1667291&r2=1667292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Tue Mar 17 12:39:04 2015
@@ -134,40 +134,13 @@ public class FormAuthenticator
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // References to objects we will need later
- Session session = null;
-
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" +
- principal.getName() + "'");
- }
- // Associate the session with any existing SSO session
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
+ if (checkForCachedAuthentication(request, true)) {
return true;
}
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled()) {
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- }
- // Try to reauthenticate using data cached by SSO. If this fails,
- // either the original SSO logon was of DIGEST or SSL (which
- // we can't reauthenticate ourselves because there is no
- // cached username and password), or the realm denied
- // the user's reauthentication for some reason.
- // In either case we have to prompt the user for a logon */
- if (reauthenticateFromSSO(ssoId, request)) {
- return true;
- }
- }
+ // References to objects we will need later
+ Session session = null;
+ Principal principal = null;
// Have we authenticated this user before but have caching disabled?
if (!cache) {
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java?rev=1667292&r1=1667291&r2=1667292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/SSLAuthenticator.java Tue Mar 17 12:39:04 2015
@@ -49,46 +49,17 @@ public class SSLAuthenticator extends Au
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (containerLog.isDebugEnabled()) {
- containerLog.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session in order
- // to get coordinated session invalidation at logout
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
- return (true);
- }
-
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
- // BASIC or FORM, which are less secure than the CLIENT_CERT auth-type
+ // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
// specified for this webapp
//
- // Uncomment below to allow previous FORM or BASIC authentications
+ // Change to true below to allow previous FORM or BASIC authentications
// to authenticate users for this webapp
// TODO make this a configurable attribute (in SingleSignOn??)
- /*
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled())
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- // Try to reauthenticate using data cached by SSO. If this fails,
- // either the original SSO logon was of DIGEST or SSL (which
- // we can't reauthenticate ourselves because there is no
- // cached username and password), or the realm denied
- // the user's reauthentication for some reason.
- // In either case we have to prompt the user for a logon
- if (reauthenticateFromSSO(ssoId, request))
- return true;
+ if (checkForCachedAuthentication(request, false)) {
+ return true;
}
- */
// Retrieve the certificate chain for this client
if (containerLog.isDebugEnabled()) {
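Review bot: After the refactor the already-authenticated and SSO paths of this authenticator log through the base class's `log` inside checkForCachedAuthentication(), while the rest of authenticate() still uses `containerLog` (the isDebugEnabled() check here and the debug call in the second hunk). If those are distinct loggers, a single authentication attempt is now split across two log categories, which complicates correlating an auth decision when reviewing logs. This split predates the commit rather than being introduced by it, but a short comment noting that the cached-auth check logs elsewhere, or a follow-up settling on one logger, would help. The enclosing authenticate() method starts before and ends after this hunk.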
@@ -107,7 +78,7 @@ public class SSLAuthenticator extends Au
}
// Authenticate the specified certificate chain
- principal = context.getRealm().authenticate(certs);
+ Principal principal = context.getRealm().authenticate(certs);
if (principal == null) {
if (containerLog.isDebugEnabled()) {
containerLog.debug(" Realm.authenticate() returned false");
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1667292&r1=1667291&r2=1667292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Tue Mar 17 12:39:04 2015
@@ -128,37 +128,10 @@ public class SpnegoAuthenticator extends
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException {
- // Have we already authenticated someone?
- Principal principal = request.getUserPrincipal();
- String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
- if (principal != null) {
- if (log.isDebugEnabled()) {
- log.debug("Already authenticated '" + principal.getName() + "'");
- }
- // Associate the session with any existing SSO session
- if (ssoId != null) {
- associate(ssoId, request.getSessionInternal(true));
- }
+ if (checkForCachedAuthentication(request, true)) {
return true;
}
- // Is there an SSO session against which we can try to reauthenticate?
- if (ssoId != null) {
- if (log.isDebugEnabled()) {
- log.debug("SSO Id " + ssoId + " set; attempting " +
- "reauthentication");
- }
- /* Try to reauthenticate using data cached by SSO. If this fails,
- either the original SSO logon was of DIGEST or SSL (which
- we can't reauthenticate ourselves because there is no
- cached username and password), or the realm denied
- the user's reauthentication for some reason.
- In either case we have to prompt the user for a logon */
- if (reauthenticateFromSSO(ssoId, request)) {
- return true;
- }
- }
-
MessageBytes authorization =
request.getCoyoteRequest().getMimeHeaders()
.getValue("authorization");
@@ -204,6 +177,7 @@ public class SpnegoAuthenticator extends
LoginContext lc = null;
GSSContext gssContext = null;
byte[] outToken = null;
+ Principal principal = null;
try {
try {
lc = new LoginContext(getLoginConfigName());