Posted to commits@sling.apache.org by en...@apache.org on 2011/11/12 23:22:51 UTC
svn commit: r1201346 - in /sling/trunk:
bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/
bundles/auth/form/
bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/
bundles/auth/openid/ bundles/auth/openid/src/main/java/org/apach...
Author: enorman
Date: Sat Nov 12 22:22:51 2011
New Revision: 1201346
URL: http://svn.apache.org/viewvc?rev=1201346&view=rev
Log:
SLING-2165 Form based login failure should stay on the same login page to show the login error
Added:
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
sling/trunk/bundles/auth/form/pom.xml
sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
sling/trunk/bundles/auth/openid/pom.xml
sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java
sling/trunk/bundles/auth/selector/pom.xml
sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java
sling/trunk/launchpad/builder/src/main/bundles/list.xml
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java Sat Nov 12 22:22:51 2011
@@ -20,6 +20,8 @@ package org.apache.sling.auth.core.spi;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Iterator;
@@ -420,4 +422,29 @@ public abstract class AbstractAuthentica
// TODO: log.error("Failed to send 403/Forbidden response", ioe);
}
}
+
+ /**
+ * Check if the request is for this authentication handler.
+ *
+ * @param request the current request
+ * @return true if the referer matches this handler, or false otherwise
+ */
+ public static boolean checkReferer(HttpServletRequest request, String loginForm) {
+ //SLING-2165: if a Referer header is supplied check if it matches the login path for this handler
+ String referer = request.getHeader("Referer");
+ if (referer != null) {
+ String expectedPath = String.format("%s%s", request.getContextPath(), loginForm);
+ try {
+ URL uri = new URL(referer);
+ if (!expectedPath.equals(uri.getPath())) {
+ //not for this selector, so let the next one handle it.
+ return false;
+ }
+ } catch (MalformedURLException e) {
+ LoggerFactory.getLogger(AbstractAuthenticationHandler.class)
+ .debug("Failed to parse the referer value for the login form " + loginForm, e);
+ }
+ }
+ return true;
+ }
}
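Review bot: `checkReferer` rejects on any request whose Referer path differs from `loginForm`, and as far as this hunk shows nothing limits it to the credential POST, so an ordinary browser GET to a protected resource (whose Referer is simply the previous site page) makes the handler decline — and since the form, OpenID and selector handlers all call this helper, no handler would offer a login form at all. Restricting the comparison to the login submission, `if (referer != null && "POST".equals(request.getMethod())) {`, keeps the SLING-2165 behaviour for the failure redirect without affecting navigation. The header is also client-supplied and frequently stripped by browsers and proxies, so the helper can only ever be a routing hint: a missing or unparseable Referer falls through to `true`, and only the path is compared, never the scheme or host. The Javadoc should say exactly that and gain the missing `@param loginForm the login form path this handler serves (prefixed with the context path before comparison)`; naming the `URL` local `url` rather than `uri` would also avoid misleading readers.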
Modified: sling/trunk/bundles/auth/form/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/form/pom.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/form/pom.xml (original)
+++ sling/trunk/bundles/auth/form/pom.xml Sat Nov 12 22:22:51 2011
@@ -98,7 +98,7 @@
<dependency>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.auth.core</artifactId>
- <version>1.0.4</version>
+ <version>1.0.7-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
<dependency>
Modified: sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java Sat Nov 12 22:22:51 2011
@@ -353,6 +353,12 @@ public class FormAuthenticationHandler e
return false;
}
+ //check the referer to see if the request is for this handler
+ if (!checkReferer(request, loginForm)) {
+ //not for this handler, so return
+ return false;
+ }
+
final String resource = setLoginResourceAttribute(request,
request.getRequestURI());
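Review bot: A decline on the new `return false` branch is silent — neither this call site nor `checkReferer` logs when the Referer path does not match `loginForm` — so a user who ends up with no login page, or with another handler's, leaves no trace for the operator to work from. A debug line on the handler's logger (whatever the field is called here) before returning, e.g. `log.debug("Referer does not match login form {}, not handling request", loginForm);`, would make that diagnosable. The enclosing method starts and ends outside this hunk.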
Modified: sling/trunk/bundles/auth/openid/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/openid/pom.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/openid/pom.xml (original)
+++ sling/trunk/bundles/auth/openid/pom.xml Sat Nov 12 22:22:51 2011
@@ -107,7 +107,7 @@
<dependency>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.auth.core</artifactId>
- <version>1.0.4</version>
+ <version>1.0.7-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
<dependency>
Modified: sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java Sat Nov 12 22:22:51 2011
@@ -395,6 +395,13 @@ public class OpenIDAuthenticationHandler
return false;
}
+ //check the referer to see if the request is for this handler
+ if (!checkReferer(request, loginForm)) {
+ //not for this handler, so return
+ return false;
+ }
+
+
// requestAuthentication is only called after a failedauthentication
// so it makes sense to remove any existing login
final RelyingParty relyingParty = getRelyingParty(request);
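Review bot: The new early return sits ahead of the existing-login cleanup that the comment immediately below it justifies ("requestAuthentication is only called after a failedauthentication so it makes sense to remove any existing login"), so a failed OpenID attempt whose Referer points at another handler's page now skips that cleanup and leaves the stale login state in place; confirm that is intended, or move the Referer check below the cleanup. Minor: two consecutive blank lines are added after the closing brace of the `if`; one is enough. The enclosing method starts and ends outside this hunk.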
Modified: sling/trunk/bundles/auth/selector/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/selector/pom.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/selector/pom.xml (original)
+++ sling/trunk/bundles/auth/selector/pom.xml Sat Nov 12 22:22:51 2011
@@ -100,7 +100,7 @@
<dependency>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.auth.core</artifactId>
- <version>1.0.4</version>
+ <version>1.0.7-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
<dependency>
Modified: sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java Sat Nov 12 22:22:51 2011
@@ -87,6 +87,12 @@ public class SelectorAuthenticationHandl
public boolean requestCredentials(HttpServletRequest request,
HttpServletResponse response) {
+ //check the referer to see if the request is for this handler
+ if (!checkReferer(request, loginForm)) {
+ //not for this handler, so return
+ return false;
+ }
+
HashMap<String, String> params = new HashMap<String, String>();
params.put(Authenticator.LOGIN_RESOURCE,
getLoginResource(request, null));
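Review bot: The comments on the new block (`//check the referer to see if the request is for this handler` / `//not for this handler, so return`) restate the code rather than the reason, which matters here because the selector is placed first in `requestCredentials` and, as far as the hunk shows, nothing answers if every handler declines on the same Referer. A why-comment such as `// SLING-2165: after a failed login we bounce back to the page in the Referer; if that is another handler's login form, let that handler answer instead of this selector page` would tell the next maintainer what the Referer is being used for and that it is only a hint, not a security decision. The enclosing method continues past the end of this hunk.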
Modified: sling/trunk/launchpad/builder/src/main/bundles/list.xml
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/builder/src/main/bundles/list.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/launchpad/builder/src/main/bundles/list.xml (original)
+++ sling/trunk/launchpad/builder/src/main/bundles/list.xml Sat Nov 12 22:22:51 2011
@@ -71,7 +71,7 @@
<bundle>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.auth.core</artifactId>
- <version>1.0.6</version>
+ <version>1.0.7-SNAPSHOT</version>
</bundle>
<bundle>
<groupId>org.apache.sling</groupId>
@@ -81,7 +81,7 @@
<bundle>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.auth.openid</artifactId>
- <version>1.0.2</version>
+ <version>1.0.3-SNAPSHOT</version>
</bundle>
<bundle>
<groupId>org.apache.sling</groupId>
@@ -91,7 +91,7 @@
<bundle>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.auth.selector</artifactId>
- <version>1.0.4</version>
+ <version>1.0.5-SNAPSHOT</version>
</bundle>
<bundle>
<groupId>org.apache.sling</groupId>
Added: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java?rev=1201346&view=auto
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java (added)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java Sat Nov 12 22:22:51 2011
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.launchpad.webapp.integrationtest.login;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.httpclient.Header;
+import org.apache.commons.httpclient.HttpMethod;
+import org.apache.commons.httpclient.NameValuePair;
+import org.apache.commons.httpclient.methods.PostMethod;
+import org.apache.sling.commons.testing.integration.HttpTestBase;
+
+/** Test SLING-2165 Verify that redirect to the referring login form after login error works */
+public class RedirectOnLoginErrorTest extends HttpTestBase {
+
+ /** Execute a POST request and check status
+ * @return the HttpMethod executed
+ * @throws IOException */
+ private HttpMethod assertPostStatus(String url, int expectedStatusCode, List<NameValuePair> postParams,
+ String assertMessage, String referer) throws IOException {
+ final PostMethod post = new PostMethod(url);
+ post.setFollowRedirects(false);
+ post.setDoAuthentication(false);
+
+ //set the referer to indicate where we came from
+ post.setRequestHeader("Referer", referer);
+
+ //set Accept header to trick sling into treating the request as from a browser
+ post.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+
+ if(postParams!=null) {
+ final NameValuePair [] nvp = {};
+ post.setRequestBody(postParams.toArray(nvp));
+ }
+
+ if(postParams!=null) {
+ final NameValuePair [] nvp = {};
+ post.setRequestBody(postParams.toArray(nvp));
+ }
+
+ final int status = httpClient.executeMethod(post);
+ if(assertMessage == null) {
+ assertEquals(expectedStatusCode, status);
+ } else {
+ assertEquals(assertMessage, expectedStatusCode, status);
+ }
+ return post;
+ }
+
+ /**
+ * Test SLING-2165. Login Error should redirect back to the referrer
+ * login page.
+ *
+ * @throws Exception
+ */
+ public void testRedirectToSelectorLoginFormAfterLoginError() throws Exception {
+ //login failure
+ List<NameValuePair> params = new ArrayList<NameValuePair>();
+ params.add(new NameValuePair("j_username", "___bogus___"));
+ params.add(new NameValuePair("j_password", "not_a_real_user"));
+ final String loginPageUrl = String.format("%s/system/sling/selector/login", HTTP_BASE_URL);
+ PostMethod post = (PostMethod)assertPostStatus(HTTP_BASE_URL + "/j_security_check",
+ HttpServletResponse.SC_MOVED_TEMPORARILY,
+ params,
+ null,
+ loginPageUrl);
+
+ final Header locationHeader = post.getResponseHeader("Location");
+ String location = locationHeader.getValue();
+ int queryStrStart = location.indexOf('?');
+ if (queryStrStart != -1) {
+ location = location.substring(0, queryStrStart);
+ }
+ assertEquals("Expected to remain on the selector/login page", loginPageUrl, location);
+ }
+
+ /**
+ * Test SLING-2165. Login Error should redirect back to the referrer
+ * login page.
+ *
+ * @throws Exception
+ */
+ public void testRedirectToOpenIDLoginFormAfterLoginError() throws Exception {
+ //login failure
+ List<NameValuePair> params = new ArrayList<NameValuePair>();
+ params.add(new NameValuePair("openid_identifier", "___bogus___"));
+ final String loginPageUrl = String.format("%s/system/sling/openid/login", HTTP_BASE_URL);
+ PostMethod post = (PostMethod)assertPostStatus(HTTP_BASE_URL + "/j_security_check",
+ HttpServletResponse.SC_MOVED_TEMPORARILY,
+ params,
+ null,
+ loginPageUrl);
+
+ final Header locationHeader = post.getResponseHeader("Location");
+ String location = locationHeader.getValue();
+ int queryStrStart = location.indexOf('?');
+ if (queryStrStart != -1) {
+ location = location.substring(0, queryStrStart);
+ }
+ assertEquals("Expected to remain on the openid/login page", loginPageUrl, location);
+ }
+
+ /**
+ * Test SLING-2165. Login Error should redirect back to the referrer
+ * login page.
+ *
+ * @throws Exception
+ */
+ public void testRedirectToLoginFormAfterLoginError() throws Exception {
+ //login failure
+ List<NameValuePair> params = new ArrayList<NameValuePair>();
+ params.add(new NameValuePair("j_username", "___bogus___"));
+ params.add(new NameValuePair("j_password", "not_a_real_user"));
+ final String loginPageUrl = String.format("%s/system/sling/form/login", HTTP_BASE_URL);
+ PostMethod post = (PostMethod)assertPostStatus(HTTP_BASE_URL + "/j_security_check",
+ HttpServletResponse.SC_MOVED_TEMPORARILY,
+ params,
+ null,
+ loginPageUrl);
+
+ final Header locationHeader = post.getResponseHeader("Location");
+ String location = locationHeader.getValue();
+ int queryStrStart = location.indexOf('?');
+ if (queryStrStart != -1) {
+ location = location.substring(0, queryStrStart);
+ }
+ assertEquals("Expected to remain on the form/login page", loginPageUrl, location);
+ }
+}
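Review bot: In `assertPostStatus` the `if(postParams!=null)` block that converts the parameters and calls `post.setRequestBody(...)` appears twice back to back; the second copy is a copy-paste leftover and should be deleted. In each test `post.getResponseHeader("Location")` is dereferenced without a check, so a 302 without a Location header fails with a NullPointerException instead of a message — `assertNotNull("Expected a Location header on the login-error redirect", locationHeader);` before reading it gives a clearer failure. The three test methods differ only in the login-form path and the posted parameters, so a private helper taking those two and doing the Location parsing and assertion would remove the triplicated body.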