Posted to commits@sling.apache.org by fm...@apache.org on 2011/12/15 14:45:32 UTC

svn commit: r1214752 - in /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl: HttpBasicAuthenticationHandler.java SlingAuthenticator.java

Author: fmeschbe
Date: Thu Dec 15 13:45:31 2011
New Revision: 1214752

URL: http://svn.apache.org/viewvc?rev=1214752&view=rev
Log:
SLING-2329 Fix loop prevention
  - Implement authenticationFailed method for HTTP Basic Authentication Handler to
    force the client to provide different credentials
  - Send 403/FORBIDDEN if a browser client causes a redirect loop (instead of
    having the HTTP Basic handler send 401)

Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java?rev=1214752&r1=1214751&r2=1214752&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java Thu Dec 15 13:45:31 2011
@@ -156,6 +156,27 @@ class HttpBasicAuthenticationHandler ext
     }
 
     /**
+     * Called if the credentials extracted by the
+     * {@link #extractCredentials(HttpServletRequest, HttpServletResponse)}
+     * method are not valid and sends back a 401/UNAUTHORIZED response
+     * requesting the credentials again.
+     * <p>
+     * The only way to get a browser (or a client in general) into forgetting
+     * the current credentials and sending different credentials is sending back
+     * such a response. Otherwise the browser sends the same credentials over
+     * and over again.
+     * <p>
+     * The assumption of this method unconditionally sending back the
+     * 401/UNAUTHORIZED response is that this method here is only called if the
+     * request actually provided invalid HTTP Basic credentials.
+     */
+    @Override
+    public void authenticationFailed(HttpServletRequest request, HttpServletResponse response,
+            AuthenticationInfo authInfo) {
+        sendUnauthorized(response);
+    }
+
+    /**
      * Returns true if the {@link #REQUEST_LOGIN_PARAMETER} parameter or request
      * attribute is set to any non-<code>null</code> value.
      * <p>
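Review bot: The new authenticationFailed discards the boolean that sendUnauthorized returns (the Javadoc touched in the next hunk says it reports whether the 401 was sent and the response committed), so a failed attempt to request fresh credentials, for example because the response was already committed by an earlier handler, goes unnoticed and the client keeps replaying the same rejected credentials. Consider checking the result and logging at warn level when it is false, e.g. `if (!sendUnauthorized(response)) { /* log: could not send 401, response already committed */ }`. The authInfo parameter is unused, so the Javadoc's assumption that this method is only reached for invalid HTTP Basic credentials is not verified in code; the Javadoc should state that the caller (presumably SlingAuthenticator) guarantees it. A rejected-credential event is also the natural place for a log entry so that repeated failures against one account are visible to operators.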
@@ -221,7 +242,7 @@ class HttpBasicAuthenticationHandler ext
      *
      * @param response The response object to which to send the request
      * @return <code>true</code> if the 401/UNAUTHORIZED method has successfully
-     *         been sent.
+     *         been sent and the response has been committed.
      */
     boolean sendUnauthorized(HttpServletResponse response) {
 

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1214752&r1=1214751&r2=1214752&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Thu Dec 15 13:45:31 2011
@@ -1012,9 +1012,9 @@ public class SlingAuthenticator implemen
 
         if (!AuthUtil.isValidateRequest(request)) {
 
-            if (AuthUtil.isBrowserRequest(request) && !isLoginLoop(request)) {
+            if (AuthUtil.isBrowserRequest(request)) {
 
-                if (!AuthUtil.isAjaxRequest(request)) {
+                if (!AuthUtil.isAjaxRequest(request) && !isLoginLoop(request)) {
                     try {
 
                         login(request, response);
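Review bot: Moving `!isLoginLoop(request)` onto the inner condition changes which branch a looping browser request takes, but neither the `else` of that inner `if` nor the rest of the method is in the hunk, so a reader cannot see here that the loop case now ends in the 403 the log message promises; a one-line comment above the inner `if` would make the intent explicit, e.g. `// Only redirect a plain browser request to the login page when it is not already in a redirect loop; Ajax and looping requests fall through to the error response.` Loop detection is presumably derived from request data the client controls (isLoginLoop's implementation is outside the hunk), so the fallback path is the one that must stay safe however the detection is influenced, and it must never re-enter login for a looping request. The enclosing method begins and ends outside the hunk.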
@@ -1044,8 +1044,6 @@ public class SlingAuthenticator implemen
                 // enabled for preemptive credential support, we just request
                 // HTTP Basic credentials. Otherwise (HTTP Basic is fully
                 // switched off, 403 is sent back)
-                // we also do this in case of a redirect loop upon login
-                // (see SLING-1831 for details)
                 if (httpBasicHandler != null) {
                     httpBasicHandler.sendUnauthorized(response);
                     return;