Posted to commits@sling.apache.org by fm...@apache.org on 2011/12/15 14:45:32 UTC
svn commit: r1214752 - in
/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl:
HttpBasicAuthenticationHandler.java SlingAuthenticator.java
Author: fmeschbe
Date: Thu Dec 15 13:45:31 2011
New Revision: 1214752
URL: http://svn.apache.org/viewvc?rev=1214752&view=rev
Log:
SLING-2329 Fix loop prevention
- Implement authenticationFailed method for HTTP Basic Authentication Handler to
force the client to provide different credentials
- Send 403/FORBIDDEN if a browser client causes a redirect loop (instead of
having the HTTP Basic handler send 401)
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java?rev=1214752&r1=1214751&r2=1214752&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java Thu Dec 15 13:45:31 2011
@@ -156,6 +156,27 @@ class HttpBasicAuthenticationHandler ext
}
/**
+ * Called if the credentials extracted by the
+ * {@link #extractCredentials(HttpServletRequest, HttpServletResponse)}
+ * method are not valid and sends back a 401/UNAUTHORIZED response
+ * requesting the credentials again.
+ * <p>
+ * The only way to get a browser (or a client in general) into forgetting
+ * the current credentials and sending different credentials is sending back
+ * such a response. Otherwise the browser sends the same credentials over
+ * and over again.
+ * <p>
+ * The assumption of this method unconditionally sending back the
+ * 401/UNAUTHORIZED response is that this method here is only called if the
+ * request actually provided invalid HTTP Basic credentials.
+ */
+ @Override
+ public void authenticationFailed(HttpServletRequest request, HttpServletResponse response,
+ AuthenticationInfo authInfo) {
+ sendUnauthorized(response);
+ }
+
+ /**
* Returns true if the {@link #REQUEST_LOGIN_PARAMETER} parameter or request
* attribute is set to any non-<code>null</code> value.
* <p>
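Review bot: The new `authenticationFailed` discards the result of `sendUnauthorized(response)`, although the same commit documents that method a few lines further down as returning whether the 401 was actually sent and the response committed; when the response is already committed the client never sees the challenge and keeps replaying the same Basic credentials, which is exactly the loop this change is meant to break. The interface method returns void, so the failure cannot be propagated, but it should at least be recorded: `if (!sendUnauthorized(response)) { /* log at debug: response already committed, 401 not sent */ }`, using whatever logger the class already has. The Javadoc also states that the unconditional 401 relies on the caller only invoking this for invalid HTTP Basic credentials; if the `AuthenticationInfo` argument carries the authentication type, checking it here would turn that documented assumption into an enforced precondition. The class `HttpBasicAuthenticationHandler` starts and ends outside the hunk.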
@@ -221,7 +242,7 @@ class HttpBasicAuthenticationHandler ext
*
* @param response The response object to which to send the request
* @return <code>true</code> if the 401/UNAUTHORIZED method has successfully
- * been sent.
+ * been sent and the response has been committed.
*/
boolean sendUnauthorized(HttpServletResponse response) {
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1214752&r1=1214751&r2=1214752&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Thu Dec 15 13:45:31 2011
@@ -1012,9 +1012,9 @@ public class SlingAuthenticator implemen
if (!AuthUtil.isValidateRequest(request)) {
- if (AuthUtil.isBrowserRequest(request) && !isLoginLoop(request)) {
+ if (AuthUtil.isBrowserRequest(request)) {
- if (!AuthUtil.isAjaxRequest(request)) {
+ if (!AuthUtil.isAjaxRequest(request) && !isLoginLoop(request)) {
try {
login(request, response);
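Review bot: Moving `!isLoginLoop(request)` into the inner condition changes where a browser caught in a redirect loop ends up, but the hunk gives no hint of the new destination and the fallback after the inner `if` is outside the visible lines; a comment on the new condition would spare the next reader from re-deriving SLING-2329, e.g. `// a browser already in a redirect loop must not be sent to login again; it falls through to the non-login handling below (SLING-2329)`. The commit log says such a request now receives 403, so the comment should be checked against the actual fallback branch when it is visible. The enclosing method begins and ends outside the hunk.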
@@ -1044,8 +1044,6 @@ public class SlingAuthenticator implemen
// enabled for preemptive credential support, we just request
// HTTP Basic credentials. Otherwise (HTTP Basic is fully
// switched off, 403 is sent back)
- // we also do this in case of a redirect loop upon login
- // (see SLING-1831 for details)
if (httpBasicHandler != null) {
httpBasicHandler.sendUnauthorized(response);
return;