Posted to commits@sling.apache.org by fm...@apache.org on 2011/11/18 22:57:18 UTC

svn commit: r1203872 - in /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core: AuthConstants.java impl/AuthenticationHandlerHolder.java

Author: fmeschbe
Date: Fri Nov 18 21:57:17 2011
New Revision: 1203872

URL: http://svn.apache.org/viewvc?rev=1203872&view=rev
Log:
SLING-2280 Implement Option 2: Support an AuthenticationHandler service registration property to indicate that only browser requests are supported.

Added:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java
Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java

Added: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java?rev=1203872&view=auto
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java (added)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthConstants.java Fri Nov 18 21:57:17 2011
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.auth.core;
+
+/**
+ * The <code>AuthConstants</code> provides a collection of constants used
+ * to configure and customize the Sling authentication infrastructure.
+ * <p>
+ * This class can neither be extended from nor can it be instantiated.
+ *
+ * @since 1.1 (bundle version 1.0.8)
+ */
+public final class AuthConstants {
+
+    /**
+     * Service Registration property which may be set by an
+     * {@link org.apache.sling.auth.core.spi.AuthenticationHandler} service to
+     * indicate whether its
+     * {@link org.apache.sling.auth.core.spi.AuthenticationHandler#requestCredentials(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
+     * method supports non-browser requests (according to
+     * {@link AuthUtil#isBrowserRequest(javax.servlet.http.HttpServletRequest)}
+     * or not.
+     * <p>
+     * For backwards compatibility with existing
+     * {@link org.apache.sling.auth.core.spi.AuthenticationHandler} services the
+     * default assumption in the absence of this property is that all requests
+     * are supported.
+     * <p>
+     * If this property is set to <code>true</code> or <code>yes</code>
+     * (case-insensitive check) the handler is not called for requests assumed
+     * to be sent from non-browser clients. Any other value of this property
+     * indicates support for non-browser requests by the handler.
+     * <p>
+     * Note that this property only influences whether the
+     * <code>requestCredentials</code> method is called or not. The
+     * <code>extractCredentials</code> and <code>dropCredentials</code> are
+     * called regardless of this property.
+     */
+    public static final String AUTH_HANDLER_BROWSER_ONLY = "sling.auth.browser-only";
+
+    private AuthConstants() {
+    }
+
+}
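Review bot: The Javadoc for `AUTH_HANDLER_BROWSER_ONLY` has an unbalanced parenthesis at "(according to {@link AuthUtil#isBrowserRequest(...)} or not." and its opening sentence describes the property as indicating support for non-browser requests, while the name and the third paragraph say that `true`/`yes` means the opposite. I would reword the opening to `indicate that its requestCredentials method is to be called for browser requests only (as determined by {@link AuthUtil#isBrowserRequest(javax.servlet.http.HttpServletRequest)}).` It is also worth one sentence stating that the property only decides whether a challenge is issued and is not an access restriction, since the browser classification presumably derives from request data the client supplies (AuthUtil is not shown here).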

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java?rev=1203872&r1=1203871&r2=1203872&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/AuthenticationHandlerHolder.java Fri Nov 18 21:57:17 2011
@@ -23,6 +23,9 @@ import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.sling.auth.core.AuthConstants;
+import org.apache.sling.auth.core.AuthUtil;
+import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
 import org.apache.sling.auth.core.spi.AuthenticationHandler;
 import org.apache.sling.auth.core.spi.AuthenticationInfo;
@@ -43,15 +46,21 @@ final class AuthenticationHandlerHolder 
     // the supported authentication type of the handler
     private final String authType;
 
+    // whether requestCredentials only for browsers
+    private final boolean browserOnlyRequestCredentials;
+
     AuthenticationHandlerHolder(final String fullPath,
             final AuthenticationHandler handler,
             final ServiceReference serviceReference) {
         super(fullPath, serviceReference);
 
+        final String browserOnly = OsgiUtil.toString(serviceReference.getProperty(AuthConstants.AUTH_HANDLER_BROWSER_ONLY), null);
+
         // assign the fields
         this.handler = handler;
-        this.authType = OsgiUtil.toString(
-            serviceReference.getProperty(TYPE_PROPERTY), null);
+        this.authType = OsgiUtil.toString(serviceReference.getProperty(TYPE_PROPERTY), null);
+        this.browserOnlyRequestCredentials = "true".equalsIgnoreCase(browserOnly)
+            || "yes".equalsIgnoreCase(browserOnly);
     }
 
     @Override
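Review bot: In the constructor any value other than `true` or `yes`, including a misspelling or a value with surrounding whitespace, silently leaves `browserOnlyRequestCredentials` false, so the handler keeps challenging non-browser clients with no sign that the setting was ignored. That matches the documented default, but a deployer who set the property expecting the restriction gets no feedback. The field comment could spell this out, e.g. `// true if requestCredentials is called for browser requests only; any value other than "true"/"yes" means all clients`, and a debug log for a non-null unrecognised value would help if the class has a logger (none is visible in this hunk). The class body starts before and continues after the hunk.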
@@ -109,10 +118,12 @@ final class AuthenticationHandlerHolder 
      * Returns <code>true</code> if the <code>requestCredentials</code> method
      * of the held authentication handler should be called or not:
      * <ul>
+     * <li>If the handler handles all clients or the request is assumed to be
+     * coming from a browser</li>
      * <li>If the authentication handler is registered without an authentication
      * type</li>
-     * <li>If the <code>sling:authRequestLogin</code> request parameter is not
-     * set</li>
+     * <li>If the <code>sling:authRequestLogin</code> request parameter or
+     * attribute is not set</li>
      * <li>If the <code>sling:authRequestLogin</code> is set to the same value
      * as the authentication type of the held authentication handler.</li>
      * <ul>
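Review bot: The new first `<li>` is listed alongside conditions that read as alternatives, but in the code it is a precondition: when the handler is browser-only and the request is not a browser request, the method returns false regardless of the other items. The Javadoc should separate it from the list, e.g. `Never called if the handler is browser-only and the request is not assumed to come from a browser; otherwise called if any of the following holds:`. The list's closing tag on the last line of this hunk is `<ul>` rather than `</ul>`, which leaves the list unclosed in generated docs. The Javadoc block starts before and ends after this hunk.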
@@ -126,12 +137,17 @@ final class AuthenticationHandlerHolder 
      *         should be called.
      */
     private boolean doesRequestCredentials(final HttpServletRequest request) {
-        // no configured authentication type, always request credentials
+
+        if (browserOnlyRequestCredentials && !AuthUtil.isBrowserRequest(request)) {
+            return false;
+        }
+
         if (authType == null) {
             return true;
         }
 
-        final String requestLogin = request.getParameter(REQUEST_LOGIN_PARAMETER);
+        final String requestLogin = AbstractAuthenticationHandler.getAttributeOrParameter(request,
+            REQUEST_LOGIN_PARAMETER, null);
         return requestLogin == null || authType.equals(requestLogin);
     }
 }
\ No newline at end of file
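Review bot: The new guard at the top of `doesRequestCredentials` has no comment, and the commit also drops the `// no configured authentication type, always request credentials` comment from the `authType == null` branch. I would add `// browser-only handler: suppress the challenge for non-browser clients (extractCredentials is still called)` above the guard and keep the old comment on the branch below. `requestLogin` is now read through `getAttributeOrParameter`, and which of attribute and parameter takes precedence is not visible here. That deserves a short comment, because the parameter is client-supplied and decides which handler issues the challenge.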