You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/01/24 11:02:25 UTC
[tomcat] 01/07: Code cleanup (format). No functional change.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit b6607520d38703f55ab3f5857a8334da53e678aa
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 24 09:55:32 2023 +0000
Code cleanup (format). No functional change.
---
.../catalina/authenticator/AuthenticatorBase.java | 456 ++++++++-------------
.../catalina/authenticator/BasicAuthenticator.java | 75 ++--
.../apache/catalina/authenticator/Constants.java | 22 +-
.../authenticator/DigestAuthenticator.java | 134 +++---
.../catalina/authenticator/FormAuthenticator.java | 144 +++----
.../authenticator/NonLoginAuthenticator.java | 68 ++-
.../catalina/authenticator/SSLAuthenticator.java | 44 +-
.../catalina/authenticator/SavedRequest.java | 19 +-
.../catalina/authenticator/SingleSignOn.java | 257 +++++-------
.../catalina/authenticator/SingleSignOnEntry.java | 82 ++--
.../authenticator/SingleSignOnSessionKey.java | 17 +-
.../authenticator/SpnegoAuthenticator.java | 105 ++---
12 files changed, 560 insertions(+), 863 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 8bd74438e8..a9a00d4e48 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -73,25 +73,21 @@ import org.apache.tomcat.util.http.RequestUtil;
import org.apache.tomcat.util.res.StringManager;
/**
- * Basic implementation of the <b>Valve</b> interface that enforces the
- * <code><security-constraint></code> elements in the web application
- * deployment descriptor. This functionality is implemented as a Valve so that
- * it can be omitted in environments that do not require these features.
- * Individual implementations of each supported authentication method can
- * subclass this base class as required.
+ * Basic implementation of the <b>Valve</b> interface that enforces the <code><security-constraint></code>
+ * elements in the web application deployment descriptor. This functionality is implemented as a Valve so that it can be
+ * omitted in environments that do not require these features. Individual implementations of each supported
+ * authentication method can subclass this base class as required.
* <p>
- * <b>USAGE CONSTRAINT</b>: When this class is utilized, the Context to which it
- * is attached (or a parent Container in a hierarchy) must have an associated
- * Realm that can be used for authenticating users and enumerating the roles to
- * which they have been assigned.
+ * <b>USAGE CONSTRAINT</b>: When this class is utilized, the Context to which it is attached (or a parent Container in a
+ * hierarchy) must have an associated Realm that can be used for authenticating users and enumerating the roles to which
+ * they have been assigned.
* <p>
- * <b>USAGE CONSTRAINT</b>: This Valve is only useful when processing HTTP
- * requests. Requests of any other type will simply be passed through.
+ * <b>USAGE CONSTRAINT</b>: This Valve is only useful when processing HTTP requests. Requests of any other type will
+ * simply be passed through.
*
* @author Craig R. McClanahan
*/
-public abstract class AuthenticatorBase extends ValveBase
- implements Authenticator, RegistrationListener {
+public abstract class AuthenticatorBase extends ValveBase implements Authenticator, RegistrationListener {
private final Log log = LogFactory.getLog(AuthenticatorBase.class); // must not be static
@@ -143,26 +139,21 @@ public abstract class AuthenticatorBase extends ValveBase
// ----------------------------------------------------- Instance Variables
/**
- * Should a session always be used once a user is authenticated? This may
- * offer some performance benefits since the session can then be used to
- * cache the authenticated Principal, hence removing the need to
- * authenticate the user via the Realm on every request. This may be of help
- * for combinations such as BASIC authentication used with the JNDIRealm or
- * DataSourceRealms. However there will also be the performance cost of
- * creating and GC'ing the session. By default, a session will not be
- * created.
+ * Should a session always be used once a user is authenticated? This may offer some performance benefits since the
+ * session can then be used to cache the authenticated Principal, hence removing the need to authenticate the user
+ * via the Realm on every request. This may be of help for combinations such as BASIC authentication used with the
+ * JNDIRealm or DataSourceRealms. However there will also be the performance cost of creating and GC'ing the
+ * session. By default, a session will not be created.
*/
protected boolean alwaysUseSession = false;
/**
- * Should we cache authenticated Principals if the request is part of an
- * HTTP session?
+ * Should we cache authenticated Principals if the request is part of an HTTP session?
*/
protected boolean cache = true;
/**
- * Should the session ID, if any, be changed upon a successful
- * authentication to prevent a session fixation attack?
+ * Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?
*/
protected boolean changeSessionIdOnAuthentication = true;
@@ -172,64 +163,52 @@ public abstract class AuthenticatorBase extends ValveBase
protected Context context = null;
/**
- * Flag to determine if we disable proxy caching, or leave the issue up to
- * the webapp developer.
+ * Flag to determine if we disable proxy caching, or leave the issue up to the webapp developer.
*/
protected boolean disableProxyCaching = true;
/**
- * Flag to determine if we disable proxy caching with headers incompatible
- * with IE.
+ * Flag to determine if we disable proxy caching with headers incompatible with IE.
*/
protected boolean securePagesWithPragma = false;
/**
- * The Java class name of the secure random number generator class to be
- * used when generating SSO session identifiers. The random number generator
- * class must be self-seeding and have a zero-argument constructor. If not
- * specified, an instance of {@link java.security.SecureRandom} will be
- * generated.
+ * The Java class name of the secure random number generator class to be used when generating SSO session
+ * identifiers. The random number generator class must be self-seeding and have a zero-argument constructor. If not
+ * specified, an instance of {@link java.security.SecureRandom} will be generated.
*/
protected String secureRandomClass = null;
/**
- * The name of the algorithm to use to create instances of
- * {@link java.security.SecureRandom} which are used to generate SSO session
- * IDs. If no algorithm is specified, SHA1PRNG is used. If SHA1PRNG is not
- * available, the platform default will be used. To use the platform default
- * (which may be SHA1PRNG), specify the empty string. If an invalid
- * algorithm and/or provider is specified the SecureRandom instances will be
- * created using the defaults. If that fails, the SecureRandom instances
- * will be created using platform defaults.
+ * The name of the algorithm to use to create instances of {@link java.security.SecureRandom} which are used to
+ * generate SSO session IDs. If no algorithm is specified, SHA1PRNG is used. If SHA1PRNG is not available, the
+ * platform default will be used. To use the platform default (which may be SHA1PRNG), specify the empty string. If
+ * an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults.
+ * If that fails, the SecureRandom instances will be created using platform defaults.
*/
protected String secureRandomAlgorithm = SessionIdGeneratorBase.DEFAULT_SECURE_RANDOM_ALGORITHM;
/**
- * The name of the provider to use to create instances of
- * {@link java.security.SecureRandom} which are used to generate session SSO
- * IDs. If no provider is specified the platform default is used. If an
- * invalid algorithm and/or provider is specified the SecureRandom instances
- * will be created using the defaults. If that fails, the SecureRandom
- * instances will be created using platform defaults.
+ * The name of the provider to use to create instances of {@link java.security.SecureRandom} which are used to
+ * generate session SSO IDs. If no provider is specified the platform default is used. If an invalid algorithm
+ * and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the
+ * SecureRandom instances will be created using platform defaults.
*/
protected String secureRandomProvider = null;
/**
- * The name of the JASPIC callback handler class. If none is specified the
- * default {@link org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl}
- * will be used.
+ * The name of the JASPIC callback handler class. If none is specified the default
+ * {@link org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl} will be used.
*/
protected String jaspicCallbackHandlerClass = "org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl";
/**
- * Should the auth information (remote user and auth type) be returned as response
- * headers for a forwarded/proxied request? When the {@link RemoteIpValve} or
- * {@link RemoteIpFilter} mark a forwarded request with the
- * {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} this authenticator can return the
- * values of {@link HttpServletRequest#getRemoteUser()} and
- * {@link HttpServletRequest#getAuthType()} as response headers {@code remote-user}
- * and {@code auth-type} to a reverse proxy. This is useful, e.g., for access log
- * consistency or other decisions to make.
+ * Should the auth information (remote user and auth type) be returned as response headers for a forwarded/proxied
+ * request? When the {@link RemoteIpValve} or {@link RemoteIpFilter} mark a forwarded request with the
+ * {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} this authenticator can return the values of
+ * {@link HttpServletRequest#getRemoteUser()} and {@link HttpServletRequest#getAuthType()} as response headers
+ * {@code remote-user} and {@code auth-type} to a reverse proxy. This is useful, e.g., for access log consistency or
+ * other decisions to make.
*/
protected boolean sendAuthInfoResponseHeaders = false;
@@ -237,8 +216,7 @@ public abstract class AuthenticatorBase extends ValveBase
protected SessionIdGeneratorBase sessionIdGenerator = null;
/**
- * The SingleSignOn implementation in our request processing chain, if there
- * is one.
+ * The SingleSignOn implementation in our request processing chain, if there is one.
*/
protected SingleSignOn sso = null;
@@ -270,8 +248,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Return the cache authenticated Principals flag.
*
- * @return <code>true</code> if authenticated Principals will be cached,
- * otherwise <code>false</code>
+ * @return <code>true</code> if authenticated Principals will be cached, otherwise <code>false</code>
*/
public boolean getCache() {
return this.cache;
@@ -280,8 +257,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Set the cache authenticated Principals flag.
*
- * @param cache
- * The new cache flag
+ * @param cache The new cache flag
*/
public void setCache(boolean cache) {
this.cache = cache;
@@ -298,8 +274,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Set the Container to which this Valve is attached.
*
- * @param container
- * The container to which we are attached
+ * @param container The container to which we are attached
*/
@Override
public void setContainer(Container container) {
@@ -314,70 +289,60 @@ public abstract class AuthenticatorBase extends ValveBase
}
/**
- * Return the flag that states if we add headers to disable caching by
- * proxies.
+ * Return the flag that states if we add headers to disable caching by proxies.
*
- * @return <code>true</code> if the headers will be added, otherwise
- * <code>false</code>
+ * @return <code>true</code> if the headers will be added, otherwise <code>false</code>
*/
public boolean getDisableProxyCaching() {
return disableProxyCaching;
}
/**
- * Set the value of the flag that states if we add headers to disable
- * caching by proxies.
+ * Set the value of the flag that states if we add headers to disable caching by proxies.
*
- * @param nocache
- * <code>true</code> if we add headers to disable proxy caching,
- * <code>false</code> if we leave the headers alone.
+ * @param nocache <code>true</code> if we add headers to disable proxy caching, <code>false</code> if we leave the
+ * headers alone.
*/
public void setDisableProxyCaching(boolean nocache) {
disableProxyCaching = nocache;
}
/**
- * Return the flag that states, if proxy caching is disabled, what headers
- * we add to disable the caching.
+ * Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.
*
- * @return <code>true</code> if a Pragma header should be used, otherwise
- * <code>false</code>
+ * @return <code>true</code> if a Pragma header should be used, otherwise <code>false</code>
*/
public boolean getSecurePagesWithPragma() {
return securePagesWithPragma;
}
/**
- * Set the value of the flag that states what headers we add to disable
- * proxy caching.
+ * Set the value of the flag that states what headers we add to disable proxy caching.
*
- * @param securePagesWithPragma
- * <code>true</code> if we add headers which are incompatible
- * with downloading office documents in IE under SSL but which
- * fix a caching problem in Mozilla.
+ * @param securePagesWithPragma <code>true</code> if we add headers which are incompatible with downloading office
+ * documents in IE under SSL but which fix a caching problem in Mozilla.
*/
public void setSecurePagesWithPragma(boolean securePagesWithPragma) {
this.securePagesWithPragma = securePagesWithPragma;
}
/**
- * Return the flag that states if we should change the session ID of an
- * existing session upon successful authentication.
+ * Return the flag that states if we should change the session ID of an existing session upon successful
+ * authentication.
*
- * @return <code>true</code> to change session ID upon successful
- * authentication, <code>false</code> to do not perform the change.
+ * @return <code>true</code> to change session ID upon successful authentication, <code>false</code> to do not
+ * perform the change.
*/
public boolean getChangeSessionIdOnAuthentication() {
return changeSessionIdOnAuthentication;
}
/**
- * Set the value of the flag that states if we should change the session ID
- * of an existing session upon successful authentication.
+ * Set the value of the flag that states if we should change the session ID of an existing session upon successful
+ * authentication.
*
- * @param changeSessionIdOnAuthentication <code>true</code> to change
- * session ID upon successful authentication, <code>false</code>
- * to do not perform the change.
+ * @param changeSessionIdOnAuthentication <code>true</code> to change session ID upon successful authentication,
+ * <code>false</code> to do not perform the change.
*/
public void setChangeSessionIdOnAuthentication(boolean changeSessionIdOnAuthentication) {
this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
@@ -386,8 +351,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Return the secure random number generator class name.
*
- * @return The fully qualified name of the SecureRandom implementation to
- * use
+ * @return The fully qualified name of the SecureRandom implementation to use
*/
public String getSecureRandomClass() {
return this.secureRandomClass;
@@ -396,8 +360,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Set the secure random number generator class name.
*
- * @param secureRandomClass
- * The new secure random number generator class name
+ * @param secureRandomClass The new secure random number generator class name
*/
public void setSecureRandomClass(String secureRandomClass) {
this.secureRandomClass = secureRandomClass;
@@ -415,8 +378,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Set the secure random number generator algorithm name.
*
- * @param secureRandomAlgorithm
- * The new secure random number generator algorithm name
+ * @param secureRandomAlgorithm The new secure random number generator algorithm name
*/
public void setSecureRandomAlgorithm(String secureRandomAlgorithm) {
this.secureRandomAlgorithm = secureRandomAlgorithm;
@@ -434,8 +396,7 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Set the secure random number generator provider name.
*
- * @param secureRandomProvider
- * The new secure random number generator provider name
+ * @param secureRandomProvider The new secure random number generator provider name
*/
public void setSecureRandomProvider(String secureRandomProvider) {
this.secureRandomProvider = secureRandomProvider;
@@ -453,29 +414,25 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Set the JASPIC callback handler class name
*
- * @param jaspicCallbackHandlerClass
- * The new JASPIC callback handler class name
+ * @param jaspicCallbackHandlerClass The new JASPIC callback handler class name
*/
public void setJaspicCallbackHandlerClass(String jaspicCallbackHandlerClass) {
this.jaspicCallbackHandlerClass = jaspicCallbackHandlerClass;
}
/**
- * Returns the flag whether authentication information will be sent to a reverse
- * proxy on a forwarded request.
+ * Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.
*
- * @return {@code true} if response headers shall be sent, {@code false} otherwise
+ * @return {@code true} if response headers shall be sent, {@code false} otherwise
*/
public boolean isSendAuthInfoResponseHeaders() {
return sendAuthInfoResponseHeaders;
}
/**
- * Sets the flag whether authentication information will be send to a reverse
- * proxy on a forwarded request.
+ * Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.
*
- * @param sendAuthInfoResponseHeaders {@code true} if response headers shall be
- * sent, {@code false} otherwise
+ * @param sendAuthInfoResponseHeaders {@code true} if response headers shall be sent, {@code false} otherwise
*/
public void setSendAuthInfoResponseHeaders(boolean sendAuthInfoResponseHeaders) {
this.sendAuthInfoResponseHeaders = sendAuthInfoResponseHeaders;
@@ -484,25 +441,19 @@ public abstract class AuthenticatorBase extends ValveBase
// --------------------------------------------------------- Public Methods
/**
- * Enforce the security restrictions in the web application deployment
- * descriptor of our associated Context.
+ * Enforce the security restrictions in the web application deployment descriptor of our associated Context.
*
- * @param request
- * Request to be processed
- * @param response
- * Response to be processed
+ * @param request Request to be processed
+ * @param response Response to be processed
*
- * @exception IOException
- * if an input/output error occurs
- * @exception ServletException
- * if thrown by a processing element
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if thrown by a processing element
*/
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
if (log.isDebugEnabled()) {
- log.debug("Security checking request " + request.getMethod() + " " +
- request.getRequestURI());
+ log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
}
// Have we got a cached authenticated Principal to record?
@@ -514,8 +465,8 @@ public abstract class AuthenticatorBase extends ValveBase
principal = session.getPrincipal();
if (principal != null) {
if (log.isDebugEnabled()) {
- log.debug("We have cached auth type " + session.getAuthType() +
- " for principal " + principal);
+ log.debug("We have cached auth type " + session.getAuthType() + " for principal " +
+ principal);
}
request.setAuthType(session.getAuthType());
request.setUserPrincipal(principal);
@@ -545,8 +496,7 @@ public abstract class AuthenticatorBase extends ValveBase
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
- if (constraints != null && disableProxyCaching &&
- !"POST".equalsIgnoreCase(request.getMethod())) {
+ if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
if (securePagesWithPragma) {
// Note: These can cause problems with downloading files with IE
response.setHeader("Pragma", "No-cache");
@@ -567,8 +517,8 @@ public abstract class AuthenticatorBase extends ValveBase
log.debug("Failed hasUserDataPermission() test");
}
/*
- * ASSERT: Authenticator already set the appropriate HTTP status
- * code, so we do not have to do anything special
+ * ASSERT: Authenticator already set the appropriate HTTP status code, so we do not have to do anything
+ * special
*/
return;
}
@@ -582,8 +532,7 @@ public abstract class AuthenticatorBase extends ValveBase
for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
if (!constraints[i].getAuthConstraint()) {
hasAuthConstraint = false;
- } else if (!constraints[i].getAllRoles() &&
- !constraints[i].getAuthenticatedUsers()) {
+ } else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
String[] roles = constraints[i].findAuthRoles();
if (roles == null || roles.length == 0) {
hasAuthConstraint = false;
@@ -596,8 +545,7 @@ public abstract class AuthenticatorBase extends ValveBase
authRequired = true;
}
- if (!authRequired && context.getPreemptiveAuthentication() &&
- isPreemptiveAuthPossible(request)) {
+ if (!authRequired && context.getPreemptiveAuthentication() && isPreemptiveAuthPossible(request)) {
authRequired = true;
}
@@ -624,14 +572,13 @@ public abstract class AuthenticatorBase extends ValveBase
}
if (jaspicProvider == null && !doAuthenticate(request, response) ||
- jaspicProvider != null &&
- !authenticateJaspic(request, response, jaspicState, false)) {
+ jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false)) {
if (log.isDebugEnabled()) {
log.debug("Failed authenticate() test");
}
/*
- * ASSERT: Authenticator already set the appropriate HTTP status
- * code, so we do not have to do anything special
+ * ASSERT: Authenticator already set the appropriate HTTP status code, so we do not have to do anything
+ * special
*/
return;
}
@@ -647,8 +594,8 @@ public abstract class AuthenticatorBase extends ValveBase
log.debug("Failed accessControl() test");
}
/*
- * ASSERT: AccessControl method has already set the appropriate
- * HTTP status code, so we do not have to do anything special
+ * ASSERT: AccessControl method has already set the appropriate HTTP status code, so we do not have to
+ * do anything special
*/
return;
}
@@ -674,14 +621,11 @@ public abstract class AuthenticatorBase extends ValveBase
// This is a subset of the tests in CorsFilter.checkRequestType
if ("OPTIONS".equals(request.getMethod())) {
String originHeader = request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN);
- if (originHeader != null &&
- !originHeader.isEmpty() &&
- RequestUtil.isValidOrigin(originHeader) &&
+ if (originHeader != null && !originHeader.isEmpty() && RequestUtil.isValidOrigin(originHeader) &&
!RequestUtil.isSameOrigin(request, originHeader)) {
- String accessControlRequestMethodHeader =
- request.getHeader(CorsFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
- if (accessControlRequestMethodHeader != null &&
- !accessControlRequestMethodHeader.isEmpty()) {
+ String accessControlRequestMethodHeader = request
+ .getHeader(CorsFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
+ if (accessControlRequestMethodHeader != null && !accessControlRequestMethodHeader.isEmpty()) {
// This appears to be a CORS Preflight request
if (allowCorsPreflight == AllowCorsPreflight.ALWAYS) {
allowBypass = true;
@@ -725,8 +669,7 @@ public abstract class AuthenticatorBase extends ValveBase
@Override
- public boolean authenticate(Request request, HttpServletResponse httpResponse)
- throws IOException {
+ public boolean authenticate(Request request, HttpServletResponse httpResponse) throws IOException {
AuthConfigProvider jaspicProvider = getJaspicProvider();
@@ -759,17 +702,16 @@ public abstract class AuthenticatorBase extends ValveBase
}
- private JaspicState getJaspicState(AuthConfigProvider jaspicProvider, Request request,
- Response response, boolean authMandatory) throws IOException {
+ private JaspicState getJaspicState(AuthConfigProvider jaspicProvider, Request request, Response response,
+ boolean authMandatory) throws IOException {
JaspicState jaspicState = new JaspicState();
- jaspicState.messageInfo =
- new MessageInfoImpl(request.getRequest(), response.getResponse(), authMandatory);
+ jaspicState.messageInfo = new MessageInfoImpl(request.getRequest(), response.getResponse(), authMandatory);
try {
CallbackHandler callbackHandler = getCallbackHandler();
- ServerAuthConfig serverAuthConfig = jaspicProvider.getServerAuthConfig(
- "HttpServlet", jaspicAppContextID, callbackHandler);
+ ServerAuthConfig serverAuthConfig = jaspicProvider.getServerAuthConfig("HttpServlet", jaspicAppContextID,
+ callbackHandler);
String authContextID = serverAuthConfig.getAuthContextID(jaspicState.messageInfo);
jaspicState.serverAuthContext = serverAuthConfig.getAuthContext(authContextID, null, null);
} catch (AuthException e) {
@@ -796,8 +738,7 @@ public abstract class AuthenticatorBase extends ValveBase
Class<?> clazz = null;
try {
- clazz = Class.forName(jaspicCallbackHandlerClass, true,
- Thread.currentThread().getContextClassLoader());
+ clazz = Class.forName(jaspicCallbackHandlerClass, true, Thread.currentThread().getContextClassLoader());
} catch (ClassNotFoundException e) {
// Proceed with the retry below
}
@@ -806,7 +747,7 @@ public abstract class AuthenticatorBase extends ValveBase
if (clazz == null) {
clazz = Class.forName(jaspicCallbackHandlerClass);
}
- callbackHandler = (CallbackHandler)clazz.getConstructor().newInstance();
+ callbackHandler = (CallbackHandler) clazz.getConstructor().newInstance();
} catch (ReflectiveOperationException e) {
throw new SecurityException(e);
}
@@ -823,32 +764,26 @@ public abstract class AuthenticatorBase extends ValveBase
// ------------------------------------------------------ Protected Methods
/**
- * Provided for sub-classes to implement their specific authentication
- * mechanism.
+ * Provided for sub-classes to implement their specific authentication mechanism.
*
- * @param request The request that triggered the authentication
+ * @param request The request that triggered the authentication
* @param response The response associated with the request
*
* @return {@code true} if the the user was authenticated, otherwise {@code
- * false}, in which case an authentication challenge will have been
- * written to the response
+ * false}, in which case an authentication challenge will have been written to the response
*
- * @throws IOException If an I/O problem occurred during the authentication
- * process
+ * @throws IOException If an I/O problem occurred during the authentication process
*/
- protected abstract boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException;
+ protected abstract boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException;
/**
- * Does this authenticator require that {@link #authenticate(Request,
- * HttpServletResponse)} is called to continue an authentication process
- * that started in a previous request?
+ * Does this authenticator require that {@link #authenticate(Request, HttpServletResponse)} is called to continue an
+ * authentication process that started in a previous request?
*
* @param request The request currently being processed
*
- * @return {@code true} if authenticate() must be called, otherwise
- * {@code false}
+ * @return {@code true} if authenticate() must be called, otherwise {@code false}
*/
protected boolean isContinuationRequired(Request request) {
return false;
@@ -856,13 +791,10 @@ public abstract class AuthenticatorBase extends ValveBase
/**
- * Associate the specified single sign on identifier with the specified
- * Session.
+ * Associate the specified single sign on identifier with the specified Session.
*
- * @param ssoId
- * Single sign on identifier
- * @param session
- * Session to be associated
+ * @param ssoId Single sign on identifier
+ * @param session Session to be associated
*/
protected void associate(String ssoId, Session session) {
@@ -921,11 +853,9 @@ public abstract class AuthenticatorBase extends ValveBase
}
/*
- * Need to handle three cases.
- * See https://bz.apache.org/bugzilla/show_bug.cgi?id=64713
- * 1. registerSession TRUE always use session, always cache
- * 2. registerSession NOT SET config for session, config for cache
- * 3. registerSession FALSE config for session, never cache
+ * Need to handle three cases. See https://bz.apache.org/bugzilla/show_bug.cgi?id=64713 1.
+ * registerSession TRUE always use session, always cache 2. registerSession NOT SET config for session,
+ * config for cache 3. registerSession FALSE config for session, never cache
*/
if (register != null) {
register(request, response, principal, authType, null, null,
@@ -956,20 +886,14 @@ public abstract class AuthenticatorBase extends ValveBase
/**
- * Check to see if the user has already been authenticated earlier in the
- * processing chain or if there is enough information available to
- * authenticate the user without requiring further user interaction.
+ * Check to see if the user has already been authenticated earlier in the processing chain or if there is enough
+ * information available to authenticate the user without requiring further user interaction.
*
- * @param request
- * The current request
- * @param response
- * The current response
- * @param useSSO
- * Should information available from SSO be used to attempt to
- * authenticate the current user?
+ * @param request The current request
+ * @param response The current response
+ * @param useSSO Should information available from SSO be used to attempt to authenticate the current user?
*
- * @return <code>true</code> if the user was authenticated via the cache,
- * otherwise <code>false</code>
+ * @return <code>true</code> if the user was authenticated via the cache, otherwise <code>false</code>
*/
protected boolean checkForCachedAuthentication(Request request, HttpServletResponse response, boolean useSSO) {
@@ -995,12 +919,10 @@ public abstract class AuthenticatorBase extends ValveBase
log.debug(sm.getString("authenticator.check.sso", ssoId));
}
/*
- * Try to reauthenticate using data cached by SSO. If this fails,
- * either the original SSO logon was of DIGEST or SSL (which we
- * can't reauthenticate ourselves because there is no cached
- * username and password), or the realm denied the user's
- * reauthentication for some reason. In either case we have to
- * prompt the user for a logon
+ * Try to reauthenticate using data cached by SSO. If this fails, either the original SSO logon was of
+ * DIGEST or SSL (which we can't reauthenticate ourselves because there is no cached username and password),
+ * or the realm denied the user's reauthentication for some reason. In either case we have to prompt the
+ * user for a logon
*/
if (reauthenticateFromSSO(ssoId, request)) {
return true;
@@ -1036,14 +958,12 @@ public abstract class AuthenticatorBase extends ValveBase
}
/**
- * Attempts reauthentication to the <code>Realm</code> using the credentials
- * included in argument <code>entry</code>.
+ * Attempts reauthentication to the <code>Realm</code> using the credentials included in argument
+ * <code>entry</code>.
+ *
+ * @param ssoId identifier of SingleSignOn session with which the caller is associated
+ * @param request the request that needs to be authenticated
*
- * @param ssoId
- * identifier of SingleSignOn session with which the caller is
- * associated
- * @param request
- * the request that needs to be authenticated
* @return <code>true</code> if the reauthentication from SSL occurred
*/
protected boolean reauthenticateFromSSO(String ssoId, Request request) {
@@ -1066,8 +986,7 @@ public abstract class AuthenticatorBase extends ValveBase
associate(ssoId, request.getSessionInternal(true));
if (log.isDebugEnabled()) {
- log.debug("Reauthenticated cached principal '" +
- request.getUserPrincipal().getName() +
+ log.debug("Reauthenticated cached principal '" + request.getUserPrincipal().getName() +
"' with auth type '" + request.getAuthType() + "'");
}
}
@@ -1076,57 +995,37 @@ public abstract class AuthenticatorBase extends ValveBase
}
/**
- * Register an authenticated Principal and authentication type in our
- * request, in the current session (if there is one), and with our
- * SingleSignOn valve, if there is one. Set the appropriate cookie to be
- * returned.
+ * Register an authenticated Principal and authentication type in our request, in the current session (if there is
+ * one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.
*
- * @param request
- * The servlet request we are processing
- * @param response
- * The servlet response we are generating
- * @param principal
- * The authenticated Principal to be registered
- * @param authType
- * The authentication type to be registered
- * @param username
- * Username used to authenticate (if any)
- * @param password
- * Password used to authenticate (if any)
+ * @param request The servlet request we are processing
+ * @param response The servlet response we are generating
+ * @param principal The authenticated Principal to be registered
+ * @param authType The authentication type to be registered
+ * @param username Username used to authenticate (if any)
+ * @param password Password used to authenticate (if any)
*/
- public void register(Request request, HttpServletResponse response, Principal principal,
- String authType, String username, String password) {
+ public void register(Request request, HttpServletResponse response, Principal principal, String authType,
+ String username, String password) {
register(request, response, principal, authType, username, password, alwaysUseSession, cache);
}
/**
- * Register an authenticated Principal and authentication type in our
- * request, in the current session (if there is one), and with our
- * SingleSignOn valve, if there is one. Set the appropriate cookie to be
- * returned.
+ * Register an authenticated Principal and authentication type in our request, in the current session (if there is
+ * one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.
*
- * @param request
- * The servlet request we are processing
- * @param response
- * The servlet response we are generating
- * @param principal
- * The authenticated Principal to be registered
- * @param authType
- * The authentication type to be registered
- * @param username
- * Username used to authenticate (if any)
- * @param password
- * Password used to authenticate (if any)
- * @param alwaysUseSession
- * Should a session always be used once a user is authenticated?
- * @param cache
- * Should we cache authenticated Principals if the request is part of an
- * HTTP session?
+ * @param request The servlet request we are processing
+ * @param response The servlet response we are generating
+ * @param principal The authenticated Principal to be registered
+ * @param authType The authentication type to be registered
+ * @param username Username used to authenticate (if any)
+ * @param password Password used to authenticate (if any)
+ * @param alwaysUseSession Should a session always be used once a user is authenticated?
+ * @param cache Should we cache authenticated Principals if the request is part of an HTTP session?
*/
- protected void register(Request request, HttpServletResponse response, Principal principal,
- String authType, String username, String password, boolean alwaysUseSession,
- boolean cache) {
+ protected void register(Request request, HttpServletResponse response, Principal principal, String authType,
+ String username, String password, boolean alwaysUseSession, boolean cache) {
if (log.isDebugEnabled()) {
String name = (principal == null) ? "none" : principal.getName();
@@ -1137,8 +1036,8 @@ public abstract class AuthenticatorBase extends ValveBase
request.setAuthType(authType);
request.setUserPrincipal(principal);
- if (sendAuthInfoResponseHeaders
- && Boolean.TRUE.equals(request.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE))) {
+ if (sendAuthInfoResponseHeaders &&
+ Boolean.TRUE.equals(request.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE))) {
response.setHeader("remote-user", request.getRemoteUser());
response.setHeader("auth-type", request.getAuthType());
}
@@ -1253,18 +1152,15 @@ public abstract class AuthenticatorBase extends ValveBase
/**
* Process the login request.
*
- * @param request
- * Associated request
- * @param username
- * The user
- * @param password
- * The password
+ * @param request Associated request
+ * @param username The user
+ * @param password The password
+ *
* @return The authenticated Principal
- * @throws ServletException
- * No principal was authenticated with the specified credentials
+ *
+ * @throws ServletException No principal was authenticated with the specified credentials
*/
- protected Principal doLogin(Request request, String username, String password)
- throws ServletException {
+ protected Principal doLogin(Request request, String username, String password) throws ServletException {
Principal p = context.getRealm().authenticate(username, password);
if (p == null) {
throw new ServletException(sm.getString("authenticator.loginFail"));
@@ -1281,8 +1177,8 @@ public abstract class AuthenticatorBase extends ValveBase
if (client != null) {
ServerAuthContext serverAuthContext;
try {
- ServerAuthConfig serverAuthConfig = provider.getServerAuthConfig("HttpServlet",
- jaspicAppContextID, getCallbackHandler());
+ ServerAuthConfig serverAuthConfig = provider.getServerAuthConfig("HttpServlet", jaspicAppContextID,
+ getCallbackHandler());
String authContextID = serverAuthConfig.getAuthContextID(messageInfo);
serverAuthContext = serverAuthConfig.getAuthContext(authContextID, null, null);
serverAuthContext.cleanSubject(messageInfo, client);
@@ -1310,15 +1206,13 @@ public abstract class AuthenticatorBase extends ValveBase
* Start this component and implement the requirements of
* {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
*
- * @exception LifecycleException
- * if this component detects a fatal error that prevents this
- * component from being used
+ * @exception LifecycleException if this component detects a fatal error that prevents this component from being
+ * used
*/
@Override
protected synchronized void startInternal() throws LifecycleException {
ServletContext servletContext = context.getServletContext();
- jaspicAppContextID = servletContext.getVirtualServerName() + " " +
- servletContext.getContextPath();
+ jaspicAppContextID = servletContext.getVirtualServerName() + " " + servletContext.getContextPath();
// Look up the SingleSignOn implementation in our request processing
// path, if there is one
@@ -1356,9 +1250,8 @@ public abstract class AuthenticatorBase extends ValveBase
* Stop this component and implement the requirements of
* {@link org.apache.catalina.util.LifecycleBase#stopInternal()}.
*
- * @exception LifecycleException
- * if this component detects a fatal error that prevents this
- * component from being used
+ * @exception LifecycleException if this component detects a fatal error that prevents this component from being
+ * used
*/
@Override
protected synchronized void stopInternal() throws LifecycleException {
@@ -1370,13 +1263,11 @@ public abstract class AuthenticatorBase extends ValveBase
/**
- * Can the authenticator perform preemptive authentication for the given
- * request?
+ * Can the authenticator perform preemptive authentication for the given request?
*
* @param request The request to check for credentials
*
- * @return {@code true} if preemptive authentication is possible, otherwise
- * {@code false}
+ * @return {@code true} if preemptive authentication is possible, otherwise {@code false}
*/
protected boolean isPreemptiveAuthPossible(Request request) {
return false;
@@ -1398,8 +1289,7 @@ public abstract class AuthenticatorBase extends ValveBase
if (factory == null) {
provider = Optional.empty();
} else {
- provider = Optional.ofNullable(
- factory.getConfigProvider("HttpServlet", jaspicAppContextID, this));
+ provider = Optional.ofNullable(factory.getConfigProvider("HttpServlet", jaspicAppContextID, this));
}
jaspicProvider = provider;
return provider;
@@ -1419,8 +1309,6 @@ public abstract class AuthenticatorBase extends ValveBase
protected enum AllowCorsPreflight {
- NEVER,
- FILTER,
- ALWAYS
+ NEVER, FILTER, ALWAYS
}
}
diff --git a/java/org/apache/catalina/authenticator/BasicAuthenticator.java b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
index 730323cc46..f19c89c6a6 100644
--- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
@@ -32,9 +32,8 @@ import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.codec.binary.Base64;
/**
- * An <b>Authenticator</b> and <b>Valve</b> implementation of HTTP BASIC
- * Authentication, as outlined in RFC 2617: "HTTP Authentication: Basic
- * and Digest Access Authentication."
+ * An <b>Authenticator</b> and <b>Valve</b> implementation of HTTP BASIC Authentication, as outlined in RFC 2617: "HTTP
+ * Authentication: Basic and Digest Access Authentication."
*
* @author Craig R. McClanahan
*/
@@ -65,7 +64,6 @@ public class BasicAuthenticator extends AuthenticatorBase {
}
-
public boolean getTrimCredentials() {
return trimCredentials;
}
@@ -77,17 +75,14 @@ public class BasicAuthenticator extends AuthenticatorBase {
@Override
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException {
+ protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
if (checkForCachedAuthentication(request, response, true)) {
return true;
}
// Validate any credentials already included with this request
- MessageBytes authorization =
- request.getCoyoteRequest().getMimeHeaders()
- .getValue("authorization");
+ MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
if (authorization != null) {
authorization.toBytes();
@@ -100,12 +95,10 @@ public class BasicAuthenticator extends AuthenticatorBase {
Principal principal = context.getRealm().authenticate(username, password);
if (principal != null) {
- register(request, response, principal,
- HttpServletRequest.BASIC_AUTH, username, password);
+ register(request, response, principal, HttpServletRequest.BASIC_AUTH, username, password);
return true;
}
- }
- catch (IllegalArgumentException iae) {
+ } catch (IllegalArgumentException iae) {
if (log.isDebugEnabled()) {
log.debug("Invalid Authorization" + iae.getMessage());
}
@@ -142,9 +135,8 @@ public class BasicAuthenticator extends AuthenticatorBase {
/**
- * Parser for an HTTP Authorization header for BASIC authentication
- * as per RFC 2617 section 2, and the Base64 encoded credentials as
- * per RFC 2045 section 6.8.
+ * Parser for an HTTP Authorization header for BASIC authentication as per RFC 2617 section 2, and the Base64
+ * encoded credentials as per RFC 2045 section 6.8.
*/
public static class BasicCredentials {
@@ -163,18 +155,14 @@ public class BasicAuthenticator extends AuthenticatorBase {
private String password = null;
/**
- * Parse the HTTP Authorization header for BASIC authentication
- * as per RFC 2617 section 2, and the Base64 encoded credentials
- * as per RFC 2045 section 6.8.
+ * Parse the HTTP Authorization header for BASIC authentication as per RFC 2617 section 2, and the Base64
+ * encoded credentials as per RFC 2045 section 6.8.
*
* @param input The header value to parse in-place
- * @param charset The character set to use to convert the bytes
- * to a string
- * @param trimCredentials Should leading and trailing whitespace be
- * removed from the parsed credentials
+ * @param charset The character set to use to convert the bytes to a string
+ * @param trimCredentials Should leading and trailing whitespace be removed from the parsed credentials
*
- * @throws IllegalArgumentException If the header does not conform
- * to RFC 2617
+ * @throws IllegalArgumentException If the header does not conform to RFC 2617
*/
public BasicCredentials(ByteChunk input, Charset charset, boolean trimCredentials)
throws IllegalArgumentException {
@@ -191,8 +179,7 @@ public class BasicAuthenticator extends AuthenticatorBase {
/**
* Trivial accessor.
*
- * @return the decoded username token as a String, which is
- * never be <code>null</code>, but can be empty.
+ * @return the decoded username token as a String, which is never be <code>null</code>, but can be empty.
*/
public String getUsername() {
return username;
@@ -201,16 +188,15 @@ public class BasicAuthenticator extends AuthenticatorBase {
/**
* Trivial accessor.
*
- * @return the decoded password token as a String, or <code>null</code>
- * if no password was found in the credentials.
+ * @return the decoded password token as a String, or <code>null</code> if no password was found in the
+ * credentials.
*/
public String getPassword() {
return password;
}
/*
- * The authorization method string is case-insensitive and must
- * hae at least one space character as a delimiter.
+ * The authorization method string is case-insensitive and must hae at least one space character as a delimiter.
*/
private void parseMethod() throws IllegalArgumentException {
if (authorization.startsWithIgnoreCase(METHOD, 0)) {
@@ -219,35 +205,30 @@ public class BasicAuthenticator extends AuthenticatorBase {
base64blobLength = authorization.getLength() - METHOD.length();
} else {
// is this possible, or permitted?
- throw new IllegalArgumentException(
- "Authorization header method is not \"Basic\"");
+ throw new IllegalArgumentException("Authorization header method is not \"Basic\"");
}
}
+
/*
- * Decode the base64-user-pass token, which RFC 2617 states
- * can be longer than the 76 characters per line limit defined
- * in RFC 2045. The base64 decoder will ignore embedded line
- * break characters as well as surplus surrounding white space.
+ * Decode the base64-user-pass token, which RFC 2617 states can be longer than the 76 characters per line limit
+ * defined in RFC 2045. The base64 decoder will ignore embedded line break characters as well as surplus
+ * surrounding white space.
*/
private byte[] parseBase64() throws IllegalArgumentException {
- byte[] decoded = Base64.decodeBase64(
- authorization.getBuffer(),
- base64blobOffset, base64blobLength);
- // restore original offset
+ byte[] decoded = Base64.decodeBase64(authorization.getBuffer(), base64blobOffset, base64blobLength);
+ // restore original offset
authorization.setOffset(initialOffset);
if (decoded == null) {
- throw new IllegalArgumentException(
- "Basic Authorization credentials are not Base64");
+ throw new IllegalArgumentException("Basic Authorization credentials are not Base64");
}
return decoded;
}
/*
- * Extract the mandatory username token and separate it from the
- * optional password token. Tolerate surplus surrounding white space.
+ * Extract the mandatory username token and separate it from the optional password token. Tolerate surplus
+ * surrounding white space.
*/
- private void parseCredentials(byte[] decoded)
- throws IllegalArgumentException {
+ private void parseCredentials(byte[] decoded) throws IllegalArgumentException {
int colon = -1;
for (int i = 0; i < decoded.length; i++) {
diff --git a/java/org/apache/catalina/authenticator/Constants.java b/java/org/apache/catalina/authenticator/Constants.java
index bb59fd93f7..6b0778da79 100644
--- a/java/org/apache/catalina/authenticator/Constants.java
+++ b/java/org/apache/catalina/authenticator/Constants.java
@@ -41,8 +41,7 @@ public class Constants {
// --------------------------------------------------------- Request Notes
/**
- * The notes key to track the single-sign-on identity with which this
- * request is associated.
+ * The notes key to track the single-sign-on identity with which this request is associated.
*/
public static final String REQ_SSOID_NOTE = "org.apache.catalina.request.SSOID";
@@ -58,26 +57,23 @@ public class Constants {
/**
- * If the <code>cache</code> property of the authenticator is set, and the
- * current request is part of a session, the password used to authenticate
- * this user will be cached under this key to avoid the need for repeated
- * calls to <code>Realm.authenticate()</code>.
+ * If the <code>cache</code> property of the authenticator is set, and the current request is part of a session, the
+ * password used to authenticate this user will be cached under this key to avoid the need for repeated calls to
+ * <code>Realm.authenticate()</code>.
*/
public static final String SESS_PASSWORD_NOTE = "org.apache.catalina.session.PASSWORD";
/**
- * If the <code>cache</code> property of the authenticator is set, and the
- * current request is part of a session, the user name used to authenticate
- * this user will be cached under this key to avoid the need for repeated
- * calls to <code>Realm.authenticate()</code>.
+ * If the <code>cache</code> property of the authenticator is set, and the current request is part of a session, the
+ * user name used to authenticate this user will be cached under this key to avoid the need for repeated calls to
+ * <code>Realm.authenticate()</code>.
*/
public static final String SESS_USERNAME_NOTE = "org.apache.catalina.session.USERNAME";
/**
- * The original request information, to which the user will be redirected if
- * authentication succeeds, is cached in the notes under this key during the
- * authentication process.
+ * The original request information, to which the user will be redirected if authentication succeeds, is cached in
+ * the notes under this key during the authentication process.
*/
public static final String FORM_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST";
}
diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
index 1ae286cb30..9775705447 100644
--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java
@@ -38,8 +38,7 @@ import org.apache.tomcat.util.security.MD5Encoder;
/**
- * An <b>Authenticator</b> and <b>Valve</b> implementation of HTTP DIGEST
- * Authentication (see RFC 2069).
+ * An <b>Authenticator</b> and <b>Valve</b> implementation of HTTP DIGEST Authentication (see RFC 2069).
*
* @author Craig R. McClanahan
* @author Remy Maucherat
@@ -70,27 +69,25 @@ public class DigestAuthenticator extends AuthenticatorBase {
/**
* List of server nonce values currently being tracked
*/
- protected Map<String,NonceInfo> nonces;
+ protected Map<String, NonceInfo> nonces;
/**
- * The last timestamp used to generate a nonce. Each nonce should get a
- * unique timestamp.
+ * The last timestamp used to generate a nonce. Each nonce should get a unique timestamp.
*/
protected long lastTimestamp = 0;
protected final Object lastTimestampLock = new Object();
/**
- * Maximum number of server nonces to keep in the cache. If not specified,
- * the default value of 1000 is used.
+ * Maximum number of server nonces to keep in the cache. If not specified, the default value of 1000 is used.
*/
protected int nonceCacheSize = 1000;
/**
- * The window size to use to track seen nonce count values for a given
- * nonce. If not specified, the default of 100 is used.
+ * The window size to use to track seen nonce count values for a given nonce. If not specified, the default of 100
+ * is used.
*/
protected int nonceCountWindowSize = 100;
@@ -101,8 +98,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
/**
- * How long server nonces are valid for in milliseconds. Defaults to 5
- * minutes.
+ * How long server nonces are valid for in milliseconds. Defaults to 5 minutes.
*/
protected long nonceValidity = 5 * 60 * 1000;
@@ -114,8 +110,8 @@ public class DigestAuthenticator extends AuthenticatorBase {
/**
- * Should the URI be validated as required by RFC2617? Can be disabled in
- * reverse proxies where the proxy has modified the URI.
+ * Should the URI be validated as required by RFC2617? Can be disabled in reverse proxies where the proxy has
+ * modified the URI.
*/
protected boolean validateUri = true;
@@ -184,19 +180,17 @@ public class DigestAuthenticator extends AuthenticatorBase {
// --------------------------------------------------------- Public Methods
/**
- * Authenticate the user making this request, based on the specified
- * login configuration. Return <code>true</code> if any specified
- * constraint has been satisfied, or <code>false</code> if we have
- * created a response challenge already.
+ * Authenticate the user making this request, based on the specified login configuration. Return <code>true</code>
+ * if any specified constraint has been satisfied, or <code>false</code> if we have created a response challenge
+ * already.
*
- * @param request Request we are processing
+ * @param request Request we are processing
* @param response Response we are creating
*
* @exception IOException if an input/output error occurs
*/
@Override
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException {
+ protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
@@ -213,8 +207,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
// Validate any credentials already included with this request
Principal principal = null;
String authorization = request.getHeader("authorization");
- DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),
- getKey(), nonces, isValidateUri());
+ DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(), getKey(), nonces, isValidateUri());
if (authorization != null) {
if (digestInfo.parse(request, authorization)) {
if (digestInfo.validate(request)) {
@@ -222,9 +215,8 @@ public class DigestAuthenticator extends AuthenticatorBase {
}
if (principal != null && !digestInfo.isNonceStale()) {
- register(request, response, principal,
- HttpServletRequest.DIGEST_AUTH,
- digestInfo.getUsername(), null);
+ register(request, response, principal, HttpServletRequest.DIGEST_AUTH, digestInfo.getUsername(),
+ null);
return true;
}
}
@@ -236,8 +228,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
// to be unique).
String nonce = generateNonce(request);
- setAuthenticateHeader(request, response, nonce,
- principal != null && digestInfo.isNonceStale());
+ setAuthenticateHeader(request, response, nonce, principal != null && digestInfo.isNonceStale());
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
@@ -253,18 +244,16 @@ public class DigestAuthenticator extends AuthenticatorBase {
/**
- * Removes the quotes on a string. RFC2617 states quotes are optional for
- * all parameters except realm.
+ * Removes the quotes on a string. RFC2617 states quotes are optional for all parameters except realm.
*
- * @param quotedString The quoted string
+ * @param quotedString The quoted string
* @param quotesRequired <code>true</code> if quotes were required
+ *
* @return The unquoted string
*/
- protected static String removeQuotes(String quotedString,
- boolean quotesRequired) {
- //support both quoted and non-quoted
- if (quotedString.length() > 0 && quotedString.charAt(0) != '"' &&
- !quotesRequired) {
+ protected static String removeQuotes(String quotedString, boolean quotesRequired) {
+ // support both quoted and non-quoted
+ if (quotedString.length() > 0 && quotedString.charAt(0) != '"' && !quotesRequired) {
return quotedString;
} else if (quotedString.length() > 2) {
return quotedString.substring(1, quotedString.length() - 1);
@@ -277,6 +266,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
* Removes the quotes on a string.
*
* @param quotedString The quoted string
+ *
* @return The unquoted string
*/
protected static String removeQuotes(String quotedString) {
@@ -284,11 +274,11 @@ public class DigestAuthenticator extends AuthenticatorBase {
}
/**
- * Generate a unique token. The token is generated according to the
- * following pattern. NOnceToken = Base64 ( MD5 ( client-IP ":"
- * time-stamp ":" private-key ) ).
+ * Generate a unique token. The token is generated according to the following pattern. NOnceToken = Base64 ( MD5 (
+ * client-IP ":" time-stamp ":" private-key ) ).
*
* @param request HTTP Servlet request
+ *
* @return The generated nonce
*/
protected String generateNonce(Request request) {
@@ -303,11 +293,9 @@ public class DigestAuthenticator extends AuthenticatorBase {
}
}
- String ipTimeKey =
- request.getRemoteAddr() + ":" + currentTime + ":" + getKey();
+ String ipTimeKey = request.getRemoteAddr() + ":" + currentTime + ":" + getKey();
- byte[] buffer = ConcurrentMessageDigest.digestMD5(
- ipTimeKey.getBytes(StandardCharsets.ISO_8859_1));
+ byte[] buffer = ConcurrentMessageDigest.digestMD5(ipTimeKey.getBytes(StandardCharsets.ISO_8859_1));
String nonce = currentTime + ":" + MD5Encoder.encode(buffer);
NonceInfo info = new NonceInfo(currentTime, getNonceCountWindowSize());
@@ -323,6 +311,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
* Generates the WWW-Authenticate header.
* <p>
* The header MUST follow this template :
+ *
* <pre>
* WWW-Authenticate = "WWW-Authenticate" ":" "Digest"
* digest-challenge
@@ -340,27 +329,23 @@ public class DigestAuthenticator extends AuthenticatorBase {
* algorithm = "algorithm" "=" ( "MD5" | token )
* </pre>
*
- * @param request HTTP Servlet request
- * @param response HTTP Servlet response
- * @param nonce nonce token
+ * @param request HTTP Servlet request
+ * @param response HTTP Servlet response
+ * @param nonce nonce token
* @param isNonceStale <code>true</code> to add a stale parameter
*/
- protected void setAuthenticateHeader(HttpServletRequest request,
- HttpServletResponse response,
- String nonce,
- boolean isNonceStale) {
+ protected void setAuthenticateHeader(HttpServletRequest request, HttpServletResponse response, String nonce,
+ boolean isNonceStale) {
String realmName = getRealmName(context);
String authenticateHeader;
if (isNonceStale) {
- authenticateHeader = "Digest realm=\"" + realmName + "\", " +
- "qop=\"" + QOP + "\", nonce=\"" + nonce + "\", " + "opaque=\"" +
- getOpaque() + "\", stale=true";
+ authenticateHeader = "Digest realm=\"" + realmName + "\", " + "qop=\"" + QOP + "\", nonce=\"" + nonce +
+ "\", " + "opaque=\"" + getOpaque() + "\", stale=true";
} else {
- authenticateHeader = "Digest realm=\"" + realmName + "\", " +
- "qop=\"" + QOP + "\", nonce=\"" + nonce + "\", " + "opaque=\"" +
- getOpaque() + "\"";
+ authenticateHeader = "Digest realm=\"" + realmName + "\", " + "qop=\"" + QOP + "\", nonce=\"" + nonce +
+ "\", " + "opaque=\"" + getOpaque() + "\"";
}
response.setHeader(AUTH_HEADER_NAME, authenticateHeader);
@@ -399,17 +384,13 @@ public class DigestAuthenticator extends AuthenticatorBase {
private long lastLog = 0;
@Override
- protected boolean removeEldestEntry(
- Map.Entry<String,NonceInfo> eldest) {
+ protected boolean removeEldestEntry(Map.Entry<String, NonceInfo> eldest) {
// This is called from a sync so keep it simple
long currentTime = System.currentTimeMillis();
if (size() > getNonceCacheSize()) {
- if (lastLog < currentTime &&
- currentTime - eldest.getValue().getTimestamp() <
- getNonceValidity()) {
+ if (lastLog < currentTime && currentTime - eldest.getValue().getTimestamp() < getNonceValidity()) {
// Replay attack is possible
- log.warn(sm.getString(
- "digestAuthenticator.cacheRemove"));
+ log.warn(sm.getString("digestAuthenticator.cacheRemove"));
lastLog = currentTime + LOG_SUPPRESS_TIME;
}
return true;
@@ -424,7 +405,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
private final String opaque;
private final long nonceValidity;
private final String key;
- private final Map<String,NonceInfo> nonces;
+ private final Map<String, NonceInfo> nonces;
private boolean validateUri = true;
private String userName = null;
@@ -441,8 +422,8 @@ public class DigestAuthenticator extends AuthenticatorBase {
private boolean nonceStale = false;
- public DigestInfo(String opaque, long nonceValidity, String key,
- Map<String,NonceInfo> nonces, boolean validateUri) {
+ public DigestInfo(String opaque, long nonceValidity, String key, Map<String, NonceInfo> nonces,
+ boolean validateUri) {
this.opaque = opaque;
this.nonceValidity = nonceValidity;
this.key = key;
@@ -462,10 +443,9 @@ public class DigestAuthenticator extends AuthenticatorBase {
return false;
}
- Map<String,String> directives;
+ Map<String, String> directives;
try {
- directives = Authorization.parseAuthorizationDigest(
- new StringReader(authorization));
+ directives = Authorization.parseAuthorizationDigest(new StringReader(authorization));
} catch (IOException e) {
return false;
}
@@ -489,8 +469,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
}
public boolean validate(Request request) {
- if ( (userName == null) || (realmName == null) || (nonce == null)
- || (uri == null) || (response == null) ) {
+ if ((userName == null) || (realmName == null) || (nonce == null) || (uri == null) || (response == null)) {
return false;
}
@@ -554,10 +533,8 @@ public class DigestAuthenticator extends AuthenticatorBase {
nonces.remove(nonce);
}
}
- String serverIpTimeKey =
- request.getRemoteAddr() + ":" + nonceTime + ":" + key;
- byte[] buffer = ConcurrentMessageDigest.digestMD5(
- serverIpTimeKey.getBytes(StandardCharsets.ISO_8859_1));
+ String serverIpTimeKey = request.getRemoteAddr() + ":" + nonceTime + ":" + key;
+ byte[] buffer = ConcurrentMessageDigest.digestMD5(serverIpTimeKey.getBytes(StandardCharsets.ISO_8859_1));
String md5ServerIpTimeKey = MD5Encoder.encode(buffer);
if (!md5ServerIpTimeKey.equals(md5clientIpTimeKey)) {
return false;
@@ -615,12 +592,10 @@ public class DigestAuthenticator extends AuthenticatorBase {
// MD5(Method + ":" + uri)
String a2 = method + ":" + uri;
- byte[] buffer = ConcurrentMessageDigest.digestMD5(
- a2.getBytes(StandardCharsets.ISO_8859_1));
+ byte[] buffer = ConcurrentMessageDigest.digestMD5(a2.getBytes(StandardCharsets.ISO_8859_1));
String md5a2 = MD5Encoder.encode(buffer);
- return realm.authenticate(userName, response, nonce, nc, cnonce,
- qop, realmName, md5a2);
+ return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, md5a2);
}
}
@@ -638,8 +613,7 @@ public class DigestAuthenticator extends AuthenticatorBase {
}
public synchronized boolean nonceCountValid(long nonceCount) {
- if ((count - offset) >= nonceCount ||
- (nonceCount > count - offset + seen.length)) {
+ if ((count - offset) >= nonceCount || (nonceCount > count - offset + seen.length)) {
return false;
}
int checkIndex = (int) ((nonceCount + offset) % seen.length);
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 95bffc286a..5abdb07998 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -43,14 +43,13 @@ import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.http.MimeHeaders;
/**
- * An <b>Authenticator</b> and <b>Valve</b> implementation of FORM BASED
- * Authentication, as described in the Servlet API Specification.
+ * An <b>Authenticator</b> and <b>Valve</b> implementation of FORM BASED Authentication, as described in the Servlet API
+ * Specification.
*
* @author Craig R. McClanahan
* @author Remy Maucherat
*/
-public class FormAuthenticator
- extends AuthenticatorBase {
+public class FormAuthenticator extends AuthenticatorBase {
private final Log log = LogFactory.getLog(FormAuthenticator.class); // must not be static
@@ -58,16 +57,14 @@ public class FormAuthenticator
// ----------------------------------------------------- Instance Variables
/**
- * Character encoding to use to read the username and password parameters
- * from the request. If not set, the encoding of the request body will be
- * used.
+ * Character encoding to use to read the username and password parameters from the request. If not set, the encoding
+ * of the request body will be used.
*/
protected String characterEncoding = null;
/**
- * Landing page to use if a user tries to access the login page directly or
- * if the session times out during login. If not set, error responses will
- * be sent instead.
+ * Landing page to use if a user tries to access the login page directly or if the session times out during login.
+ * If not set, error responses will be sent instead.
*/
protected String landingPage = null;
@@ -107,8 +104,7 @@ public class FormAuthenticator
/**
* Set the landing page to use when the FORM auth is mis-used.
*
- * @param landingPage The path to the landing page relative to the web
- * application root
+ * @param landingPage The path to the landing page relative to the web application root
*/
public void setLandingPage(String landingPage) {
this.landingPage = landingPage;
@@ -119,19 +115,17 @@ public class FormAuthenticator
/**
- * Authenticate the user making this request, based on the specified
- * login configuration. Return <code>true</code> if any specified
- * constraint has been satisfied, or <code>false</code> if we have
- * created a response challenge already.
+ * Authenticate the user making this request, based on the specified login configuration. Return <code>true</code>
+ * if any specified constraint has been satisfied, or <code>false</code> if we have created a response challenge
+ * already.
*
- * @param request Request we are processing
+ * @param request Request we are processing
* @param response Response we are creating
*
* @exception IOException if an input/output error occurs
*/
@Override
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException {
+ protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
// References to objects we will need later
Session session = null;
@@ -163,7 +157,7 @@ public class FormAuthenticator
}
// Is this the re-submit of the original request URI after successful
- // authentication? If so, forward the *original* request instead.
+ // authentication? If so, forward the *original* request instead.
if (matchRequest(request)) {
session = request.getSessionInternal(true);
if (log.isDebugEnabled()) {
@@ -270,8 +264,8 @@ public class FormAuthenticator
containerLog.debug("User took so long to log on the session expired");
}
if (landingPage == null) {
- response.sendError(
- HttpServletResponse.SC_REQUEST_TIMEOUT, sm.getString("authenticator.sessionExpired"));
+ response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
+ sm.getString("authenticator.sessionExpired"));
} else {
// Make the authenticator think the user originally requested
// the landing page
@@ -330,8 +324,7 @@ public class FormAuthenticator
// to which it submits) might be outside the secured area
String contextPath = this.context.getPath();
String decodedRequestURI = request.getDecodedRequestURI();
- if (decodedRequestURI.startsWith(contextPath) &&
- decodedRequestURI.endsWith(Constants.FORM_ACTION)) {
+ if (decodedRequestURI.startsWith(contextPath) && decodedRequestURI.endsWith(Constants.FORM_ACTION)) {
return true;
}
@@ -344,8 +337,7 @@ public class FormAuthenticator
Session session = request.getSessionInternal(false);
if (session != null) {
SavedRequest savedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
- if (savedRequest != null &&
- decodedRequestURI.equals(savedRequest.getDecodedRequestURI())) {
+ if (savedRequest != null && decodedRequestURI.equals(savedRequest.getDecodedRequestURI())) {
return true;
}
}
@@ -361,9 +353,8 @@ public class FormAuthenticator
@Override
- protected void register(Request request, HttpServletResponse response,
- Principal principal, String authType, String username,
- String password, boolean alwaysUseSession, boolean cache) {
+ protected void register(Request request, HttpServletResponse response, Principal principal, String authType,
+ String username, String password, boolean alwaysUseSession, boolean cache) {
super.register(request, response, principal, authType, username, password, alwaysUseSession, cache);
@@ -390,31 +381,26 @@ public class FormAuthenticator
/**
* Called to forward to the login page
*
- * @param request Request we are processing
+ * @param request Request we are processing
* @param response Response we are populating
- * @param config Login configuration describing how authentication
- * should be performed
- * @throws IOException If the forward to the login page fails and the call
- * to {@link HttpServletResponse#sendError(int, String)}
- * throws an {@link IOException}
+ * @param config Login configuration describing how authentication should be performed
+ *
+ * @throws IOException If the forward to the login page fails and the call to
+ * {@link HttpServletResponse#sendError(int, String)} throws an {@link IOException}
*/
- protected void forwardToLoginPage(Request request,
- HttpServletResponse response, LoginConfig config)
+ protected void forwardToLoginPage(Request request, HttpServletResponse response, LoginConfig config)
throws IOException {
if (log.isDebugEnabled()) {
- log.debug(sm.getString("formAuthenticator.forwardLogin",
- request.getRequestURI(), request.getMethod(),
+ log.debug(sm.getString("formAuthenticator.forwardLogin", request.getRequestURI(), request.getMethod(),
config.getLoginPage(), context.getName()));
}
String loginPage = config.getLoginPage();
if (loginPage == null || loginPage.length() == 0) {
- String msg = sm.getString("formAuthenticator.noLoginPage",
- context.getName());
+ String msg = sm.getString("formAuthenticator.noLoginPage", context.getName());
log.warn(msg);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- msg);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
return;
}
@@ -434,8 +420,7 @@ public class FormAuthenticator
String oldMethod = request.getMethod();
request.getCoyoteRequest().method().setString("GET");
- RequestDispatcher disp =
- context.getServletContext().getRequestDispatcher(loginPage);
+ RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage);
try {
if (context.fireRequestInitEvent(request.getRequest())) {
disp.forward(request.getRequest(), response);
@@ -446,8 +431,7 @@ public class FormAuthenticator
String msg = sm.getString("formAuthenticator.forwardLoginFail");
log.warn(msg, t);
request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, t);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- msg);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
} finally {
// Restore original method so that it is written into access log
request.getCoyoteRequest().method().setString(oldMethod);
@@ -458,30 +442,25 @@ public class FormAuthenticator
/**
* Called to forward to the error page
*
- * @param request Request we are processing
+ * @param request Request we are processing
* @param response Response we are populating
- * @param config Login configuration describing how authentication
- * should be performed
- * @throws IOException If the forward to the error page fails and the call
- * to {@link HttpServletResponse#sendError(int, String)}
- * throws an {@link IOException}
+ * @param config Login configuration describing how authentication should be performed
+ *
+ * @throws IOException If the forward to the error page fails and the call to
+ * {@link HttpServletResponse#sendError(int, String)} throws an {@link IOException}
*/
- protected void forwardToErrorPage(Request request,
- HttpServletResponse response, LoginConfig config)
+ protected void forwardToErrorPage(Request request, HttpServletResponse response, LoginConfig config)
throws IOException {
String errorPage = config.getErrorPage();
if (errorPage == null || errorPage.length() == 0) {
- String msg = sm.getString("formAuthenticator.noErrorPage",
- context.getName());
+ String msg = sm.getString("formAuthenticator.noErrorPage", context.getName());
log.warn(msg);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- msg);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
return;
}
- RequestDispatcher disp =
- context.getServletContext().getRequestDispatcher(config.getErrorPage());
+ RequestDispatcher disp = context.getServletContext().getRequestDispatcher(config.getErrorPage());
try {
if (context.fireRequestInitEvent(request.getRequest())) {
disp.forward(request.getRequest(), response);
@@ -492,17 +471,17 @@ public class FormAuthenticator
String msg = sm.getString("formAuthenticator.forwardErrorFail");
log.warn(msg, t);
request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, t);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- msg);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
}
}
/**
- * Does this request match the saved one (so that it must be the redirect
- * we signaled after successful authentication?
+ * Does this request match the saved one (so that it must be the redirect we signaled after successful
+ * authentication?
*
* @param request The request to be verified
+ *
* @return <code>true</code> if the requests matched the saved one
*/
protected boolean matchRequest(Request request) {
@@ -541,18 +520,17 @@ public class FormAuthenticator
/**
- * Restore the original request from information stored in our session.
- * If the original request is no longer present (because the session
- * timed out), return <code>false</code>; otherwise, return
- * <code>true</code>.
+ * Restore the original request from information stored in our session. If the original request is no longer present
+ * (because the session timed out), return <code>false</code>; otherwise, return <code>true</code>.
*
* @param request The request to be restored
* @param session The session containing the saved information
+ *
* @return <code>true</code> if the request was successfully restored
+ *
* @throws IOException if an IO error occurred during the process
*/
- protected boolean restoreRequest(Request request, Session session)
- throws IOException {
+ protected boolean restoreRequest(Request request, Session session) throws IOException {
// Retrieve and remove the SavedRequest object from our session
SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
@@ -582,16 +560,15 @@ public class FormAuthenticator
String method = saved.getMethod();
MimeHeaders rmh = request.getCoyoteRequest().getMimeHeaders();
rmh.recycle();
- boolean cacheable = "GET".equalsIgnoreCase(method) ||
- "HEAD".equalsIgnoreCase(method);
+ boolean cacheable = "GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method);
Iterator<String> names = saved.getHeaderNames();
while (names.hasNext()) {
String name = names.next();
// The browser isn't expecting this conditional response now.
// Assuming that it can quietly recover from an unexpected 412.
// BZ 43687
- if(!("If-Modified-Since".equalsIgnoreCase(name) ||
- (cacheable && "If-None-Match".equalsIgnoreCase(name)))) {
+ if (!("If-Modified-Since".equalsIgnoreCase(name) ||
+ (cacheable && "If-None-Match".equalsIgnoreCase(name)))) {
Iterator<String> values = saved.getHeaderValues(name);
while (values.hasNext()) {
rmh.addValue(name).setString(values.next());
@@ -610,8 +587,7 @@ public class FormAuthenticator
ByteChunk body = saved.getBody();
if (body != null) {
- request.getCoyoteRequest().action
- (ActionCode.REQ_SET_BODY_REPLAY, body);
+ request.getCoyoteRequest().action(ActionCode.REQ_SET_BODY_REPLAY, body);
// Set content type
MessageBytes contentType = MessageBytes.newInstance();
@@ -649,10 +625,10 @@ public class FormAuthenticator
*
* @param request The request to be saved
* @param session The session to contain the saved information
+ *
* @throws IOException if an IO error occurred during the process
*/
- protected void saveRequest(Request request, Session session)
- throws IOException {
+ protected void saveRequest(Request request, Session session) throws IOException {
// Create and populate a SavedRequest object for this request
SavedRequest saved = new SavedRequest();
@@ -689,7 +665,7 @@ public class FormAuthenticator
int bytesRead;
InputStream is = request.getInputStream();
- while ( (bytesRead = is.read(buffer) ) >= 0) {
+ while ((bytesRead = is.read(buffer)) >= 0) {
body.append(buffer, 0, bytesRead);
}
@@ -711,15 +687,15 @@ public class FormAuthenticator
/**
- * Return the request URI (with the corresponding query string, if any)
- * from the saved request so that we can redirect to it.
+ * Return the request URI (with the corresponding query string, if any) from the saved request so that we can
+ * redirect to it.
*
* @param session Our current session
+ *
* @return the original request URL
*/
protected String savedRequestURL(Session session) {
- SavedRequest saved =
- (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
+ SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
if (saved == null) {
return null;
}
diff --git a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
index 319105ebc7..40e112be01 100644
--- a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
@@ -23,8 +23,8 @@ import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
/**
- * An <b>Authenticator</b> and <b>Valve</b> implementation that checks
- * only security constraints not involving user authentication.
+ * An <b>Authenticator</b> and <b>Valve</b> implementation that checks only security constraints not involving user
+ * authentication.
*
* @author Craig R. McClanahan
*/
@@ -35,47 +35,44 @@ public final class NonLoginAuthenticator extends AuthenticatorBase {
/**
- * <p>Authenticate the user making this request, based on the fact that no
- * <code>login-config</code> has been defined for the container.</p>
- *
- * <p>This implementation means "login the user even though there is no
- * self-contained way to establish a security Principal for that user".</p>
- *
- * <p>This method is called by the AuthenticatorBase super class to
- * establish a Principal for the user BEFORE the container security
- * constraints are examined, i.e. it is not yet known whether the user
- * will eventually be permitted to access the requested resource.
- * Therefore, it is necessary to always return <code>true</code> to
- * indicate the user has not failed authentication.</p>
- *
- * <p>There are two cases:</p>
+ * <p>
+ * Authenticate the user making this request, based on the fact that no <code>login-config</code> has been defined
+ * for the container.
+ * </p>
+ * <p>
+ * This implementation means "login the user even though there is no self-contained way to establish a security
+ * Principal for that user".
+ * </p>
+ * <p>
+ * This method is called by the AuthenticatorBase super class to establish a Principal for the user BEFORE the
+ * container security constraints are examined, i.e. it is not yet known whether the user will eventually be
+ * permitted to access the requested resource. Therefore, it is necessary to always return <code>true</code> to
+ * indicate the user has not failed authentication.
+ * </p>
+ * <p>
+ * There are two cases:
+ * </p>
* <ul>
- * <li>without SingleSignon: a Session instance does not yet exist
- * and there is no <code>auth-method</code> to authenticate the
- * user, so leave Request's Principal as null.
- * Note: AuthenticatorBase will later examine the security constraints
- * to determine whether the resource is accessible by a user
- * without a security Principal and Role (i.e. unauthenticated).
- * </li>
- * <li>with SingleSignon: if the user has already authenticated via
- * another container (using its own login configuration), then
- * associate this Session with the SSOEntry so it inherits the
- * already-established security Principal and associated Roles.
- * Note: This particular session will become a full member of the
- * SingleSignOnEntry Session collection and so will potentially
- * keep the SSOE "alive", even if all the other properly
- * authenticated Sessions expire first... until it expires too.
- * </li>
+ * <li>without SingleSignon: a Session instance does not yet exist and there is no <code>auth-method</code> to
+ * authenticate the user, so leave Request's Principal as null. Note: AuthenticatorBase will later examine the
+ * security constraints to determine whether the resource is accessible by a user without a security Principal and
+ * Role (i.e. unauthenticated).</li>
+ * <li>with SingleSignon: if the user has already authenticated via another container (using its own login
+ * configuration), then associate this Session with the SSOEntry so it inherits the already-established security
+ * Principal and associated Roles. Note: This particular session will become a full member of the SingleSignOnEntry
+ * Session collection and so will potentially keep the SSOE "alive", even if all the other properly authenticated
+ * Sessions expire first... until it expires too.</li>
* </ul>
*
* @param request Request we are processing
* @param response Response we are creating
+ *
* @return boolean to indicate whether the user is authenticated
+ *
* @exception IOException if an input/output error occurs
*/
@Override
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException {
+ protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
// Don't try and use SSO to authenticate since there is no auth
// configured for this web application
@@ -101,8 +98,7 @@ public final class NonLoginAuthenticator extends AuthenticatorBase {
/**
- * Return the authentication method, which is vendor-specific and
- * not defined by HttpServletRequest.
+ * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest.
*/
@Override
protected String getAuthMethod() {
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 45d166ceb3..492fab8ba0 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -39,8 +39,8 @@ import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLHostConfig;
/**
- * An <b>Authenticator</b> and <b>Valve</b> implementation of authentication
- * that utilizes SSL certificates to identify client users.
+ * An <b>Authenticator</b> and <b>Valve</b> implementation of authentication that utilizes SSL certificates to identify
+ * client users.
*
* @author Craig R. McClanahan
*/
@@ -49,18 +49,16 @@ public class SSLAuthenticator extends AuthenticatorBase {
private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must not be static
/**
- * Authenticate the user by checking for the existence of a certificate
- * chain, validating it against the trust manager for the connector and then
- * validating the user's identity against the configured Realm.
+ * Authenticate the user by checking for the existence of a certificate chain, validating it against the trust
+ * manager for the connector and then validating the user's identity against the configured Realm.
*
- * @param request Request we are processing
+ * @param request Request we are processing
* @param response Response we are creating
*
* @exception IOException if an input/output error occurs
*/
@Override
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException {
+ protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
@@ -85,8 +83,7 @@ public class SSLAuthenticator extends AuthenticatorBase {
if (containerLog.isDebugEnabled()) {
containerLog.debug(" No certificates included with this request");
}
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
- sm.getString("authenticator.certificates"));
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.certificates"));
return false;
}
@@ -96,14 +93,12 @@ public class SSLAuthenticator extends AuthenticatorBase {
if (containerLog.isDebugEnabled()) {
containerLog.debug(" Realm.authenticate() returned false");
}
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
- sm.getString("authenticator.unauthorized"));
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.unauthorized"));
return false;
}
// Cache the principal (if requested) and record this authentication
- register(request, response, principal,
- HttpServletRequest.CLIENT_CERT_AUTH, null, null);
+ register(request, response, principal, HttpServletRequest.CLIENT_CERT_AUTH, null, null);
return true;
}
@@ -124,19 +119,16 @@ public class SSLAuthenticator extends AuthenticatorBase {
/**
* Look for the X509 certificate chain in the Request under the key
- * <code>jakarta.servlet.request.X509Certificate</code>. If not found, trigger
- * extracting the certificate chain from the Coyote request.
+ * <code>jakarta.servlet.request.X509Certificate</code>. If not found, trigger extracting the certificate chain from
+ * the Coyote request.
*
- * @param request
- * Request to be processed
+ * @param request Request to be processed
*
* @return The X509 certificate chain if found, <code>null</code> otherwise.
*/
- protected X509Certificate[] getRequestCertificates(final Request request)
- throws IllegalStateException {
+ protected X509Certificate[] getRequestCertificates(final Request request) throws IllegalStateException {
- X509Certificate certs[] =
- (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
+ X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
if ((certs == null) || (certs.length < 1)) {
try {
@@ -158,9 +150,8 @@ public class SSLAuthenticator extends AuthenticatorBase {
super.startInternal();
/*
- * This Valve should only ever be added to a Context and if the Context
- * is started there should always be a Host and an Engine but test at
- * each stage to be safe.
+ * This Valve should only ever be added to a Context and if the Context is started there should always be a Host
+ * and an Engine but test at each stage to be safe.
*/
Container container = getContainer();
if (!(container instanceof Context)) {
@@ -204,7 +195,8 @@ public class SSLAuthenticator extends AuthenticatorBase {
}
for (String enbabledProtocol : enabledProtocols) {
if (Constants.SSL_PROTO_TLSv1_3.equals(enbabledProtocol)) {
- log.warn(sm.getString("sslAuthenticatorValve.tls13", context.getName(), host.getName(), connector));
+ log.warn(sm.getString("sslAuthenticatorValve.tls13", context.getName(), host.getName(),
+ connector));
}
}
}
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java b/java/org/apache/catalina/authenticator/SavedRequest.java
index 38d1db2716..c82a4d7a8c 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -30,13 +30,11 @@ import jakarta.servlet.http.Cookie;
import org.apache.tomcat.util.buf.ByteChunk;
/**
- * Object that saves the critical information from a request so that
- * form-based authentication can reproduce it once the user has been
- * authenticated.
+ * Object that saves the critical information from a request so that form-based authentication can reproduce it once the
+ * user has been authenticated.
* <p>
- * <b>IMPLEMENTATION NOTE</b> - It is assumed that this object is accessed
- * only from the context of a single thread, so no synchronization around
- * internal collection classes is performed.
+ * <b>IMPLEMENTATION NOTE</b> - It is assumed that this object is accessed only from the context of a single thread, so
+ * no synchronization around internal collection classes is performed.
*
* @author Craig R. McClanahan
*/
@@ -59,10 +57,8 @@ public final class SavedRequest implements Serializable {
/**
- * The set of Headers associated with this Request. Each key is a header
- * name, while the value is a List containing one or more actual
- * values for this header. The values are returned as an Iterator when
- * you ask for them.
+ * The set of Headers associated with this Request. Each key is a header name, while the value is a List containing
+ * one or more actual values for this header. The values are returned as an Iterator when you ask for them.
*/
private final Map<String, List<String>> headers = new HashMap<>();
@@ -141,8 +137,7 @@ public final class SavedRequest implements Serializable {
/**
- * The decode request URI associated with this Request. Path parameters are
- * also excluded
+ * The decode request URI associated with this Request. Path parameters are also excluded
*/
private String decodedRequestURI = null;
diff --git a/java/org/apache/catalina/authenticator/SingleSignOn.java b/java/org/apache/catalina/authenticator/SingleSignOn.java
index 36f9349400..3d4767d8e3 100644
--- a/java/org/apache/catalina/authenticator/SingleSignOn.java
+++ b/java/org/apache/catalina/authenticator/SingleSignOn.java
@@ -39,20 +39,16 @@ import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.res.StringManager;
/**
- * A <strong>Valve</strong> that supports a "single sign on" user experience,
- * where the security identity of a user who successfully authenticates to one
- * web application is propagated to other web applications in the same
- * security domain. For successful use, the following requirements must
- * be met:
+ * A <strong>Valve</strong> that supports a "single sign on" user experience, where the security identity of a user who
+ * successfully authenticates to one web application is propagated to other web applications in the same security
+ * domain. For successful use, the following requirements must be met:
* <ul>
- * <li>This Valve must be configured on the Container that represents a
- * virtual host (typically an implementation of <code>Host</code>).</li>
- * <li>The <code>Realm</code> that contains the shared user and role
- * information must be configured on the same Container (or a higher
- * one), and not overridden at the web application level.</li>
- * <li>The web applications themselves must use one of the standard
- * Authenticators found in the
- * <code>org.apache.catalina.authenticator</code> package.</li>
+ * <li>This Valve must be configured on the Container that represents a virtual host (typically an implementation of
+ * <code>Host</code>).</li>
+ * <li>The <code>Realm</code> that contains the shared user and role information must be configured on the same
+ * Container (or a higher one), and not overridden at the web application level.</li>
+ * <li>The web applications themselves must use one of the standard Authenticators found in the
+ * <code>org.apache.catalina.authenticator</code> package.</li>
* </ul>
*
* @author Craig R. McClanahan
@@ -61,13 +57,13 @@ public class SingleSignOn extends ValveBase {
private static final StringManager sm = StringManager.getManager(SingleSignOn.class);
- /* The engine at the top of the container hierarchy in which this SSO Valve
- * has been placed. It is used to get back to a session object from a
- * SingleSignOnSessionKey and is updated when the Valve starts and stops.
+ /*
+ * The engine at the top of the container hierarchy in which this SSO Valve has been placed. It is used to get back
+ * to a session object from a SingleSignOnSessionKey and is updated when the Valve starts and stops.
*/
private Engine engine;
- //------------------------------------------------------ Constructor
+ // ------------------------------------------------------ Constructor
public SingleSignOn() {
super(true);
@@ -77,15 +73,14 @@ public class SingleSignOn extends ValveBase {
// ----------------------------------------------------- Instance Variables
/**
- * The cache of SingleSignOnEntry instances for authenticated Principals,
- * keyed by the cookie value that is used to select them.
+ * The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to
+ * select them.
*/
- protected Map<String,SingleSignOnEntry> cache = new ConcurrentHashMap<>();
+ protected Map<String, SingleSignOnEntry> cache = new ConcurrentHashMap<>();
/**
- * Indicates whether this valve should require a downstream Authenticator to
- * reauthenticate each request, or if it itself can bind a UserPrincipal
- * and AuthType object to the request.
+ * Indicates whether this valve should require a downstream Authenticator to reauthenticate each request, or if it
+ * itself can bind a UserPrincipal and AuthType object to the request.
*/
private boolean requireReauthentication = false;
@@ -102,8 +97,7 @@ public class SingleSignOn extends ValveBase {
// ------------------------------------------------------------- Properties
/**
- * Returns the optional cookie domain.
- * May return null.
+ * Returns the optional cookie domain. May return null.
*
* @return The cookie domain
*/
@@ -136,6 +130,7 @@ public class SingleSignOn extends ValveBase {
/**
* Set the cookie name that will be used for the SSO cookie.
+ *
* @param cookieName the cookieName to set
*/
public void setCookieName(String cookieName) {
@@ -144,19 +139,15 @@ public class SingleSignOn extends ValveBase {
/**
- * Gets whether each request needs to be reauthenticated (by an
- * Authenticator downstream in the pipeline) to the security
- * <code>Realm</code>, or if this Valve can itself bind security info
- * to the request based on the presence of a valid SSO entry without
- * rechecking with the <code>Realm</code>.
+ * Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the
+ * security <code>Realm</code>, or if this Valve can itself bind security info to the request based on the presence
+ * of a valid SSO entry without rechecking with the <code>Realm</code>.
*
- * @return <code>true</code> if it is required that a downstream
- * Authenticator reauthenticate each request before calls to
- * <code>HttpServletRequest.setUserPrincipal()</code>
- * and <code>HttpServletRequest.setAuthType()</code> are made;
- * <code>false</code> if the <code>Valve</code> can itself make
- * those calls relying on the presence of a valid SingleSignOn
- * entry associated with the request.
+ * @return <code>true</code> if it is required that a downstream Authenticator reauthenticate each request before
+ * calls to <code>HttpServletRequest.setUserPrincipal()</code> and
+ * <code>HttpServletRequest.setAuthType()</code> are made; <code>false</code> if the <code>Valve</code>
+ * can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the
+ * request.
*
* @see #setRequireReauthentication
*/
@@ -166,42 +157,32 @@ public class SingleSignOn extends ValveBase {
/**
- * Sets whether each request needs to be reauthenticated (by an
- * Authenticator downstream in the pipeline) to the security
- * <code>Realm</code>, or if this Valve can itself bind security info
- * to the request, based on the presence of a valid SSO entry, without
- * rechecking with the <code>Realm</code>.
+ * Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the
+ * security <code>Realm</code>, or if this Valve can itself bind security info to the request, based on the presence
+ * of a valid SSO entry, without rechecking with the <code>Realm</code>.
* <p>
- * If this property is <code>false</code> (the default), this
- * <code>Valve</code> will bind a UserPrincipal and AuthType to the request
- * if a valid SSO entry is associated with the request. It will not notify
- * the security <code>Realm</code> of the incoming request.
+ * If this property is <code>false</code> (the default), this <code>Valve</code> will bind a UserPrincipal and
+ * AuthType to the request if a valid SSO entry is associated with the request. It will not notify the security
+ * <code>Realm</code> of the incoming request.
* <p>
- * This property should be set to <code>true</code> if the overall server
- * configuration requires that the <code>Realm</code> reauthenticate each
- * request thread. An example of such a configuration would be one where
- * the <code>Realm</code> implementation provides security for both a
- * web tier and an associated EJB tier, and needs to set security
- * credentials on each request thread in order to support EJB access.
+ * This property should be set to <code>true</code> if the overall server configuration requires that the
+ * <code>Realm</code> reauthenticate each request thread. An example of such a configuration would be one where the
+ * <code>Realm</code> implementation provides security for both a web tier and an associated EJB tier, and needs to
+ * set security credentials on each request thread in order to support EJB access.
* <p>
- * If this property is set to <code>true</code>, this Valve will set flags
- * on the request notifying the downstream Authenticator that the request
- * is associated with an SSO session. The Authenticator will then call its
- * {@link AuthenticatorBase#reauthenticateFromSSO reauthenticateFromSSO}
- * method to attempt to reauthenticate the request to the
- * <code>Realm</code>, using any credentials that were cached with this
- * Valve.
+ * If this property is set to <code>true</code>, this Valve will set flags on the request notifying the downstream
+ * Authenticator that the request is associated with an SSO session. The Authenticator will then call its
+ * {@link AuthenticatorBase#reauthenticateFromSSO reauthenticateFromSSO} method to attempt to reauthenticate the
+ * request to the <code>Realm</code>, using any credentials that were cached with this Valve.
* <p>
- * The default value of this property is <code>false</code>, in order
- * to maintain backward compatibility with previous versions of Tomcat.
+ * The default value of this property is <code>false</code>, in order to maintain backward compatibility with
+ * previous versions of Tomcat.
*
- * @param required <code>true</code> if it is required that a downstream
- * Authenticator reauthenticate each request before calls
- * to <code>HttpServletRequest.setUserPrincipal()</code>
- * and <code>HttpServletRequest.setAuthType()</code> are
- * made; <code>false</code> if the <code>Valve</code> can
- * itself make those calls relying on the presence of a
- * valid SingleSignOn entry associated with the request.
+ * @param required <code>true</code> if it is required that a downstream Authenticator reauthenticate each request
+ * before calls to <code>HttpServletRequest.setUserPrincipal()</code> and
+ * <code>HttpServletRequest.setAuthType()</code> are made; <code>false</code> if the
+ * <code>Valve</code> can itself make those calls relying on the presence of a valid
+ * SingleSignOn entry associated with the request.
*
* @see AuthenticatorBase#reauthenticateFromSSO
*/
@@ -215,15 +196,14 @@ public class SingleSignOn extends ValveBase {
/**
* Perform single-sign-on support processing for this request.
*
- * @param request The servlet request we are processing
+ * @param request The servlet request we are processing
* @param response The servlet response we are creating
*
- * @exception IOException if an input/output error occurs
+ * @exception IOException if an input/output error occurs
* @exception ServletException if a servlet error occurs
*/
@Override
- public void invoke(Request request, Response response)
- throws IOException, ServletException {
+ public void invoke(Request request, Response response) throws IOException, ServletException {
request.removeNote(Constants.REQ_SSOID_NOTE);
@@ -233,8 +213,8 @@ public class SingleSignOn extends ValveBase {
}
if (request.getUserPrincipal() != null) {
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.hasPrincipal",
- request.getUserPrincipal().getName()));
+ containerLog
+ .debug(sm.getString("singleSignOn.debug.hasPrincipal", request.getUserPrincipal().getName()));
}
getNext().invoke(request, response);
return;
@@ -264,15 +244,13 @@ public class SingleSignOn extends ValveBase {
// Look up the cached Principal associated with this cookie value
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.principalCheck",
- cookie.getValue()));
+ containerLog.debug(sm.getString("singleSignOn.debug.principalCheck", cookie.getValue()));
}
SingleSignOnEntry entry = cache.get(cookie.getValue());
if (entry != null) {
if (containerLog.isDebugEnabled()) {
containerLog.debug(sm.getString("singleSignOn.debug.principalFound",
- entry.getPrincipal() != null ? entry.getPrincipal().getName() : "",
- entry.getAuthType()));
+ entry.getPrincipal() != null ? entry.getPrincipal().getName() : "", entry.getAuthType()));
}
request.setNote(Constants.REQ_SSOID_NOTE, cookie.getValue());
// Only set security elements if reauthentication is not required
@@ -282,8 +260,7 @@ public class SingleSignOn extends ValveBase {
}
} else {
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.principalNotFound",
- cookie.getValue()));
+ containerLog.debug(sm.getString("singleSignOn.debug.principalNotFound", cookie.getValue()));
}
// No need to return a valid SSO session ID
cookie.setValue("REMOVE");
@@ -316,12 +293,10 @@ public class SingleSignOn extends ValveBase {
// ------------------------------------------------------ Protected Methods
/**
- * Process a session destroyed event by removing references to that session
- * from the caches and - if the session destruction is the result of a
- * logout - destroy the associated SSO session.
+ * Process a session destroyed event by removing references to that session from the caches and - if the session
+ * destruction is the result of a logout - destroy the associated SSO session.
*
- * @param ssoId The ID of the SSO session which which the destroyed
- * session was associated
+ * @param ssoId The ID of the SSO session which which the destroyed session was associated
* @param session The session that has been destroyed
*/
public void sessionDestroyed(String ssoId, Session session) {
@@ -334,12 +309,11 @@ public class SingleSignOn extends ValveBase {
// If so, we'll just remove the expired session from the SSO. If the
// session was logged out, we'll log out of all session associated with
// the SSO.
- if (((session.getMaxInactiveInterval() > 0)
- && (session.getIdleTimeInternal() >= session.getMaxInactiveInterval() * 1000))
- || (!session.getManager().getContext().getState().isAvailable())) {
+ if (((session.getMaxInactiveInterval() > 0) &&
+ (session.getIdleTimeInternal() >= session.getMaxInactiveInterval() * 1000)) ||
+ (!session.getManager().getContext().getState().isAvailable())) {
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.sessionTimeout",
- ssoId, session));
+ containerLog.debug(sm.getString("singleSignOn.debug.sessionTimeout", ssoId, session));
}
removeSession(ssoId, session);
} else {
@@ -347,8 +321,7 @@ public class SingleSignOn extends ValveBase {
// Deregister this single session id, invalidating
// associated sessions
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.sessionLogout",
- ssoId, session));
+ containerLog.debug(sm.getString("singleSignOn.debug.sessionLogout", ssoId, session));
}
// First remove the session that we know has expired / been logged
// out since it has already been removed from its Manager and, if
@@ -365,27 +338,23 @@ public class SingleSignOn extends ValveBase {
/**
- * Associate the specified single sign on identifier with the
- * specified Session.
+ * Associate the specified single sign on identifier with the specified Session.
*
- * @param ssoId Single sign on identifier
+ * @param ssoId Single sign on identifier
* @param session Session to be associated
*
- * @return <code>true</code> if the session was associated to the given SSO
- * session, otherwise <code>false</code>
+ * @return <code>true</code> if the session was associated to the given SSO session, otherwise <code>false</code>
*/
protected boolean associate(String ssoId, Session session) {
SingleSignOnEntry sso = cache.get(ssoId);
if (sso == null) {
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.associateFail",
- ssoId, session));
+ containerLog.debug(sm.getString("singleSignOn.debug.associateFail", ssoId, session));
}
return false;
} else {
if (containerLog.isDebugEnabled()) {
- containerLog.debug(sm.getString("singleSignOn.debug.associate",
- ssoId, session));
+ containerLog.debug(sm.getString("singleSignOn.debug.associate", ssoId, session));
}
sso.addSession(this, ssoId, session);
return true;
@@ -394,8 +363,7 @@ public class SingleSignOn extends ValveBase {
/**
- * Deregister the specified single sign on identifier, and invalidate
- * any associated sessions.
+ * Deregister the specified single sign on identifier, and invalidate any associated sessions.
*
* @param ssoId Single sign on identifier to deregister
*/
@@ -426,7 +394,7 @@ public class SingleSignOn extends ValveBase {
expire(ssoKey);
}
- // NOTE: Clients may still possess the old single sign on cookie,
+ // NOTE: Clients may still possess the old single sign on cookie,
// but it will be removed on the next request since it is no longer
// in the cache
}
@@ -468,28 +436,21 @@ public class SingleSignOn extends ValveBase {
/**
- * Attempts reauthentication to the given <code>Realm</code> using
- * the credentials associated with the single sign-on session
- * identified by argument <code>ssoId</code>.
+ * Attempts reauthentication to the given <code>Realm</code> using the credentials associated with the single
+ * sign-on session identified by argument <code>ssoId</code>.
* <p>
- * If reauthentication is successful, the <code>Principal</code> and
- * authorization type associated with the SSO session will be bound
- * to the given <code>Request</code> object via calls to
- * {@link Request#setAuthType Request.setAuthType()} and
- * {@link Request#setUserPrincipal Request.setUserPrincipal()}
+ * If reauthentication is successful, the <code>Principal</code> and authorization type associated with the SSO
+ * session will be bound to the given <code>Request</code> object via calls to {@link Request#setAuthType
+ * Request.setAuthType()} and {@link Request#setUserPrincipal Request.setUserPrincipal()}
* </p>
*
- * @param ssoId identifier of SingleSignOn session with which the
- * caller is associated
- * @param realm Realm implementation against which the caller is to
- * be authenticated
- * @param request the request that needs to be authenticated
+ * @param ssoId identifier of SingleSignOn session with which the caller is associated
+ * @param realm Realm implementation against which the caller is to be authenticated
+ * @param request the request that needs to be authenticated
*
- * @return <code>true</code> if reauthentication was successful,
- * <code>false</code> otherwise.
+ * @return <code>true</code> if reauthentication was successful, <code>false</code> otherwise.
*/
- protected boolean reauthenticate(String ssoId, Realm realm,
- Request request) {
+ protected boolean reauthenticate(String ssoId, Realm realm, Request request) {
if (ssoId == null || realm == null) {
return false;
@@ -502,8 +463,7 @@ public class SingleSignOn extends ValveBase {
String username = entry.getUsername();
if (username != null) {
- Principal reauthPrincipal =
- realm.authenticate(username, entry.getPassword());
+ Principal reauthPrincipal = realm.authenticate(username, entry.getPassword());
if (reauthPrincipal != null) {
reauthenticated = true;
// Bind the authorization credentials to the request
@@ -518,18 +478,15 @@ public class SingleSignOn extends ValveBase {
/**
- * Register the specified Principal as being associated with the specified
- * value for the single sign on identifier.
+ * Register the specified Principal as being associated with the specified value for the single sign on identifier.
*
- * @param ssoId Single sign on identifier to register
+ * @param ssoId Single sign on identifier to register
* @param principal Associated user principal that is identified
- * @param authType Authentication type used to authenticate this
- * user principal
- * @param username Username used to authenticate this user
- * @param password Password used to authenticate this user
+ * @param authType Authentication type used to authenticate this user principal
+ * @param username Username used to authenticate this user
+ * @param password Password used to authenticate this user
*/
- protected void register(String ssoId, Principal principal, String authType,
- String username, String password) {
+ protected void register(String ssoId, Principal principal, String authType, String username, String password) {
if (containerLog.isDebugEnabled()) {
containerLog.debug(sm.getString("singleSignOn.debug.register", ssoId,
@@ -541,35 +498,26 @@ public class SingleSignOn extends ValveBase {
/**
- * Updates any <code>SingleSignOnEntry</code> found under key
- * <code>ssoId</code> with the given authentication data.
+ * Updates any <code>SingleSignOnEntry</code> found under key <code>ssoId</code> with the given authentication data.
* <p>
- * The purpose of this method is to allow an SSO entry that was
- * established without a username/password combination (i.e. established
- * following DIGEST or CLIENT_CERT authentication) to be updated with
- * a username and password if one becomes available through a subsequent
- * BASIC or FORM authentication. The SSO entry will then be usable for
+ * The purpose of this method is to allow an SSO entry that was established without a username/password combination
+ * (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if
+ * one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for
* reauthentication.
* <p>
- * <b>NOTE:</b> Only updates the SSO entry if a call to
- * <code>SingleSignOnEntry.getCanReauthenticate()</code> returns
- * <code>false</code>; otherwise, it is assumed that the SSO entry already
- * has sufficient information to allow reauthentication and that no update
- * is needed.
+ * <b>NOTE:</b> Only updates the SSO entry if a call to <code>SingleSignOnEntry.getCanReauthenticate()</code>
+ * returns <code>false</code>; otherwise, it is assumed that the SSO entry already has sufficient information to
+ * allow reauthentication and that no update is needed.
*
* @param ssoId identifier of Single sign to be updated
- * @param principal the <code>Principal</code> returned by the latest
- * call to <code>Realm.authenticate</code>.
- * @param authType the type of authenticator used (BASIC, CLIENT_CERT,
- * DIGEST or FORM)
+ * @param principal the <code>Principal</code> returned by the latest call to <code>Realm.authenticate</code>.
+ * @param authType the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
* @param username the username (if any) used for the authentication
* @param password the password (if any) used for the authentication
*
- * @return <code>true</code> if the credentials were updated, otherwise
- * <code>false</code>
+ * @return <code>true</code> if the credentials were updated, otherwise <code>false</code>
*/
- protected boolean update(String ssoId, Principal principal, String authType,
- String username, String password) {
+ protected boolean update(String ssoId, Principal principal, String authType, String username, String password) {
SingleSignOnEntry sso = cache.get(ssoId);
if (sso != null && !sso.getCanReauthenticate()) {
@@ -585,10 +533,9 @@ public class SingleSignOn extends ValveBase {
/**
- * Remove a single Session from a SingleSignOn. Called when
- * a session is timed out and no longer active.
+ * Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.
*
- * @param ssoId Single sign on identifier from which to remove the session.
+ * @param ssoId Single sign on identifier from which to remove the session.
* @param session the session to be removed.
*/
protected void removeSession(String ssoId, Session session) {
diff --git a/java/org/apache/catalina/authenticator/SingleSignOnEntry.java b/java/org/apache/catalina/authenticator/SingleSignOnEntry.java
index f67e13579b..57e15931cf 100644
--- a/java/org/apache/catalina/authenticator/SingleSignOnEntry.java
+++ b/java/org/apache/catalina/authenticator/SingleSignOnEntry.java
@@ -30,12 +30,11 @@ import jakarta.servlet.http.HttpServletRequest;
import org.apache.catalina.Session;
/**
- * A class that represents entries in the cache of authenticated users.
- * This is necessary to make it available to
- * <code>AuthenticatorBase</code> subclasses that need it in order to perform
- * reauthentications when SingleSignOn is in use.
+ * A class that represents entries in the cache of authenticated users. This is necessary to make it available to
+ * <code>AuthenticatorBase</code> subclasses that need it in order to perform reauthentications when SingleSignOn is in
+ * use.
*
- * @author B Stansberry, based on work by Craig R. McClanahan
+ * @author B Stansberry, based on work by Craig R. McClanahan
*
* @see SingleSignOn
* @see AuthenticatorBase#reauthenticateFromSSO
@@ -44,7 +43,7 @@ public class SingleSignOnEntry implements Serializable {
private static final long serialVersionUID = 1L;
- // ------------------------------------------------------ Instance Fields
+ // ------------------------------------------------------ Instance Fields
private String authType = null;
@@ -53,27 +52,23 @@ public class SingleSignOnEntry implements Serializable {
// Marked as transient so special handling can be applied to serialization
private transient Principal principal = null;
- private final Map<SingleSignOnSessionKey,SingleSignOnSessionKey> sessionKeys =
- new ConcurrentHashMap<>();
+ private final Map<SingleSignOnSessionKey, SingleSignOnSessionKey> sessionKeys = new ConcurrentHashMap<>();
private String username = null;
private boolean canReauthenticate = false;
- // --------------------------------------------------------- Constructors
+ // --------------------------------------------------------- Constructors
/**
* Creates a new SingleSignOnEntry
*
- * @param principal the <code>Principal</code> returned by the latest
- * call to <code>Realm.authenticate</code>.
- * @param authType the type of authenticator used (BASIC, CLIENT_CERT,
- * DIGEST or FORM)
+ * @param principal the <code>Principal</code> returned by the latest call to <code>Realm.authenticate</code>.
+ * @param authType the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
* @param username the username (if any) used for the authentication
* @param password the password (if any) used for the authentication
*/
- public SingleSignOnEntry(Principal principal, String authType,
- String username, String password) {
+ public SingleSignOnEntry(Principal principal, String authType, String username, String password) {
updateCredentials(principal, authType, username, password);
}
@@ -81,13 +76,11 @@ public class SingleSignOnEntry implements Serializable {
// ------------------------------------------------------- Package Methods
/**
- * Adds a <code>Session</code> to the list of those associated with
- * this SSO.
+ * Adds a <code>Session</code> to the list of those associated with this SSO.
*
- * @param sso The <code>SingleSignOn</code> valve that is managing
- * the SSO session.
- * @param ssoId The ID of the SSO session.
- * @param session The <code>Session</code> being associated with the SSO.
+ * @param sso The <code>SingleSignOn</code> valve that is managing the SSO session.
+ * @param ssoId The ID of the SSO session.
+ * @param session The <code>Session</code> being associated with the SSO.
*/
public void addSession(SingleSignOn sso, String ssoId, Session session) {
SingleSignOnSessionKey key = new SingleSignOnSessionKey(session);
@@ -99,10 +92,9 @@ public class SingleSignOnEntry implements Serializable {
}
/**
- * Removes the given <code>Session</code> from the list of those
- * associated with this SSO.
+ * Removes the given <code>Session</code> from the list of those associated with this SSO.
*
- * @param session the <code>Session</code> to remove.
+ * @param session the <code>Session</code> to remove.
*/
public void removeSession(Session session) {
SingleSignOnSessionKey key = new SingleSignOnSessionKey(session);
@@ -112,16 +104,14 @@ public class SingleSignOnEntry implements Serializable {
/**
* Returns the HTTP Session identifiers associated with this SSO.
*
- * @return The identifiers for the HTTP sessions that are current associated
- * with this SSo entry
+ * @return The identifiers for the HTTP sessions that are current associated with this SSo entry
*/
public Set<SingleSignOnSessionKey> findSessions() {
return sessionKeys.keySet();
}
/**
- * Gets the name of the authentication type originally used to authenticate
- * the user associated with the SSO.
+ * Gets the name of the authentication type originally used to authenticate the user associated with the SSO.
*
* @return "BASIC", "CLIENT_CERT", "DIGEST", "FORM" or "NONE"
*/
@@ -130,11 +120,9 @@ public class SingleSignOnEntry implements Serializable {
}
/**
- * Gets whether the authentication type associated with the original
- * authentication supports reauthentication.
+ * Gets whether the authentication type associated with the original authentication supports reauthentication.
*
- * @return <code>true</code> if <code>getAuthType</code> returns
- * "BASIC" or "FORM", <code>false</code> otherwise.
+ * @return <code>true</code> if <code>getAuthType</code> returns "BASIC" or "FORM", <code>false</code> otherwise.
*/
public boolean getCanReauthenticate() {
return this.canReauthenticate;
@@ -143,9 +131,8 @@ public class SingleSignOnEntry implements Serializable {
/**
* Gets the password credential (if any) associated with the SSO.
*
- * @return the password credential associated with the SSO, or
- * <code>null</code> if the original authentication type
- * does not involve a password.
+ * @return the password credential associated with the SSO, or <code>null</code> if the original authentication type
+ * does not involve a password.
*/
public String getPassword() {
return this.password;
@@ -154,19 +141,17 @@ public class SingleSignOnEntry implements Serializable {
/**
* Gets the <code>Principal</code> that has been authenticated by the SSO.
*
- * @return The Principal that was created by the authentication that
- * triggered the creation of the SSO entry
+ * @return The Principal that was created by the authentication that triggered the creation of the SSO entry
*/
public Principal getPrincipal() {
return this.principal;
}
/**
- * Gets the user name provided by the user as part of the authentication
- * process.
+ * Gets the user name provided by the user as part of the authentication process.
*
- * @return The user name that was authenticated as part of the
- * authentication that triggered the creation of the SSO entry
+ * @return The user name that was authenticated as part of the authentication that triggered the creation of the SSO
+ * entry
*/
public String getUsername() {
return this.username;
@@ -174,18 +159,14 @@ public class SingleSignOnEntry implements Serializable {
/**
- * Updates the SingleSignOnEntry to reflect the latest security
- * information associated with the caller.
+ * Updates the SingleSignOnEntry to reflect the latest security information associated with the caller.
*
- * @param principal the <code>Principal</code> returned by the latest
- * call to <code>Realm.authenticate</code>.
- * @param authType the type of authenticator used (BASIC, CLIENT_CERT,
- * DIGEST or FORM)
+ * @param principal the <code>Principal</code> returned by the latest call to <code>Realm.authenticate</code>.
+ * @param authType the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
* @param username the username (if any) used for the authentication
* @param password the password (if any) used for the authentication
*/
- public synchronized void updateCredentials(Principal principal, String authType,
- String username, String password) {
+ public synchronized void updateCredentials(Principal principal, String authType, String username, String password) {
this.principal = principal;
this.authType = authType;
this.username = username;
@@ -205,8 +186,7 @@ public class SingleSignOnEntry implements Serializable {
}
}
- private void readObject(ObjectInputStream in) throws IOException,
- ClassNotFoundException {
+ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
in.defaultReadObject();
boolean hasPrincipal = in.readBoolean();
if (hasPrincipal) {
diff --git a/java/org/apache/catalina/authenticator/SingleSignOnSessionKey.java b/java/org/apache/catalina/authenticator/SingleSignOnSessionKey.java
index a07946f783..521f404781 100644
--- a/java/org/apache/catalina/authenticator/SingleSignOnSessionKey.java
+++ b/java/org/apache/catalina/authenticator/SingleSignOnSessionKey.java
@@ -22,11 +22,9 @@ import org.apache.catalina.Context;
import org.apache.catalina.Session;
/**
- * Key used by SSO to identify a session. This key is used rather than the
- * actual session to facilitate the replication of the SSO information
- * across a cluster where replicating the entire session would generate
- * significant, unnecessary overhead.
- *
+ * Key used by SSO to identify a session. This key is used rather than the actual session to facilitate the replication
+ * of the SSO information across a cluster where replicating the entire session would generate significant, unnecessary
+ * overhead.
*/
public class SingleSignOnSessionKey implements Serializable {
@@ -59,12 +57,9 @@ public class SingleSignOnSessionKey implements Serializable {
public int hashCode() {
final int prime = 31;
int result = 1;
- result = prime * result +
- ((sessionId == null) ? 0 : sessionId.hashCode());
- result = prime * result +
- ((contextName == null) ? 0 : contextName.hashCode());
- result = prime * result +
- ((hostName == null) ? 0 : hostName.hashCode());
+ result = prime * result + ((sessionId == null) ? 0 : sessionId.hashCode());
+ result = prime * result + ((contextName == null) ? 0 : contextName.hashCode());
+ result = prime * result + ((hostName == null) ? 0 : hostName.hashCode());
return result;
}
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index da9434d0e2..dab026fdac 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -47,11 +47,9 @@ import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
/**
- * A SPNEGO authenticator that uses the SPNEGO/Kerberos support built in to Java
- * 6. Successful Kerberos authentication depends on the correct configuration of
- * multiple components. If the configuration is invalid, the error messages are
- * often cryptic although a Google search will usually point you in the right
- * direction.
+ * A SPNEGO authenticator that uses the SPNEGO/Kerberos support built in to Java 6. Successful Kerberos authentication
+ * depends on the correct configuration of multiple components. If the configuration is invalid, the error messages are
+ * often cryptic although a Google search will usually point you in the right direction.
*/
public class SpnegoAuthenticator extends AuthenticatorBase {
@@ -59,23 +57,27 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
private static final String AUTH_HEADER_VALUE_NEGOTIATE = "Negotiate";
private String loginConfigName = Constants.DEFAULT_LOGIN_MODULE_NAME;
+
public String getLoginConfigName() {
return loginConfigName;
}
+
public void setLoginConfigName(String loginConfigName) {
this.loginConfigName = loginConfigName;
}
private boolean storeDelegatedCredential = true;
+
public boolean isStoreDelegatedCredential() {
return storeDelegatedCredential;
}
- public void setStoreDelegatedCredential(
- boolean storeDelegatedCredential) {
+
+ public void setStoreDelegatedCredential(boolean storeDelegatedCredential) {
this.storeDelegatedCredential = storeDelegatedCredential;
}
private Pattern noKeepAliveUserAgents = null;
+
public String getNoKeepAliveUserAgents() {
Pattern p = noKeepAliveUserAgents;
if (p == null) {
@@ -84,9 +86,9 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
return p.pattern();
}
}
+
public void setNoKeepAliveUserAgents(String noKeepAliveUserAgents) {
- if (noKeepAliveUserAgents == null ||
- noKeepAliveUserAgents.length() == 0) {
+ if (noKeepAliveUserAgents == null || noKeepAliveUserAgents.length() == 0) {
this.noKeepAliveUserAgents = null;
} else {
this.noKeepAliveUserAgents = Pattern.compile(noKeepAliveUserAgents);
@@ -94,9 +96,11 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
}
private boolean applyJava8u40Fix = true;
+
public boolean getApplyJava8u40Fix() {
return applyJava8u40Fix;
}
+
public void setApplyJava8u40Fix(boolean applyJava8u40Fix) {
this.applyJava8u40Fix = applyJava8u40Fix;
}
@@ -116,35 +120,28 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY);
if (krb5Conf == null) {
// System property not set, use the Tomcat default
- File krb5ConfFile = new File(container.getCatalinaBase(),
- Constants.DEFAULT_KRB5_CONF);
- System.setProperty(Constants.KRB5_CONF_PROPERTY,
- krb5ConfFile.getAbsolutePath());
+ File krb5ConfFile = new File(container.getCatalinaBase(), Constants.DEFAULT_KRB5_CONF);
+ System.setProperty(Constants.KRB5_CONF_PROPERTY, krb5ConfFile.getAbsolutePath());
}
// JAAS configuration file location
String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY);
if (jaasConf == null) {
// System property not set, use the Tomcat default
- File jaasConfFile = new File(container.getCatalinaBase(),
- Constants.DEFAULT_JAAS_CONF);
- System.setProperty(Constants.JAAS_CONF_PROPERTY,
- jaasConfFile.getAbsolutePath());
+ File jaasConfFile = new File(container.getCatalinaBase(), Constants.DEFAULT_JAAS_CONF);
+ System.setProperty(Constants.JAAS_CONF_PROPERTY, jaasConfFile.getAbsolutePath());
}
}
@Override
- protected boolean doAuthenticate(Request request, HttpServletResponse response)
- throws IOException {
+ protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
if (checkForCachedAuthentication(request, response, true)) {
return true;
}
- MessageBytes authorization =
- request.getCoyoteRequest().getMimeHeaders()
- .getValue("authorization");
+ MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
if (authorization == null) {
if (log.isDebugEnabled()) {
@@ -160,8 +157,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
if (!authorizationBC.startsWithIgnoreCase("negotiate ", 0)) {
if (log.isDebugEnabled()) {
- log.debug(sm.getString(
- "spnegoAuthenticator.authHeaderNotNego"));
+ log.debug(sm.getString("spnegoAuthenticator.authHeaderNotNego"));
}
response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
@@ -170,8 +166,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
authorizationBC.setOffset(authorizationBC.getOffset() + 10);
- byte[] decoded = Base64.decodeBase64(authorizationBC.getBuffer(),
- authorizationBC.getOffset(),
+ byte[] decoded = Base64.decodeBase64(authorizationBC.getBuffer(), authorizationBC.getOffset(),
authorizationBC.getLength());
if (getApplyJava8u40Fix()) {
@@ -180,8 +175,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
if (decoded.length == 0) {
if (log.isDebugEnabled()) {
- log.debug(sm.getString(
- "spnegoAuthenticator.authHeaderNoToken"));
+ log.debug(sm.getString("spnegoAuthenticator.authHeaderNoToken"));
}
response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
@@ -197,10 +191,8 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
lc = new LoginContext(getLoginConfigName());
lc.login();
} catch (LoginException e) {
- log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"),
- e);
- response.sendError(
- HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
+ response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}
@@ -216,19 +208,15 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
} else {
credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
}
- final PrivilegedExceptionAction<GSSCredential> action =
- () -> manager.createCredential(null,
- credentialLifetime,
- new Oid("1.3.6.1.5.5.2"),
- GSSCredential.ACCEPT_ONLY);
+ final PrivilegedExceptionAction<GSSCredential> action = () -> manager.createCredential(null,
+ credentialLifetime, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
gssContext = manager.createContext(Subject.doAs(subject, action));
outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));
if (outToken == null) {
if (log.isDebugEnabled()) {
- log.debug(sm.getString(
- "spnegoAuthenticator.ticketValidateFail"));
+ log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"));
}
// Start again
response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
@@ -236,8 +224,8 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
return false;
}
- principal = Subject.doAs(subject, new AuthenticateAction(
- context.getRealm(), gssContext, storeDelegatedCredential));
+ principal = Subject.doAs(subject,
+ new AuthenticateAction(context.getRealm(), gssContext, storeDelegatedCredential));
} catch (GSSException e) {
if (log.isDebugEnabled()) {
@@ -276,18 +264,14 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
}
// Send response token on success and failure
- response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE + " "
- + Base64.encodeBase64String(outToken));
+ response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE + " " + Base64.encodeBase64String(outToken));
if (principal != null) {
- register(request, response, principal, Constants.SPNEGO_METHOD,
- principal.getName(), null);
+ register(request, response, principal, Constants.SPNEGO_METHOD, principal.getName(), null);
Pattern p = noKeepAliveUserAgents;
if (p != null) {
- MessageBytes ua =
- request.getCoyoteRequest().getMimeHeaders().getValue(
- "user-agent");
+ MessageBytes ua = request.getCoyoteRequest().getMimeHeaders().getValue("user-agent");
if (ua != null && p.matcher(ua.toString()).matches()) {
response.setHeader("Connection", "close");
}
@@ -323,8 +307,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
@Override
public byte[] run() throws GSSException {
- return gssContext.acceptSecContext(decoded,
- 0, decoded.length);
+ return gssContext.acceptSecContext(decoded, 0, decoded.length);
}
}
@@ -335,8 +318,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
private final GSSContext gssContext;
private final boolean storeDelegatedCredential;
- public AuthenticateAction(Realm realm, GSSContext gssContext,
- boolean storeDelegatedCredential) {
+ public AuthenticateAction(Realm realm, GSSContext gssContext, boolean storeDelegatedCredential) {
this.realm = realm;
this.gssContext = gssContext;
this.storeDelegatedCredential = storeDelegatedCredential;
@@ -350,17 +332,14 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
/**
- * This class implements a hack around an incompatibility between the
- * SPNEGO implementation in Windows and the SPNEGO implementation in Java 8
- * update 40 onwards. It was introduced by the change to fix this bug:
- * https://bugs.openjdk.java.net/browse/JDK-8048194
- * (note: the change applied is not the one suggested in the bug report)
+ * This class implements a hack around an incompatibility between the SPNEGO implementation in Windows and the
+ * SPNEGO implementation in Java 8 update 40 onwards. It was introduced by the change to fix this bug:
+ * https://bugs.openjdk.java.net/browse/JDK-8048194 (note: the change applied is not the one suggested in the bug
+ * report)
* <p>
- * It is not clear to me if Windows, Java or Tomcat is at fault here. I
- * think it is Java but I could be wrong.
+ * It is not clear to me if Windows, Java or Tomcat is at fault here. I think it is Java but I could be wrong.
* <p>
- * This hack works by re-ordering the list of mechTypes in the NegTokenInit
- * token.
+ * This hack works by re-ordering the list of mechTypes in the NegTokenInit token.
*/
public static class SpnegoTokenFixer {
@@ -382,9 +361,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
// Fixes the token in-place
private void fix() {
/*
- * Useful references:
- * http://tools.ietf.org/html/rfc4121#page-5
- * http://tools.ietf.org/html/rfc2743#page-81
+ * Useful references: http://tools.ietf.org/html/rfc4121#page-5 http://tools.ietf.org/html/rfc2743#page-81
* https://msdn.microsoft.com/en-us/library/ms995330.aspx
*/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org