Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 09:18:35 UTC

[sling-org-apache-sling-auth-form] 18/26: SLING-1428 Reimplement full j_validate functionality: Send a 403 response if either the provided cookie value is invalid or if the provided user name and password cannot be used to login. Created methods to actually send back the success or failure responses for validation requests.

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.auth.form-1.0.2
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-form.git

commit e4d4eff5caac01256945b675c6d880233127c201
Author: Felix Meschberger <fm...@apache.org>
AuthorDate: Thu Sep 23 13:33:27 2010 +0000

    SLING-1428 Reimplement full j_validate functionality: Send a 403 response if either the provided cookie value is invalid or if the provided user name and password cannot be used to login. Created methods to actually send back the success or failure responses for validation requests.
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form@1000462 13f79535-47bb-0310-9956-ffa450edef68
---
 .../auth/form/impl/FormAuthenticationHandler.java  | 92 ++++++++++++++++------
 1 file changed, 67 insertions(+), 25 deletions(-)

diff --git a/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java b/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
index dab932e..f5a47f7 100644
--- a/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
+++ b/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
@@ -252,6 +252,18 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
      */
     private static final long MINUTES = 60L * 1000L;
 
+    /**
+     * The name of the request header set by
+     * {@link #authenticationFailed(HttpServletRequest, HttpServletResponse, AuthenticationInfo)}
+     * if instead of requesting credentials from the client a 403/FORBIDDEN response is sent.
+     * <p>
+     * This header may be inspected by clients for a reason why the request
+     * failed.
+     *
+     * @see #authenticationFailed(HttpServletRequest, HttpServletResponse, AuthenticationInfo)
+     */
+    private static final String X_REASON = "X-Reason";
+
     /** default log */
     private final Logger log = LoggerFactory.getLogger(getClass());
 
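Review bot: The Javadoc on `X_REASON` says the header is set by `authenticationFailed(...)`, but in this commit the header is written only inside `sendInvalid(response, reason)`, which is called from both `authenticationFailed` and the expired-cookie branch of the credential extraction code. A reader following the `{@link}` will not find the `setHeader` call. I would reword the first sentence to `The name of the response header set by {@link #sendInvalid(HttpServletResponse, FormReason)} when a 403/FORBIDDEN response is sent to a credential validation request instead of requesting credentials from the client.` and point the `@see` at `sendInvalid` as well; "request header" should also become "response header", since it is set on the response.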
@@ -323,14 +335,20 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
                 if (tokenStore.isValid(authData)) {
                     info = createAuthInfo(authData);
                 } else {
+                    // clear the cookie, its invalid and we should get rid of it
+                    // so that the invalid cookie isn't present on the authN
+                    // operation.
+                    authStorage.clear(request, response);
                     if (this.loginAfterExpire) {
-                      // signal the requestCredentials method a previous login failure
+                        // signal the requestCredentials method a previous login
+                        // failure
                         request.setAttribute(FAILURE_REASON, FormReason.TIMEOUT);
                         info = AuthenticationInfo.FAIL_AUTH;
+                    } else if (isValidateRequest(request)) {
+                        // send 403 response and terminate the request
+                        sendInvalid(response, FormReason.TIMEOUT);
+                        info = AuthenticationInfo.DOING_AUTH;
                     }
-                    // clear the cookie, its invalid and we should get rid of it so that the invalid cookie
-                    // isn't present on the authN operation.
-                    authStorage.clear(request, response);
                 }
             }
         }
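Review bot: The new `else if (isValidateRequest(request))` branch reports `FormReason.TIMEOUT` for every cookie that `tokenStore.isValid(authData)` rejects, and from this hunk it is not visible whether `isValid` distinguishes an expired token from one that fails its integrity check; if it does not, a tampered or forged cookie is answered with a header claiming the session merely timed out, which is misleading to the client and makes the two cases indistinguishable in logs. If the token store can tell them apart, the reason should be chosen accordingly; otherwise a short comment such as `// isValid() also fails for malformed/forged tokens; TIMEOUT is reported for all of them` would at least make the approximation explicit. Returning `AuthenticationInfo.DOING_AUTH` after `sendInvalid` has committed the response is the right signal to stop further processing, and the cookie is now cleared before either branch runs, which is an improvement over the old order. The enclosing method starts and ends outside this hunk.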
@@ -358,19 +376,6 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
             return false;
         }
 
-        // 1. check whether we short cut for a failed log in with validation
-        if (isValidateRequest(request)) {
-            try {
-                response.setStatus(403);
-                response.flushBuffer();
-            } catch (IOException ioe) {
-                log.error("Failed to send 403/FORBIDDEN response", ioe);
-            }
-
-            // consider credentials requested
-            return true;
-        }
-
         final String resource = setLoginResourceAttribute(request,
             request.getRequestURI());
 
@@ -446,8 +451,17 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
         // clear authentication data from Cookie or Http Session
         authStorage.clear(request, response);
 
-        // signal the requestCredentials method a previous login failure
-        request.setAttribute(FAILURE_REASON, FormReason.INVALID_CREDENTIALS);
+        if (isValidateRequest(request)) {
+
+            // just validated the credentials to be invalid
+            sendInvalid(response, FormReason.INVALID_CREDENTIALS);
+
+        } else {
+
+            // signal the requestCredentials method a previous login failure
+            request.setAttribute(FAILURE_REASON, FormReason.INVALID_CREDENTIALS);
+
+        }
     }
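Review bot: In the validation branch `sendInvalid(response, FormReason.INVALID_CREDENTIALS)` commits the response from inside `authenticationFailed`, which the method's existing contract (its Javadoc is outside this hunk) may not advertise; callers that go on to write to the response after this method returns would then hit an already-committed response. I would add to the method Javadoc a sentence along the lines of `For credential validation requests (see isValidateRequest) this method sends a 403/FORBIDDEN response and commits it; no further output may be written to the response afterwards.` As a point of style, the blank lines padding each branch of the new `if`/`else` are unusual for this file and can be dropped so the two single-statement branches read as a compact pair. The enclosing method starts outside this hunk.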
 
     /**
@@ -477,12 +491,7 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
         final boolean result;
         if (isValidateRequest(request)) {
 
-            try {
-                response.setStatus(200);
-                response.flushBuffer();
-            } catch (IOException ioe) {
-                log.error("Failed to send 200/OK response", ioe);
-            }
+            sendValid(response);
 
             // terminate request, all done
             result = true;
@@ -558,6 +567,39 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
     }
 
     /**
+     * Sends a 200/OK response to a credential validation request.
+     *
+     * @param response The response object
+     */
+    private void sendValid(final HttpServletResponse response) {
+        try {
+            response.setStatus(200);
+            response.flushBuffer();
+        } catch (IOException ioe) {
+            log.error("Failed to send 200/OK response", ioe);
+        }
+    }
+
+    /**
+     * Sends a 403/FORBIDDEN response to a credential validation request
+     * providing the given reason as the value of the {@link #X_REASON} header.
+     *
+     * @param response The response object
+     * @param reason The reason to set on the header; not expected to be
+     *            <code>null</code>
+     */
+    private void sendInvalid(final HttpServletResponse response,
+            final FormReason reason) {
+        try {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.setHeader(X_REASON, reason.toString());
+            response.flushBuffer();
+        } catch (IOException ioe) {
+            log.error("Failed to send 403/Forbidden response", ioe);
+        }
+    }
+
+    /**
      * Ensures the authentication data is set (if not set yet) and the expiry
      * time is prolonged (if auth data already existed).
      * <p>
