Author: mposolda
Date: 2011-11-02 10:28:05 -0400 (Wed, 02 Nov 2011)
New Revision: 7936
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SPNEGOFilter.java
components/sso/trunk/spnego/pom.xml
components/sso/trunk/spnego/src/main/java/org/gatein/sso/spnego/NegotiationAuthenticator.java
Log:
GTNPORTAL-2251 Handle login through portal/login to avoid need of changes in login.jsp
Modified:
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SPNEGOFilter.java
===================================================================
---
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SPNEGOFilter.java 2011-11-02
14:01:37 UTC (rev 7935)
+++
components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/filter/SPNEGOFilter.java 2011-11-02
14:28:05 UTC (rev 7936)
@@ -1,24 +1,26 @@
/*
-* JBoss, a division of Red Hat
-* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
-*/
+ * JBoss, a division of Red Hat
+ * Copyright 2011, Red Hat Middleware, LLC, and individual
+ * contributors as indicated by the @authors tag. See the
+ * copyright.txt in the distribution for a full listing of
+ * individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+
package org.gatein.sso.agent.filter;
import java.io.IOException;
@@ -28,54 +30,83 @@
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
import org.exoplatform.container.web.AbstractFilter;
-import org.exoplatform.services.security.Authenticator;
-import org.exoplatform.services.security.IdentityRegistry;
-import org.exoplatform.services.security.Identity;
/**
- * Note: This Filter should not be needed anymore. Once various SPNEGO scenarios have
been tested and stabilized, I would recommend removing this from the codebase in
- * a future release of the module
- *
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ * Filter is needed because when fallback to FORM authentication, we don't need to
redirect request to PortalLoginController to secured URI,
+ * but we need to go directly to /initiatelogin without going again through Tomcat
authenticator.
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class SPNEGOFilter extends AbstractFilter
{
-
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException
- {
- HttpServletRequest httpRequest = (HttpServletRequest)request;
- try
- {
- String remoteUser = httpRequest.getRemoteUser();
-
- if(remoteUser != null)
- {
- //Check and make sure the IdentityRegistry is consistent
- IdentityRegistry identityRegistry = (IdentityRegistry) getContainer()
- .getComponentInstanceOfType(IdentityRegistry.class);
- if(identityRegistry.getIdentity(remoteUser) == null)
- {
- Authenticator authenticator = (Authenticator) getContainer()
- .getComponentInstanceOfType(Authenticator.class);
-
- Identity identity = authenticator.createIdentity(remoteUser);
-
- identityRegistry.register(identity);
- }
- }
-
- chain.doFilter(request, response);
- }
- catch(Throwable t)
- {
- throw new RuntimeException(t);
- }
- }
- public void destroy()
- {
- }
+ public static final String ATTR_INITIAL_URI = "SPNEGOFilter.initialURI";
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException
+ {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ HttpServletResponse httpResponse = (HttpServletResponse)response;
+ try
+ {
+ if (isLoginControllerInProgress(httpRequest))
+ {
+ // first save initialURI as parameter into HTTP session. We may need it later
in authenticator
+ String initialURI = httpRequest.getParameter("initialURI");
+ if (initialURI != null)
+ {
+ httpRequest.getSession().setAttribute(ATTR_INITIAL_URI, initialURI);
+ }
+
+ // we need to redirect directly to initiatelogin without going through
secured URL.
+ HttpServletResponse wrapperResponse = new
IgnoreRedirectHttpResponse(httpResponse);
+ chain.doFilter(request, wrapperResponse);
+ httpResponse.sendRedirect("/portal/initiatelogin");
+ }
+ else
+ {
+ chain.doFilter(request, response);
+ }
+ }
+ catch(Throwable t)
+ {
+ throw new RuntimeException(t);
+ }
+ }
+
+ public void destroy()
+ {
+ }
+
+ private boolean isLoginControllerInProgress(HttpServletRequest request)
+ {
+ String action = request.getRequestURI();
+
+ if (action != null && action.equals("/portal/login"))
+ {
+ return true;
+ }
+
+ return false;
+ }
+
+ // Ignoring calls to response.sendRedirect, which are performed from
PortalLoginController
+ private class IgnoreRedirectHttpResponse extends HttpServletResponseWrapper
+ {
+
+ public IgnoreRedirectHttpResponse(HttpServletResponse response)
+ {
+ super(response);
+ }
+
+ @Override
+ public void sendRedirect(String location)
+ {
+ }
+
+ }
}
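Review bot: The `initialURI` request parameter is copied into the session in `doFilter` with no validation, and the `savedRequestURL` override this commit adds to NegotiationAuthenticator.java returns that value as the saved URL, which its Javadoc says is used "so that we can redirect to it". If that redirect is issued as-is, a crafted login link carrying an absolute or scheme-relative `initialURI` would send the user to another site after a successful login. Store the value only when it is a path inside this application, for example `if (initialURI != null && initialURI.startsWith(httpRequest.getContextPath() + "/") && !initialURI.startsWith("//"))`, and also reject values containing a backslash or CR/LF. Separately, `"/portal/login"` and `"/portal/initiatelogin"` hard-code the context path where `httpRequest.getContextPath()` would keep the filter working under another deployment name. The `catch(Throwable t)` wrapper also turns `IOException` and `ServletException` from the chain into a bare `RuntimeException`, hiding the types the method declares.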
Modified: components/sso/trunk/spnego/pom.xml
===================================================================
--- components/sso/trunk/spnego/pom.xml 2011-11-02 14:01:37 UTC (rev 7935)
+++ components/sso/trunk/spnego/pom.xml 2011-11-02 14:28:05 UTC (rev 7936)
@@ -25,6 +25,11 @@
<groupId>org.jboss.security</groupId>
<artifactId>jboss-negotiation-spnego</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.gatein.sso</groupId>
+ <artifactId>sso-agent</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
<build>
Modified:
components/sso/trunk/spnego/src/main/java/org/gatein/sso/spnego/NegotiationAuthenticator.java
===================================================================
---
components/sso/trunk/spnego/src/main/java/org/gatein/sso/spnego/NegotiationAuthenticator.java 2011-11-02
14:01:37 UTC (rev 7935)
+++
components/sso/trunk/spnego/src/main/java/org/gatein/sso/spnego/NegotiationAuthenticator.java 2011-11-02
14:28:05 UTC (rev 7936)
@@ -26,11 +26,14 @@
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
+import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.FormAuthenticator;
+import org.apache.catalina.authenticator.SavedRequest;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.log4j.Logger;
+import org.gatein.sso.agent.filter.SPNEGOFilter;
import org.jboss.security.negotiation.MessageFactory;
import org.jboss.security.negotiation.NegotiationException;
import org.jboss.security.negotiation.NegotiationMessage;
@@ -297,6 +300,32 @@
}
}
+ /**
+ * Return the request URI (with the corresponding query string, if any)
+ * from the saved request so that we can redirect to it. We need to override this
method
+ * because Constants.FORM_REQUEST_NOTE can be null sometimes (when request was send
to /portal/login without displaying login.jsp page)
+ *
+ * @param session Our current session
+ */
+ protected String savedRequestURL(Session session)
+ {
+ String savedURI = super.savedRequestURL(session);
+
+ // use url saved by SPNEGOFilter if saved request not found
+ if (savedURI == null)
+ {
+ savedURI =
(String)session.getSession().getAttribute(SPNEGOFilter.ATTR_INITIAL_URI);
+ }
+
+ // using default context if nothing helped
+ if (savedURI == null)
+ {
+ savedURI = session.getSession().getServletContext().getContextPath();
+ }
+
+ return savedURI;
+ }
+
private void initiateNegotiation(final Request request, final HttpServletResponse
response, final LoginConfig config)
throws IOException
{
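Review bot: The fallback in `savedRequestURL` reads `SPNEGOFilter.ATTR_INITIAL_URI` from the session but never clears it, so a value stored by one request to /portal/login remains the fallback target for every later login on the same session. Remove it once it has been consumed, e.g. `session.getSession().removeAttribute(SPNEGOFilter.ATTR_INITIAL_URI);` directly after the read. The value comes from a request parameter, so this method is also a reasonable place to re-check that it is an application-relative path before returning it. The method calls `super.savedRequestURL` and its Javadoc describes it as an override, so adding `@Override` would let the compiler catch a signature change in the Tomcat base class.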