Author: remy.maucherat(a)jboss.com
Date: 2013-06-19 11:52:43 -0400 (Wed, 19 Jun 2013)
New Revision: 2225
Modified:
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java
branches/8.0.x/src/main/java/org/apache/catalina/realm/RealmBase.java
branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java
Log:
Adapt and port Servlet 3.1 auth updates, to support **.
Modified:
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
---
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-06-18
12:31:51 UTC (rev 2224)
+++
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-06-19
15:52:43 UTC (rev 2225)
@@ -395,6 +395,36 @@
}
}
+ // Special handling for form-based logins to deal with the case where
+ // a resource is protected for some HTTP methods but not protected for
+ // GET which is used after authentication when redirecting to the
+ // protected resource.
+ // TODO: This is similar to the FormAuthenticator.matchRequest() logic
+ // Is there a way to remove the duplication?
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ SavedRequest savedRequest =
+ (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
+ if (savedRequest != null) {
+ String decodedRequestURI = request.getDecodedRequestURI();
+ if (decodedRequestURI != null &&
+ decodedRequestURI.equals(
+ savedRequest.getDecodedRequestURI())) {
+ if (!authenticate(request, response)) {
+ if (CatalinaLogger.AUTH_LOGGER.isDebugEnabled()) {
+ CatalinaLogger.AUTH_LOGGER.debug(" Failed authenticate()
test");
+ }
+ /*
+ * ASSERT: Authenticator already set the appropriate
+ * HTTP status code, so we do not have to do anything
+ * special
+ */
+ return;
+ }
+ }
+ }
+ }
+
Realm realm = this.context.getRealm();
// Is this request URI subject to a security constraint?
SecurityConstraint [] constraints
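Review bot: The new saved-request check matches on the decoded request URI alone, so neither the HTTP method nor the query string participates; any request to that URI while the FORM_REQUEST_NOTE is present is routed through authenticate() even when no constraint covers it. That mirrors the FormAuthenticator.matchRequest() logic the TODO names, but the comment only describes the GET-after-redirect case, so I would add `// Matches on URI only (no method/query check), as FormAuthenticator.matchRequest() does` above the `Session session = ...` line. Whether the note can be set by anything other than the form authenticator is not visible here and is worth confirming, since the block runs for every authenticator that inherits this method. The enclosing method starts before and ends after the hunk.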
@@ -450,10 +480,13 @@
for(i=0; i < constraints.length && authRequired; i++) {
if(!constraints[i].getAuthConstraint()) {
authRequired = false;
- } else if(!constraints[i].getAllRoles()) {
+ break;
+ } else if(!constraints[i].getAllRoles() &&
+ !constraints[i].getAuthenticatedUsers()) {
String [] roles = constraints[i].findAuthRoles();
if(roles == null || roles.length == 0) {
authRequired = false;
+ break;
}
}
}
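Review bot: The two added `break` statements are redundant with the `&& authRequired` clause in the loop header, which already stops iteration once `authRequired` is cleared. They are harmless, but they do change the value of `i` after the loop (it now points at the matching constraint instead of one past it); that only matters if `i` is read after the loop, which lies outside the hunk. Either drop them or add a one-line comment such as `// break keeps i on the constraint that cleared authRequired` so the intent is explicit.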
Modified: branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java
===================================================================
---
branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java 2013-06-18
12:31:51 UTC (rev 2224)
+++
branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java 2013-06-19
15:52:43 UTC (rev 2225)
@@ -39,6 +39,9 @@
public class SecurityConstraint implements Serializable {
+ public static final String ROLE_ALL_ROLES = "*";
+ public static final String ROLE_ALL_AUTHENTICATED_USERS = "**";
+
// ----------------------------------------------------------- Constructors
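Review bot: The two new public constants have no Javadoc although they are part of the class's public surface and are referenced from ContextConfig. I would document each: `/** Wildcard role name meaning "every role declared by the application". */` for ROLE_ALL_ROLES and `/** Wildcard role name meaning "any authenticated user" (Servlet 3.1). */` for ROLE_ALL_AUTHENTICATED_USERS.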
@@ -56,13 +59,21 @@
/**
- * Was the "all roles" wildcard included in the authorization constraints
- * for this security constraint?
+ * Was the "all roles" wildcard - {@link #ROLE_ALL_ROLES} - included in
the
+ * authorization constraints for this security constraint?
*/
private boolean allRoles = false;
/**
+ * Was the "all authenticated users" wildcard -
+ * {@link #ROLE_ALL_AUTHENTICATED_USERS} - included in the authorization
+ * constraints for this security constraint?
+ */
+ private boolean authenticatedUsers = false;
+
+
+ /**
* Was an authorization constraint included in this security constraint?
* This is necessary to distinguish the case where an auth-constraint with
* no roles (signifying no direct access at all) was requested, versus
@@ -113,6 +124,15 @@
/**
+ * Was the "all authenticated users" wildcard included in this
+ * authentication constraint?
+ */
+ public boolean getAuthenticatedUsers() {
+ return this.authenticatedUsers;
+ }
+
+
+ /**
* Return the authorization constraint present flag for this security
* constraint.
*/
@@ -177,6 +197,24 @@
}
+ /**
+ * Called in the unlikely event that an application defines a role named
+ * "**".
+ */
+ public void treatAllAuthenticatedUsersAsApplicationRole() {
+ if (authenticatedUsers) {
+ authenticatedUsers = false;
+
+ String results[] = new String[authRoles.length + 1];
+ for (int i = 0; i < authRoles.length; i++)
+ results[i] = authRoles[i];
+ results[authRoles.length] = ROLE_ALL_AUTHENTICATED_USERS;
+ authRoles = results;
+ authConstraint = true;
+ }
+ }
+
+
// --------------------------------------------------------- Public Methods
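Review bot: The array-extension loop in treatAllAuthenticatedUsersAsApplicationRole duplicates the one in addAuthRole; if java.util.Arrays is already imported in this file, `authRoles = Arrays.copyOf(authRoles, authRoles.length + 1); authRoles[authRoles.length - 1] = ROLE_ALL_AUTHENTICATED_USERS;` replaces the four lines. The `authConstraint = true` assignment looks redundant, since addAuthRole already sets it whenever it sets `authenticatedUsers`, though it is harmless. The Javadoc should also state the effect rather than only the trigger: after this call `**` is no longer a wildcard for this constraint and is matched by the realm as a literal application role.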
@@ -191,10 +229,14 @@
if (authRole == null)
return;
authConstraint = true;
- if ("*".equals(authRole)) {
+ if (ROLE_ALL_ROLES.equals(authRole)) {
allRoles = true;
return;
}
+ if (ROLE_ALL_AUTHENTICATED_USERS.equals(authRole)) {
+ authenticatedUsers = true;
+ return;
+ }
String results[] = new String[authRoles.length + 1];
for (int i = 0; i < authRoles.length; i++)
results[i] = authRoles[i];
@@ -329,6 +371,14 @@
if (authRole == null)
return;
+ if (ROLE_ALL_ROLES.equals(authRole)) {
+ allRoles = false;
+ return;
+ }
+ if (ROLE_ALL_AUTHENTICATED_USERS.equals(authRole)) {
+ authenticatedUsers = false;
+ return;
+ }
int n = -1;
for (int i = 0; i < authRoles.length; i++) {
if (authRoles[i].equals(authRole)) {
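Review bot: The new early return for ROLE_ALL_AUTHENTICATED_USERS skips the array search below, so after treatAllAuthenticatedUsersAsApplicationRole() has moved `**` into `authRoles`, a later removeAuthRole("**") only clears the already-false flag and leaves the literal role in the constraint. Guarding the early return on the flag, `if (ROLE_ALL_AUTHENTICATED_USERS.equals(authRole) && authenticatedUsers) {`, lets the call fall through to the array removal when `**` is an application role. The same question would apply to `*` only if it can ever be stored literally, which these hunks do not show. The enclosing method begins before the hunk.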
Modified: branches/8.0.x/src/main/java/org/apache/catalina/realm/RealmBase.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/realm/RealmBase.java 2013-06-18
12:31:51 UTC (rev 2224)
+++ branches/8.0.x/src/main/java/org/apache/catalina/realm/RealmBase.java 2013-06-19
15:52:43 UTC (rev 2225)
@@ -751,7 +751,13 @@
if (CatalinaLogger.REALM_LOGGER.isDebugEnabled())
CatalinaLogger.REALM_LOGGER.debug(" Checking roles " +
principal);
- if (roles.length == 0 && !constraint.getAllRoles()) {
+ if (constraint.getAuthenticatedUsers() && principal != null) {
+ if (CatalinaLogger.REALM_LOGGER.isDebugEnabled()) {
+ CatalinaLogger.REALM_LOGGER.debug("Passing all authenticated
users");
+ }
+ status = true;
+ } else if (roles.length == 0 && !constraint.getAllRoles() &&
+ !constraint.getAuthenticatedUsers()) {
if(constraint.getAuthConstraint()) {
if( CatalinaLogger.REALM_LOGGER.isDebugEnabled() )
CatalinaLogger.REALM_LOGGER.debug("No roles ");
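Review bot: The new `constraint.getAuthenticatedUsers() && principal != null` branch grants access to any non-null principal; that is correct only if `principal` here is always the request's authenticated principal and no caller ever supplies an unauthenticated or placeholder principal, which cannot be confirmed from the hunk since the method's signature and callers are outside it. The appended `&& !constraint.getAuthenticatedUsers()` on the else-if can only matter when `principal` is null, so a short comment such as `// unauthenticated request against a ** constraint falls through to the role check` would make the intended denial path clear. The debug message `"Passing all authenticated users"` also lacks the leading space the neighbouring messages use.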
Modified: branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java 2013-06-18
12:31:51 UTC (rev 2224)
+++ branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java 2013-06-19
15:52:43 UTC (rev 2225)
@@ -665,13 +665,22 @@
*/
protected void validateSecurityRoles() {
+ // Check if ** role was defined by the application itself
+ if (context.findSecurityRole(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
+ SecurityConstraint constraints[] = context.findConstraints();
+ for (SecurityConstraint constraint : constraints) {
+ constraint.treatAllAuthenticatedUsersAsApplicationRole();
+ }
+ }
+
// Check role names used in <security-constraint> elements
SecurityConstraint constraints[] = context.findConstraints();
for (int i = 0; i < constraints.length; i++) {
String roles[] = constraints[i].findAuthRoles();
for (int j = 0; j < roles.length; j++) {
- if (!"*".equals(roles[j]) &&
- !context.findSecurityRole(roles[j])) {
+ if (!SecurityConstraint.ROLE_ALL_ROLES.equals(roles[j])
+ &&
!SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS.equals(roles[j])
+ && !context.findSecurityRole(roles[j])) {
CatalinaLogger.STARTUP_LOGGER.roleValidationAuth(roles[j]);
context.addSecurityRole(roles[j]);
}
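Review bot: `context.findConstraints()` is now called twice in validateSecurityRoles, once in the new `**` block and once in the existing loop below; hoisting the single `SecurityConstraint constraints[] = context.findConstraints();` above the new `if` and dropping the inner declaration removes the duplicate call. Because the conversion runs only at this point, constraints registered after validateSecurityRoles() (for example programmatically) would presumably keep `**` as the wildcard even when the application declares it as a role; if that path exists it deserves a comment here. With the conversion in place, the `ROLE_ALL_AUTHENTICATED_USERS` exclusion in the validation condition appears to be unreachable for a missing role, since `**` only enters `authRoles` when findSecurityRole("**") is true. The enclosing method ends after the hunk.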