Author: remy.maucherat(a)jboss.com
Date: 2009-11-13 13:00:41 -0500 (Fri, 13 Nov 2009)
New Revision: 1268
Modified:
trunk/java/org/apache/catalina/Authenticator.java
trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
trunk/java/org/apache/catalina/authenticator/Constants.java
trunk/java/org/apache/catalina/connector/Request.java
Log:
- Move code over to authenticators, where it is pluggable.
Modified: trunk/java/org/apache/catalina/Authenticator.java
===================================================================
--- trunk/java/org/apache/catalina/Authenticator.java 2009-11-13 04:23:25 UTC (rev 1267)
+++ trunk/java/org/apache/catalina/Authenticator.java 2009-11-13 18:00:41 UTC (rev 1268)
@@ -37,10 +37,8 @@
public interface Authenticator {
public boolean authenticate(Request request, HttpServletResponse response)
throws IOException, ServletException;
- // TODO
-/* public boolean login(Request request, HttpServletResponse response,
- String username, String password)
+ public void login(Request request, String username, String password)
throws ServletException;
- public boolean logout(Request request, HttpServletResponse response, Session
session)
- throws ServletException;*/
+ public void logout(Request request)
+ throws ServletException;
}
Modified: trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
--- trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2009-11-13
04:23:25 UTC (rev 1267)
+++ trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2009-11-13
18:00:41 UTC (rev 1268)
@@ -385,6 +385,38 @@
}
+ public void login(Request request, String username, String password)
+ throws ServletException {
+
+ // Is there an SSO session against which we can try to reauthenticate?
+ String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
+ if (ssoId != null) {
+ if (log.isDebugEnabled())
+ log.debug("SSO Id " + ssoId + " set; attempting " +
+ "reauthentication");
+ /* Try to reauthenticate using data cached by SSO. If this fails,
+ either the original SSO logon was of DIGEST or SSL (which
+ we can't reauthenticate ourselves because there is no
+ cached username and password), or the realm denied
+ the user's reauthentication for some reason.
+ In either case we have to prompt the user for a logon */
+ if (reauthenticateFromSSO(ssoId, request))
+ return;
+ }
+
+ Realm realm = context.getRealm();
+ Principal principal = realm.authenticate(username, password);
+ if (principal != null) {
+ register(request, request.getResponseFacade(), principal,
Constants.LOGIN_METHOD,
+ username, password);
+ }
+ }
+
+ public void logout(Request request)
+ throws ServletException {
+ unregister(request, request.getResponseFacade());
+ }
+
/**
* Enforce the security restrictions in the web application deployment
* descriptor of our associated Context.
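Review bot: The SSO shortcut at the top of the new `login` returns before the supplied `username`/`password` are ever checked: when the request carries a REQ_SSOID_NOTE and `reauthenticateFromSSO` succeeds, a call such as `login(request, "other", "wrong")` completes without error and leaves the SSO identity in place, so a programmatic login can neither fail on bad credentials nor switch users while an SSO cookie is present. Since the caller is explicitly presenting credentials, `login` should validate them unconditionally — drop the `ssoId` block and go straight to `Principal principal = context.getRealm().authenticate(username, password);`, leaving SSO reauthentication to `authenticate()`. A realm rejection is also silent here (`principal == null` merely skips `register`); the null check in `Request.login` in this same revision presumably catches it through the request principal that `register` sets, but an explicit `throw new ServletException(...)` in `login` would not depend on that. Note that `register` is handed the cleartext `password`, so whatever it caches in the session under SESS_PASSWORD_NOTE now applies to programmatic logins as well.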
@@ -453,12 +485,12 @@
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
if (disableProxyCaching &&
- // FIXME: Disabled for Mozilla FORM support over SSL
+ // Note: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
//!request.isSecure() &&
!"POST".equalsIgnoreCase(request.getMethod())) {
if (securePagesWithPragma) {
- // FIXME: These cause problems with downloading office docs
+ // Note: These cause problems with downloading office docs
// from IE under SSL and may not be needed for newer Mozilla
// clients.
response.setHeader("Pragma", "No-cache");
@@ -794,6 +826,48 @@
}
+ /**
+ * Register an authenticated Principal and authentication type in our
+ * request, in the current session (if there is one), and with our
+ * SingleSignOn valve, if there is one. Set the appropriate cookie
+ * to be returned.
+ *
+ * @param request The servlet request we are processing
+ * @param response The servlet response we are generating
+ * @param principal The authenticated Principal to be registered
+ * @param authType The authentication type to be registered
+ * @param username Username used to authenticate (if any)
+ * @param password Password used to authenticate (if any)
+ */
+ protected void unregister(Request request, HttpServletResponse response) {
+
+ // Remove the authentication information from our request
+ request.setAuthType(null);
+ request.setUserPrincipal(null);
+
+ Session session = request.getSessionInternal(false);
+ // Cache the authentication information in our session, if any
+ if (cache && session != null) {
+ session.setAuthType(null);
+ session.setPrincipal(null);
+ session.removeNote(Constants.SESS_USERNAME_NOTE);
+ session.removeNote(Constants.SESS_PASSWORD_NOTE);
+ }
+
+ // Construct a cookie to be returned to the client
+ if (sso == null)
+ return;
+
+ String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
+ if (ssoId != null) {
+ // Update the SSO session with the latest authentication data
+ request.removeNote(Constants.REQ_SSOID_NOTE);
+ sso.deregister(ssoId);
+ }
+
+ }
+
+
// ------------------------------------------------------ Lifecycle Methods
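Review bot: The Javadoc above `unregister` is a copy of the one for `register` — it says the method registers a Principal and sets a cookie, and documents `principal`, `authType`, `username` and `password` parameters the method does not have. It should instead state that the method removes the authentication state `register` established: clear the request's auth type and principal, when `cache` is on also clear the session's principal, auth type and cached username/password notes, and if an SSO valve is present drop the request's SSO note and deregister the SSO session, with `@param` entries for `request` and `response` only. The three inline comments were copied too and describe the opposite of the lines under them; I would change them to `// Clear the authentication information cached in our session, if any`, `// Nothing more to do unless a SingleSignOn valve is present` and `// Deregister the SSO session and forget its id on this request`. One behavioural caveat: the session is only cleared when `cache` is true, whereas the `Request.logout` code this revision removes cleared the session unconditionally — fine if `register` only populates the session under the same flag, but worth confirming.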
Modified: trunk/java/org/apache/catalina/authenticator/Constants.java
===================================================================
--- trunk/java/org/apache/catalina/authenticator/Constants.java 2009-11-13 04:23:25 UTC
(rev 1267)
+++ trunk/java/org/apache/catalina/authenticator/Constants.java 2009-11-13 18:00:41 UTC
(rev 1268)
@@ -28,6 +28,7 @@
public static final String CERT_METHOD = "CLIENT_CERT";
public static final String DIGEST_METHOD = "DIGEST";
public static final String FORM_METHOD = "FORM";
+ public static final String LOGIN_METHOD = "LOGIN";
// User data constraints for transport guarantee
public static final String NONE_TRANSPORT = "NONE";
Modified: trunk/java/org/apache/catalina/connector/Request.java
===================================================================
--- trunk/java/org/apache/catalina/connector/Request.java 2009-11-13 04:23:25 UTC (rev
1267)
+++ trunk/java/org/apache/catalina/connector/Request.java 2009-11-13 18:00:41 UTC (rev
1268)
@@ -3084,32 +3084,23 @@
if (userPrincipal != null) {
throw new
ServletException(sm.getString("coyoteRequest.authFailed"));
}
- // TODO: for JBoss, should always call Authenticator.login instead so that
there's
- // a callback
- Realm realm = context.getRealm();
- userPrincipal = realm.authenticate(username, password);
+ if (context.getAuthenticator() != null) {
+ context.getAuthenticator().login(this, username, password);
+ } else {
+ throw new
ServletException(sm.getString("coyoteRequest.noAuthenticator"));
+ }
if (userPrincipal == null) {
throw new
ServletException(sm.getString("coyoteRequest.authFailed"));
}
- authType = "LOGIN";
- Session session = getSessionInternal(false);
- if (session != null) {
- session.setPrincipal(userPrincipal);
- session.setAuthType(authType);
- }
- // Note: if SSO is needed, AuthenticatorBase.register is needed
}
public void logout() throws ServletException {
- // TODO: for JBoss, should always call Authenticator.logout instead so that
there's
- // a callback
Principal principal = userPrincipal;
- userPrincipal = null;
- authType = null;
- Session session = getSessionInternal(false);
- if (session != null) {
- session.setPrincipal(null);
- session.setAuthType(null);
+ if (context.getAuthenticator() != null) {
+ context.getAuthenticator().logout(this);
+ } else {
+ userPrincipal = null;
+ authType = null;
}
if (principal instanceof GenericPrincipal) {
GenericPrincipal gp = (GenericPrincipal) principal;
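Review bot: `sm.getString("coyoteRequest.noAuthenticator")` in the new `login` fallback introduces a message key, but no LocalStrings properties file appears in this revision's Modified list, so unless the key already exists the exception will carry a missing-resource placeholder instead of a message. The `logout` fallback is also narrower than the code it replaces: with no authenticator configured it now resets only `userPrincipal` and `authType`, while the removed lines also cleared the session's principal and auth type, so a session-bound principal would survive the logout in that configuration — either keep `session.setPrincipal(null); session.setAuthType(null);` (guarded by `getSessionInternal(false) != null`) in the `else` branch or document why the session no longer needs clearing there. The `userPrincipal == null` check after `context.getAuthenticator().login(...)` presumably relies on the authenticator's `register` setting the request principal; if the SSO reauthentication path inside `AuthenticatorBase.login` does not do so, a successful reauth would still surface as `authFailed`. `logout` continues past the end of the hunk.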