HttpServletRequest req = (HttpServletRequest) request.getRequest();
HttpServletResponse res = (HttpServletResponse) response.getResponse();
Subject subject = new Subject();
MessageInfo messageInfo = new HttpMessageInfo(req, res);
boolean rvalue = false;
boolean isMandatory = true;
try {
WebSecurityManager webSecMgr = getWebSecurityManager(true);
isMandatory = !webSecMgr.permitAll(req);
//Issue - 9578 - produce user challenge if call originates from HttpRequest.authenticate
if (isMandatory || calledFromAuthenticate) {
messageInfo.getMap().put(HttpServletConstants.IS_MANDATORY,
Boolean.TRUE.toString());
}
ServerAuthContext sAC =
helper.getServerAuthContext(messageInfo,
null); // null serviceSubject
if (sAC != null) {
AuthStatus authStatus =
sAC.validateRequest(messageInfo, subject,
null); // null serviceSubject
rvalue = AuthStatus.SUCCESS.equals(authStatus);
if (rvalue) { // cache it only if validateRequest = true
messageInfo.getMap().put(SERVER_AUTH_CONTEXT, sAC);
req.setAttribute(MESSAGE_INFO, messageInfo);
}
} else {
throw new AuthException("null ServerAuthContext");
}
} catch (AuthException ae) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE,
"JMAC: http msg authentication fail", ae);
}
res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
if (rvalue) {
Set<Principal> principalSet = subject.getPrincipals();
// must be at least one new principal to establish
// non-default security context
if (principalSet != null && !principalSet.isEmpty() &&
!principalSetContainsOnlyAnonymousPrincipal(principalSet)) {
SecurityContext ctx = new SecurityContext(subject);
//XXX assuming no null principal here
Principal p = ctx.getCallerPrincipal();
WebPrincipal wp = new WebPrincipal(p, ctx);
try {
//XXX Keep it for reference
/*
if (this.sAC.managesSessions(sharedState)) {
// registration (via proxy) does not occur
// if context manages sessions
// record authentication information in the request
request.setAuthType(PROXY_AUTH_TYPE);
request.setUserPrincipal(wp);
} else {
AuthenticatorProxy proxy =
new AuthenticatorProxy(authenticator,wp);
proxy.authenticate(request,response,config);
}
*/
String authType = (String) messageInfo.getMap().get(
HttpServletConstants.AUTH_TYPE);
boolean register = messageInfo.getMap().containsKey(
HttpServletConstants.REGISTER_WITH_AUTHENTICATOR);
if (authType == null && config != null &&
config.getAuthMethod() != null) {
authType = config.getAuthMethod();
}
if (register) {
AuthenticatorProxy proxy = new AuthenticatorProxy(authenticator, wp, authType);
proxy.authenticate(request, response, config);
} else {
request.setAuthType((authType == null) ? PROXY_AUTH_TYPE : authType);
request.setUserPrincipal(wp);
}
} catch (LifecycleException le) {
_logger.log(Level.SEVERE, "[Web-Security] unable to register session", le);
}
HttpServletRequest newRequest = (HttpServletRequest) messageInfo.getRequestMessage();
if (newRequest != req) {
request.setNote(Globals.WRAPPED_REQUEST,
new HttpRequestWrapper(request, newRequest));
}
HttpServletResponse newResponse = (HttpServletResponse) messageInfo.getResponseMessage();
if (newResponse != res) {
request.setNote(Globals.WRAPPED_RESPONSE,
new HttpResponseWrapper(response, newResponse));
}