* javax.servlet.http.HttpServletResponse, int)
*/
public void handle(String target, HttpServletRequest request, HttpServletResponse response, int dispatch) throws IOException, ServletException
{
Request base_request=(request instanceof Request)?(Request)request:HttpConnection.getCurrentConnection().getRequest();
Response base_response=(response instanceof Response)?(Response)response:HttpConnection.getCurrentConnection().getResponse();
String pathInContext=target;
String user=null;
String password=null;
boolean IPValid=true;
if (log.isDebugEnabled())
log.debug("HTAccessHandler pathInContext="+pathInContext,null,null);
String credentials=request.getHeader(HttpHeaders.AUTHORIZATION);
if (credentials!=null)
{
credentials=credentials.substring(credentials.indexOf(' ')+1);
credentials=B64Code.decode(credentials,StringUtil.__ISO_8859_1);
int i=credentials.indexOf(':');
user=credentials.substring(0,i);
password=credentials.substring(i+1);
if (log.isDebugEnabled())
log.debug("User="+user+", password="+"******************************".substring(0,password.length()),null,null);
}
HTAccess ht=null;
try
{
Resource resource=null;
String directory=pathInContext.endsWith("/")?pathInContext:URIUtil.parentPath(pathInContext);
// Look for htAccess resource
while (directory!=null)
{
String htPath=directory+_accessFile;
resource=((ContextHandler)getProtegee()).getResource(htPath);
if (log.isDebugEnabled())
log.debug("directory="+directory+" resource="+resource,null,null);
if (resource!=null&&resource.exists()&&!resource.isDirectory())
break;
resource=null;
directory=URIUtil.parentPath(directory);
}
boolean haveHtAccess=true;
// Try default directory
if (resource==null&&_default!=null)
{
resource=Resource.newResource(_default);
if (!resource.exists()||resource.isDirectory())
haveHtAccess=false;
}
if (resource==null)
haveHtAccess=false;
// prevent access to htaccess files
if (pathInContext.endsWith(_accessFile)
// extra security
||pathInContext.endsWith(_accessFile+"~")||pathInContext.endsWith(_accessFile+".bak"))
{
response.sendError(HttpServletResponse.SC_FORBIDDEN);
base_request.setHandled(true);
return;
}
if (haveHtAccess)
{
if (log.isDebugEnabled())
log.debug("HTACCESS="+resource,null,null);
ht=(HTAccess)_htCache.get(resource);
if (ht==null||ht.getLastModified()!=resource.lastModified())
{
ht=new HTAccess(resource);
_htCache.put(resource,ht);
if (log.isDebugEnabled())
log.debug("HTCache loaded "+ht,null,null);
}
// See if there is a config problem
if (ht.isForbidden())
{
log.warn("Mis-configured htaccess: "+ht,null,null);
response.sendError(HttpServletResponse.SC_FORBIDDEN);
base_request.setHandled(true);
return;
}
// first see if we need to handle based on method type
Map methods=ht.getMethods();
if (methods.size()>0&&!methods.containsKey(request.getMethod()))
return; // Nothing to check
// Check the access
int satisfy=ht.getSatisfy();
// second check IP address
IPValid=ht.checkAccess("",request.getRemoteAddr());
if (log.isDebugEnabled())
log.debug("IPValid = "+IPValid,null,null);
// If IP is correct and satisfy is ANY then access is allowed
if (IPValid==true&&satisfy==HTAccess.ANY)
return;
// If IP is NOT correct and satisfy is ALL then access is
// forbidden
if (IPValid==false&&satisfy==HTAccess.ALL)
{
response.sendError(HttpServletResponse.SC_FORBIDDEN);
base_request.setHandled(true);
return;
}
// set required page
if (!ht.checkAuth(user,password,getUserRealm(),base_request))
{
log.debug("Auth Failed",null,null);
response.setHeader(HttpHeaders.WWW_AUTHENTICATE,"basic realm="+ht.getName());
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
base_response.complete();
base_request.setHandled(true);
return;
}
// set user