Package winstone.auth

Source Code of winstone.auth.BaseAuthenticationHandler

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
/*
* Copyright 2003-2006 Rick Knowles <winstone-devel at lists sourceforge net>
* Distributed under the terms of either:
* - the common development and distribution license (CDDL), v1.0; or
* - the GNU Lesser General Public License, v2.1 or later
*/
package winstone.auth;

import java.io.IOException;
import java.util.List;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.w3c.dom.Node;

import winstone.AuthenticationHandler;
import winstone.AuthenticationRealm;
import winstone.Logger;
import winstone.WebAppConfiguration;
import winstone.WinstoneResourceBundle;

/**
* Base class for managers of authentication within Winstone. This class also
* acts as a factory, loading the appropriate subclass for the requested auth
* type.
*
* @author mailto: <a href="rick_knowles@hotmail.com">Rick Knowles</a>
* @version $Id: BaseAuthenticationHandler.java,v 1.6 2006/02/28 07:32:47 rickknowles Exp $
*/
public abstract class BaseAuthenticationHandler implements
        AuthenticationHandler {
    static final String ELEM_REALM_NAME = "realm-name";
   
    protected SecurityConstraint constraints[];
    protected AuthenticationRealm realm;
    protected String realmName;
    public final static WinstoneResourceBundle AUTH_RESOURCES = new WinstoneResourceBundle("winstone.auth.LocalStrings");

    /**
     * Factory method - this parses the web.xml nodes and builds the correct
     * subclass for handling that auth type.
     */
    protected BaseAuthenticationHandler(Node loginConfigNode,
            List constraintNodes, Set rolesAllowed,
            AuthenticationRealm realm) {
        this.realm = realm;

        for (int m = 0; m < loginConfigNode.getChildNodes().getLength(); m++) {
            Node loginElm = loginConfigNode.getChildNodes().item(m);
            if (loginElm.getNodeType() != Node.ELEMENT_NODE)
                continue;
            else if (loginElm.getNodeName().equals(ELEM_REALM_NAME))
                realmName = WebAppConfiguration.getTextFromNode(loginElm);
        }

        // Build security constraints
        this.constraints = new SecurityConstraint[constraintNodes.size()];
        for (int n = 0; n < constraints.length; n++)
            this.constraints[n] = new SecurityConstraint((Node) constraintNodes
                    .get(n), rolesAllowed, n);
    }

    /**
     * Evaluates any authentication constraints, intercepting if auth is
     * required. The relevant authentication handler subclass's logic is used to
     * actually authenticate.
     *
     * @return A boolean indicating whether to continue after this request
     */
    public boolean processAuthentication(ServletRequest inRequest,
            ServletResponse inResponse, String pathRequested)
            throws IOException, ServletException {
        Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES,
                "BaseAuthenticationHandler.StartAuthCheck");

        HttpServletRequest request = (HttpServletRequest) inRequest;
        HttpServletResponse response = (HttpServletResponse) inResponse;

        // Give previous attempts a chance to be validated
        if (!validatePossibleAuthenticationResponse(request, response, pathRequested)) {
            return false;
        } else {
            return doRoleCheck(request, response, pathRequested);
        }
    }

    protected boolean doRoleCheck(HttpServletRequest request,
            HttpServletResponse response, String pathRequested)
            throws IOException, ServletException {
        // Loop through constraints
        boolean foundApplicable = false;
        for (int n = 0; (n < this.constraints.length) && !foundApplicable; n++) {
            Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES,
                    "BaseAuthenticationHandler.EvalConstraint",
                    this.constraints[n].getName());

            // Find one that applies, then
            if (this.constraints[n].isApplicable(pathRequested, request.getMethod())) {
                Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES,
                        "BaseAuthenticationHandler.ApplicableConstraint",
                        this.constraints[n].getName());
                foundApplicable = true;

                if (this.constraints[n].needsSSL() && !request.isSecure()) {
                    Logger.log(Logger.DEBUG, AUTH_RESOURCES,
                            "BaseAuthenticationHandler.ConstraintNeedsSSL",
                            this.constraints[n].getName());
                    response.sendError(HttpServletResponse.SC_FORBIDDEN,
                            AUTH_RESOURCES.getString("BaseAuthenticationHandler.ConstraintNeedsSSL",
                                    this.constraints[n].getName()));
                    return false;
                }

                else if (!this.constraints[n].isAllowed(request)) {
                    // Logger.log(Logger.FULL_DEBUG, "Not allowed - requesting auth");
                    requestAuthentication(request, response, pathRequested);
                    return false;
                } else {
                    // Logger.log(Logger.FULL_DEBUG, "Allowed - authorization accepted");
                    // Ensure that secured resources are not cached
                    setNoCache(response);
                }
            }
        }
       
        // If we made it this far without a check being run, there must be none applicable
        Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES, "BaseAuthenticationHandler.PassedAuthCheck");
        return true;
    }
   
    protected void setNoCache(HttpServletResponse response) {
        response.setHeader("Pragma", "No-cache");
        response.setHeader("Cache-Control", "No-cache");
        response.setDateHeader("Expires", 1);
    }

    /**
     * The actual auth request implementation.
     */
    protected abstract void requestAuthentication(HttpServletRequest request,
            HttpServletResponse response, String pathRequested)
            throws IOException, ServletException;

    /**
     * Handling the (possible) response
     */
    protected abstract boolean validatePossibleAuthenticationResponse(
            HttpServletRequest request, HttpServletResponse response,
            String pathRequested) throws ServletException, IOException;
}
TOP

Related Classes of winstone.auth.BaseAuthenticationHandler

  • javax.servlet.http.HttpServletResponse
  • org.w3c.dom.Node
  • javax.servlet.http.HttpServletRequest
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.