/** * Perform form authentication. Called from SecurityHandler. * * @return UserPrincipal if authenticated else null. */ public Principal authenticate( UserRealm realm, String pathInContext, HttpRequest httpRequest, HttpResponse httpResponse) throws IOException { HttpServletRequest request = (ServletHttpRequest) httpRequest.getWrapper(); HttpServletResponse response = httpResponse == null ? null : (HttpServletResponse) httpResponse.getWrapper(); // Handle paths String uri = pathInContext; // Setup session HttpSession session = request.getSession(response != null); if (session == null) return null; // Handle a request for authentication. if (uri.substring(uri.lastIndexOf("/") + 1).startsWith(__J_SECURITY_CHECK)) { // Check the session object for login info. FormCredential form_cred = new FormCredential(); form_cred.authenticate( realm, request.getParameter(__J_USERNAME), request.getParameter(__J_PASSWORD), httpRequest); String nuri = (String) session.getAttribute(__J_URI); if (nuri == null || nuri.length() == 0) { nuri = request.getContextPath(); if (nuri.length() == 0) nuri = "/"; } if (form_cred._userPrincipal != null) { // Authenticated OK if (log.isDebugEnabled()) log.debug("Form authentication OK for " + form_cred._jUserName); session.removeAttribute(__J_URI); // Remove popped return URI. httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH); httpRequest.setAuthUser(form_cred._jUserName); httpRequest.setUserPrincipal(form_cred._userPrincipal); session.setAttribute(__J_AUTHENTICATED, form_cred); // Sign-on to SSO mechanism if (realm instanceof SSORealm) { ((SSORealm) realm) .setSingleSignOn( httpRequest, httpResponse, form_cred._userPrincipal, new Password(form_cred._jPassword)); } // Redirect to original request if (response != null) { response.setContentLength(0); response.sendRedirect(response.encodeRedirectURL(nuri)); } } else if (response != null) { if (log.isDebugEnabled()) log.debug("Form authentication FAILED for " + form_cred._jUserName); if (_formErrorPage != null) { response.setContentLength(0); response.sendRedirect( response.encodeRedirectURL(URI.addPaths(request.getContextPath(), _formErrorPage))); } else { response.sendError(HttpResponse.__403_Forbidden); } } // Security check is always false, only true after final redirection. return null; } // Check if the session is already authenticated. FormCredential form_cred = (FormCredential) session.getAttribute(__J_AUTHENTICATED); if (form_cred != null) { // We have a form credential. Has it been distributed? if (form_cred._userPrincipal == null) { // This form_cred appears to have been distributed. Need to reauth form_cred.authenticate(realm, httpRequest); // Sign-on to SSO mechanism if (form_cred._userPrincipal != null && realm instanceof SSORealm) { ((SSORealm) realm) .setSingleSignOn( httpRequest, httpResponse, form_cred._userPrincipal, new Password(form_cred._jPassword)); } } else if (!realm.reauthenticate(form_cred._userPrincipal)) // Else check that it is still authenticated. form_cred._userPrincipal = null; // If this credential is still authenticated if (form_cred._userPrincipal != null) { if (log.isDebugEnabled()) log.debug("FORM Authenticated for " + form_cred._userPrincipal.getName()); httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH); httpRequest.setAuthUser(form_cred._userPrincipal.getName()); httpRequest.setUserPrincipal(form_cred._userPrincipal); return form_cred._userPrincipal; } else session.setAttribute(__J_AUTHENTICATED, null); } else if (realm instanceof SSORealm) { // Try a single sign on. Credential cred = ((SSORealm) realm).getSingleSignOn(httpRequest, httpResponse); if (httpRequest.hasUserPrincipal()) { form_cred = new FormCredential(); form_cred._userPrincipal = request.getUserPrincipal(); form_cred._jUserName = form_cred._userPrincipal.getName(); if (cred != null) form_cred._jPassword = cred.toString(); if (log.isDebugEnabled()) log.debug("SSO for " + form_cred._userPrincipal); httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH); session.setAttribute(__J_AUTHENTICATED, form_cred); return form_cred._userPrincipal; } } // Don't authenticate authform or errorpage if (isLoginOrErrorPage(pathInContext)) return SecurityConstraint.__NOBODY; // redirect to login page if (response != null) { if (httpRequest.getQuery() != null) uri += "?" + httpRequest.getQuery(); session.setAttribute( __J_URI, request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + URI.addPaths(request.getContextPath(), uri)); response.setContentLength(0); response.sendRedirect( response.encodeRedirectURL(URI.addPaths(request.getContextPath(), _formLoginPage))); } return null; }
/** * Creates an new request for the app server from an HTTP request. * * @param request HTTP request to create * @return the request */ public AppRequest createRequest(HttpRequest request) { return createRequest(request, request.getHost(), request.getURI()); }