/**
* Perform access control based on the specified authorization constraint. Return <code>true
* </code> if this constraint is satisfied and processing should continue, or <code>false</code>
* otherwise.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraint Security constraint we are enforcing
* @exception IOException if an input/output error occurs
*/
protected boolean accessControl(
HttpRequest request, HttpResponse response, SecurityConstraint constraint)
throws IOException {
if (constraint == null) return (true);
// Specifically allow access to the form login and form error pages
// and the "j_security_check" action
LoginConfig config = context.getLoginConfig();
if ((config != null) && (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
String requestURI = request.getDecodedRequestURI();
String loginPage = context.getPath() + config.getLoginPage();
if (loginPage.equals(requestURI)) {
if (debug >= 1) log(" Allow access to login page " + loginPage);
return (true);
}
String errorPage = context.getPath() + config.getErrorPage();
if (errorPage.equals(requestURI)) {
if (debug >= 1) log(" Allow access to error page " + errorPage);
return (true);
}
if (requestURI.endsWith(Constants.FORM_ACTION)) {
if (debug >= 1) log(" Allow access to username/password submission");
return (true);
}
}
// Which user principal have we already authenticated?
Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal();
if (principal == null) {
if (debug >= 2) log(" No user authenticated, cannot grant access");
((HttpServletResponse) response.getResponse())
.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
sm.getString("authenticator.notAuthenticated"));
return (false);
}
// Check each role included in this constraint
Realm realm = context.getRealm();
String roles[] = constraint.findAuthRoles();
if (roles == null) roles = new String[0];
if (constraint.getAllRoles()) return (true);
if ((roles.length == 0) && (constraint.getAuthConstraint())) {
((HttpServletResponse) response.getResponse())
.sendError(HttpServletResponse.SC_FORBIDDEN, sm.getString("authenticator.forbidden"));
return (false); // No listed roles means no access at all
}
for (int i = 0; i < roles.length; i++) {
if (realm.hasRole(principal, roles[i])) return (true);
}
// Return a "Forbidden" message denying access to this resource
((HttpServletResponse) response.getResponse())
.sendError(HttpServletResponse.SC_FORBIDDEN, sm.getString("authenticator.forbidden"));
return (false);
}
/**
* Register an authenticated Principal and authentication type in our request, in the current
* session (if there is one), and with our SingleSignOn valve, if there is one. Set the
* appropriate cookie to be returned.
*
* @param request The servlet request we are processing
* @param response The servlet response we are generating
* @param principal The authenticated Principal to be registered
* @param authType The authentication type to be registered
* @param username Username used to authenticate (if any)
* @param password Password used to authenticate (if any)
*/
protected void register(
HttpRequest request,
HttpResponse response,
Principal principal,
String authType,
String username,
String password) {
if (debug >= 1) log("Authenticated '" + principal.getName() + "' with type '" + authType + "'");
// Cache the authentication information in our request
request.setAuthType(authType);
request.setUserPrincipal(principal);
// Cache the authentication information in our session, if any
if (cache) {
Session session = getSession(request, false);
if (session != null) {
session.setAuthType(authType);
session.setPrincipal(principal);
if (username != null) session.setNote(Constants.SESS_USERNAME_NOTE, username);
else session.removeNote(Constants.SESS_USERNAME_NOTE);
if (password != null) session.setNote(Constants.SESS_PASSWORD_NOTE, password);
else session.removeNote(Constants.SESS_PASSWORD_NOTE);
}
}
// Construct a cookie to be returned to the client
if (sso == null) return;
HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
HttpServletResponse hres = (HttpServletResponse) response.getResponse();
String value = generateSessionId();
Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, value);
cookie.setMaxAge(-1);
cookie.setPath("/");
hres.addCookie(cookie);
// Register this principal with our SSO valve
sso.register(value, principal, authType, username, password);
request.setNote(Constants.REQ_SSOID_NOTE, value);
}
/**
* Enforce any user data constraint required by the security constraint guarding this request URI.
* Return <code>true</code> if this constraint was not violated and processing should continue, or
* <code>false</code> if we have created a response already.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraint Security constraint being checked
* @exception IOException if an input/output error occurs
*/
protected boolean checkUserData(
HttpRequest request, HttpResponse response, SecurityConstraint constraint)
throws IOException {
// Is there a relevant user data constraint?
if (constraint == null) {
if (debug >= 2) log(" No applicable security constraint defined");
return (true);
}
String userConstraint = constraint.getUserConstraint();
if (userConstraint == null) {
if (debug >= 2) log(" No applicable user data constraint defined");
return (true);
}
if (userConstraint.equals(Constants.NONE_TRANSPORT)) {
if (debug >= 2) log(" User data constraint has no restrictions");
return (true);
}
// Validate the request against the user data constraint
if (request.getRequest().isSecure()) {
if (debug >= 2) log(" User data constraint already satisfied");
return (true);
}
// Initialize variables we need to determine the appropriate action
HttpServletRequest hrequest = (HttpServletRequest) request.getRequest();
HttpServletResponse hresponse = (HttpServletResponse) response.getResponse();
int redirectPort = request.getConnector().getRedirectPort();
// Is redirecting disabled?
if (redirectPort <= 0) {
if (debug >= 2) log(" SSL redirect is disabled");
hresponse.sendError(HttpServletResponse.SC_FORBIDDEN, hrequest.getRequestURI());
return (false);
}
// Redirect to the corresponding SSL port
String protocol = "https";
String host = hrequest.getServerName();
StringBuffer file = new StringBuffer(hrequest.getRequestURI());
String requestedSessionId = hrequest.getRequestedSessionId();
if ((requestedSessionId != null) && hrequest.isRequestedSessionIdFromURL()) {
file.append(";jsessionid=");
file.append(requestedSessionId);
}
String queryString = hrequest.getQueryString();
if (queryString != null) {
file.append('?');
file.append(queryString);
}
URL url = null;
try {
url = new URL(protocol, host, redirectPort, file.toString());
if (debug >= 2) log(" Redirecting to " + url.toString());
hresponse.sendRedirect(url.toString());
return (false);
} catch (MalformedURLException e) {
if (debug >= 2) log(" Cannot create new URL", e);
hresponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, hrequest.getRequestURI());
return (false);
}
}