/**
 * Looks up a cached authentication for a non-UI request.
 *
 * <p>The cache key combines the value returned by {@code authFilter.getCacheKey(request)} with the
 * request's remote address. UI requests never get a cached authentication; this guards the case
 * where the same user reaches Artifactory both from an external tool and from the UI.
 *
 * <p>NOTE(review): {@code getRemoteAddr()} is the address of the immediate peer. Behind a reverse
 * proxy or NAT, different clients present the same address, so the address part of the key does
 * not tell them apart. Confirm how the deployment resolves client addresses.
 *
 * @param request the incoming HTTP request
 * @return {@code null} for a UI request, otherwise whatever {@code nonUiAuthCache} holds for the
 *     key (callers treat {@code null} as a cache miss)
 */
private Authentication getNonUiCachedAuthentication(HttpServletRequest request) {
  // The key is computed first; the UI check only decides whether it is used for a lookup.
  AuthCacheKey lookupKey =
      new AuthCacheKey(authFilter.getCacheKey(request), request.getRemoteAddr());
  if (RequestUtils.isUiRequest(request)) {
    return null;
  }
  return nonUiAuthCache.get(lookupKey);
}
/**
 * Serves the request as the anonymous user when that is permitted, otherwise challenges the
 * client or passes the request down the chain.
 *
 * <p>Anonymous handling is used when anonymous access is enabled or when {@code authInterceptors}
 * accepts the request. In that case a cached authentication is reused if one exists; otherwise an
 * anonymous token is authenticated through the bean named {@code "authenticationManager"} and,
 * for non-UI requests, stored in {@code nonUiAuthCache}.
 *
 * <p>When anonymous handling is not permitted, {@code authFilter.commence} is invoked if the
 * filter accepts the entry; otherwise the chain simply continues.
 *
 * <p>NOTE(review): a cache hit is handed to {@code useAuthentication} as-is. Unlike {@code
 * authenticateAndExecute}, this path neither re-checks {@code isAuthenticated()} nor verifies
 * that the cached principal is the anonymous user. Presumably callers only route requests without
 * credentials here; confirm against the caller.
 *
 * @param request the incoming HTTP request
 * @param response the HTTP response
 * @param chain the remaining filter chain
 * @param securityContext the security context passed on to {@code useAuthentication}
 * @throws IOException propagated from the chain or from the authentication entry point
 * @throws ServletException propagated from the chain or from the authentication entry point
 */
@SuppressWarnings({"ThrowableInstanceNeverThrown"})
private void useAnonymousIfPossible(
    HttpServletRequest request,
    HttpServletResponse response,
    FilterChain chain,
    SecurityContext securityContext)
    throws IOException, ServletException {
  // Short-circuit is kept: the interceptors are consulted only when anonymous access is off.
  boolean anonymousAllowed =
      context.getAuthorizationService().isAnonAccessEnabled() || authInterceptors.accept(request);

  if (!anonymousAllowed) {
    if (!authFilter.acceptEntry(request)) {
      log.debug("No filter or entry just chain");
      chain.doFilter(request, response);
      return;
    }
    log.debug("Sending request requiring authentication");
    authFilter.commence(
        request, response, new InsufficientAuthenticationException("Authentication is required"));
    return;
  }

  log.debug("Using anonymous");
  Authentication resolved = getNonUiCachedAuthentication(request);
  if (resolved != null) {
    log.debug("Using cached anonymous authentication");
  } else {
    log.debug("Creating the Anonymous token");
    final UsernamePasswordAuthenticationToken anonymousToken =
        new UsernamePasswordAuthenticationToken(UserInfo.ANONYMOUS, "");
    AuthenticationDetailsSource detailsSource = new HttpAuthenticationDetailsSource();
    //noinspection unchecked
    anonymousToken.setDetails(detailsSource.buildDetails(request));
    // Explicitly ask for the default spring authentication manager by name (there is another one
    // which is only used by the basic authentication filter).
    AuthenticationManager defaultManager =
        context.beanForType("authenticationManager", AuthenticationManager.class);
    resolved = defaultManager.authenticate(anonymousToken);

    boolean cacheable =
        resolved != null && resolved.isAuthenticated() && !RequestUtils.isUiRequest(request);
    if (cacheable) {
      // Same key shape as the lookup: filter cache key plus remote address.
      AuthCacheKey storeKey =
          new AuthCacheKey(authFilter.getCacheKey(request), request.getRemoteAddr());
      nonUiAuthCache.put(storeKey, resolved);
      log.debug("Added anonymous authentication {} to cache", resolved);
    }
  }
  useAuthentication(request, response, chain, resolved, securityContext);
}
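/**
 * Authenticates the request, reusing a cached authentication when one is still valid, and runs
 * the rest of the chain.
 *
 * <p>A cached authentication is used only if it is authenticated and {@code
 * reAuthenticationRequired} does not ask for a fresh login. Otherwise {@code authFilter} handles
 * the request. Afterwards, any authenticated result found in {@code securityContext} is recorded
 * via {@code addToUserChange} and stored either in the HTTP session or, failing that, in {@code
 * nonUiAuthCache}.
 *
 * <p>The security context is cleared in a nested {@code finally}, so an exception thrown while
 * storing the authentication cannot leave an authenticated context behind.
 *
 * @param request the incoming HTTP request
 * @param response the HTTP response
 * @param chain the remaining filter chain
 * @param securityContext the context read after the filter ran and cleared before returning
 * @throws IOException propagated from the filter or the chain
 * @throws ServletException propagated from the filter or the chain
 */
private void authenticateAndExecute(
    HttpServletRequest request,
    HttpServletResponse response,
    FilterChain chain,
    SecurityContext securityContext)
    throws IOException, ServletException {
  // Try the cache first; it is keyed on the hashed header and the client IP.
  Authentication authentication = getNonUiCachedAuthentication(request);
  if (authentication != null
      && authentication.isAuthenticated()
      && !reAuthenticationRequired(request, authentication)) {
    log.debug("Header authentication {} found in cache.", authentication);
    useAuthentication(request, response, chain, authentication, securityContext);
    // Add to user change cache the login state
    addToUserChange(authentication);
    return;
  }
  try {
    authFilter.doFilter(request, response, chain);
  } finally {
    try {
      Authentication newAuthentication = securityContext.getAuthentication();
      if (newAuthentication != null && newAuthentication.isAuthenticated()) {
        // Add to user change cache the login state
        addToUserChange(newAuthentication);
        // Save authentication like in Wicket Session (if session exists)
        if (RequestUtils.setAuthentication(request, newAuthentication, false)) {
          log.debug("Added authentication {} in Http session.", newAuthentication);
        } else {
          // If it did not work use the header cache.
          // A cache key with no header can only be used for Anonymous authentication, and a key
          // with a header only for a named user; any other pairing is never cached.
          AuthCacheKey authCacheKey =
              new AuthCacheKey(authFilter.getCacheKey(request), request.getRemoteAddr());
          String username = newAuthentication.getName();
          boolean anonymousUser = UserInfo.ANONYMOUS.equals(username);
          if (anonymousUser == authCacheKey.hasEmptyHeader()) {
            nonUiAuthCache.put(authCacheKey, newAuthentication);
            // NOTE(review): presumably addToUserChange above created the entry for this
            // username; if get() can return null, the cached authentication stays stored but
            // is not registered under the user - verify.
            userChangedCache.get(username).addAuthCacheKey(authCacheKey);
            log.debug("Added authentication {} in cache.", newAuthentication);
          }
        }
      }
    } finally {
      // Runs even when the bookkeeping above throws, so the context never keeps the
      // authentication past this request.
      securityContext.setAuthentication(null);
    }
  }
}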