public void invoke(Request request, Response response, ValveContext valveContext)
      throws IOException, ServletException {

    SimpleWrapper wrapper = (SimpleWrapper) getContainer();
    ServletRequest sreq = request.getRequest();
    ServletResponse sres = response.getResponse();
    Servlet servlet = null;
    HttpServletRequest hreq = null;
    if (sreq instanceof HttpServletRequest) hreq = (HttpServletRequest) sreq;
    HttpServletResponse hres = null;
    if (sres instanceof HttpServletResponse) hres = (HttpServletResponse) sres;

    // Allocate a servlet instance to process this request
    try {
      servlet = wrapper.allocate();
      if (hres != null && hreq != null) {
        servlet.service(hreq, hres);
      } else {
        servlet.service(sreq, sres);
      }
    } catch (ServletException e) {
    }
  }
  /**
   * Enforce the security restrictions in the web application deployment descriptor of our
   * associated Context.
   *
   * @param request Request to be processed
   * @param response Response to be processed
   * @param context The valve context used to invoke the next valve in the current processing
   *     pipeline
   * @exception IOException if an input/output error occurs
   * @exception ServletException if thrown by a processing element
   */
  public void invoke(Request request, Response response, ValveContext context)
      throws IOException, ServletException {

    // If this is not an HTTP request, do nothing
    if (!(request instanceof HttpRequest) || !(response instanceof HttpResponse)) {
      context.invokeNext(request, response);
      return;
    }
    if (!(request.getRequest() instanceof HttpServletRequest)
        || !(response.getResponse() instanceof HttpServletResponse)) {
      context.invokeNext(request, response);
      return;
    }
    HttpRequest hrequest = (HttpRequest) request;
    HttpResponse hresponse = (HttpResponse) response;
    if (debug >= 1)
      log(
          "Security checking request "
              + ((HttpServletRequest) request.getRequest()).getMethod()
              + " "
              + ((HttpServletRequest) request.getRequest()).getRequestURI());
    LoginConfig config = this.context.getLoginConfig();

    // Have we got a cached authenticated Principal to record?
    if (cache) {
      Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal();
      if (principal == null) {
        Session session = getSession(hrequest);
        if (session != null) {
          principal = session.getPrincipal();
          if (principal != null) {
            if (debug >= 1)
              log(
                  "We have cached auth type "
                      + session.getAuthType()
                      + " for principal "
                      + session.getPrincipal());
            hrequest.setAuthType(session.getAuthType());
            hrequest.setUserPrincipal(principal);
          }
        }
      }
    }

    // Special handling for form-based logins to deal with the case
    // where the login form (and therefore the "j_security_check" URI
    // to which it submits) might be outside the secured area
    String contextPath = this.context.getPath();
    String requestURI = hrequest.getDecodedRequestURI();
    if (requestURI.startsWith(contextPath) && requestURI.endsWith(Constants.FORM_ACTION)) {
      if (!authenticate(hrequest, hresponse, config)) {
        if (debug >= 1) log(" Failed authenticate() test");
        return;
      }
    }

    // Is this request URI subject to a security constraint?
    SecurityConstraint constraint = findConstraint(hrequest);
    if ((constraint == null) /*
									 * && (!Constants.FORM_METHOD.equals(config.
									 * getAuthMethod()))
									 */) {
      if (debug >= 1) log(" Not subject to any constraint");
      context.invokeNext(request, response);
      return;
    }
    if ((debug >= 1) && (constraint != null)) log(" Subject to constraint " + constraint);

    // Make sure that constrained resources are not cached by web proxies
    // or browsers as caching can provide a security hole
    if (!(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
      HttpServletResponse sresponse = (HttpServletResponse) response.getResponse();
      sresponse.setHeader("Pragma", "No-cache");
      sresponse.setHeader("Cache-Control", "no-cache");
      sresponse.setDateHeader("Expires", 1);
    }

    // Enforce any user data constraint for this security constraint
    if (debug >= 1) log(" Calling checkUserData()");
    if (!checkUserData(hrequest, hresponse, constraint)) {
      if (debug >= 1) log(" Failed checkUserData() test");
      // ASSERT: Authenticator already set the appropriate
      // HTTP status code, so we do not have to do anything special
      return;
    }

    // Authenticate based upon the specified login configuration
    if (constraint.getAuthConstraint()) {
      if (debug >= 1) log(" Calling authenticate()");
      if (!authenticate(hrequest, hresponse, config)) {
        if (debug >= 1) log(" Failed authenticate() test");
        // ASSERT: Authenticator already set the appropriate
        // HTTP status code, so we do not have to do anything special
        return;
      }
    }

    // Perform access control based on the specified role(s)
    if (constraint.getAuthConstraint()) {
      if (debug >= 1) log(" Calling accessControl()");
      if (!accessControl(hrequest, hresponse, constraint)) {
        if (debug >= 1) log(" Failed accessControl() test");
        // ASSERT: AccessControl method has already set the appropriate
        // HTTP status code, so we do not have to do anything special
        return;
      }
    }

    // Any and all specified constraints have been satisfied
    if (debug >= 1) log(" Successfully passed all security constraints");
    context.invokeNext(request, response);
  }