/** * Returns the {@link AuthenticationToken} for the request. * * <p>It looks at the received HTTP cookies and extracts the value of the {@link * AuthenticatedURL#AUTH_COOKIE} if present. It verifies the signature and if correct it creates * the {@link AuthenticationToken} and returns it. * * <p>If this method returns <code>null</code> the filter will invoke the configured {@link * AuthenticationHandler} to perform user authentication. * * @param request request object. * @return the Authentication token if the request is authenticated, <code>null</code> otherwise. * @throws IOException thrown if an IO error occurred. * @throws AuthenticationException thrown if the token is invalid or if it has expired. */ protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException { AuthenticationToken token = null; String tokenStr = null; Cookie[] cookies = request.getCookies(); if (cookies != null) { for (Cookie cookie : cookies) { if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) { tokenStr = cookie.getValue(); try { tokenStr = signer.verifyAndExtract(tokenStr); } catch (SignerException ex) { throw new AuthenticationException(ex); } break; } } } if (tokenStr != null) { token = AuthenticationToken.parse(tokenStr); if (!token.getType().equals(authHandler.getType())) { throw new AuthenticationException("Invalid AuthenticationToken type"); } if (token.isExpired()) { throw new AuthenticationException("AuthenticationToken expired"); } } return token; }