diff options
| author | Greg Wilkins | 2009-08-03 08:54:41 +0000 |
|---|---|---|
| committer | Greg Wilkins | 2009-08-03 08:54:41 +0000 |
| commit | 6e4f53cc3d04e6bb8bb68cb1f1c349b3212f2634 (patch) | |
| tree | f03de6474174e3fd3b9eb623228619b875c43f21 /jetty-security/src/main/java | |
| parent | ff0450e1b8fc8b42c7a15e153c30e60a8624a10e (diff) | |
| download | org.eclipse.jetty.project-6e4f53cc3d04e6bb8bb68cb1f1c349b3212f2634.tar.gz org.eclipse.jetty.project-6e4f53cc3d04e6bb8bb68cb1f1c349b3212f2634.tar.xz org.eclipse.jetty.project-6e4f53cc3d04e6bb8bb68cb1f1c349b3212f2634.zip | |
improved deferred authentication handling and fixed test harnesses
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@623 7e9141cc-0065-0410-87d8-b60c137991c4
Diffstat (limited to 'jetty-security/src/main/java')
19 files changed, 291 insertions, 459 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java index 09a9ca5b2d..271fa933d8 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java @@ -63,16 +63,6 @@ public interface Authenticator Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException; /* ------------------------------------------------------------ */ - /** Ask Authenticator if authentication is mandatory for a specific request. - * This allows authenticators like FORM authentication to be called for specific requests like j_security_check, - * even if there is not constraint. - * - * @param request - * @return - */ - boolean isMandatory(ServletRequest request); - - /* ------------------------------------------------------------ */ /** * @param request * @param response @@ -94,7 +84,6 @@ public interface Authenticator { String getAuthMethod(); String getRealmName(); - boolean isLazy(); String getInitParameter(String key); Set<String> getInitParameterNames(); LoginService getLoginService(); diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java index 1b15e5628b..d495e0146f 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java @@ -250,14 +250,13 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException { if (constraintInfo == null) - { return true; - } + RoleInfo roleInfo = (RoleInfo)constraintInfo; if (roleInfo.isForbidden()) - { return false; - } + + UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint(); if (dataConstraint == null || dataConstraint == UserDataConstraint.None) { @@ -277,8 +276,11 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr url += "?" + request.getQueryString(); response.setContentLength(0); response.sendRedirect(url); - request.setHandled(true); } + else + response.sendError(Response.SC_FORBIDDEN,"!Integral"); + + request.setHandled(true); return false; } else if (dataConstraint == UserDataConstraint.Confidential) @@ -295,8 +297,11 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr response.setContentLength(0); response.sendRedirect(url); - request.setHandled(true); } + else + response.sendError(Response.SC_FORBIDDEN,"!Confidential"); + + request.setHandled(true); return false; } else diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java index 9cf0db0878..290ae6b0d1 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java @@ -21,8 +21,6 @@ import org.eclipse.jetty.security.authentication.BasicAuthenticator; import org.eclipse.jetty.security.authentication.ClientCertAuthenticator; import org.eclipse.jetty.security.authentication.DigestAuthenticator; import org.eclipse.jetty.security.authentication.FormAuthenticator; -import org.eclipse.jetty.security.authentication.DeferredAuthenticator; -import org.eclipse.jetty.security.authentication.SessionCachingAuthenticator; import org.eclipse.jetty.server.Server; /* ------------------------------------------------------------ */ @@ -56,13 +54,10 @@ public class DefaultAuthenticatorFactory implements Authenticator.Factory else if (Constraint.__DIGEST_AUTH.equalsIgnoreCase(auth)) authenticator=new DigestAuthenticator(); else if (Constraint.__FORM_AUTH.equalsIgnoreCase(auth)) - authenticator=new SessionCachingAuthenticator(new FormAuthenticator()); + authenticator=new FormAuthenticator(); if (Constraint.__CERT_AUTH.equalsIgnoreCase(auth)||Constraint.__CERT_AUTH2.equalsIgnoreCase(auth)) authenticator=new ClientCertAuthenticator(); - if (configuration.isLazy() && authenticator!=null) - authenticator=new DeferredAuthenticator(authenticator); - return authenticator; } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java index d9372bd456..31e21af15a 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java @@ -129,7 +129,6 @@ public class HashLoginService extends MappedLoginService @Override protected UserIdentity loadUser(String username) { - // TODO Auto-generated method stub return null; } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java index ee2810fe73..06e51c8136 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java @@ -213,7 +213,6 @@ public class JDBCLoginService extends MappedLoginService return super.login(username,credentials); } - /* ------------------------------------------------------------ */ @Override protected void loadUsers() diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java index 9c1378c875..fbd53a7a6f 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java @@ -26,10 +26,39 @@ import org.eclipse.jetty.server.UserIdentity; */ public interface LoginService { + + /* ------------------------------------------------------------ */ + /** + * @return Get the name of the login service (aka Realm name) + */ String getName(); + + /* ------------------------------------------------------------ */ + /** Login a user. + * @param username The user name + * @param credentials The users credentials + * @return A UserIdentity if the credentials matched, otherwise null + */ UserIdentity login(String username,Object credentials); - void logout(UserIdentity user); + /* ------------------------------------------------------------ */ + /** Validate a user identity. + * Validate that a UserIdentity previously created by a call + * to {@link #login(String, Object)} is still valid. + * @param user The user to validate + * @return true if authentication has not been revoked for the user. + */ + boolean validate(UserIdentity user); + + /* ------------------------------------------------------------ */ + /** Get the IdentityService associated with this Login Service. + * @return the IdentityService associated with this Login Service. + */ IdentityService getIdentityService(); + + /* ------------------------------------------------------------ */ + /** Set the IdentityService associated with this Login Service. + * @param service the IdentityService associated with this Login Service. + */ void setIdentityService(IdentityService service); } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java index 551a531151..1978e5bec9 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java @@ -179,7 +179,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo UserIdentity identity=_identityService.newUserIdentity(subject,userPrincipal,roles); _users.put(userName,identity); return identity; - } + } + + /* ------------------------------------------------------------ */ + public void removeUser(String username) + { + _users.remove(username); + } /* ------------------------------------------------------------ */ /** @@ -202,9 +208,15 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo } /* ------------------------------------------------------------ */ - public void logout(UserIdentity user) + public boolean validate(UserIdentity user) { - // TODO maybe clear cache? + if (_users.containsKey(user.getUserPrincipal().getName())) + return true; + + if (loadUser(user.getUserPrincipal().getName())!=null) + return true; + + return false; } /* ------------------------------------------------------------ */ diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java index 7f984f6b7b..f8dc21decd 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java @@ -25,7 +25,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.eclipse.jetty.security.authentication.DeferredAuthenticator.DeferredAuthentication; +import org.eclipse.jetty.security.authentication.DeferredAuthentication; import org.eclipse.jetty.server.Authentication; import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.HttpConnection; @@ -57,7 +57,6 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti private boolean _checkWelcomeFiles = false; private Authenticator _authenticator; private Authenticator.Factory _authenticatorFactory=new DefaultAuthenticatorFactory(); - private boolean _isLazy=true; private String _realmName; private String _authMethod; private final Map<String,String> _initParameters=new HashMap<String,String>(); @@ -153,27 +152,6 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti /* ------------------------------------------------------------ */ /** - * @return the isLazy - */ - public boolean isLazy() - { - return _isLazy; - } - - /* ------------------------------------------------------------ */ - /** - * @param isLazy the isLazy to set - * @throws IllegalStateException if the SecurityHandler is running - */ - public void setLazy(boolean isLazy) - { - if (isRunning()) - throw new IllegalStateException("running"); - _isLazy = isLazy; - } - - /* ------------------------------------------------------------ */ - /** * @return the realmName */ public String getRealmName() @@ -421,7 +399,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti { if (!baseRequest.isHandled()) { - response.sendError(Response.SC_FORBIDDEN,"!data constraint"); + response.sendError(Response.SC_FORBIDDEN); baseRequest.setHandled(true); } return; @@ -429,8 +407,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti // is Auth mandatory? boolean isAuthMandatory = - isAuthMandatory(baseRequest, base_response, constraintInfo) || - authenticator.isMandatory(request); + isAuthMandatory(baseRequest, base_response, constraintInfo); // check authentication Object previousIdentity = null; @@ -472,8 +449,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti } else if (authentication instanceof Authentication.Deferred) { - DeferredAuthentication lazy= (DeferredAuthentication)authentication; - lazy.setIdentityService(_identityService); + DeferredAuthentication deferred= (DeferredAuthentication)authentication; + deferred.setIdentityService(_identityService); baseRequest.setAuthentication(authentication); try @@ -482,9 +459,10 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti } finally { - previousIdentity = lazy.getPreviousAssociation(); - lazy.setIdentityService(null); + previousIdentity = deferred.getPreviousAssociation(); + deferred.setIdentityService(null); } + Authentication auth=baseRequest.getAuthentication(); if (auth instanceof Authentication.User) { diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java index c3355c9a70..27d7c280eb 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java @@ -13,7 +13,6 @@ package org.eclipse.jetty.security; -import org.eclipse.jetty.security.authentication.DelegateAuthenticator; import org.eclipse.jetty.security.authentication.LoginAuthenticator; import org.eclipse.jetty.server.Authentication; import org.eclipse.jetty.server.UserIdentity; @@ -51,23 +50,16 @@ public class UserAuthentication implements Authentication.User public void logout() { - Authenticator authenticator = _authenticator; - while (true) + final Authenticator authenticator = _authenticator; + if (authenticator instanceof LoginAuthenticator) { - if (authenticator instanceof LoginAuthenticator) - { - ((LoginAuthenticator)authenticator).getLoginService().logout(this.getUserIdentity()); - break; - } - else if (authenticator instanceof DelegateAuthenticator) - { - authenticator=((DelegateAuthenticator)authenticator).getDelegate(); - } - else - break; + IdentityService id_service=((LoginAuthenticator)authenticator).getLoginService().getIdentityService(); + if (id_service!=null) + id_service.disassociate(null); // TODO provide the previous value } } + @Override public String toString() { return "{Auth,"+getAuthMethod()+","+_userIdentity+"}"; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java index 8032419a55..160564b816 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java @@ -64,6 +64,9 @@ public class BasicAuthenticator extends LoginAuthenticator try { + if (!mandatory) + return _deferred; + if (credentials != null) { credentials = credentials.substring(credentials.indexOf(' ')+1); @@ -77,13 +80,12 @@ public class BasicAuthenticator extends LoginAuthenticator return new UserAuthentication(this,user); } - if (mandatory) - { - response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "basic realm=\"" + _loginService.getName() + '"'); - response.sendError(HttpServletResponse.SC_UNAUTHORIZED); - return Authentication.SEND_CONTINUE; - } - return credentials==null?Authentication.NOT_CHECKED:Authentication.UNAUTHENTICATED; + if (_deferred.isDeferred(response)) + return Authentication.UNAUTHENTICATED; + + response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "basic realm=\"" + _loginService.getName() + '"'); + response.sendError(HttpServletResponse.SC_UNAUTHORIZED); + return Authentication.SEND_CONTINUE; } catch (IOException e) { @@ -91,7 +93,6 @@ public class BasicAuthenticator extends LoginAuthenticator } } - // TODO most likely validatedUser is not needed here ?? public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException { return true; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java index 0f765ce47e..ab314b0b89 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java @@ -46,15 +46,14 @@ public class ClientCertAuthenticator extends LoginAuthenticator } /** - * TODO what should happen if an insecure page is accessed without a client - * cert? Current code requires a client cert always but allows access to - * insecure pages if it is not recognized. - * * @return * @throws ServerAuthException */ public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException { + if (!mandatory) + return _deferred; + HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); @@ -72,7 +71,6 @@ public class ClientCertAuthenticator extends LoginAuthenticator if (principal == null) principal = cert.getIssuerDN(); final String username = principal == null ? "clientcert" : principal.getName(); - // TODO no idea if this is correct final char[] credential = B64Code.encode(cert.getSignature()); UserIdentity user = _loginService.login(username,credential); @@ -81,13 +79,13 @@ public class ClientCertAuthenticator extends LoginAuthenticator } } - if (mandatory) + if (!_deferred.isDeferred(response)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return Authentication.SEND_FAILURE; } - return certs==null?Authentication.NOT_CHECKED:Authentication.UNAUTHENTICATED; + return Authentication.UNAUTHENTICATED; } catch (IOException e) { diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java index 565362cf55..28ebf728b3 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java @@ -1,5 +1,5 @@ // ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. +// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd. // ------------------------------------------------------------------------ // All rights reserved. This program and the accompanying materials // are made available under the terms of the Eclipse Public License v1.0 @@ -11,6 +11,7 @@ // You may elect to redistribute this code under either of these licenses. // ======================================================================== + package org.eclipse.jetty.security.authentication; import java.io.IOException; @@ -27,145 +28,114 @@ import org.eclipse.jetty.security.Authenticator; import org.eclipse.jetty.security.IdentityService; import org.eclipse.jetty.security.ServerAuthException; import org.eclipse.jetty.server.Authentication; -import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.util.IO; import org.eclipse.jetty.util.log.Log; -/** - * Deferred Authentictor - * <p> - * Authenticator that defers non manditory authentication by - * returning a {@link Authentication.Deferred} instance that - * defers authentication until a call - * to {@link Authentication.Deferred#authenticate()} or - * {@link Authentication.Deferred#authenticate(ServletRequest, ServletResponse)}. - * - * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ - */ -public class DeferredAuthenticator extends DelegateAuthenticator +public class DeferredAuthentication implements Authentication.Deferred { - private final DeferredAuthentication _deferred; + protected final Authenticator _authenticator; + + private IdentityService _identityService; + private Object _previousAssociation; + + public DeferredAuthentication(Authenticator authenticator) + { + if (authenticator == null) + throw new NullPointerException("No Authenticator"); + this._authenticator = authenticator; + } /* ------------------------------------------------------------ */ - public DeferredAuthenticator(Authenticator delegate) + /** Get the identityService. + * @return the identityService + */ + public IdentityService getIdentityService() { - super(delegate); - _deferred=new DeferredAuthentication(delegate); + return _identityService; } /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.security.Authenticator#validateRequest(ServletRequest, - * ServletResponse, boolean) + /** Set the identityService. + * @param identityService the identityService to set */ - public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException + public void setIdentityService(IdentityService identityService) { - if (!mandatory) - return _deferred; - - return _delegate.validateRequest(request,response,mandatory); + _identityService = identityService; } /* ------------------------------------------------------------ */ - /* ------------------------------------------------------------ */ - /* ------------------------------------------------------------ */ - public static class DeferredAuthentication implements Authentication.Deferred + /** + * @see org.eclipse.jetty.server.Authentication.Deferred#authenticate() + */ + public Authentication authenticate(ServletRequest request) { - protected final Authenticator _authenticator; - - private IdentityService _identityService; - private Object _previousAssociation; - - public DeferredAuthentication(Authenticator authenticator) - { - if (authenticator == null) - throw new NullPointerException("No Authenticator"); - this._authenticator = authenticator; - } - - /* ------------------------------------------------------------ */ - /** Get the identityService. - * @return the identityService - */ - public IdentityService getIdentityService() + try { - return _identityService; - } - - /* ------------------------------------------------------------ */ - /** Set the identityService. - * @param identityService the identityService to set - */ - public void setIdentityService(IdentityService identityService) - { - _identityService = identityService; - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.Authentication.Deferred#authenticate() - */ - public Authentication authenticate(ServletRequest request) - { - try - { - Authentication authentication = _authenticator.validateRequest(request,__nullResponse,false); - - if (authentication!=null && (authentication instanceof Authentication.User) && !(authentication instanceof Authentication.ResponseSent)) - { - if (_identityService!=null) - _previousAssociation=_identityService.associate(((Authentication.User)authentication).getUserIdentity()); - return authentication; - } - } - catch (ServerAuthException e) + Authentication authentication = _authenticator.validateRequest(request,__deferredResponse,true); + + if (authentication!=null && (authentication instanceof Authentication.User) && !(authentication instanceof Authentication.ResponseSent)) { - Log.debug(e); - } - return Authentication.UNAUTHENTICATED; - } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.Authentication.Deferred#authenticate(javax.servlet.ServletRequest, javax.servlet.ServletResponse) - */ - public Authentication authenticate(ServletRequest request, ServletResponse response) - { - try - { - Authentication authentication = _authenticator.validateRequest(request,response,true); - if (authentication instanceof Authentication.User && _identityService!=null) + if (_identityService!=null) _previousAssociation=_identityService.associate(((Authentication.User)authentication).getUserIdentity()); return authentication; } - catch (ServerAuthException e) - { - Log.debug(e); - } - return Authentication.UNAUTHENTICATED; } - - /* ------------------------------------------------------------ */ - /** - * @see org.eclipse.jetty.server.Authentication.Deferred#login(java.lang.String, java.lang.String) - */ - public Authentication login(String username, String password) + catch (ServerAuthException e) { - return null; // TODO implement + Log.debug(e); } - - /* ------------------------------------------------------------ */ - public Object getPreviousAssociation() + return Authentication.UNAUTHENTICATED; + } + + /* ------------------------------------------------------------ */ + /** + * @see org.eclipse.jetty.server.Authentication.Deferred#authenticate(javax.servlet.ServletRequest, javax.servlet.ServletResponse) + */ + public Authentication authenticate(ServletRequest request, ServletResponse response) + { + try + { + Authentication authentication = _authenticator.validateRequest(request,response,true); + if (authentication instanceof Authentication.User && _identityService!=null) + _previousAssociation=_identityService.associate(((Authentication.User)authentication).getUserIdentity()); + return authentication; + } + catch (ServerAuthException e) { - return _previousAssociation; + Log.debug(e); } + return Authentication.UNAUTHENTICATED; + } + + /* ------------------------------------------------------------ */ + /** + * @see org.eclipse.jetty.server.Authentication.Deferred#login(java.lang.String, java.lang.String) + */ + public Authentication login(String username, String password) + { + return null; // TODO implement + } + + /* ------------------------------------------------------------ */ + public Object getPreviousAssociation() + { + return _previousAssociation; } - /* ------------------------------------------------------------ */ + /** + * @param response + * @return true if this response is from a deferred call to {@link #authenticate(ServletRequest)} + */ + public boolean isDeferred(HttpServletResponse response) + { + return response==__deferredResponse; + } + + /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ - private static HttpServletResponse __nullResponse = new HttpServletResponse() + static HttpServletResponse __deferredResponse = new HttpServletResponse() { public void addCookie(Cookie cookie) { @@ -326,5 +296,6 @@ public class DeferredAuthenticator extends DelegateAuthenticator { } }; + -} +}
\ No newline at end of file diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DelegateAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DelegateAuthenticator.java deleted file mode 100644 index c94b685651..0000000000 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DelegateAuthenticator.java +++ /dev/null @@ -1,62 +0,0 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== - -package org.eclipse.jetty.security.authentication; - -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; - -import org.eclipse.jetty.security.Authenticator; -import org.eclipse.jetty.security.ServerAuthException; -import org.eclipse.jetty.server.Authentication; -import org.eclipse.jetty.server.Authentication.User; - -public class DelegateAuthenticator implements Authenticator -{ - protected final Authenticator _delegate; - - public void setConfiguration(Configuration configuration) - { - _delegate.setConfiguration(configuration); - } - - public String getAuthMethod() - { - return _delegate.getAuthMethod(); - } - - public DelegateAuthenticator(Authenticator delegate) - { - _delegate=delegate; - } - - public Authenticator getDelegate() - { - return _delegate; - } - - public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean manditory) throws ServerAuthException - { - return _delegate.validateRequest(request, response, manditory); - } - - public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException - { - return _delegate.secureResponse(req,res, mandatory, validatedUser); - } - - public boolean isMandatory(ServletRequest request) - { - return _delegate.isMandatory(request); - } -} diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java index d2c5a3ce50..61a1d016a9 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java @@ -62,6 +62,9 @@ public class DigestAuthenticator extends LoginAuthenticator public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException { + if (mandatory) + return _deferred; + HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; String credentials = request.getHeader(HttpHeaders.AUTHORIZATION); @@ -130,7 +133,7 @@ public class DigestAuthenticator extends LoginAuthenticator } - if (mandatory) + if (!_deferred.isDeferred(response)) { String domain = request.getContextPath(); if (domain == null) @@ -147,7 +150,7 @@ public class DigestAuthenticator extends LoginAuthenticator return Authentication.SEND_CONTINUE; } - return credentials==null?Authentication.NOT_CHECKED:Authentication.UNAUTHENTICATED; + return Authentication.UNAUTHENTICATED; } catch (IOException e) { diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java index 0f465350fb..e5a701b354 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java @@ -59,11 +59,11 @@ public class FormAuthenticator extends LoginAuthenticator public final static String __FORM_LOGIN_PAGE="org.eclipse.jetty.security.form_login_page"; public final static String __FORM_ERROR_PAGE="org.eclipse.jetty.security.form_error_page"; public final static String __FORM_DISPATCH="org.eclipse.jetty.security.dispatch"; - public final static String __J_URI = "org.eclipse.jetty.util.URI"; - public final static String __J_AUTHENTICATED = "org.eclipse.jetty.server.Auth"; + public final static String __J_URI = "org.eclipse.jetty.security.form_URI"; public final static String __J_SECURITY_CHECK = "/j_security_check"; public final static String __J_USERNAME = "j_username"; public final static String __J_PASSWORD = "j_password"; + private String _formErrorPage; private String _formErrorPath; private String _formLoginPage; @@ -148,25 +148,26 @@ public class FormAuthenticator extends LoginAuthenticator /* ------------------------------------------------------------ */ public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException - { + { HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; - HttpSession session = request.getSession(mandatory); String uri = request.getRequestURI(); + if (uri==null) + uri=URIUtil.SLASH; + + mandatory|=uri.endsWith(__J_SECURITY_CHECK); + if (!mandatory) + return _deferred; - // not mandatory or not authenticated - if (session == null || isLoginOrErrorPage(uri)) - { + if (isLoginOrErrorPage(uri)) return Authentication.NOT_CHECKED; - } - + HttpSession session = request.getSession(true); + try { // Handle a request for authentication. - if (uri==null) - uri=URIUtil.SLASH; - else if (uri.endsWith(__J_SECURITY_CHECK)) + if (uri.endsWith(__J_SECURITY_CHECK)) { final String username = request.getParameter(__J_USERNAME); final String password = request.getParameter(__J_PASSWORD); @@ -190,6 +191,9 @@ public class FormAuthenticator extends LoginAuthenticator } response.setContentLength(0); response.sendRedirect(response.encodeRedirectURL(nuri)); + + Authentication cached=new SessionAuthentication(session,this,user); + session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached); return new FormAuthentication(this,user); } @@ -216,35 +220,52 @@ public class FormAuthenticator extends LoginAuthenticator return Authentication.SEND_FAILURE; } - if (mandatory) + // Look for cached authentication + Authentication authentication = (Authentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED); + if (authentication != null) { - // redirect to login page - synchronized (session) - { - if (session.getAttribute(__J_URI)==null) - { - StringBuffer buf = request.getRequestURL(); - if (request.getQueryString() != null) - buf.append("?").append(request.getQueryString()); - session.setAttribute(__J_URI, buf.toString()); - } - } - - if (_dispatch) - { - RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage); - response.setHeader(HttpHeaders.CACHE_CONTROL,"No-cache"); - response.setDateHeader(HttpHeaders.EXPIRES,1); - dispatcher.forward(new FormRequest(request), new FormResponse(response)); - } + // Has authentication been revoked? + if (authentication instanceof Authentication.User && + _loginService!=null && + !_loginService.validate(((Authentication.User)authentication).getUserIdentity())) + + session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED); else + return authentication; + } + + // remember the current URI + synchronized (session) + { + // TODO is this right? + if (session.getAttribute(__J_URI)==null) { - response.sendRedirect(URIUtil.addPaths(request.getContextPath(),_formLoginPage)); + StringBuffer buf = request.getRequestURL(); + if (request.getQueryString() != null) + buf.append("?").append(request.getQueryString()); + session.setAttribute(__J_URI, buf.toString()); } - return Authentication.SEND_CONTINUE; } + + // if we can't send challenge + if (_deferred.isDeferred(response)) + return Authentication.UNAUTHENTICATED; + + // send the the challenge + if (_dispatch) + { + RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage); + response.setHeader(HttpHeaders.CACHE_CONTROL,"No-cache"); + response.setDateHeader(HttpHeaders.EXPIRES,1); + dispatcher.forward(new FormRequest(request), new FormResponse(response)); + } + else + { + response.sendRedirect(URIUtil.addPaths(request.getContextPath(),_formLoginPage)); + } + return Authentication.SEND_CONTINUE; - return Authentication.UNAUTHENTICATED; + } catch (IOException e) { @@ -261,13 +282,7 @@ public class FormAuthenticator extends LoginAuthenticator { return pathInContext != null && (pathInContext.equals(_formErrorPath) || pathInContext.equals(_formLoginPath)); } - - /* ------------------------------------------------------------ */ - public boolean isMandatory(ServletRequest request) - { - return ((HttpServletRequest)request).getRequestURI().endsWith(__J_SECURITY_CHECK); - } - + /* ------------------------------------------------------------ */ public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException { diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java index 2033960cfb..cf339d02cc 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java @@ -13,14 +13,13 @@ package org.eclipse.jetty.security.authentication; -import javax.servlet.ServletRequest; - import org.eclipse.jetty.security.Authenticator; import org.eclipse.jetty.security.IdentityService; import org.eclipse.jetty.security.LoginService; public abstract class LoginAuthenticator implements Authenticator { + protected final DeferredAuthentication _deferred=new DeferredAuthentication(this); protected LoginService _loginService; protected IdentityService _identityService; @@ -42,9 +41,4 @@ public abstract class LoginAuthenticator implements Authenticator { return _loginService; } - - public boolean isMandatory(ServletRequest request) - { - return false; - } } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java new file mode 100644 index 0000000000..bde0faef1e --- /dev/null +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java @@ -0,0 +1,62 @@ +// ======================================================================== +// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== + + +package org.eclipse.jetty.security.authentication; + +import javax.servlet.http.HttpSession; +import javax.servlet.http.HttpSessionAttributeListener; +import javax.servlet.http.HttpSessionBindingEvent; + +import org.eclipse.jetty.security.Authenticator; +import org.eclipse.jetty.security.UserAuthentication; +import org.eclipse.jetty.server.UserIdentity; + +class SessionAuthentication extends UserAuthentication implements HttpSessionAttributeListener +{ + public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity"; + + HttpSession _session; + + public SessionAuthentication(HttpSession session,Authenticator authenticator, UserIdentity userIdentity) + { + super(authenticator,userIdentity); + _session=session; + } + + public void attributeAdded(HttpSessionBindingEvent event) + { + } + + public void attributeRemoved(HttpSessionBindingEvent event) + { + super.logout(); + } + + public void attributeReplaced(HttpSessionBindingEvent event) + { + if (event.getValue()==null) + super.logout(); + } + + public void logout() + { + _session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED); + } + + public String toString() + { + return "Session"+super.toString(); + } + +}
\ No newline at end of file diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionCachingAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionCachingAuthenticator.java deleted file mode 100644 index d51c671d62..0000000000 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionCachingAuthenticator.java +++ /dev/null @@ -1,91 +0,0 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== - -package org.eclipse.jetty.security.authentication; - -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpSession; -import javax.servlet.http.HttpSessionAttributeListener; -import javax.servlet.http.HttpSessionBindingEvent; -import javax.servlet.http.HttpSessionEvent; -import javax.servlet.http.HttpSessionListener; - -import org.eclipse.jetty.security.Authenticator; -import org.eclipse.jetty.security.UserAuthentication; -import org.eclipse.jetty.security.ServerAuthException; -import org.eclipse.jetty.server.Authentication; -import org.eclipse.jetty.server.UserIdentity; - -/** - * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ - */ -public class SessionCachingAuthenticator extends DelegateAuthenticator -{ - public final static String __J_AUTHENTICATED = "org.eclipse.jetty.server.Auth"; - - public SessionCachingAuthenticator(Authenticator delegate) - { - super(delegate); - } - - public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException - { - HttpSession session = ((HttpServletRequest)request).getSession(mandatory); - // not mandatory and not authenticated - if (session == null) - return Authentication.NOT_CHECKED; - - Authentication authentication = (Authentication) session.getAttribute(__J_AUTHENTICATED); - if (authentication != null) - return authentication; - - authentication = _delegate.validateRequest(request, response, mandatory); - if (authentication instanceof Authentication.User) - { - Authentication cached=new SessionAuthentication(_delegate,((Authentication.User)authentication).getUserIdentity()); - session.setAttribute(__J_AUTHENTICATED, cached); - } - - return authentication; - } - - protected class SessionAuthentication extends UserAuthentication implements HttpSessionAttributeListener - { - public SessionAuthentication(Authenticator authenticator, UserIdentity userIdentity) - { - super(authenticator,userIdentity); - } - - public void attributeAdded(HttpSessionBindingEvent event) - { - } - - public void attributeRemoved(HttpSessionBindingEvent event) - { - logout(); - } - - public void attributeReplaced(HttpSessionBindingEvent arg0) - { - logout(); - } - - public String toString() - { - return "Session"+super.toString(); - } - - } -} diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/XCPSCachingAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/XCPSCachingAuthenticator.java deleted file mode 100644 index a79034e6f7..0000000000 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/XCPSCachingAuthenticator.java +++ /dev/null @@ -1,57 +0,0 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== - -package org.eclipse.jetty.security.authentication; - -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.eclipse.jetty.security.Authenticator; -import org.eclipse.jetty.security.CrossContextPsuedoSession; -import org.eclipse.jetty.security.ServerAuthException; -import org.eclipse.jetty.server.Authentication; - -/** - * Cross-context psuedo-session caching ServerAuthentication - * - * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ - */ -public class XCPSCachingAuthenticator extends DelegateAuthenticator -{ - public final static String __J_AUTHENTICATED = "org.eclipse.jetty.server.Auth"; - - private final CrossContextPsuedoSession<Authentication> _xcps; - - public XCPSCachingAuthenticator(Authenticator delegate, CrossContextPsuedoSession<Authentication> xcps) - { - super(delegate); - this._xcps = xcps; - } - - public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean manditory) throws ServerAuthException - { - - Authentication serverAuthResult = _xcps.fetch((HttpServletRequest)request); - if (serverAuthResult != null) - return serverAuthResult; - - serverAuthResult = _delegate.validateRequest(request, response, manditory); - if (serverAuthResult != null) - _xcps.store(serverAuthResult, (HttpServletResponse)response); - - return serverAuthResult; - } - -} |