authorSimone Bordet2012-08-24 05:52:29 -0400
committerSimone Bordet2012-08-24 05:52:29 -0400
commit06b2de17d5a8728d71cd8fd40c5711cd5b611ebc (patch)
tree6a87fcf2cf363dbd68bf58821988d54324ed9780 /jetty-security/src
parentb73ca3e316797e5b075f89f4c0d6679626ce9c5a (diff)
parente92006390e06ceb3e9906343681ebe7d8fbcfb7b (diff)
Merge branch 'jetty-9-aggregation' into jetty-9-spdy-http
Diffstat (limited to 'jetty-security/src')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java60
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java33
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java42
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java34
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java30
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java48
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java84
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java55
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java60
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java27
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java36
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java29
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java44
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java54
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java42
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java64
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java121
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java75
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java40
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java32
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java65
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java58
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java76
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java36
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java33
38 files changed, 945 insertions, 710 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
index 0f255300c8..c9ed72a86e 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
@@ -1,20 +1,24 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
import java.util.Set;
-
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
@@ -27,10 +31,10 @@ import org.eclipse.jetty.server.Server;
* Authenticator Interface
* <p>
* An Authenticator is responsible for checking requests and sending
- * response challenges in order to authenticate a request.
+ * response challenges in order to authenticate a request.
* Various types of {@link Authentication} are returned in order to
* signal the next step in authentication.
- *
+ *
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
*/
public interface Authenticator
@@ -41,27 +45,27 @@ public interface Authenticator
* @param configuration
*/
void setConfiguration(AuthConfiguration configuration);
-
+
/* ------------------------------------------------------------ */
/**
* @return The name of the authentication method
*/
String getAuthMethod();
-
+
/* ------------------------------------------------------------ */
/** Validate a response
* @param request The request
* @param response The response
* @param mandatory True if authentication is mandatory.
- * @return An Authentication. If Authentication is successful, this will be a {@link org.eclipse.jetty.server.Authentication.User}. If a response has
+ * @return An Authentication. If Authentication is successful, this will be a {@link org.eclipse.jetty.server.Authentication.User}. If a response has
* been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will
- * implement {@link org.eclipse.jetty.server.Authentication.ResponseSent}. If Authentication is not manditory, then a
+ * implement {@link org.eclipse.jetty.server.Authentication.ResponseSent}. If Authentication is not manditory, then a
* {@link org.eclipse.jetty.server.Authentication.Deferred} may be returned.
- *
+ *
* @throws ServerAuthException
*/
Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException;
-
+
/* ------------------------------------------------------------ */
/**
* @param request
@@ -72,33 +76,33 @@ public interface Authenticator
* @throws ServerAuthException
*/
boolean secureResponse(ServletRequest request, ServletResponse response, boolean mandatory, User validatedUser) throws ServerAuthException;
-
-
+
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
- /**
+ /**
* Authenticator Configuration
*/
interface AuthConfiguration
{
String getAuthMethod();
String getRealmName();
-
+
/** Get a SecurityHandler init parameter
* @see SecurityHandler#getInitParameter(String)
* @param param parameter name
* @return Parameter value or null
*/
String getInitParameter(String param);
-
+
/* ------------------------------------------------------------ */
/** Get a SecurityHandler init parameter names
* @see SecurityHandler#getInitParameterNames()
* @return Set of parameter names
*/
Set<String> getInitParameterNames();
-
+
LoginService getLoginService();
IdentityService getIdentityService();
boolean isSessionRenewedOnAuthentication();
@@ -107,7 +111,7 @@ public interface Authenticator
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
- /**
+ /**
* Authenticator Factory
*/
interface Factory
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java
index 2ec8d8db01..92c880a5b1 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java
index 36c82fe0d8..fee3836bbf 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index 10f0050e68..d323fce2a7 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 1999-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
@@ -231,10 +236,8 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
@Override
protected void doStop() throws Exception
{
- _constraintMap.clear();
- _constraintMappings.clear();
- _roles.clear();
super.doStop();
+ _constraintMap.clear();
}
protected void processConstraintMapping(ConstraintMapping mapping)
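Review bot: `doStop()` now keeps `_constraintMappings` and `_roles` across a stop while still clearing `_constraintMap`; unless `doStart()` rebuilds `_constraintMap` from the retained mappings (not visible in this hunk), a restarted handler would carry its roles and mappings but have an empty constraint map, which for a security handler is the fail-open direction. The clear also runs only after `super.doStop()` returns, so an exception from the superclass leaves the stale entries in place; `try { super.doStop(); } finally { _constraintMap.clear(); }` keeps the cleanup unconditional. The asymmetry deserves a one-line comment so the next reader does not "fix" it back, e.g. `// mappings and roles are kept so the handler can be restarted; _constraintMap is rebuilt from them in doStart()` — assuming that is indeed what `doStart()` does.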
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java b/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java
index 9e202beb9a..dba70232af 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
index 4dee1d083b..b04a78d4cc 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java
index 2b2b746276..06e0f205c9 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java
@@ -1,20 +1,24 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
import java.security.Principal;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.server.UserIdentity;
@@ -26,7 +30,7 @@ import org.eclipse.jetty.server.UserIdentity;
* This service handles only role reference maps passed in an
* associated {@link org.eclipse.jetty.server.UserIdentity.Scope}. If there are roles
* refs present, then associate will wrap the UserIdentity with one
- * that uses the role references in the
+ * that uses the role references in the
* {@link org.eclipse.jetty.server.UserIdentity#isUserInRole(String, org.eclipse.jetty.server.UserIdentity.Scope)}
* implementation. All other operations are effectively noops.
*
@@ -37,10 +41,10 @@ public class DefaultIdentityService implements IdentityService
public DefaultIdentityService()
{
}
-
+
/* ------------------------------------------------------------ */
- /**
- * If there are roles refs present in the scope, then wrap the UserIdentity
+ /**
+ * If there are roles refs present in the scope, then wrap the UserIdentity
* with one that uses the role references in the {@link UserIdentity#isUserInRole(String, org.eclipse.jetty.server.UserIdentity.Scope)}
*/
public Object associate(UserIdentity user)
@@ -49,7 +53,7 @@ public class DefaultIdentityService implements IdentityService
}
/* ------------------------------------------------------------ */
- public void disassociate(Object previous)
+ public void disassociate(Object previous)
{
}
@@ -81,5 +85,5 @@ public class DefaultIdentityService implements IdentityService
{
return new DefaultUserIdentity(subject,userPrincipal,roles);
}
-
+
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java
index e9d2b9a7d3..ca196134ca 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java
@@ -1,20 +1,24 @@
-// ========================================================================
-// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
import java.security.Principal;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.server.UserIdentity;
@@ -26,11 +30,11 @@ import org.eclipse.jetty.server.UserIdentity;
*
*/
public class DefaultUserIdentity implements UserIdentity
-{
+{
private final Subject _subject;
private final Principal _userPrincipal;
private final String[] _roles;
-
+
public DefaultUserIdentity(Subject subject, Principal userPrincipal, String[] roles)
{
_subject=subject;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java
index 06c589b03a..38444236a5 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
@@ -17,7 +22,6 @@ import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
-
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
index 34f7a5cede..7c4be2ddff 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 1996-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java
index e05a000b2e..ac7d67b9d2 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java
@@ -1,20 +1,24 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
import java.security.Principal;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.server.Request;
@@ -23,26 +27,26 @@ import org.eclipse.jetty.server.UserIdentity;
/* ------------------------------------------------------------ */
/**
* Associates UserIdentities from with threads and UserIdentity.Contexts.
- *
+ *
*/
public interface IdentityService
{
- final static String[] NO_ROLES = new String[]{};
-
+ final static String[] NO_ROLES = new String[]{};
+
/* ------------------------------------------------------------ */
/**
* Associate a user identity with the current thread.
- * This is called with as a thread enters the
+ * This is called with as a thread enters the
* {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
* method and then again with a null argument as that call exits.
* @param user The current user or null for no user to associated.
* @return an object representing the previous associated state
*/
Object associate(UserIdentity user);
-
+
/* ------------------------------------------------------------ */
- /**
- * Disassociate the user identity from the current thread
+ /**
+ * Disassociate the user identity from the current thread
* and restore previous identity.
* @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)}
*/
@@ -56,7 +60,7 @@ public interface IdentityService
* @return The previous runAsToken or null.
*/
Object setRunAs(UserIdentity user, RunAsToken token);
-
+
/* ------------------------------------------------------------ */
/**
* Disassociate the current runAsToken from the thread
@@ -69,7 +73,7 @@ public interface IdentityService
/**
* Create a new UserIdentity for use with this identity service.
* The UserIdentity should be immutable and able to be cached.
- *
+ *
* @param subject Subject to include in UserIdentity
* @param userPrincipal Principal to include in UserIdentity. This will be returned from getUserPrincipal calls
* @param roles set of roles to include in UserIdentity.
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
index 44e7ef078e..d01f2a9701 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2003-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
index 01675fe140..39567a25d0 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
index 5ca896fb15..9d7079ff3c 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
@@ -20,7 +25,6 @@ import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.server.UserIdentity;
@@ -35,7 +39,7 @@ import org.eclipse.jetty.util.security.Credential;
/**
* A login service that keeps UserIdentities in a concurrent map
* either as the source or a cache of the users.
- *
+ *
*/
public abstract class MappedLoginService extends AbstractLifeCycle implements LoginService
{
@@ -49,7 +53,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
protected MappedLoginService()
{
}
-
+
/* ------------------------------------------------------------ */
/** Get the name.
* @return the name
@@ -58,7 +62,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _name;
}
-
+
/* ------------------------------------------------------------ */
/** Get the identityService.
* @return the identityService
@@ -67,7 +71,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _identityService;
}
-
+
/* ------------------------------------------------------------ */
/** Get the users.
* @return the users
@@ -76,7 +80,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _users;
}
-
+
/* ------------------------------------------------------------ */
/** Set the identityService.
* @param identityService the identityService to set
@@ -131,17 +135,17 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
/* ------------------------------------------------------------ */
public void logout(UserIdentity identity)
- {
+ {
LOG.debug("logout {}",identity);
}
-
+
/* ------------------------------------------------------------ */
@Override
public String toString()
{
return this.getClass().getSimpleName()+"["+_name+"]";
}
-
+
/* ------------------------------------------------------------ */
/** Put user into realm.
* Called by implementations to put the user data loaded from
@@ -158,7 +162,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
else
{
Credential credential = (info instanceof Credential)?(Credential)info:Credential.getCredential(info.toString());
-
+
Principal userPrincipal = new KnownUser(userName,credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
@@ -166,11 +170,11 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
subject.setReadOnly();
identity=_identityService.newUserIdentity(subject,userPrincipal,IdentityService.NO_ROLES);
}
-
+
_users.put(userName,identity);
return identity;
}
-
+
/* ------------------------------------------------------------ */
/** Put user into realm.
* @param userName The user to add
@@ -184,7 +188,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
subject.getPrivateCredentials().add(credential);
-
+
if (roles!=null)
for (String role : roles)
subject.getPrincipals().add(new RolePrincipal(role));
@@ -193,13 +197,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
UserIdentity identity=_identityService.newUserIdentity(subject,userPrincipal,roles);
_users.put(userName,identity);
return identity;
- }
-
+ }
+
/* ------------------------------------------------------------ */
public void removeUser(String username)
{
_users.remove(username);
- }
+ }
/* ------------------------------------------------------------ */
/**
@@ -208,10 +212,10 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
public UserIdentity login(String username, Object credentials)
{
UserIdentity user = _users.get(username);
-
+
if (user==null)
user = loadUser(username);
-
+
if (user!=null)
{
UserPrincipal principal = (UserPrincipal)user.getUserPrincipal();
@@ -226,16 +230,16 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
if (_users.containsKey(user.getUserPrincipal().getName()))
return true;
-
+
if (loadUser(user.getUserPrincipal().getName())!=null)
return true;
-
+
return false;
}
/* ------------------------------------------------------------ */
protected abstract UserIdentity loadUser(String username);
-
+
/* ------------------------------------------------------------ */
protected abstract void loadUsers() throws IOException;
@@ -248,7 +252,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
boolean authenticate(Object credentials);
public boolean isAuthenticated();
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
@@ -282,14 +286,14 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return "Anonymous";
}
-
+
public boolean authenticate(Object credentials)
{
return false;
}
-
+
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
@@ -298,7 +302,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
private static final long serialVersionUID = -6226920753748399662L;
private final String _name;
private final Credential _credential;
-
+
/* -------------------------------------------------------- */
public KnownUser(String name,Credential credential)
{
@@ -311,13 +315,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _credential!=null && _credential.check(credentials);
}
-
+
/* ------------------------------------------------------------ */
public String getName()
{
return _name;
}
-
+
/* -------------------------------------------------------- */
public boolean isAuthenticated()
{
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
index 1c95cc1a23..afff5c1033 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
@@ -1,16 +1,22 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
+
package org.eclipse.jetty.security;
-//========================================================================
-//Copyright 2011-2012 Mort Bay Consulting Pty. Ltd.
-//------------------------------------------------------------------------
-//All rights reserved. This program and the accompanying materials
-//are made available under the terms of the Eclipse Public License v1.0
-//and Apache License v2.0 which accompanies this distribution.
-//The Eclipse Public License is available at
-//http://www.eclipse.org/legal/epl-v10.html
-//The Apache License v2.0 is available at
-//http://www.opensource.org/licenses/apache2.0.php
-//You may elect to redistribute this code under either of these licenses.
-//========================================================================
import java.io.File;
import java.io.FilenameFilter;
@@ -24,7 +30,6 @@ import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.security.MappedLoginService.KnownUser;
@@ -40,16 +45,16 @@ import org.eclipse.jetty.util.security.Credential;
/**
* PropertyUserStore
- *
+ *
* This class monitors a property file of the format mentioned below and notifies registered listeners of the changes to the the given file.
- *
+ *
* <PRE>
* username: password [,rolename ...]
* </PRE>
- *
+ *
* Passwords may be clear text, obfuscated or checksummed. The class com.eclipse.Util.Password should be used to generate obfuscated passwords or password
* checksums.
- *
+ *
* If DIGEST Authentication is used, the password must be in a recoverable format, either plain text or OBF:.
*/
public class PropertyUserStore extends AbstractLifeCycle
@@ -78,7 +83,7 @@ public class PropertyUserStore extends AbstractLifeCycle
{
_config = config;
}
-
+
/* ------------------------------------------------------------ */
public UserIdentity getUserIdentity(String userName)
{
@@ -151,7 +156,7 @@ public class PropertyUserStore extends AbstractLifeCycle
}
known.add(username);
Credential credential = Credential.getCredential(credentials);
-
+
Principal userPrincipal = new KnownUser(username,credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
@@ -164,9 +169,9 @@ public class PropertyUserStore extends AbstractLifeCycle
subject.getPrincipals().add(new RolePrincipal(role));
}
}
-
+
subject.setReadOnly();
-
+
_knownUserIdentities.put(username,_identityService.newUserIdentity(subject,userPrincipal,roleArray));
notifyUpdate(username,credential,roleArray);
}
@@ -210,8 +215,8 @@ public class PropertyUserStore extends AbstractLifeCycle
/**
* Depending on the value of the refresh interval, this method will either start up a scanner thread that will monitor the properties file for changes after
* it has initially loaded it. Otherwise the users will be loaded and there will be no active monitoring thread so changes will not be detected.
- *
- *
+ *
+ *
* @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
*/
protected void doStart() throws Exception
@@ -294,7 +299,7 @@ public class PropertyUserStore extends AbstractLifeCycle
/**
* Notifies the registered listeners of potential updates to a user
- *
+ *
* @param username
* @param credential
* @param roleArray
@@ -312,7 +317,7 @@ public class PropertyUserStore extends AbstractLifeCycle
/**
* notifies the registered listeners that a user has been removed.
- *
+ *
* @param username
*/
private void notifyRemove(String username)
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java
index 35df88ce8f..de61c8b2e1 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java
index 02ee2d20e0..7c1872a1ae 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java b/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java
index 7bf84ccd87..a0793f7e89 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 0baeef255b..19441d5b60 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
@@ -23,16 +28,20 @@ import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandler.Context;
import org.eclipse.jetty.server.handler.HandlerWrapper;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
import org.eclipse.jetty.util.component.LifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@@ -285,6 +294,33 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
getInitParameter(name)==null)
setInitParameter(name,context.getInitParameter(name));
}
+
+ //register a session listener to handle securing sessions when authentication is performed
+ context.getContextHandler().addEventListener(new HttpSessionListener()
+ {
+
+ public void sessionDestroyed(HttpSessionEvent se)
+ {
+
+ }
+
+ public void sessionCreated(HttpSessionEvent se)
+ {
+ //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
+ HttpChannel channel = HttpChannel.getCurrentHttpChannel();
+
+ if (channel == null)
+ return;
+ Request request = channel.getRequest();
+ if (request == null)
+ return;
+
+ if (request.isSecure())
+ {
+ se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ }
+ }
+ });
}
// complicated resolution of login and identity service to handle
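Review bot: The new `sessionCreated` listener decides with `request.isSecure()`, which only reports that the request arrived over a TLS connection, while the comment above it says the session should be marked when the current request is authenticated; as written, any session created during an HTTPS request — including one from an unauthenticated client — gets `SESSION_KNOWN_ONLY_TO_AUTHENTICATED` set, so the attribute no longer means what its name says and anything that trusts it to skip a session-id change on login is weakened. If the comment states the intent, the condition should look at the request's authentication state, e.g. `if (request.getAuthentication() instanceof Authentication.User)` (`Authentication` is already imported in this file, see the import hunk above); if transport security really is the intended condition, the comment should say so instead. The empty `sessionDestroyed` body deserves a one-line reason such as `// nothing to do: the attribute is discarded with the session`, and both listener methods should carry `@Override`. The enclosing method starts outside the hunk.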
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java
index d0f26943bf..546da84f6c 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
index 77583395db..1e1bd6ab96 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
@@ -1,23 +1,24 @@
-// ========================================================================
-// Copyright (c) Webtide LLC
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
//
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
//
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
//
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
package org.eclipse.jetty.security;
import java.util.Properties;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.server.UserIdentity;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java
index 9d689ddfaa..c62610b462 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java
@@ -1,23 +1,25 @@
-package org.eclipse.jetty.security;
-//========================================================================
-//Copyright (c) Webtide LLC
-//------------------------------------------------------------------------
-//All rights reserved. This program and the accompanying materials
-//are made available under the terms of the Eclipse Public License v1.0
-//and Apache License v2.0 which accompanies this distribution.
//
-//The Eclipse Public License is available at
-//http://www.eclipse.org/legal/epl-v10.html
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
//
-//The Apache License v2.0 is available at
-//http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
//
-//You may elect to redistribute this code under either of these licenses.
-//========================================================================
+
+package org.eclipse.jetty.security;
import java.security.Principal;
import java.util.List;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.server.UserIdentity;
@@ -27,15 +29,15 @@ public class SpnegoUserIdentity implements UserIdentity
private Subject _subject;
private Principal _principal;
private List<String> _roles;
-
+
public SpnegoUserIdentity( Subject subject, Principal principal, List<String> roles )
{
_subject = subject;
_principal = principal;
_roles = roles;
}
-
-
+
+
public Subject getSubject()
{
return _subject;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
index d3c31e684d..cdf1f1a1fb 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
@@ -1,15 +1,20 @@
-//========================================================================
-//Copyright 2011-2012 Mort Bay Consulting Pty. Ltd.
-//------------------------------------------------------------------------
-//All rights reserved. This program and the accompanying materials
-//are made available under the terms of the Eclipse Public License v1.0
-//and Apache License v2.0 which accompanies this distribution.
-//The Eclipse Public License is available at
-//http://www.eclipse.org/legal/epl-v10.html
-//The Apache License v2.0 is available at
-//http://www.opensource.org/licenses/apache2.0.php
-//You may elect to redistribute this code under either of these licenses.
-//========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java
index da55e961c4..7846d8cfb7 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java b/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java
index e1d4369242..508ffbc2e5 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index dec0ee78d1..96927abf98 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -1,20 +1,24 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
import java.io.IOException;
-
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
@@ -33,13 +37,13 @@ import org.eclipse.jetty.util.security.Constraint;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
*/
-public class BasicAuthenticator extends LoginAuthenticator
-{
+public class BasicAuthenticator extends LoginAuthenticator
+{
/* ------------------------------------------------------------ */
public BasicAuthenticator()
{
}
-
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.security.Authenticator#getAuthMethod()
@@ -63,9 +67,9 @@ public class BasicAuthenticator extends LoginAuthenticator
{
if (!mandatory)
return _deferred;
-
+
if (credentials != null)
- {
+ {
int space=credentials.indexOf(' ');
if (space>0)
{
@@ -83,7 +87,7 @@ public class BasicAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(username,password);
if (user!=null)
{
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
return new UserAuthentication(getAuthMethod(),user);
}
}
@@ -93,7 +97,7 @@ public class BasicAuthenticator extends LoginAuthenticator
if (_deferred.isDeferred(response))
return Authentication.UNAUTHENTICATED;
-
+
response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "basic realm=\"" + _loginService.getName() + '"');
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return Authentication.SEND_CONTINUE;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index 2522037550..0db6551c5a 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
@@ -19,7 +24,6 @@ import java.security.Principal;
import java.security.cert.CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
-
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
@@ -65,7 +69,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
private boolean _enableOCSP = false;
/** Location of OCSP Responder */
private String _ocspResponderURL;
-
+
public ClientCertAuthenticator()
{
super();
@@ -75,7 +79,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
{
return Constraint.__CERT_AUTH;
}
-
+
/**
* @return Authentication for request
* @throws ServerAuthException
@@ -84,7 +88,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
{
if (!mandatory)
return _deferred;
-
+
HttpServletRequest request = (HttpServletRequest)req;
HttpServletResponse response = (HttpServletResponse)res;
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
@@ -94,7 +98,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
// Need certificates.
if (certs != null && certs.length > 0)
{
-
+
if (_validateCerts)
{
KeyStore trustStore = getKeyStore(null,
@@ -104,7 +108,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
CertificateValidator validator = new CertificateValidator(trustStore, crls);
validator.validate(certs);
}
-
+
for (X509Certificate cert: certs)
{
if (cert==null)
@@ -119,18 +123,18 @@ public class ClientCertAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(username,credential);
if (user!=null)
{
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
return new UserAuthentication(getAuthMethod(),user);
}
}
}
-
+
if (!_deferred.isDeferred(response))
{
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return Authentication.SEND_FAILURE;
}
-
+
return Authentication.UNAUTHENTICATED;
}
catch (Exception e)
@@ -305,9 +309,9 @@ public class ClientCertAuthenticator extends LoginAuthenticator
{
_maxCertPathLength = maxCertPathLength;
}
-
+
/* ------------------------------------------------------------ */
- /**
+ /**
* @return true if CRL Distribution Points support is enabled
*/
public boolean isEnableCRLDP()
@@ -325,7 +329,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
- /**
+ /**
* @return true if On-Line Certificate Status Protocol support is enabled
*/
public boolean isEnableOCSP()
@@ -343,7 +347,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
- /**
+ /**
* @return Location of the OCSP Responder
*/
public String getOcspResponderURL()
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java
index bab7e9b0ba..d3435d3f60 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
@@ -19,7 +24,6 @@ import java.io.PrintWriter;
import java.util.Collection;
import java.util.Collections;
import java.util.Locale;
-
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
@@ -55,7 +59,7 @@ public class DeferredAuthentication implements Authentication.Deferred
throw new NullPointerException("No Authenticator");
this._authenticator = authenticator;
}
-
+
/* ------------------------------------------------------------ */
public DeferredAuthentication(LoginAuthenticator authenticator)
{
@@ -63,7 +67,7 @@ public class DeferredAuthentication implements Authentication.Deferred
throw new NullPointerException("No Authenticator");
this._authenticator = authenticator;
}
-
+
/* ------------------------------------------------------------ */
/** Get the identityService.
* @return the identityService
@@ -103,7 +107,7 @@ public class DeferredAuthentication implements Authentication.Deferred
try
{
Authentication authentication = _authenticator.validateRequest(request,__deferredResponse,true);
-
+
if (authentication!=null && (authentication instanceof Authentication.User) && !(authentication instanceof Authentication.ResponseSent))
{
if (_identityService!=null)
@@ -117,7 +121,7 @@ public class DeferredAuthentication implements Authentication.Deferred
}
return this;
}
-
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.Authentication.Deferred#authenticate(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
@@ -173,7 +177,7 @@ public class DeferredAuthentication implements Authentication.Deferred
{
return response==__deferredResponse;
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
@@ -362,5 +366,5 @@ public class DeferredAuthentication implements Authentication.Deferred
}
};
-
+
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index 505831963b..ba3e964b9f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
@@ -21,7 +26,6 @@ import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
-
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
@@ -46,8 +50,8 @@ import org.eclipse.jetty.util.security.Credential;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
- *
- * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)}
+ *
+ * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)}
* using the name "maxNonceAge"
*/
public class DigestAuthenticator extends LoginAuthenticator
@@ -83,7 +87,7 @@ public class DigestAuthenticator extends LoginAuthenticator
public void setConfiguration(AuthConfiguration configuration)
{
super.setConfiguration(configuration);
-
+
String mna=configuration.getInitParameter("maxNonceAge");
if (mna!=null)
{
@@ -93,7 +97,7 @@ public class DigestAuthenticator extends LoginAuthenticator
}
}
}
-
+
/* ------------------------------------------------------------ */
public synchronized void setMaxNonceAge(long maxNonceAgeInMillis)
{
@@ -117,7 +121,7 @@ public class DigestAuthenticator extends LoginAuthenticator
{
if (!mandatory)
return _deferred;
-
+
HttpServletRequest request = (HttpServletRequest)req;
HttpServletResponse response = (HttpServletResponse)res;
String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
@@ -127,7 +131,7 @@ public class DigestAuthenticator extends LoginAuthenticator
boolean stale = false;
if (credentials != null)
{
- if (LOG.isDebugEnabled())
+ if (LOG.isDebugEnabled())
LOG.debug("Credentials: " + credentials);
QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false);
final Digest digest = new Digest(request.getMethod());
@@ -169,7 +173,7 @@ public class DigestAuthenticator extends LoginAuthenticator
digest.qop = tok;
else if ("uri".equalsIgnoreCase(name))
digest.uri = tok;
- else if ("response".equalsIgnoreCase(name))
+ else if ("response".equalsIgnoreCase(name))
digest.response = tok;
name=null;
}
@@ -183,11 +187,11 @@ public class DigestAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(digest.username,digest);
if (user!=null)
{
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
return new UserAuthentication(getAuthMethod(),user);
}
}
- else if (n == 0)
+ else if (n == 0)
stale = true;
}
@@ -195,7 +199,7 @@ public class DigestAuthenticator extends LoginAuthenticator
if (!_deferred.isDeferred(response))
{
String domain = request.getContextPath();
- if (domain == null)
+ if (domain == null)
domain = "/";
response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + _loginService.getName()
+ "\", domain=\""
@@ -222,7 +226,7 @@ public class DigestAuthenticator extends LoginAuthenticator
public String newNonce(Request request)
{
Nonce nonce;
-
+
do
{
byte[] nounce = new byte[24];
@@ -232,7 +236,7 @@ public class DigestAuthenticator extends LoginAuthenticator
}
while (_nonceCount.putIfAbsent(nonce._nonce,nonce)!=null);
_nonceQueue.add(nonce);
-
+
return nonce._nonce;
}
@@ -250,7 +254,7 @@ public class DigestAuthenticator extends LoginAuthenticator
{
expired = request.getTimeStamp()-_maxNonceAgeMs;
}
-
+
Nonce nonce=_nonceQueue.peek();
while (nonce!=null && nonce._ts<expired)
{
@@ -258,14 +262,14 @@ public class DigestAuthenticator extends LoginAuthenticator
_nonceCount.remove(nonce._nonce);
nonce=_nonceQueue.peek();
}
-
-
+
+
try
{
nonce = _nonceCount.get(digest.nonce);
if (nonce==null)
return 0;
-
+
long count = Long.parseLong(digest.nc,16);
if (count>Integer.MAX_VALUE)
return 0;
@@ -274,7 +278,7 @@ public class DigestAuthenticator extends LoginAuthenticator
old=nonce._nc.get();
if (count<=old)
return -1;
-
+
return 1;
}
catch (Exception e)
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 26196b7119..ce758f5be7 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -1,22 +1,26 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
-
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
@@ -134,6 +138,7 @@ public class FormAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
+ @Override
public String getAuthMethod()
{
return Constraint.__FORM_AUTH;
@@ -177,6 +182,7 @@ public class FormAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
+ @Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
{
HttpServletRequest request = (HttpServletRequest)req;
@@ -189,8 +195,8 @@ public class FormAuthenticator extends LoginAuthenticator
if (!mandatory)
return _deferred;
- if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
- return Authentication.NOT_CHECKED;
+ if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())) &&!DeferredAuthentication.isDeferred(response))
+ return _deferred;
HttpSession session = request.getSession(true);
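Review bot: The rewritten `isLoginOrErrorPage` condition changes what a login- or error-page request receives — `_deferred` instead of `Authentication.NOT_CHECKED` — and only when the response is not the deferred one, so a call arriving through `DeferredAuthentication` now falls through into the session and j_security_check handling below; nothing in the hunk records why. A one-line comment above the condition stating that intent (for example `// login/error pages: defer normally, but let a DeferredAuthentication call fall through to complete the login`, adjusted to the actual reason) would keep the next reader from treating the fall-through as an accident. The operator spacing `&&!DeferredAuthentication.isDeferred(response)` should be `&& !DeferredAuthentication.isDeferred(response)` to match the rest of the file. validateRequest begins in the previous hunk and continues beyond this one.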
@@ -203,29 +209,34 @@ public class FormAuthenticator extends LoginAuthenticator
final String password = request.getParameter(__J_PASSWORD);
UserIdentity user = _loginService.login(username,password);
+ LOG.debug("jsecuritycheck {} {}",username,user);
if (user!=null)
{
- session=renewSessionOnAuthentication(request,response);
+ session=renewSession(request,response);
// Redirect to original request
String nuri;
+ FormAuthentication form_auth;
synchronized(session)
{
nuri = (String) session.getAttribute(__J_URI);
- }
- if (nuri == null || nuri.length() == 0)
- {
- nuri = request.getContextPath();
- if (nuri.length() == 0)
- nuri = URIUtil.SLASH;
+ if (nuri == null || nuri.length() == 0)
+ {
+ nuri = request.getContextPath();
+ if (nuri.length() == 0)
+ nuri = URIUtil.SLASH;
+ }
+
+ Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
+ session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
+ form_auth = new FormAuthentication(getAuthMethod(),user);
}
+ LOG.debug("authenticated {}->{}",form_auth,nuri);
+
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri));
-
- Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
- session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
- return new FormAuthentication(getAuthMethod(),user);
+ return form_auth;
}
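Review bot: The new debug lines log `username` unescaped — `LOG.debug("jsecuritycheck {} {}",username,user)` here, and the three `auth failed` lines in the hunks at `@@ -233,11 +244,13 @@` and `@@ -245,6 +258,7 @@` — while the existing failure log a few lines below wraps it in `StringUtil.printable(username)`. The value presumably comes from the request like `password` does at the top of this hunk, so the raw form lets a client place control characters or line breaks into the log; passing `StringUtil.printable(username)` in all four new calls keeps the logging consistent with the existing line. Separately, the `SessionAuthentication` now built under the session lock still receives the cleartext `password`; if that type retains it, the credential lives in the session for its lifetime and in any persisted session store, which deserves a comment at that call site. `form_auth` is a snake_case local in a camelCase file; `formAuth` would match the surrounding naming. validateRequest begins and ends outside this hunk.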
// not authenticated
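Review bot: The cached credential built at `new SessionAuthentication(getAuthMethod(),user,password)` keeps the cleartext `j_password` in the HTTP session for the session's whole lifetime, and because SessionAuthentication is Serializable it travels with the session on passivation or into any shared session store. That is evidently deliberate (its readObject re-runs login with the stored credential), but this line deserves a comment such as `// stores the raw password so the identity can be re-established after deserialization; treat session stores as credential stores`. The call to `renewSession(request,response)` before the attribute is set is the right order against session fixation, but it only changes the ID when `isSessionRenewedOnAuthentication()` is configured, which the comment should say as well. The enclosing try block and validateRequest continue outside the hunk.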
@@ -233,11 +244,13 @@ public class FormAuthenticator extends LoginAuthenticator
LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
if (_formErrorPage == null)
{
+ LOG.debug("auth failed {}->403",username);
if (response != null)
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
else if (_dispatch)
{
+ LOG.debug("auth failed {}=={}",username,_formErrorPage);
RequestDispatcher dispatcher = request.getRequestDispatcher(_formErrorPage);
response.setHeader(HttpHeader.CACHE_CONTROL.asString(),HttpHeaderValue.NO_CACHE.asString());
response.setDateHeader(HttpHeader.EXPIRES.asString(),1);
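Review bot: The added `LOG.debug("auth failed {}->403",username)` and `LOG.debug("auth failed {}=={}",username,_formErrorPage)` write the raw `j_username` parameter to the log, while the existing line just above deliberately passes it through `StringUtil.printable(username)` to strip control characters. Unless the logger is known to escape its arguments, CR/LF or terminal escape sequences in a submitted username would let a client forge or garble log lines; use `StringUtil.printable(username)` in the new calls as well (the `jsecuritycheck` line earlier in the method has the same issue). The if/else chain continues into the next hunk.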
@@ -245,6 +258,7 @@ public class FormAuthenticator extends LoginAuthenticator
}
else
{
+ LOG.debug("auth failed {}->{}",username,_formErrorPage);
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage)));
}
@@ -260,43 +274,51 @@ public class FormAuthenticator extends LoginAuthenticator
_loginService!=null &&
!_loginService.validate(((Authentication.User)authentication).getUserIdentity()))
{
-
+ LOG.debug("auth revoked {}",authentication);
session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
}
else
{
- String j_uri=(String)session.getAttribute(__J_URI);
- if (j_uri!=null)
+ synchronized (session)
{
- MultiMap j_post = (MultiMap)session.getAttribute(__J_POST);
- if (j_post!=null)
+ String j_uri=(String)session.getAttribute(__J_URI);
+ if (j_uri!=null)
{
- StringBuffer buf = request.getRequestURL();
- if (request.getQueryString() != null)
- buf.append("?").append(request.getQueryString());
-
- if (j_uri.equals(buf.toString()))
+ LOG.debug("auth retry {}->{}",authentication,j_uri);
+ MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(__J_POST);
+ if (j_post!=null)
{
- // This is a retry of an original POST request
- // so restore method and parameters
-
- session.removeAttribute(__J_POST);
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
- base_request.setMethod(HttpMethod.POST,HttpMethod.POST.asString());
- base_request.setParameters(j_post);
+ LOG.debug("auth rePOST {}->{}",authentication,j_uri);
+ StringBuffer buf = request.getRequestURL();
+ if (request.getQueryString() != null)
+ buf.append("?").append(request.getQueryString());
+
+ if (j_uri.equals(buf.toString()))
+ {
+ // This is a retry of an original POST request
+ // so restore method and parameters
+
+ session.removeAttribute(__J_POST);
+ Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
+ base_request.setMethod(HttpMethod.POST,HttpMethod.POST.asString());
+ base_request.setParameters(j_post);
+ }
}
+ else
+ session.removeAttribute(__J_URI);
}
- else
- session.removeAttribute(__J_URI);
-
}
+ LOG.debug("auth {}",authentication);
return authentication;
}
}
// if we can't send challenge
if (DeferredAuthentication.isDeferred(response))
+ {
+ LOG.debug("auth deferred {}",session.getId());
return Authentication.UNAUTHENTICATED;
+ }
// remember the current URI
synchronized (session)
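Review bot: `LOG.debug("auth deferred {}",session.getId())` writes the live session identifier to the log, and the two challenge lines later in this method do the same. A session ID is a bearer credential for as long as the session lives, so any log that contains it must be protected like the cookie itself; if an identifier is needed for correlation, log a hash or prefix, or something else entirely, e.g. `LOG.debug("auth deferred for {}", request.getRequestURI());`. The `auth {}` line also prints the Authentication object, and this same commit makes SessionAuthentication's toString include the session ID, so that path leaks it too. validateRequest continues outside this hunk.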
@@ -313,7 +335,7 @@ public class FormAuthenticator extends LoginAuthenticator
{
Request base_request = (req instanceof Request)?(Request)req:HttpChannel.getCurrentHttpChannel().getRequest();
base_request.extractParameters();
- session.setAttribute(__J_POST, new MultiMap(base_request.getParameters()));
+ session.setAttribute(__J_POST, new MultiMap<String>(base_request.getParameters()));
}
}
}
@@ -321,6 +343,7 @@ public class FormAuthenticator extends LoginAuthenticator
// send the the challenge
if (_dispatch)
{
+ LOG.debug("challenge {}=={}",session.getId(),_formLoginPage);
RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage);
response.setHeader(HttpHeader.CACHE_CONTROL.asString(),HttpHeaderValue.NO_CACHE.asString());
response.setDateHeader(HttpHeader.EXPIRES.asString(),1);
@@ -328,11 +351,10 @@ public class FormAuthenticator extends LoginAuthenticator
}
else
{
+ LOG.debug("challenge {}->{}",session.getId(),_formLoginPage);
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage)));
}
return Authentication.SEND_CONTINUE;
-
-
}
catch (IOException | ServletException e)
{
@@ -361,6 +383,7 @@ public class FormAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
+ @Override
public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
{
return true;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index c730a9bab5..d44a21ea9e 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -1,22 +1,23 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@@ -24,10 +25,14 @@ import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
public abstract class LoginAuthenticator implements Authenticator
{
- public final static String SESSION_SECURED="org.eclipse.jetty.security.secured";
+ private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);
+
protected final DeferredAuthentication _deferred=new DeferredAuthentication(this);
protected LoginService _loginService;
protected IdentityService _identityService;
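Review bot: Removing the public constant `SESSION_SECURED` from LoginAuthenticator is a source- and binary-incompatible change for any third-party Authenticator or session code that referenced it, and nothing in the hunk points readers to its replacement. If compatibility matters on this branch, keep a deprecated alias, `@Deprecated public final static String SESSION_SECURED = AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED;`, provided the two attributes really carry the same meaning, or at least document the rename in the class Javadoc. The new attribute's definition and value are outside this file, so I cannot confirm equivalence.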
@@ -47,40 +52,40 @@ public abstract class LoginAuthenticator implements Authenticator
throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
_renewSession=configuration.isSessionRenewedOnAuthentication();
}
-
+
public LoginService getLoginService()
{
return _loginService;
}
-
- /* ------------------------------------------------------------ */
- /** Change the session when the request is authenticated for the first time
+
+ /** Change the session id.
+ * The session is changed to a new instance with a new ID if and only if:<ul>
+ * <li>A session exists.
+ * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
+ * <li>The session ID has been given to unauthenticated responses
+ * </ul>
* @param request
* @param response
* @return The new session.
*/
- protected HttpSession renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response)
+ protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
{
HttpSession httpSession = request.getSession(false);
- if (_renewSession && httpSession!=null && httpSession.getAttribute(SESSION_SECURED)==null)
+
+ if (_renewSession && httpSession!=null)
{
- synchronized (this)
+ synchronized (httpSession)
{
- Map<String,Object> attributes = new HashMap<String, Object>();
- for (Enumeration<String> e=httpSession.getAttributeNames();e.hasMoreElements();)
+ //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
+ //(indicated by SESSION_SECURED not being set on the session) then we should change id
+ if (httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
{
- String name=e.nextElement();
- attributes.put(name,httpSession.getAttribute(name));
- httpSession.removeAttribute(name);
+ HttpSession newSession = AbstractSessionManager.renewSession(request, httpSession,true);
+ LOG.debug("renew {}->{}",httpSession.getId(),newSession.getId());
+ httpSession=newSession;
}
- httpSession.invalidate();
- httpSession = request.getSession(true);
- httpSession.setAttribute(SESSION_SECURED,Boolean.TRUE);
- for (Map.Entry<String, Object> entry: attributes.entrySet())
- httpSession.setAttribute(entry.getKey(),entry.getValue());
}
}
-
return httpSession;
}
}
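Review bot: The comment inside renewSession still says the condition is `indicated by SESSION_SECURED not being set on the session`, but the code now tests `AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED` and this commit deletes SESSION_SECURED from the class, so the comment should name the new attribute: `// renew if a session exists that may have been seen unauthenticated (SESSION_KNOWN_ONLY_TO_AUTHENTICATED not TRUE)`. The Javadoc could also state the security intent outright, e.g. `Changing the session ID at first authentication defeats session fixation; with isSessionRenewedOnAuthentication() false the pre-login ID is kept.` The `response` parameter is no longer used by the body, which is fine for signature stability but deserves a `@param response unused` note. Where the new attribute is set to TRUE is outside this file.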
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java
index 06a285c298..27fa01f8ab 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java
@@ -1,27 +1,31 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
import java.security.Principal;
-
import javax.security.auth.Subject;
/**
* This is similar to the jaspi PasswordValidationCallback but includes user
* principal and group info as well.
- *
+ *
* @version $Rev: 4792 $ $Date: 2009-03-18 22:55:52 +0100 (Wed, 18 Mar 2009) $
*/
public interface LoginCallback
@@ -31,7 +35,7 @@ public interface LoginCallback
public String getUserName();
public Object getCredential();
-
+
public boolean isSuccess();
public void setSuccess(boolean success);
@@ -41,10 +45,10 @@ public interface LoginCallback
public void setUserPrincipal(Principal userPrincipal);
public String[] getRoles();
-
+
public void setRoles(String[] roles);
-
+
public void clearPassword();
-
+
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java
index 0d3c299833..003ccbd09c 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java
@@ -1,20 +1,24 @@
-// ========================================================================
-// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
import java.security.Principal;
-
import javax.security.auth.Subject;
import org.eclipse.jetty.security.IdentityService;
@@ -22,7 +26,7 @@ import org.eclipse.jetty.security.IdentityService;
/**
* This is similar to the jaspi PasswordValidationCallback but includes user
* principal and group info as well.
- *
+ *
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
*/
public class LoginCallbackImpl implements LoginCallback
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index e63e597cca..7e7ec72d49 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security.authentication;
@@ -17,7 +22,6 @@ package org.eclipse.jetty.security.authentication;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
-
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionBindingEvent;
@@ -29,6 +33,7 @@ import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.UserIdentity.Scope;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@@ -38,17 +43,17 @@ public class SessionAuthentication implements Authentication.User, Serializable,
private static final long serialVersionUID = -4643200685888258706L;
-
+
public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity";
private final String _method;
private final String _name;
private final Object _credentials;
-
+
private transient UserIdentity _userIdentity;
private transient HttpSession _session;
-
+
public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials)
{
_method = method;
@@ -72,62 +77,66 @@ public class SessionAuthentication implements Authentication.User, Serializable,
return _userIdentity.isUserInRole(role, scope);
}
- private void readObject(ObjectInputStream stream)
- throws IOException, ClassNotFoundException
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException
{
stream.defaultReadObject();
-
+
SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
if (security==null)
throw new IllegalStateException("!SecurityHandler");
LoginService login_service=security.getLoginService();
if (login_service==null)
throw new IllegalStateException("!LoginService");
-
+
_userIdentity=login_service.login(_name,_credentials);
LOG.debug("Deserialized and relogged in {}",this);
}
-
+
public void logout()
{
if (_session!=null && _session.getAttribute(__J_AUTHENTICATED)!=null)
_session.removeAttribute(__J_AUTHENTICATED);
- else
+ else
doLogout();
}
-
+
private void doLogout()
{
SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
if (security!=null)
security.logout(this);
if (_session!=null)
- _session.removeAttribute(LoginAuthenticator.SESSION_SECURED);
+ _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
}
-
+
@Override
public String toString()
{
- return "Session"+super.toString();
+ return String.format("%s@%x{%s,%s}",this.getClass().getSimpleName(),hashCode(),_session==null?"-":_session.getId(),_userIdentity);
}
+ @Override
public void sessionWillPassivate(HttpSessionEvent se)
{
}
+ @Override
public void sessionDidActivate(HttpSessionEvent se)
{
if (_session==null)
_session=se.getSession();
}
+ @Override
public void valueBound(HttpSessionBindingEvent event)
{
}
+ @Override
public void valueUnbound(HttpSessionBindingEvent event)
{
doLogout();
}
-
-} \ No newline at end of file
+
+}
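Review bot: The new `toString()` embeds `_session.getId()`, and this same commit adds debug logging of Authentication objects in FormAuthenticator (`LOG.debug("auth {}",authentication)`), so the live session ID now reaches the log wherever a SessionAuthentication is printed. Since the ID is a bearer credential I would keep it out of toString, `return String.format("%s@%x{%s}",this.getClass().getSimpleName(),hashCode(),_userIdentity);`, or print only a hash or short prefix. Separately, readObject re-runs `login_service.login(_name,_credentials)` with the deserialized credential, which means the serialized session carries the password; a comment on the `_credentials` field stating that intent would help the next maintainer. The class header is outside the hunk.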
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
index dfe4192543..87193ba0cf 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
@@ -1,22 +1,24 @@
-package org.eclipse.jetty.security.authentication;
-//========================================================================
-//Copyright (c) Webtide LLC
-//------------------------------------------------------------------------
-//All rights reserved. This program and the accompanying materials
-//are made available under the terms of the Eclipse Public License v1.0
-//and Apache License v2.0 which accompanies this distribution.
//
-//The Eclipse Public License is available at
-//http://www.eclipse.org/legal/epl-v10.html
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
//
-//The Apache License v2.0 is available at
-//http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
//
-//You may elect to redistribute this code under either of these licenses.
-//========================================================================
-import java.io.IOException;
+package org.eclipse.jetty.security.authentication;
+import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
@@ -35,14 +37,14 @@ import org.eclipse.jetty.util.security.Constraint;
public class SpnegoAuthenticator extends LoginAuthenticator
{
private static final Logger LOG = Log.getLogger(SpnegoAuthenticator.class);
-
+
private String _authMethod = Constraint.__SPNEGO_AUTH;
-
+
public SpnegoAuthenticator()
{
-
+
}
-
+
/**
* Allow for a custom authMethod value to be set for instances where SPENGO may not be appropriate
* @param authMethod
@@ -51,24 +53,24 @@ public class SpnegoAuthenticator extends LoginAuthenticator
{
_authMethod = authMethod;
}
-
+
public String getAuthMethod()
{
return _authMethod;
}
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
- {
+ {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
-
+
String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());
if (!mandatory)
{
return _deferred;
}
-
+
// check to see if we have authorization headers required to continue
if ( header == null )
{
@@ -78,29 +80,29 @@ public class SpnegoAuthenticator extends LoginAuthenticator
{
return Authentication.UNAUTHENTICATED;
}
-
+
LOG.debug("SpengoAuthenticator: sending challenge");
res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return Authentication.SEND_CONTINUE;
- }
+ }
catch (IOException ioe)
{
throw new ServerAuthException(ioe);
- }
+ }
}
else if (header != null && header.startsWith(HttpHeader.NEGOTIATE.asString()))
{
String spnegoToken = header.substring(10);
-
+
UserIdentity user = _loginService.login(null,spnegoToken);
-
+
if ( user != null )
{
return new UserAuthentication(getAuthMethod(),user);
}
}
-
+
return Authentication.UNAUTHENTICATED;
}
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
index 52b35c8ad8..1d903c4ad0 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
@@ -1,15 +1,20 @@
-// ========================================================================
-// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
@@ -21,6 +26,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import java.util.concurrent.TimeUnit;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -85,6 +91,26 @@ public class ConstraintTest
RequestHandler _handler = new RequestHandler();
_security.setHandler(_handler);
+ _security.setConstraintMappings(getConstraintMappings(), getKnownRoles());
+ }
+
+ @After
+ public void stopServer() throws Exception
+ {
+ _server.stop();
+ }
+
+ public Set<String> getKnownRoles()
+ {
+ Set<String> knownRoles=new HashSet<>();
+ knownRoles.add("user");
+ knownRoles.add("administrator");
+
+ return knownRoles;
+ }
+
+ private List<ConstraintMapping> getConstraintMappings()
+ {
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(true);
constraint0.setName("forbid");
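Review bot: The two extracted helpers have inconsistent visibility: `public Set<String> getKnownRoles()` versus `private List<ConstraintMapping> getConstraintMappings()`, although both exist only to feed `setConstraintMappings` in setup. Unless another test class is meant to reuse the roles, make both private, `private Set<String> getKnownRoles()`, so the fixture does not look like API. The getConstraintMappings body continues into the next hunk.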
@@ -132,18 +158,7 @@ public class ConstraintTest
mapping5.setConstraint(constraint5);
mapping5.setMethod("POST");
-
- Set<String> knownRoles=new HashSet<>();
- knownRoles.add("user");
- knownRoles.add("administrator");
-
- _security.setConstraintMappings(Arrays.asList(mapping0, mapping1, mapping2, mapping3, mapping4, mapping5), knownRoles);
- }
-
- @After
- public void stopServer() throws Exception
- {
- _server.stop();
+ return Arrays.asList(mapping0, mapping1, mapping2, mapping3, mapping4, mapping5);
}
@Test
@@ -761,20 +776,22 @@ public class ConstraintTest
_security.setHandler(check);
_security.setAuthenticator(new BasicAuthenticator());
_security.setStrict(false);
+
_server.start();
String response;
- response = _connector.getResponses("GET /ctx/noauth/info HTTP/1.0\r\n\r\n");
+ response = _connector.getResponses("GET /ctx/noauth/info HTTP/1.0\r\n\r\n", 100000, TimeUnit.MILLISECONDS);
assertThat(response,startsWith("HTTP/1.1 200 OK"));
response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" +
"Authorization: Basic " + B64Code.encode("user2:password") + "\r\n" +
- "\r\n");
+ "\r\n", 100000, TimeUnit.MILLISECONDS);
assertThat(response,startsWith("HTTP/1.1 500 "));
_server.stop();
RoleRefHandler roleref = new RoleRefHandler();
+ roleref.setHandler(_security.getHandler());
_security.setHandler(roleref);
roleref.setHandler(check);
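Review bot: The added `roleref.setHandler(_security.getHandler());` is immediately superseded by the existing `roleref.setHandler(check);` two lines later, and `_security.getHandler()` is `check` at that point anyway (set at the top of the hunk), so the new line has no effect; delete it, or drop the later call, but not both. If it was meant to guard against _security's handler being something else after the stop/restart, a comment should say so. The 100000 ms timeouts newly passed to getResponses are fine for a test, but a named constant, `private static final long TIMEOUT_MS = 100000;`, would keep the three call sites consistent. The test method continues into the next hunk.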
@@ -782,7 +799,7 @@ public class ConstraintTest
response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" +
"Authorization: Basic " + B64Code.encode("user2:password") + "\r\n" +
- "\r\n");
+ "\r\n", 100000, TimeUnit.MILLISECONDS);
assertThat(response,startsWith("HTTP/1.1 200 OK"));
}
@@ -832,6 +849,7 @@ public class ConstraintTest
}
private class RequestHandler extends AbstractHandler
{
+ @Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response ) throws IOException, ServletException
{
baseRequest.setHandled(true);
@@ -863,16 +881,19 @@ public class ConstraintTest
UserIdentity.Scope scope = new UserIdentity.Scope()
{
+ @Override
public String getContextPath()
{
return "/";
}
+ @Override
public String getName()
{
return "someServlet";
}
+ @Override
public Map<String, String> getRoleRefMap()
{
Map<String, String> map = new HashMap<>();
@@ -896,6 +917,7 @@ public class ConstraintTest
private class RoleCheckHandler extends AbstractHandler
{
+ @Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response ) throws IOException, ServletException
{
((Request) request).setHandled(true);
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
index b477908ea9..321031f061 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
@@ -1,24 +1,25 @@
-// ========================================================================
-// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd.
-// ------------------------------------------------------------------------
-// All rights reserved. This program and the accompanying materials
-// are made available under the terms of the Eclipse Public License v1.0
-// and Apache License v2.0 which accompanies this distribution.
-// The Eclipse Public License is available at
-// http://www.eclipse.org/legal/epl-v10.html
-// The Apache License v2.0 is available at
-// http://www.opensource.org/licenses/apache2.0.php
-// You may elect to redistribute this code under either of these licenses.
-// ========================================================================
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
package org.eclipse.jetty.security;
-import static org.junit.Assert.assertThat;
-import static org.junit.matchers.JUnitMatchers.containsString;
-
import java.io.IOException;
import java.util.Arrays;
-
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -41,6 +42,9 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import static org.junit.Assert.assertThat;
+import static org.junit.matchers.JUnitMatchers.containsString;
+
/**
* @version $Revision: 1441 $ $Date: 2010-04-02 12:28:17 +0200 (Fri, 02 Apr 2010) $
*/
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java
index 3e70b3efbb..8b75805674 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/PropertyUserStoreTest.java
@@ -1,16 +1,22 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
+
package org.eclipse.jetty.security;
-//========================================================================
-//Copyright 2011-2012 Mort Bay Consulting Pty. Ltd.
-//------------------------------------------------------------------------
-//All rights reserved. This program and the accompanying materials
-//are made available under the terms of the Eclipse Public License v1.0
-//and Apache License v2.0 which accompanies this distribution.
-//The Eclipse Public License is available at
-//http://www.eclipse.org/legal/epl-v10.html
-//The Apache License v2.0 is available at
-//http://www.opensource.org/licenses/apache2.0.php
-//You may elect to redistribute this code under either of these licenses.
-//========================================================================
import java.io.BufferedWriter;
import java.io.File;
@@ -20,7 +26,6 @@ import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import junit.framework.Assert;
-
import org.eclipse.jetty.util.security.Credential;
import org.junit.After;
import org.junit.Before;
@@ -135,7 +140,7 @@ public class PropertyUserStoreTest
{
Thread.sleep(10);
}
-
+
Assert.assertNotNull("Failed to retrieve UserIdentity from PropertyUserStore directly", store.getUserIdentity("skip"));
Assert.assertEquals(4,userCount.get());
