diff options
Diffstat (limited to 'jetty-security/src/main/java/org/eclipse/jetty/security')
35 files changed, 857 insertions, 653 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java index 0f255300c8..c9ed72a86e 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java @@ -1,20 +1,24 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; import java.util.Set; - import javax.servlet.ServletContext; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; @@ -27,10 +31,10 @@ import org.eclipse.jetty.server.Server; * Authenticator Interface * <p> * An Authenticator is responsible for checking requests and sending - * response challenges in order to authenticate a request. + * response challenges in order to authenticate a request. * Various types of {@link Authentication} are returned in order to * signal the next step in authentication. - * + * * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ */ public interface Authenticator @@ -41,27 +45,27 @@ public interface Authenticator * @param configuration */ void setConfiguration(AuthConfiguration configuration); - + /* ------------------------------------------------------------ */ /** * @return The name of the authentication method */ String getAuthMethod(); - + /* ------------------------------------------------------------ */ /** Validate a response * @param request The request * @param response The response * @param mandatory True if authentication is mandatory. - * @return An Authentication. If Authentication is successful, this will be a {@link org.eclipse.jetty.server.Authentication.User}. If a response has + * @return An Authentication. If Authentication is successful, this will be a {@link org.eclipse.jetty.server.Authentication.User}. If a response has * been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will - * implement {@link org.eclipse.jetty.server.Authentication.ResponseSent}. If Authentication is not manditory, then a + * implement {@link org.eclipse.jetty.server.Authentication.ResponseSent}. If Authentication is not manditory, then a * {@link org.eclipse.jetty.server.Authentication.Deferred} may be returned. - * + * * @throws ServerAuthException */ Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException; - + /* ------------------------------------------------------------ */ /** * @param request @@ -72,33 +76,33 @@ public interface Authenticator * @throws ServerAuthException */ boolean secureResponse(ServletRequest request, ServletResponse response, boolean mandatory, User validatedUser) throws ServerAuthException; - - + + /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ - /** + /** * Authenticator Configuration */ interface AuthConfiguration { String getAuthMethod(); String getRealmName(); - + /** Get a SecurityHandler init parameter * @see SecurityHandler#getInitParameter(String) * @param param parameter name * @return Parameter value or null */ String getInitParameter(String param); - + /* ------------------------------------------------------------ */ /** Get a SecurityHandler init parameter names * @see SecurityHandler#getInitParameterNames() * @return Set of parameter names */ Set<String> getInitParameterNames(); - + LoginService getLoginService(); IdentityService getIdentityService(); boolean isSessionRenewedOnAuthentication(); @@ -107,7 +111,7 @@ public interface Authenticator /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ - /** + /** * Authenticator Factory */ interface Factory diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java index 2ec8d8db01..92c880a5b1 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintAware.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java index 36c82fe0d8..fee3836bbf 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintMapping.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java index 10f0050e68..d323fce2a7 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 1999-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; @@ -231,10 +236,8 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr @Override protected void doStop() throws Exception { - _constraintMap.clear(); - _constraintMappings.clear(); - _roles.clear(); super.doStop(); + _constraintMap.clear(); } protected void processConstraintMapping(ConstraintMapping mapping) diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java b/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java index 9e202beb9a..dba70232af 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java index 4dee1d083b..b04a78d4cc 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java index 2b2b746276..06e0f205c9 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java @@ -1,20 +1,24 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; import java.security.Principal; - import javax.security.auth.Subject; import org.eclipse.jetty.server.UserIdentity; @@ -26,7 +30,7 @@ import org.eclipse.jetty.server.UserIdentity; * This service handles only role reference maps passed in an * associated {@link org.eclipse.jetty.server.UserIdentity.Scope}. If there are roles * refs present, then associate will wrap the UserIdentity with one - * that uses the role references in the + * that uses the role references in the * {@link org.eclipse.jetty.server.UserIdentity#isUserInRole(String, org.eclipse.jetty.server.UserIdentity.Scope)} * implementation. All other operations are effectively noops. * @@ -37,10 +41,10 @@ public class DefaultIdentityService implements IdentityService public DefaultIdentityService() { } - + /* ------------------------------------------------------------ */ - /** - * If there are roles refs present in the scope, then wrap the UserIdentity + /** + * If there are roles refs present in the scope, then wrap the UserIdentity * with one that uses the role references in the {@link UserIdentity#isUserInRole(String, org.eclipse.jetty.server.UserIdentity.Scope)} */ public Object associate(UserIdentity user) @@ -49,7 +53,7 @@ public class DefaultIdentityService implements IdentityService } /* ------------------------------------------------------------ */ - public void disassociate(Object previous) + public void disassociate(Object previous) { } @@ -81,5 +85,5 @@ public class DefaultIdentityService implements IdentityService { return new DefaultUserIdentity(subject,userPrincipal,roles); } - + } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java index e9d2b9a7d3..ca196134ca 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java @@ -1,20 +1,24 @@ -// ======================================================================== -// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; import java.security.Principal; - import javax.security.auth.Subject; import org.eclipse.jetty.server.UserIdentity; @@ -26,11 +30,11 @@ import org.eclipse.jetty.server.UserIdentity; * */ public class DefaultUserIdentity implements UserIdentity -{ +{ private final Subject _subject; private final Principal _userPrincipal; private final String[] _roles; - + public DefaultUserIdentity(Subject subject, Principal userPrincipal, String[] roles) { _subject=subject; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java index 06c589b03a..38444236a5 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; @@ -17,7 +22,6 @@ import java.security.SecureRandom; import java.util.HashMap; import java.util.Map; import java.util.Random; - import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java index 34f7a5cede..7c4be2ddff 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 1996-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java index e05a000b2e..ac7d67b9d2 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java @@ -1,20 +1,24 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; import java.security.Principal; - import javax.security.auth.Subject; import org.eclipse.jetty.server.Request; @@ -23,26 +27,26 @@ import org.eclipse.jetty.server.UserIdentity; /* ------------------------------------------------------------ */ /** * Associates UserIdentities from with threads and UserIdentity.Contexts. - * + * */ public interface IdentityService { - final static String[] NO_ROLES = new String[]{}; - + final static String[] NO_ROLES = new String[]{}; + /* ------------------------------------------------------------ */ /** * Associate a user identity with the current thread. - * This is called with as a thread enters the + * This is called with as a thread enters the * {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)} * method and then again with a null argument as that call exits. * @param user The current user or null for no user to associated. * @return an object representing the previous associated state */ Object associate(UserIdentity user); - + /* ------------------------------------------------------------ */ - /** - * Disassociate the user identity from the current thread + /** + * Disassociate the user identity from the current thread * and restore previous identity. * @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)} */ @@ -56,7 +60,7 @@ public interface IdentityService * @return The previous runAsToken or null. */ Object setRunAs(UserIdentity user, RunAsToken token); - + /* ------------------------------------------------------------ */ /** * Disassociate the current runAsToken from the thread @@ -69,7 +73,7 @@ public interface IdentityService /** * Create a new UserIdentity for use with this identity service. * The UserIdentity should be immutable and able to be cached. - * + * * @param subject Subject to include in UserIdentity * @param userPrincipal Principal to include in UserIdentity. This will be returned from getUserPrincipal calls * @param roles set of roles to include in UserIdentity. diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java index 44e7ef078e..d01f2a9701 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2003-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java index 01675fe140..39567a25d0 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java index 5ca896fb15..9d7079ff3c 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; @@ -20,7 +25,6 @@ import java.security.Principal; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; - import javax.security.auth.Subject; import org.eclipse.jetty.server.UserIdentity; @@ -35,7 +39,7 @@ import org.eclipse.jetty.util.security.Credential; /** * A login service that keeps UserIdentities in a concurrent map * either as the source or a cache of the users. - * + * */ public abstract class MappedLoginService extends AbstractLifeCycle implements LoginService { @@ -49,7 +53,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo protected MappedLoginService() { } - + /* ------------------------------------------------------------ */ /** Get the name. * @return the name @@ -58,7 +62,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo { return _name; } - + /* ------------------------------------------------------------ */ /** Get the identityService. * @return the identityService @@ -67,7 +71,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo { return _identityService; } - + /* ------------------------------------------------------------ */ /** Get the users. * @return the users @@ -76,7 +80,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo { return _users; } - + /* ------------------------------------------------------------ */ /** Set the identityService. * @param identityService the identityService to set @@ -131,17 +135,17 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo /* ------------------------------------------------------------ */ public void logout(UserIdentity identity) - { + { LOG.debug("logout {}",identity); } - + /* ------------------------------------------------------------ */ @Override public String toString() { return this.getClass().getSimpleName()+"["+_name+"]"; } - + /* ------------------------------------------------------------ */ /** Put user into realm. * Called by implementations to put the user data loaded from @@ -158,7 +162,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo else { Credential credential = (info instanceof Credential)?(Credential)info:Credential.getCredential(info.toString()); - + Principal userPrincipal = new KnownUser(userName,credential); Subject subject = new Subject(); subject.getPrincipals().add(userPrincipal); @@ -166,11 +170,11 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo subject.setReadOnly(); identity=_identityService.newUserIdentity(subject,userPrincipal,IdentityService.NO_ROLES); } - + _users.put(userName,identity); return identity; } - + /* ------------------------------------------------------------ */ /** Put user into realm. * @param userName The user to add @@ -184,7 +188,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo Subject subject = new Subject(); subject.getPrincipals().add(userPrincipal); subject.getPrivateCredentials().add(credential); - + if (roles!=null) for (String role : roles) subject.getPrincipals().add(new RolePrincipal(role)); @@ -193,13 +197,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo UserIdentity identity=_identityService.newUserIdentity(subject,userPrincipal,roles); _users.put(userName,identity); return identity; - } - + } + /* ------------------------------------------------------------ */ public void removeUser(String username) { _users.remove(username); - } + } /* ------------------------------------------------------------ */ /** @@ -208,10 +212,10 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo public UserIdentity login(String username, Object credentials) { UserIdentity user = _users.get(username); - + if (user==null) user = loadUser(username); - + if (user!=null) { UserPrincipal principal = (UserPrincipal)user.getUserPrincipal(); @@ -226,16 +230,16 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo { if (_users.containsKey(user.getUserPrincipal().getName())) return true; - + if (loadUser(user.getUserPrincipal().getName())!=null) return true; - + return false; } /* ------------------------------------------------------------ */ protected abstract UserIdentity loadUser(String username); - + /* ------------------------------------------------------------ */ protected abstract void loadUsers() throws IOException; @@ -248,7 +252,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo boolean authenticate(Object credentials); public boolean isAuthenticated(); } - + /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ @@ -282,14 +286,14 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo { return "Anonymous"; } - + public boolean authenticate(Object credentials) { return false; } - + } - + /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ @@ -298,7 +302,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo private static final long serialVersionUID = -6226920753748399662L; private final String _name; private final Credential _credential; - + /* -------------------------------------------------------- */ public KnownUser(String name,Credential credential) { @@ -311,13 +315,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo { return _credential!=null && _credential.check(credentials); } - + /* ------------------------------------------------------------ */ public String getName() { return _name; } - + /* -------------------------------------------------------- */ public boolean isAuthenticated() { diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java index 1c95cc1a23..afff5c1033 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java @@ -1,16 +1,22 @@ +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// + package org.eclipse.jetty.security; -//======================================================================== -//Copyright 2011-2012 Mort Bay Consulting Pty. Ltd. -//------------------------------------------------------------------------ -//All rights reserved. This program and the accompanying materials -//are made available under the terms of the Eclipse Public License v1.0 -//and Apache License v2.0 which accompanies this distribution. -//The Eclipse Public License is available at -//http://www.eclipse.org/legal/epl-v10.html -//The Apache License v2.0 is available at -//http://www.opensource.org/licenses/apache2.0.php -//You may elect to redistribute this code under either of these licenses. -//======================================================================== import java.io.File; import java.io.FilenameFilter; @@ -24,7 +30,6 @@ import java.util.List; import java.util.Map; import java.util.Properties; import java.util.Set; - import javax.security.auth.Subject; import org.eclipse.jetty.security.MappedLoginService.KnownUser; @@ -40,16 +45,16 @@ import org.eclipse.jetty.util.security.Credential; /** * PropertyUserStore - * + * * This class monitors a property file of the format mentioned below and notifies registered listeners of the changes to the the given file. - * + * * <PRE> * username: password [,rolename ...] * </PRE> - * + * * Passwords may be clear text, obfuscated or checksummed. The class com.eclipse.Util.Password should be used to generate obfuscated passwords or password * checksums. - * + * * If DIGEST Authentication is used, the password must be in a recoverable format, either plain text or OBF:. */ public class PropertyUserStore extends AbstractLifeCycle @@ -78,7 +83,7 @@ public class PropertyUserStore extends AbstractLifeCycle { _config = config; } - + /* ------------------------------------------------------------ */ public UserIdentity getUserIdentity(String userName) { @@ -151,7 +156,7 @@ public class PropertyUserStore extends AbstractLifeCycle } known.add(username); Credential credential = Credential.getCredential(credentials); - + Principal userPrincipal = new KnownUser(username,credential); Subject subject = new Subject(); subject.getPrincipals().add(userPrincipal); @@ -164,9 +169,9 @@ public class PropertyUserStore extends AbstractLifeCycle subject.getPrincipals().add(new RolePrincipal(role)); } } - + subject.setReadOnly(); - + _knownUserIdentities.put(username,_identityService.newUserIdentity(subject,userPrincipal,roleArray)); notifyUpdate(username,credential,roleArray); } @@ -210,8 +215,8 @@ public class PropertyUserStore extends AbstractLifeCycle /** * Depending on the value of the refresh interval, this method will either start up a scanner thread that will monitor the properties file for changes after * it has initially loaded it. Otherwise the users will be loaded and there will be no active monitoring thread so changes will not be detected. - * - * + * + * * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart() */ protected void doStart() throws Exception @@ -294,7 +299,7 @@ public class PropertyUserStore extends AbstractLifeCycle /** * Notifies the registered listeners of potential updates to a user - * + * * @param username * @param credential * @param roleArray @@ -312,7 +317,7 @@ public class PropertyUserStore extends AbstractLifeCycle /** * notifies the registered listeners that a user has been removed. - * + * * @param username */ private void notifyRemove(String username) diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java index 35df88ce8f..de61c8b2e1 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java index 02ee2d20e0..7c1872a1ae 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/RoleRunAsToken.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java b/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java index 7bf84ccd87..a0793f7e89 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/RunAsToken.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java index 0baeef255b..19441d5b60 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; @@ -23,16 +28,20 @@ import java.util.Set; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSessionEvent; +import javax.servlet.http.HttpSessionListener; import org.eclipse.jetty.security.authentication.DeferredAuthentication; import org.eclipse.jetty.server.Authentication; import org.eclipse.jetty.server.Handler; +import org.eclipse.jetty.server.HttpChannel; import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Response; import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.server.handler.ContextHandler; import org.eclipse.jetty.server.handler.ContextHandler.Context; import org.eclipse.jetty.server.handler.HandlerWrapper; +import org.eclipse.jetty.server.session.AbstractSessionManager; import org.eclipse.jetty.util.component.LifeCycle; import org.eclipse.jetty.util.log.Log; import org.eclipse.jetty.util.log.Logger; @@ -285,6 +294,33 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti getInitParameter(name)==null) setInitParameter(name,context.getInitParameter(name)); } + + //register a session listener to handle securing sessions when authentication is performed + context.getContextHandler().addEventListener(new HttpSessionListener() + { + + public void sessionDestroyed(HttpSessionEvent se) + { + + } + + public void sessionCreated(HttpSessionEvent se) + { + //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user + HttpChannel channel = HttpChannel.getCurrentHttpChannel(); + + if (channel == null) + return; + Request request = channel.getRequest(); + if (request == null) + return; + + if (request.isSecure()) + { + se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE); + } + } + }); } // complicated resolution of login and identity service to handle diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java index d0f26943bf..546da84f6c 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ServerAuthException.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java index 77583395db..1e1bd6ab96 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java @@ -1,23 +1,24 @@ -// ======================================================================== -// Copyright (c) Webtide LLC -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. // -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. // -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== // -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== package org.eclipse.jetty.security; import java.util.Properties; - import javax.security.auth.Subject; import org.eclipse.jetty.server.UserIdentity; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java index 9d689ddfaa..c62610b462 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java @@ -1,23 +1,25 @@ -package org.eclipse.jetty.security; -//======================================================================== -//Copyright (c) Webtide LLC -//------------------------------------------------------------------------ -//All rights reserved. This program and the accompanying materials -//are made available under the terms of the Eclipse Public License v1.0 -//and Apache License v2.0 which accompanies this distribution. // -//The Eclipse Public License is available at -//http://www.eclipse.org/legal/epl-v10.html +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php // -//The Apache License v2.0 is available at -//http://www.opensource.org/licenses/apache2.0.php +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== // -//You may elect to redistribute this code under either of these licenses. -//======================================================================== + +package org.eclipse.jetty.security; import java.security.Principal; import java.util.List; - import javax.security.auth.Subject; import org.eclipse.jetty.server.UserIdentity; @@ -27,15 +29,15 @@ public class SpnegoUserIdentity implements UserIdentity private Subject _subject; private Principal _principal; private List<String> _roles; - + public SpnegoUserIdentity( Subject subject, Principal principal, List<String> roles ) { _subject = subject; _principal = principal; _roles = roles; } - - + + public Subject getSubject() { return _subject; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java index d3c31e684d..cdf1f1a1fb 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java @@ -1,15 +1,20 @@ -//======================================================================== -//Copyright 2011-2012 Mort Bay Consulting Pty. Ltd. -//------------------------------------------------------------------------ -//All rights reserved. This program and the accompanying materials -//are made available under the terms of the Eclipse Public License v1.0 -//and Apache License v2.0 which accompanies this distribution. -//The Eclipse Public License is available at -//http://www.eclipse.org/legal/epl-v10.html -//The Apache License v2.0 is available at -//http://www.opensource.org/licenses/apache2.0.php -//You may elect to redistribute this code under either of these licenses. -//======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java index da55e961c4..7846d8cfb7 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/UserAuthentication.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java b/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java index e1d4369242..508ffbc2e5 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/UserDataConstraint.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java index dec0ee78d1..96927abf98 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java @@ -1,20 +1,24 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; import java.io.IOException; - import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; @@ -33,13 +37,13 @@ import org.eclipse.jetty.util.security.Constraint; /** * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ */ -public class BasicAuthenticator extends LoginAuthenticator -{ +public class BasicAuthenticator extends LoginAuthenticator +{ /* ------------------------------------------------------------ */ public BasicAuthenticator() { } - + /* ------------------------------------------------------------ */ /** * @see org.eclipse.jetty.security.Authenticator#getAuthMethod() @@ -63,9 +67,9 @@ public class BasicAuthenticator extends LoginAuthenticator { if (!mandatory) return _deferred; - + if (credentials != null) - { + { int space=credentials.indexOf(' '); if (space>0) { @@ -83,7 +87,7 @@ public class BasicAuthenticator extends LoginAuthenticator UserIdentity user = _loginService.login(username,password); if (user!=null) { - renewSessionOnAuthentication(request,response); + renewSession(request,response); return new UserAuthentication(getAuthMethod(),user); } } @@ -93,7 +97,7 @@ public class BasicAuthenticator extends LoginAuthenticator if (_deferred.isDeferred(response)) return Authentication.UNAUTHENTICATED; - + response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "basic realm=\"" + _loginService.getName() + '"'); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return Authentication.SEND_CONTINUE; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java index 2522037550..0db6551c5a 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; @@ -19,7 +24,6 @@ import java.security.Principal; import java.security.cert.CRL; import java.security.cert.X509Certificate; import java.util.Collection; - import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; @@ -65,7 +69,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator private boolean _enableOCSP = false; /** Location of OCSP Responder */ private String _ocspResponderURL; - + public ClientCertAuthenticator() { super(); @@ -75,7 +79,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator { return Constraint.__CERT_AUTH; } - + /** * @return Authentication for request * @throws ServerAuthException @@ -84,7 +88,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator { if (!mandatory) return _deferred; - + HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); @@ -94,7 +98,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator // Need certificates. if (certs != null && certs.length > 0) { - + if (_validateCerts) { KeyStore trustStore = getKeyStore(null, @@ -104,7 +108,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator CertificateValidator validator = new CertificateValidator(trustStore, crls); validator.validate(certs); } - + for (X509Certificate cert: certs) { if (cert==null) @@ -119,18 +123,18 @@ public class ClientCertAuthenticator extends LoginAuthenticator UserIdentity user = _loginService.login(username,credential); if (user!=null) { - renewSessionOnAuthentication(request,response); + renewSession(request,response); return new UserAuthentication(getAuthMethod(),user); } } } - + if (!_deferred.isDeferred(response)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return Authentication.SEND_FAILURE; } - + return Authentication.UNAUTHENTICATED; } catch (Exception e) @@ -305,9 +309,9 @@ public class ClientCertAuthenticator extends LoginAuthenticator { _maxCertPathLength = maxCertPathLength; } - + /* ------------------------------------------------------------ */ - /** + /** * @return true if CRL Distribution Points support is enabled */ public boolean isEnableCRLDP() @@ -325,7 +329,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator } /* ------------------------------------------------------------ */ - /** + /** * @return true if On-Line Certificate Status Protocol support is enabled */ public boolean isEnableOCSP() @@ -343,7 +347,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator } /* ------------------------------------------------------------ */ - /** + /** * @return Location of the OCSP Responder */ public String getOcspResponderURL() diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java index bab7e9b0ba..d3435d3f60 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; @@ -19,7 +24,6 @@ import java.io.PrintWriter; import java.util.Collection; import java.util.Collections; import java.util.Locale; - import javax.servlet.ServletOutputStream; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; @@ -55,7 +59,7 @@ public class DeferredAuthentication implements Authentication.Deferred throw new NullPointerException("No Authenticator"); this._authenticator = authenticator; } - + /* ------------------------------------------------------------ */ public DeferredAuthentication(LoginAuthenticator authenticator) { @@ -63,7 +67,7 @@ public class DeferredAuthentication implements Authentication.Deferred throw new NullPointerException("No Authenticator"); this._authenticator = authenticator; } - + /* ------------------------------------------------------------ */ /** Get the identityService. * @return the identityService @@ -103,7 +107,7 @@ public class DeferredAuthentication implements Authentication.Deferred try { Authentication authentication = _authenticator.validateRequest(request,__deferredResponse,true); - + if (authentication!=null && (authentication instanceof Authentication.User) && !(authentication instanceof Authentication.ResponseSent)) { if (_identityService!=null) @@ -117,7 +121,7 @@ public class DeferredAuthentication implements Authentication.Deferred } return this; } - + /* ------------------------------------------------------------ */ /** * @see org.eclipse.jetty.server.Authentication.Deferred#authenticate(javax.servlet.ServletRequest, javax.servlet.ServletResponse) @@ -173,7 +177,7 @@ public class DeferredAuthentication implements Authentication.Deferred { return response==__deferredResponse; } - + /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */ @@ -362,5 +366,5 @@ public class DeferredAuthentication implements Authentication.Deferred } }; - + } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java index 505831963b..ba3e964b9f 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; @@ -21,7 +26,6 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentLinkedQueue; import java.util.concurrent.ConcurrentMap; import java.util.concurrent.atomic.AtomicInteger; - import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; @@ -46,8 +50,8 @@ import org.eclipse.jetty.util.security.Credential; /** * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ - * - * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)} + * + * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)} * using the name "maxNonceAge" */ public class DigestAuthenticator extends LoginAuthenticator @@ -83,7 +87,7 @@ public class DigestAuthenticator extends LoginAuthenticator public void setConfiguration(AuthConfiguration configuration) { super.setConfiguration(configuration); - + String mna=configuration.getInitParameter("maxNonceAge"); if (mna!=null) { @@ -93,7 +97,7 @@ public class DigestAuthenticator extends LoginAuthenticator } } } - + /* ------------------------------------------------------------ */ public synchronized void setMaxNonceAge(long maxNonceAgeInMillis) { @@ -117,7 +121,7 @@ public class DigestAuthenticator extends LoginAuthenticator { if (!mandatory) return _deferred; - + HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString()); @@ -127,7 +131,7 @@ public class DigestAuthenticator extends LoginAuthenticator boolean stale = false; if (credentials != null) { - if (LOG.isDebugEnabled()) + if (LOG.isDebugEnabled()) LOG.debug("Credentials: " + credentials); QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false); final Digest digest = new Digest(request.getMethod()); @@ -169,7 +173,7 @@ public class DigestAuthenticator extends LoginAuthenticator digest.qop = tok; else if ("uri".equalsIgnoreCase(name)) digest.uri = tok; - else if ("response".equalsIgnoreCase(name)) + else if ("response".equalsIgnoreCase(name)) digest.response = tok; name=null; } @@ -183,11 +187,11 @@ public class DigestAuthenticator extends LoginAuthenticator UserIdentity user = _loginService.login(digest.username,digest); if (user!=null) { - renewSessionOnAuthentication(request,response); + renewSession(request,response); return new UserAuthentication(getAuthMethod(),user); } } - else if (n == 0) + else if (n == 0) stale = true; } @@ -195,7 +199,7 @@ public class DigestAuthenticator extends LoginAuthenticator if (!_deferred.isDeferred(response)) { String domain = request.getContextPath(); - if (domain == null) + if (domain == null) domain = "/"; response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + _loginService.getName() + "\", domain=\"" @@ -222,7 +226,7 @@ public class DigestAuthenticator extends LoginAuthenticator public String newNonce(Request request) { Nonce nonce; - + do { byte[] nounce = new byte[24]; @@ -232,7 +236,7 @@ public class DigestAuthenticator extends LoginAuthenticator } while (_nonceCount.putIfAbsent(nonce._nonce,nonce)!=null); _nonceQueue.add(nonce); - + return nonce._nonce; } @@ -250,7 +254,7 @@ public class DigestAuthenticator extends LoginAuthenticator { expired = request.getTimeStamp()-_maxNonceAgeMs; } - + Nonce nonce=_nonceQueue.peek(); while (nonce!=null && nonce._ts<expired) { @@ -258,14 +262,14 @@ public class DigestAuthenticator extends LoginAuthenticator _nonceCount.remove(nonce._nonce); nonce=_nonceQueue.peek(); } - - + + try { nonce = _nonceCount.get(digest.nonce); if (nonce==null) return 0; - + long count = Long.parseLong(digest.nc,16); if (count>Integer.MAX_VALUE) return 0; @@ -274,7 +278,7 @@ public class DigestAuthenticator extends LoginAuthenticator old=nonce._nc.get(); if (count<=old) return -1; - + return 1; } catch (Exception e) diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java index 26196b7119..ce758f5be7 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java @@ -1,22 +1,26 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; import java.io.IOException; import java.util.Collections; import java.util.Enumeration; - import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -134,6 +138,7 @@ public class FormAuthenticator extends LoginAuthenticator } /* ------------------------------------------------------------ */ + @Override public String getAuthMethod() { return Constraint.__FORM_AUTH; @@ -177,6 +182,7 @@ public class FormAuthenticator extends LoginAuthenticator } /* ------------------------------------------------------------ */ + @Override public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException { HttpServletRequest request = (HttpServletRequest)req; @@ -189,8 +195,8 @@ public class FormAuthenticator extends LoginAuthenticator if (!mandatory) return _deferred; - if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo()))) - return Authentication.NOT_CHECKED; + if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())) &&!DeferredAuthentication.isDeferred(response)) + return _deferred; HttpSession session = request.getSession(true); @@ -203,29 +209,34 @@ public class FormAuthenticator extends LoginAuthenticator final String password = request.getParameter(__J_PASSWORD); UserIdentity user = _loginService.login(username,password); + LOG.debug("jsecuritycheck {} {}",username,user); if (user!=null) { - session=renewSessionOnAuthentication(request,response); + session=renewSession(request,response); // Redirect to original request String nuri; + FormAuthentication form_auth; synchronized(session) { nuri = (String) session.getAttribute(__J_URI); - } - if (nuri == null || nuri.length() == 0) - { - nuri = request.getContextPath(); - if (nuri.length() == 0) - nuri = URIUtil.SLASH; + if (nuri == null || nuri.length() == 0) + { + nuri = request.getContextPath(); + if (nuri.length() == 0) + nuri = URIUtil.SLASH; + } + + Authentication cached=new SessionAuthentication(getAuthMethod(),user,password); + session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached); + form_auth = new FormAuthentication(getAuthMethod(),user); } + LOG.debug("authenticated {}->{}",form_auth,nuri); + response.setContentLength(0); response.sendRedirect(response.encodeRedirectURL(nuri)); - - Authentication cached=new SessionAuthentication(getAuthMethod(),user,password); - session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached); - return new FormAuthentication(getAuthMethod(),user); + return form_auth; } // not authenticated @@ -233,11 +244,13 @@ public class FormAuthenticator extends LoginAuthenticator LOG.debug("Form authentication FAILED for " + StringUtil.printable(username)); if (_formErrorPage == null) { + LOG.debug("auth failed {}->403",username); if (response != null) response.sendError(HttpServletResponse.SC_FORBIDDEN); } else if (_dispatch) { + LOG.debug("auth failed {}=={}",username,_formErrorPage); RequestDispatcher dispatcher = request.getRequestDispatcher(_formErrorPage); response.setHeader(HttpHeader.CACHE_CONTROL.asString(),HttpHeaderValue.NO_CACHE.asString()); response.setDateHeader(HttpHeader.EXPIRES.asString(),1); @@ -245,6 +258,7 @@ public class FormAuthenticator extends LoginAuthenticator } else { + LOG.debug("auth failed {}->{}",username,_formErrorPage); response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage))); } @@ -260,43 +274,51 @@ public class FormAuthenticator extends LoginAuthenticator _loginService!=null && !_loginService.validate(((Authentication.User)authentication).getUserIdentity())) { - + LOG.debug("auth revoked {}",authentication); session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED); } else { - String j_uri=(String)session.getAttribute(__J_URI); - if (j_uri!=null) + synchronized (session) { - MultiMap j_post = (MultiMap)session.getAttribute(__J_POST); - if (j_post!=null) + String j_uri=(String)session.getAttribute(__J_URI); + if (j_uri!=null) { - StringBuffer buf = request.getRequestURL(); - if (request.getQueryString() != null) - buf.append("?").append(request.getQueryString()); - - if (j_uri.equals(buf.toString())) + LOG.debug("auth retry {}->{}",authentication,j_uri); + MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(__J_POST); + if (j_post!=null) { - // This is a retry of an original POST request - // so restore method and parameters - - session.removeAttribute(__J_POST); - Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); - base_request.setMethod(HttpMethod.POST,HttpMethod.POST.asString()); - base_request.setParameters(j_post); + LOG.debug("auth rePOST {}->{}",authentication,j_uri); + StringBuffer buf = request.getRequestURL(); + if (request.getQueryString() != null) + buf.append("?").append(request.getQueryString()); + + if (j_uri.equals(buf.toString())) + { + // This is a retry of an original POST request + // so restore method and parameters + + session.removeAttribute(__J_POST); + Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); + base_request.setMethod(HttpMethod.POST,HttpMethod.POST.asString()); + base_request.setParameters(j_post); + } } + else + session.removeAttribute(__J_URI); } - else - session.removeAttribute(__J_URI); - } + LOG.debug("auth {}",authentication); return authentication; } } // if we can't send challenge if (DeferredAuthentication.isDeferred(response)) + { + LOG.debug("auth deferred {}",session.getId()); return Authentication.UNAUTHENTICATED; + } // remember the current URI synchronized (session) @@ -313,7 +335,7 @@ public class FormAuthenticator extends LoginAuthenticator { Request base_request = (req instanceof Request)?(Request)req:HttpChannel.getCurrentHttpChannel().getRequest(); base_request.extractParameters(); - session.setAttribute(__J_POST, new MultiMap(base_request.getParameters())); + session.setAttribute(__J_POST, new MultiMap<String>(base_request.getParameters())); } } } @@ -321,6 +343,7 @@ public class FormAuthenticator extends LoginAuthenticator // send the the challenge if (_dispatch) { + LOG.debug("challenge {}=={}",session.getId(),_formLoginPage); RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage); response.setHeader(HttpHeader.CACHE_CONTROL.asString(),HttpHeaderValue.NO_CACHE.asString()); response.setDateHeader(HttpHeader.EXPIRES.asString(),1); @@ -328,11 +351,10 @@ public class FormAuthenticator extends LoginAuthenticator } else { + LOG.debug("challenge {}->{}",session.getId(),_formLoginPage); response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage))); } return Authentication.SEND_CONTINUE; - - } catch (IOException | ServletException e) { @@ -361,6 +383,7 @@ public class FormAuthenticator extends LoginAuthenticator } /* ------------------------------------------------------------ */ + @Override public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException { return true; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java index c730a9bab5..d44a21ea9e 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java @@ -1,22 +1,23 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.Map; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; @@ -24,10 +25,14 @@ import javax.servlet.http.HttpSession; import org.eclipse.jetty.security.Authenticator; import org.eclipse.jetty.security.IdentityService; import org.eclipse.jetty.security.LoginService; +import org.eclipse.jetty.server.session.AbstractSessionManager; +import org.eclipse.jetty.util.log.Log; +import org.eclipse.jetty.util.log.Logger; public abstract class LoginAuthenticator implements Authenticator { - public final static String SESSION_SECURED="org.eclipse.jetty.security.secured"; + private static final Logger LOG = Log.getLogger(LoginAuthenticator.class); + protected final DeferredAuthentication _deferred=new DeferredAuthentication(this); protected LoginService _loginService; protected IdentityService _identityService; @@ -47,40 +52,40 @@ public abstract class LoginAuthenticator implements Authenticator throw new IllegalStateException("No IdentityService for "+this+" in "+configuration); _renewSession=configuration.isSessionRenewedOnAuthentication(); } - + public LoginService getLoginService() { return _loginService; } - - /* ------------------------------------------------------------ */ - /** Change the session when the request is authenticated for the first time + + /** Change the session id. + * The session is changed to a new instance with a new ID if and only if:<ul> + * <li>A session exists. + * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true. + * <li>The session ID has been given to unauthenticated responses + * </ul> * @param request * @param response * @return The new session. */ - protected HttpSession renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response) + protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response) { HttpSession httpSession = request.getSession(false); - if (_renewSession && httpSession!=null && httpSession.getAttribute(SESSION_SECURED)==null) + + if (_renewSession && httpSession!=null) { - synchronized (this) + synchronized (httpSession) { - Map<String,Object> attributes = new HashMap<String, Object>(); - for (Enumeration<String> e=httpSession.getAttributeNames();e.hasMoreElements();) + //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users + //(indicated by SESSION_SECURED not being set on the session) then we should change id + if (httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE) { - String name=e.nextElement(); - attributes.put(name,httpSession.getAttribute(name)); - httpSession.removeAttribute(name); + HttpSession newSession = AbstractSessionManager.renewSession(request, httpSession,true); + LOG.debug("renew {}->{}",httpSession.getId(),newSession.getId()); + httpSession=newSession; } - httpSession.invalidate(); - httpSession = request.getSession(true); - httpSession.setAttribute(SESSION_SECURED,Boolean.TRUE); - for (Map.Entry<String, Object> entry: attributes.entrySet()) - httpSession.setAttribute(entry.getKey(),entry.getValue()); } } - return httpSession; } } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java index 06a285c298..27fa01f8ab 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java @@ -1,27 +1,31 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; import java.security.Principal; - import javax.security.auth.Subject; /** * This is similar to the jaspi PasswordValidationCallback but includes user * principal and group info as well. - * + * * @version $Rev: 4792 $ $Date: 2009-03-18 22:55:52 +0100 (Wed, 18 Mar 2009) $ */ public interface LoginCallback @@ -31,7 +35,7 @@ public interface LoginCallback public String getUserName(); public Object getCredential(); - + public boolean isSuccess(); public void setSuccess(boolean success); @@ -41,10 +45,10 @@ public interface LoginCallback public void setUserPrincipal(Principal userPrincipal); public String[] getRoles(); - + public void setRoles(String[] roles); - + public void clearPassword(); - + } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java index 0d3c299833..003ccbd09c 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java @@ -1,20 +1,24 @@ -// ======================================================================== -// Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; import java.security.Principal; - import javax.security.auth.Subject; import org.eclipse.jetty.security.IdentityService; @@ -22,7 +26,7 @@ import org.eclipse.jetty.security.IdentityService; /** * This is similar to the jaspi PasswordValidationCallback but includes user * principal and group info as well. - * + * * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $ */ public class LoginCallbackImpl implements LoginCallback diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java index e63e597cca..7e7ec72d49 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java @@ -1,15 +1,20 @@ -// ======================================================================== -// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== +// +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== +// package org.eclipse.jetty.security.authentication; @@ -17,7 +22,6 @@ package org.eclipse.jetty.security.authentication; import java.io.IOException; import java.io.ObjectInputStream; import java.io.Serializable; - import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSessionActivationListener; import javax.servlet.http.HttpSessionBindingEvent; @@ -29,6 +33,7 @@ import org.eclipse.jetty.security.SecurityHandler; import org.eclipse.jetty.server.Authentication; import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.server.UserIdentity.Scope; +import org.eclipse.jetty.server.session.AbstractSessionManager; import org.eclipse.jetty.util.log.Log; import org.eclipse.jetty.util.log.Logger; @@ -38,17 +43,17 @@ public class SessionAuthentication implements Authentication.User, Serializable, private static final long serialVersionUID = -4643200685888258706L; - + public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity"; private final String _method; private final String _name; private final Object _credentials; - + private transient UserIdentity _userIdentity; private transient HttpSession _session; - + public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials) { _method = method; @@ -72,62 +77,66 @@ public class SessionAuthentication implements Authentication.User, Serializable, return _userIdentity.isUserInRole(role, scope); } - private void readObject(ObjectInputStream stream) - throws IOException, ClassNotFoundException + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { stream.defaultReadObject(); - + SecurityHandler security=SecurityHandler.getCurrentSecurityHandler(); if (security==null) throw new IllegalStateException("!SecurityHandler"); LoginService login_service=security.getLoginService(); if (login_service==null) throw new IllegalStateException("!LoginService"); - + _userIdentity=login_service.login(_name,_credentials); LOG.debug("Deserialized and relogged in {}",this); } - + public void logout() { if (_session!=null && _session.getAttribute(__J_AUTHENTICATED)!=null) _session.removeAttribute(__J_AUTHENTICATED); - else + else doLogout(); } - + private void doLogout() { SecurityHandler security=SecurityHandler.getCurrentSecurityHandler(); if (security!=null) security.logout(this); if (_session!=null) - _session.removeAttribute(LoginAuthenticator.SESSION_SECURED); + _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED); } - + @Override public String toString() { - return "Session"+super.toString(); + return String.format("%s@%x{%s,%s}",this.getClass().getSimpleName(),hashCode(),_session==null?"-":_session.getId(),_userIdentity); } + @Override public void sessionWillPassivate(HttpSessionEvent se) { } + @Override public void sessionDidActivate(HttpSessionEvent se) { if (_session==null) _session=se.getSession(); } + @Override public void valueBound(HttpSessionBindingEvent event) { } + @Override public void valueUnbound(HttpSessionBindingEvent event) { doLogout(); } - -}
\ No newline at end of file + +} diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java index dfe4192543..87193ba0cf 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java @@ -1,22 +1,24 @@ -package org.eclipse.jetty.security.authentication; -//======================================================================== -//Copyright (c) Webtide LLC -//------------------------------------------------------------------------ -//All rights reserved. This program and the accompanying materials -//are made available under the terms of the Eclipse Public License v1.0 -//and Apache License v2.0 which accompanies this distribution. // -//The Eclipse Public License is available at -//http://www.eclipse.org/legal/epl-v10.html +// ======================================================================== +// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php // -//The Apache License v2.0 is available at -//http://www.opensource.org/licenses/apache2.0.php +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== // -//You may elect to redistribute this code under either of these licenses. -//======================================================================== -import java.io.IOException; +package org.eclipse.jetty.security.authentication; +import java.io.IOException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; @@ -35,14 +37,14 @@ import org.eclipse.jetty.util.security.Constraint; public class SpnegoAuthenticator extends LoginAuthenticator { private static final Logger LOG = Log.getLogger(SpnegoAuthenticator.class); - + private String _authMethod = Constraint.__SPNEGO_AUTH; - + public SpnegoAuthenticator() { - + } - + /** * Allow for a custom authMethod value to be set for instances where SPENGO may not be appropriate * @param authMethod @@ -51,24 +53,24 @@ public class SpnegoAuthenticator extends LoginAuthenticator { _authMethod = authMethod; } - + public String getAuthMethod() { return _authMethod; } public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException - { + { HttpServletRequest req = (HttpServletRequest)request; HttpServletResponse res = (HttpServletResponse)response; - + String header = req.getHeader(HttpHeader.AUTHORIZATION.asString()); if (!mandatory) { return _deferred; } - + // check to see if we have authorization headers required to continue if ( header == null ) { @@ -78,29 +80,29 @@ public class SpnegoAuthenticator extends LoginAuthenticator { return Authentication.UNAUTHENTICATED; } - + LOG.debug("SpengoAuthenticator: sending challenge"); res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString()); res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return Authentication.SEND_CONTINUE; - } + } catch (IOException ioe) { throw new ServerAuthException(ioe); - } + } } else if (header != null && header.startsWith(HttpHeader.NEGOTIATE.asString())) { String spnegoToken = header.substring(10); - + UserIdentity user = _loginService.login(null,spnegoToken); - + if ( user != null ) { return new UserAuthentication(getAuthMethod(),user); } } - + return Authentication.UNAUTHENTICATED; } |