Diffstat (limited to 'jetty-security/src/main/java/org/eclipse/jetty/security')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java30
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java212
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java12
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java4
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java18
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java54
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java24
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java194
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java54
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java6
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java12
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java19
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java21
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java46
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java44
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java178
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java44
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java10
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java34
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java39
21 files changed, 557 insertions, 500 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
index 8b19ba799c..2e079db390 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
@@ -32,10 +32,10 @@ import org.eclipse.jetty.server.Server;
* Authenticator Interface
* <p>
* An Authenticator is responsible for checking requests and sending
- * response challenges in order to authenticate a request.
+ * response challenges in order to authenticate a request.
* Various types of {@link Authentication} are returned in order to
* signal the next step in authentication.
- *
+ *
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
*/
public interface Authenticator
@@ -46,27 +46,27 @@ public interface Authenticator
* @param configuration
*/
void setConfiguration(AuthConfiguration configuration);
-
+
/* ------------------------------------------------------------ */
/**
* @return The name of the authentication method
*/
String getAuthMethod();
-
+
/* ------------------------------------------------------------ */
/** Validate a response
* @param request The request
* @param response The response
* @param mandatory True if authentication is mandatory.
- * @return An Authentication. If Authentication is successful, this will be a {@link org.eclipse.jetty.server.Authentication.User}. If a response has
+ * @return An Authentication. If Authentication is successful, this will be a {@link org.eclipse.jetty.server.Authentication.User}. If a response has
* been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will
- * implement {@link org.eclipse.jetty.server.Authentication.ResponseSent}. If Authentication is not manditory, then a
+ * implement {@link org.eclipse.jetty.server.Authentication.ResponseSent}. If Authentication is not manditory, then a
* {@link org.eclipse.jetty.server.Authentication.Deferred} may be returned.
- *
+ *
* @throws ServerAuthException
*/
Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException;
-
+
/* ------------------------------------------------------------ */
/**
* @param request
@@ -77,33 +77,33 @@ public interface Authenticator
* @throws ServerAuthException
*/
boolean secureResponse(ServletRequest request, ServletResponse response, boolean mandatory, User validatedUser) throws ServerAuthException;
-
-
+
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
- /**
+ /**
* Authenticator Configuration
*/
interface AuthConfiguration
{
String getAuthMethod();
String getRealmName();
-
+
/** Get a SecurityHandler init parameter
* @see SecurityHandler#getInitParameter(String)
* @param param parameter name
* @return Parameter value or null
*/
String getInitParameter(String param);
-
+
/* ------------------------------------------------------------ */
/** Get a SecurityHandler init parameter names
* @see SecurityHandler#getInitParameterNames()
* @return Set of parameter names
*/
Set<String> getInitParameterNames();
-
+
LoginService getLoginService();
IdentityService getIdentityService();
boolean isSessionRenewedOnAuthentication();
@@ -112,7 +112,7 @@ public interface Authenticator
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
- /**
+ /**
* Authenticator Factory
*/
interface Factory
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index c1f147a4c2..fd9a415d66 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
@@ -31,40 +32,37 @@ import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
-import org.eclipse.jetty.http.HttpSchemes;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
+import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http.PathMap;
-import org.eclipse.jetty.server.AbstractHttpConnection;
-import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.HttpChannel;
+import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
-import org.eclipse.jetty.util.StringMap;
-import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.security.Constraint;
/* ------------------------------------------------------------ */
/**
* Handler to enforce SecurityConstraints. This implementation is servlet spec
- * 3.0 compliant and precomputes the constraint combinations for runtime
+ * 3.0 compliant and pre-computes the constraint combinations for runtime
* efficiency.
*
*/
public class ConstraintSecurityHandler extends SecurityHandler implements ConstraintAware
{
private static final String OMISSION_SUFFIX = ".omission";
-
- private final List<ConstraintMapping> _constraintMappings= new CopyOnWriteArrayList<ConstraintMapping>();
- private final Set<String> _roles = new CopyOnWriteArraySet<String>();
- private final PathMap _constraintMap = new PathMap();
+ private static final String ALL_METHODS = "*";
+ private final List<ConstraintMapping> _constraintMappings= new CopyOnWriteArrayList<>();
+ private final Set<String> _roles = new CopyOnWriteArraySet<>();
+ private final PathMap<Map<String, RoleInfo>> _constraintMap = new PathMap<>();
private boolean _strict = true;
-
-
+
/* ------------------------------------------------------------ */
/**
* @return
@@ -265,11 +263,12 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
//See spec 13.4.1.2 p127 - add an omission for every method name to the default constraint
if (methodOmissions.size() > 0)
defaultMapping.setMethodOmissions(methodOmissions.toArray(new String[methodOmissions.size()]));
-
+
return mappings;
}
+
/* ------------------------------------------------------------ */
/** Get the strict mode.
* @return true if the security handler is running in strict mode.
@@ -304,12 +303,14 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
/**
* @return Returns the constraintMappings.
*/
+ @Override
public List<ConstraintMapping> getConstraintMappings()
{
return _constraintMappings;
}
/* ------------------------------------------------------------ */
+ @Override
public Set<String> getRoles()
{
return _roles;
@@ -351,6 +352,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
* The constraintMappings to set.
* @param roles The known roles (or null to determine them from the mappings)
*/
+ @Override
public void setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)
{
_constraintMappings.clear();
@@ -358,14 +360,14 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
if (roles==null)
{
- roles = new HashSet<String>();
+ roles = new HashSet<>();
for (ConstraintMapping cm : constraintMappings)
{
String[] cmr = cm.getConstraint().getRoles();
if (cmr!=null)
{
for (String r : cmr)
- if (!"*".equals(r))
+ if (!ALL_METHODS.equals(r))
roles.add(r);
}
}
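Review bot: `if (!ALL_METHODS.equals(r))` in the role-collection loop reuses a constant whose name says "HTTP methods" to test the `*` role wildcard, so a reader now has to know that the two wildcards merely happen to share a spelling. Give the role wildcard its own name, e.g. `private static final String ANY_ROLE = "*";` and test `if (!ANY_ROLE.equals(r))`, so the two meanings can diverge later without silently changing this check. setConstraintMappings continues past the end of the hunk.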
@@ -401,6 +403,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
/**
* @see org.eclipse.jetty.security.ConstraintAware#addConstraintMapping(org.eclipse.jetty.security.ConstraintMapping)
*/
+ @Override
public void addConstraintMapping(ConstraintMapping mapping)
{
_constraintMappings.add(mapping);
@@ -418,13 +421,14 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
/**
* @see org.eclipse.jetty.security.ConstraintAware#addRole(java.lang.String)
*/
+ @Override
public void addRole(String role)
{
boolean modified = _roles.add(role);
- if (isStarted() && modified && _strict)
+ if (isStarted() && modified && isStrict())
{
// Add the new role to currently defined any role role infos
- for (Map<String,RoleInfo> map : (Collection<Map<String,RoleInfo>>)_constraintMap.values())
+ for (Map<String,RoleInfo> map : _constraintMap.values())
{
for (RoleInfo info : map.values())
{
@@ -458,10 +462,8 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
@Override
protected void doStop() throws Exception
{
- _constraintMap.clear();
- _constraintMappings.clear();
- _roles.clear();
super.doStop();
+ _constraintMap.clear();
}
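Review bot: doStop now retains `_constraintMappings` and `_roles` across a stop and only drops the pre-computed `_constraintMap`, but nothing records why this differs from the previous full clear. If the intent is that a restart re-derives `_constraintMap` from the retained mappings and roles (presumably in doStart, which is not in this hunk), a one-line comment such as `// keep mappings/roles: doStart() re-derives _constraintMap from them on restart` would stop the next maintainer from "fixing" it back to the old behaviour.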
@@ -474,24 +476,25 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
*/
protected void processConstraintMapping(ConstraintMapping mapping)
{
- Map<String, RoleInfo> mappings = (Map<String, RoleInfo>)_constraintMap.get(mapping.getPathSpec());
+ Map<String, RoleInfo> mappings = _constraintMap.get(mapping.getPathSpec());
if (mappings == null)
{
- mappings = new StringMap();
+ mappings = new HashMap<String,RoleInfo>();
_constraintMap.put(mapping.getPathSpec(),mappings);
}
- RoleInfo allMethodsRoleInfo = mappings.get(null);
+ RoleInfo allMethodsRoleInfo = mappings.get(ALL_METHODS);
if (allMethodsRoleInfo != null && allMethodsRoleInfo.isForbidden())
return;
-
+
if (mapping.getMethodOmissions() != null && mapping.getMethodOmissions().length > 0)
{
-
processConstraintMappingWithMethodOmissions(mapping, mappings);
return;
}
- String httpMethod = mapping.getMethod();
+ String httpMethod = mapping.getMethod();
+ if (httpMethod==null)
+ httpMethod=ALL_METHODS;
RoleInfo roleInfo = mappings.get(httpMethod);
if (roleInfo == null)
{
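Review bot: `mappings = new HashMap<String,RoleInfo>();` spells out the type arguments while the rest of this commit moves the same class to the diamond form (`new CopyOnWriteArrayList<>()`, `new HashSet<>()`); `mappings = new HashMap<>();` keeps the file consistent. processConstraintMapping continues past the end of the hunk.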
@@ -510,10 +513,10 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
if (roleInfo.isForbidden())
{
- if (httpMethod == null)
+ if (httpMethod.equals(ALL_METHODS))
{
mappings.clear();
- mappings.put(null,roleInfo);
+ mappings.put(ALL_METHODS,roleInfo);
}
}
else
@@ -548,23 +551,20 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
protected void processConstraintMappingWithMethodOmissions (ConstraintMapping mapping, Map<String, RoleInfo> mappings)
{
String[] omissions = mapping.getMethodOmissions();
-
- for (String omission:omissions)
+ StringBuilder sb = new StringBuilder();
+ for (int i=0; i<omissions.length; i++)
{
- //for each method omission, see if there is already a RoleInfo for it in mappings
- RoleInfo ri = mappings.get(omission+OMISSION_SUFFIX);
- if (ri == null)
- {
- //if not, make one
- ri = new RoleInfo();
- mappings.put(omission+OMISSION_SUFFIX, ri);
- }
-
- //initialize RoleInfo or combine from ConstraintMapping
- configureRoleInfo(ri, mapping);
+ if (i > 0)
+ sb.append(".");
+ sb.append(omissions[i]);
}
+ sb.append(OMISSION_SUFFIX);
+
+ RoleInfo ri = new RoleInfo();
+ mappings.put(sb.toString(), ri);
+ configureRoleInfo(ri, mapping);
}
-
+
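Review bot: The rewritten body always creates a fresh `RoleInfo` and `put`s it under the joined key, so a second ConstraintMapping for the same path with the same method omissions replaces the first one's RoleInfo instead of being combined into it through configureRoleInfo, which is what the removed per-method loop did and what processConstraintMapping still does for plain method keys (`mappings.get(httpMethod)` before creating). The key is also built in array order, so omissions `{GET, POST}` and `{POST, GET}` produce two distinct keys (`GET.POST.omission` vs `POST.GET.omission`) that are never merged. Look up the existing entry before creating one and sort the omissions (`java.util.Arrays` is already imported) so equivalent sets share a key.
```java
    String[] omissions = mapping.getMethodOmissions().clone();
    Arrays.sort(omissions); // canonical order so {GET,POST} and {POST,GET} share one key
    StringBuilder sb = new StringBuilder();
    // … unchanged: join omissions with "." into sb, then append OMISSION_SUFFIX …
    String key = sb.toString();
    RoleInfo ri = mappings.get(key);
    if (ri == null)
    {
        ri = new RoleInfo();
        mappings.put(key, ri);
    }
    configureRoleInfo(ri, mapping);
```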
/* ------------------------------------------------------------ */
/**
@@ -593,32 +593,32 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
if (ri.isChecked())
{
if (mapping.getConstraint().isAnyRole())
- {
- if (_strict)
- {
- // * means "all defined roles"
- for (String role : _roles)
+ {
+ if (_strict)
+ {
+ // * means "all defined roles"
+ for (String role : _roles)
ri.addRole(role);
- }
- else
- // * means any role
+ }
+ else
+ // * means any role
ri.setAnyRole(true);
- }
- else
- {
+ }
+ else
+ {
String[] newRoles = mapping.getConstraint().getRoles();
- for (String role : newRoles)
- {
- if (_strict &&!_roles.contains(role))
- throw new IllegalArgumentException("Attempt to use undeclared role: " + role + ", known roles: " + _roles);
+ for (String role : newRoles)
+ {
+ if (_strict &&!_roles.contains(role))
+ throw new IllegalArgumentException("Attempt to use undeclared role: " + role + ", known roles: " + _roles);
ri.addRole(role);
- }
- }
- }
- }
- }
+ }
+ }
+ }
+ }
+ }
+
-
/* ------------------------------------------------------------ */
/**
* Find constraints that apply to the given path.
@@ -627,12 +627,13 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
* <ol>
* <li>A mapping of an exact method name </li>
* <li>A mapping will null key that matches every method name</li>
- * <li>Mappings with keys of the form "method.omission" that indicates it will match every method name EXCEPT that given</li>
+ * <li>Mappings with keys of the form "&lt;method&gt;.&lt;method&gt;.&lt;method&gt;.omission" that indicates it will match every method name EXCEPT those given</li>
* </ol>
*
* @see org.eclipse.jetty.security.SecurityHandler#prepareConstraintInfo(java.lang.String, org.eclipse.jetty.server.Request)
*/
- protected Object prepareConstraintInfo(String pathInContext, Request request)
+ @Override
+ protected RoleInfo prepareConstraintInfo(String pathInContext, Request request)
{
Map<String, RoleInfo> mappings = (Map<String, RoleInfo>)_constraintMap.match(pathInContext);
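Review bot: The Javadoc item `<li>A mapping will null key that matches every method name</li>` is now wrong twice over: since this commit the all-methods entry is keyed by `ALL_METHODS` (`"*"`) rather than null, and "will" should read "with"; change it to `<li>A mapping with key "*" that matches every method name</li>`. The cast in `(Map<String, RoleInfo>)_constraintMap.match(pathInContext)` looks redundant now that `_constraintMap` is declared as `PathMap<Map<String, RoleInfo>>`, assuming `match` returns the type parameter. prepareConstraintInfo's body continues past the end of the hunk.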
@@ -646,7 +647,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
List<RoleInfo> applicableConstraints = new ArrayList<RoleInfo>();
//Get info for constraint that matches all methods if it exists
- RoleInfo all = mappings.get(null);
+ RoleInfo all = mappings.get(ALL_METHODS);
if (all != null)
applicableConstraints.add(all);
@@ -655,7 +656,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
//(ie matches because target method is not omitted, hence considered covered by the constraint)
for (Entry<String, RoleInfo> entry: mappings.entrySet())
{
- if (entry.getKey() != null && entry.getKey().contains(OMISSION_SUFFIX) && !(httpMethod+OMISSION_SUFFIX).equals(entry.getKey()))
+ if (entry.getKey() != null && entry.getKey().endsWith(OMISSION_SUFFIX) && ! entry.getKey().contains(httpMethod))
applicableConstraints.add(entry.getValue());
}
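Review bot: `! entry.getKey().contains(httpMethod)` is a substring test against a key of the form `A.B.omission`, so a request method whose name is contained in another method's name is treated as omitted too: with WebDAV methods, a constraint omitting only UNLOCK (`UNLOCK.omission`) is also skipped for LOCK requests, leaving LOCK less protected than the declaration says. Match whole tokens instead, e.g. strip the suffix and split on the separator: `!Arrays.asList(entry.getKey().substring(0, entry.getKey().length()-OMISSION_SUFFIX.length()).split("\\.")).contains(httpMethod)`. As far as the hunks here show, every key is now a non-null string (`ALL_METHODS`, the defaulted `httpMethod`, or an omission key), so the `entry.getKey() != null` guard could go as well. prepareConstraintInfo continues on both sides of the hunk.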
@@ -673,64 +674,36 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
}
return roleInfo;
}
+
return null;
}
-
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.security.SecurityHandler#checkUserDataPermissions(java.lang.String, org.eclipse.jetty.server.Request, org.eclipse.jetty.server.Response, java.lang.Object)
- */
- protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException
+
+ @Override
+ protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo roleInfo) throws IOException
{
- if (constraintInfo == null)
+ if (roleInfo == null)
return true;
- RoleInfo roleInfo = (RoleInfo)constraintInfo;
if (roleInfo.isForbidden())
return false;
-
UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint();
if (dataConstraint == null || dataConstraint == UserDataConstraint.None)
- {
return true;
- }
- AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
- Connector connector = connection.getConnector();
- if (dataConstraint == UserDataConstraint.Integral)
- {
- if (connector.isIntegral(request))
- return true;
- if (connector.getIntegralPort() > 0)
- {
- String scheme=connector.getIntegralScheme();
- int port=connector.getIntegralPort();
- String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
- ? "https://"+request.getServerName()+request.getRequestURI()
- : scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
- if (request.getQueryString() != null)
- url += "?" + request.getQueryString();
- response.setContentLength(0);
- response.sendRedirect(url);
- }
- else
- response.sendError(Response.SC_FORBIDDEN,"!Integral");
+ HttpConfiguration httpConfig = HttpChannel.getCurrentHttpChannel().getHttpConfiguration();
- request.setHandled(true);
- return false;
- }
- else if (dataConstraint == UserDataConstraint.Confidential)
+
+ if (dataConstraint == UserDataConstraint.Confidential || dataConstraint == UserDataConstraint.Integral)
{
- if (connector.isConfidential(request))
+ if (request.isSecure())
return true;
- if (connector.getConfidentialPort() > 0)
+ if (httpConfig.getSecurePort() > 0)
{
- String scheme=connector.getConfidentialScheme();
- int port=connector.getConfidentialPort();
- String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
+ String scheme = httpConfig.getSecureScheme();
+ int port = httpConfig.getSecurePort();
+ String url = ("https".equalsIgnoreCase(scheme) && port==443)
? "https://"+request.getServerName()+request.getRequestURI()
: scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
if (request.getQueryString() != null)
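Review bot: `HttpChannel.getCurrentHttpChannel().getHttpConfiguration()` is evaluated on every call before the code knows whether a redirect will be needed, and the result is dereferenced without a null check; if the current channel is not set on the calling thread (something the hunk cannot tell us) that is an NPE inside the access check rather than a clean deny. Move the lookup inside the `Confidential || Integral` branch after `if (request.isSecure()) return true;`, where it is first used, so the common secure-request path never touches it. checkUserDataPermissions continues past the end of the hunk.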
@@ -739,7 +712,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
response.sendRedirect(url);
}
else
- response.sendError(Response.SC_FORBIDDEN,"!Confidential");
+ response.sendError(HttpStatus.FORBIDDEN_403,"!Secure");
request.setHandled(true);
return false;
@@ -750,18 +723,11 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
}
}
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.security.SecurityHandler#isAuthMandatory(org.eclipse.jetty.server.Request, org.eclipse.jetty.server.Response, java.lang.Object)
- */
+
+ @Override
protected boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo)
{
- if (constraintInfo == null)
- {
- return false;
- }
- return ((RoleInfo)constraintInfo).isChecked();
+ return constraintInfo != null && ((RoleInfo)constraintInfo).isChecked();
}
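Review bot: `isAuthMandatory` still takes `Object constraintInfo` and casts to RoleInfo, while the sibling overrides in this commit were retyped (`prepareConstraintInfo` returns `RoleInfo`, `checkUserDataPermissions` takes `RoleInfo roleInfo`). If the abstract declaration in SecurityHandler (changed in this commit but not shown here) was retyped the same way, this one should follow: `protected boolean isAuthMandatory(Request baseRequest, Response base_response, RoleInfo roleInfo) { return roleInfo != null && roleInfo.isChecked(); }`.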
@@ -799,15 +765,13 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
@Override
public void dump(Appendable out,String indent) throws IOException
{
- dumpThis(out);
- dump(out,indent,
+ // TODO these should all be beans
+ dumpBeans(out,indent,
Collections.singleton(getLoginService()),
Collections.singleton(getIdentityService()),
Collections.singleton(getAuthenticator()),
Collections.singleton(_roles),
- _constraintMap.entrySet(),
- getBeans(),
- TypeUtil.asList(getHandlers()));
+ _constraintMap.entrySet());
}
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java
index 96e7700fcb..d8bad6326f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultIdentityService.java
@@ -31,7 +31,7 @@ import org.eclipse.jetty.server.UserIdentity;
* This service handles only role reference maps passed in an
* associated {@link org.eclipse.jetty.server.UserIdentity.Scope}. If there are roles
* refs present, then associate will wrap the UserIdentity with one
- * that uses the role references in the
+ * that uses the role references in the
* {@link org.eclipse.jetty.server.UserIdentity#isUserInRole(String, org.eclipse.jetty.server.UserIdentity.Scope)}
* implementation. All other operations are effectively noops.
*
@@ -42,10 +42,10 @@ public class DefaultIdentityService implements IdentityService
public DefaultIdentityService()
{
}
-
+
/* ------------------------------------------------------------ */
- /**
- * If there are roles refs present in the scope, then wrap the UserIdentity
+ /**
+ * If there are roles refs present in the scope, then wrap the UserIdentity
* with one that uses the role references in the {@link UserIdentity#isUserInRole(String, org.eclipse.jetty.server.UserIdentity.Scope)}
*/
public Object associate(UserIdentity user)
@@ -54,7 +54,7 @@ public class DefaultIdentityService implements IdentityService
}
/* ------------------------------------------------------------ */
- public void disassociate(Object previous)
+ public void disassociate(Object previous)
{
}
@@ -86,5 +86,5 @@ public class DefaultIdentityService implements IdentityService
{
return new DefaultUserIdentity(subject,userPrincipal,roles);
}
-
+
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java
index 8283dbbd43..28b0cb3a44 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultUserIdentity.java
@@ -31,11 +31,11 @@ import org.eclipse.jetty.server.UserIdentity;
*
*/
public class DefaultUserIdentity implements UserIdentity
-{
+{
private final Subject _subject;
private final Principal _userPrincipal;
private final String[] _roles;
-
+
public DefaultUserIdentity(Subject subject, Principal userPrincipal, String[] roles)
{
_subject=subject;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java
index 77d6008583..88952f5b64 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/IdentityService.java
@@ -28,26 +28,26 @@ import org.eclipse.jetty.server.UserIdentity;
/* ------------------------------------------------------------ */
/**
* Associates UserIdentities from with threads and UserIdentity.Contexts.
- *
+ *
*/
public interface IdentityService
{
- final static String[] NO_ROLES = new String[]{};
-
+ final static String[] NO_ROLES = new String[]{};
+
/* ------------------------------------------------------------ */
/**
* Associate a user identity with the current thread.
- * This is called with as a thread enters the
+ * This is called with as a thread enters the
* {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
* method and then again with a null argument as that call exits.
* @param user The current user or null for no user to associated.
* @return an object representing the previous associated state
*/
Object associate(UserIdentity user);
-
+
/* ------------------------------------------------------------ */
- /**
- * Disassociate the user identity from the current thread
+ /**
+ * Disassociate the user identity from the current thread
* and restore previous identity.
* @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)}
*/
@@ -61,7 +61,7 @@ public interface IdentityService
* @return The previous runAsToken or null.
*/
Object setRunAs(UserIdentity user, RunAsToken token);
-
+
/* ------------------------------------------------------------ */
/**
* Disassociate the current runAsToken from the thread
@@ -74,7 +74,7 @@ public interface IdentityService
/**
* Create a new UserIdentity for use with this identity service.
* The UserIdentity should be immutable and able to be cached.
- *
+ *
* @param subject Subject to include in UserIdentity
* @param userPrincipal Principal to include in UserIdentity. This will be returned from getUserPrincipal calls
* @param roles set of roles to include in UserIdentity.
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
index f39738cc3c..41648d6a6c 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
@@ -40,7 +40,7 @@ import org.eclipse.jetty.util.security.Credential;
/**
* A login service that keeps UserIdentities in a concurrent map
* either as the source or a cache of the users.
- *
+ *
*/
public abstract class MappedLoginService extends AbstractLifeCycle implements LoginService
{
@@ -54,7 +54,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
protected MappedLoginService()
{
}
-
+
/* ------------------------------------------------------------ */
/** Get the name.
* @return the name
@@ -63,7 +63,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _name;
}
-
+
/* ------------------------------------------------------------ */
/** Get the identityService.
* @return the identityService
@@ -72,7 +72,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _identityService;
}
-
+
/* ------------------------------------------------------------ */
/** Get the users.
* @return the users
@@ -81,7 +81,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _users;
}
-
+
/* ------------------------------------------------------------ */
/** Set the identityService.
* @param identityService the identityService to set
@@ -136,17 +136,17 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
/* ------------------------------------------------------------ */
public void logout(UserIdentity identity)
- {
+ {
LOG.debug("logout {}",identity);
}
-
+
/* ------------------------------------------------------------ */
@Override
public String toString()
{
return this.getClass().getSimpleName()+"["+_name+"]";
}
-
+
/* ------------------------------------------------------------ */
/** Put user into realm.
* Called by implementations to put the user data loaded from
@@ -163,7 +163,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
else
{
Credential credential = (info instanceof Credential)?(Credential)info:Credential.getCredential(info.toString());
-
+
Principal userPrincipal = new KnownUser(userName,credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
@@ -171,11 +171,11 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
subject.setReadOnly();
identity=_identityService.newUserIdentity(subject,userPrincipal,IdentityService.NO_ROLES);
}
-
+
_users.put(userName,identity);
return identity;
}
-
+
/* ------------------------------------------------------------ */
/** Put user into realm.
* @param userName The user to add
@@ -189,7 +189,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
subject.getPrivateCredentials().add(credential);
-
+
if (roles!=null)
for (String role : roles)
subject.getPrincipals().add(new RolePrincipal(role));
@@ -198,13 +198,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
UserIdentity identity=_identityService.newUserIdentity(subject,userPrincipal,roles);
_users.put(userName,identity);
return identity;
- }
-
+ }
+
/* ------------------------------------------------------------ */
public void removeUser(String username)
{
_users.remove(username);
- }
+ }
/* ------------------------------------------------------------ */
/**
@@ -213,10 +213,10 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
public UserIdentity login(String username, Object credentials)
{
UserIdentity user = _users.get(username);
-
+
if (user==null)
user = loadUser(username);
-
+
if (user!=null)
{
UserPrincipal principal = (UserPrincipal)user.getUserPrincipal();
@@ -231,16 +231,16 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
if (_users.containsKey(user.getUserPrincipal().getName()))
return true;
-
+
if (loadUser(user.getUserPrincipal().getName())!=null)
return true;
-
+
return false;
}
/* ------------------------------------------------------------ */
protected abstract UserIdentity loadUser(String username);
-
+
/* ------------------------------------------------------------ */
protected abstract void loadUsers() throws IOException;
@@ -253,7 +253,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
boolean authenticate(Object credentials);
public boolean isAuthenticated();
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
@@ -287,14 +287,14 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return "Anonymous";
}
-
+
public boolean authenticate(Object credentials)
{
return false;
}
-
+
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
@@ -303,7 +303,7 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
private static final long serialVersionUID = -6226920753748399662L;
private final String _name;
private final Credential _credential;
-
+
/* -------------------------------------------------------- */
public KnownUser(String name,Credential credential)
{
@@ -316,13 +316,13 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
{
return _credential!=null && _credential.check(credentials);
}
-
+
/* ------------------------------------------------------------ */
public String getName()
{
return _name;
}
-
+
/* -------------------------------------------------------- */
public boolean isAuthenticated()
{
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
index 075107e468..9e84953881 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/PropertyUserStore.java
@@ -46,16 +46,16 @@ import org.eclipse.jetty.util.security.Credential;
/**
* PropertyUserStore
- *
+ *
* This class monitors a property file of the format mentioned below and notifies registered listeners of the changes to the the given file.
- *
+ *
* <PRE>
* username: password [,rolename ...]
* </PRE>
- *
+ *
* Passwords may be clear text, obfuscated or checksummed. The class com.eclipse.Util.Password should be used to generate obfuscated passwords or password
* checksums.
- *
+ *
* If DIGEST Authentication is used, the password must be in a recoverable format, either plain text or OBF:.
*/
public class PropertyUserStore extends AbstractLifeCycle
@@ -84,7 +84,7 @@ public class PropertyUserStore extends AbstractLifeCycle
{
_config = config;
}
-
+
/* ------------------------------------------------------------ */
public UserIdentity getUserIdentity(String userName)
{
@@ -157,7 +157,7 @@ public class PropertyUserStore extends AbstractLifeCycle
}
known.add(username);
Credential credential = Credential.getCredential(credentials);
-
+
Principal userPrincipal = new KnownUser(username,credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
@@ -170,9 +170,9 @@ public class PropertyUserStore extends AbstractLifeCycle
subject.getPrincipals().add(new RolePrincipal(role));
}
}
-
+
subject.setReadOnly();
-
+
_knownUserIdentities.put(username,_identityService.newUserIdentity(subject,userPrincipal,roleArray));
notifyUpdate(username,credential,roleArray);
}
@@ -216,8 +216,8 @@ public class PropertyUserStore extends AbstractLifeCycle
/**
* Depending on the value of the refresh interval, this method will either start up a scanner thread that will monitor the properties file for changes after
* it has initially loaded it. Otherwise the users will be loaded and there will be no active monitoring thread so changes will not be detected.
- *
- *
+ *
+ *
* @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
*/
protected void doStart() throws Exception
@@ -300,7 +300,7 @@ public class PropertyUserStore extends AbstractLifeCycle
/**
* Notifies the registered listeners of potential updates to a user
- *
+ *
* @param username
* @param credential
* @param roleArray
@@ -318,7 +318,7 @@ public class PropertyUserStore extends AbstractLifeCycle
/**
* notifies the registered listeners that a user has been removed.
- *
+ *
* @param username
*/
private void notifyRemove(String username)
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 1699c214b4..edb5f9156d 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -20,9 +20,9 @@ package org.eclipse.jetty.security;
import java.io.IOException;
import java.security.Principal;
+import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -33,17 +33,16 @@ import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
-import org.eclipse.jetty.server.AbstractHttpConnection;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandler.Context;
import org.eclipse.jetty.server.handler.HandlerWrapper;
-import org.eclipse.jetty.server.session.AbstractSessionManager;
-import org.eclipse.jetty.util.component.LifeCycle;
+import org.eclipse.jetty.server.session.AbstractSession;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@@ -55,11 +54,11 @@ import org.eclipse.jetty.util.log.Logger;
* or will be create during {@link #start()} with a call to
* either the default or set AuthenticatorFactory.
* <p>
- * SecurityHandler has a set of initparameters that are used by the
+ * SecurityHandler has a set of initparameters that are used by the
* Authentication.Configuration. At startup, any context init parameters
- * that start with "org.eclipse.jetty.security." that do not have
- * values in the SecurityHandler init parameters, are copied.
- *
+ * that start with "org.eclipse.jetty.security." that do not have
+ * values in the SecurityHandler init parameters, are copied.
+ *
*/
public abstract class SecurityHandler extends HandlerWrapper implements Authenticator.AuthConfiguration
{
@@ -73,19 +72,22 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
private String _authMethod;
private final Map<String,String> _initParameters=new HashMap<String,String>();
private LoginService _loginService;
- private boolean _loginServiceShared;
private IdentityService _identityService;
private boolean _renewSession=true;
+ private boolean _discoveredIdentityService = false;
+ private boolean _discoveredLoginService = false;
/* ------------------------------------------------------------ */
protected SecurityHandler()
{
+ addBean(_authenticatorFactory);
}
-
+
/* ------------------------------------------------------------ */
/** Get the identityService.
* @return the identityService
*/
+ @Override
public IdentityService getIdentityService()
{
return _identityService;
@@ -99,6 +101,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
if (isStarted())
throw new IllegalStateException("Started");
+ updateBean(_identityService,identityService);
_identityService = identityService;
}
@@ -106,6 +109,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
/** Get the loginService.
* @return the loginService
*/
+ @Override
public LoginService getLoginService()
{
return _loginService;
@@ -119,8 +123,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
if (isStarted())
throw new IllegalStateException("Started");
+ updateBean(_loginService,loginService);
_loginService = loginService;
- _loginServiceShared=false;
}
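Review bot: Dropping `_loginServiceShared=false;` here leaves `_discoveredLoginService` with no reset path: `doStart()` (later hunk) sets it to true right after calling this setter and nothing ever clears it, so a login service explicitly injected after a stop/start cycle is still treated as discovered and the next `doStop()` will `removeBean` it and null the field. The same applies to `_discoveredIdentityService` in the `setIdentityService` hunk above, and both flags are also set to true when the lookup returned null. Mirror the removed line: add `_discoveredLoginService = false;` after `_loginService = loginService;` here and `_discoveredIdentityService = false;` after the assignment in `setIdentityService`; `doStart()` already assigns the flags after the setter calls, so discovery keeps working.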
@@ -139,7 +143,10 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
if (isStarted())
throw new IllegalStateException("Started");
+ updateBean(_authenticator,authenticator);
_authenticator = authenticator;
+ if (_authenticator!=null)
+ _authMethod=_authenticator.getAuthMethod();
}
/* ------------------------------------------------------------ */
@@ -160,6 +167,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
if (isRunning())
throw new IllegalStateException("running");
+ updateBean(_authenticatorFactory,authenticatorFactory);
_authenticatorFactory = authenticatorFactory;
}
@@ -167,6 +175,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
/**
* @return the realmName
*/
+ @Override
public String getRealmName()
{
return _realmName;
@@ -188,6 +197,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
/**
* @return the authMethod
*/
+ @Override
public String getAuthMethod()
{
return _authMethod;
@@ -204,7 +214,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
throw new IllegalStateException("running");
_authMethod = authMethod;
}
-
+
/* ------------------------------------------------------------ */
/**
* @return True if forwards to welcome files are authenticated
@@ -228,17 +238,19 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
}
/* ------------------------------------------------------------ */
+ @Override
public String getInitParameter(String key)
{
return _initParameters.get(key);
}
-
+
/* ------------------------------------------------------------ */
+ @Override
public Set<String> getInitParameterNames()
{
return _initParameters.keySet();
}
-
+
/* ------------------------------------------------------------ */
/** Set an initialization parameter.
* @param key
@@ -252,12 +264,12 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
throw new IllegalStateException("running");
return _initParameters.put(key,value);
}
-
+
/* ------------------------------------------------------------ */
protected LoginService findLoginService()
{
- List<LoginService> list = getServer().getBeans(LoginService.class);
-
+ Collection<LoginService> list = getServer().getBeans(LoginService.class);
+
String realm=getRealmName();
if (realm!=null)
{
@@ -266,18 +278,18 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
return service;
}
else if (list.size()==1)
- return list.get(0);
+ return list.iterator().next();
return null;
}
-
+
/* ------------------------------------------------------------ */
protected IdentityService findIdentityService()
{
return getServer().getBean(IdentityService.class);
}
-
+
/* ------------------------------------------------------------ */
- /**
+ /**
*/
@Override
protected void doStart()
@@ -299,53 +311,54 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
//register a session listener to handle securing sessions when authentication is performed
context.getContextHandler().addEventListener(new HttpSessionListener()
{
-
+ @Override
public void sessionDestroyed(HttpSessionEvent se)
{
-
}
-
+
+ @Override
public void sessionCreated(HttpSessionEvent se)
- {
+ {
//if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
- AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
- if (connection == null)
+ HttpChannel<?> channel = HttpChannel.getCurrentHttpChannel();
+
+ if (channel == null)
return;
- Request request = connection.getRequest();
+ Request request = channel.getRequest();
if (request == null)
return;
if (request.isSecure())
{
- se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ se.getSession().setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
}
}
});
}
-
+
// complicated resolution of login and identity service to handle
// many different ways these can be constructed and injected.
-
+
if (_loginService==null)
{
- _loginService=findLoginService();
- if (_loginService!=null)
- _loginServiceShared=true;
+ setLoginService(findLoginService());
+ _discoveredLoginService = true;
}
-
+
if (_identityService==null)
{
-
if (_loginService!=null)
- _identityService=_loginService.getIdentityService();
+ setIdentityService(_loginService.getIdentityService());
if (_identityService==null)
- _identityService=findIdentityService();
-
+ setIdentityService(findIdentityService());
+
if (_identityService==null && _realmName!=null)
- _identityService=new DefaultIdentityService();
+ setIdentityService(new DefaultIdentityService());
+
+ _discoveredIdentityService = true;
}
-
+
if (_loginService!=null)
{
if (_loginService.getIdentityService()==null)
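Review bot: The comment above the new `HttpChannel.getCurrentHttpChannel()` lookup still says "if current request is authenticated", but the condition that follows is `request.isSecure()`, i.e. transport security rather than authentication state; since the lookup is being rewritten this is the moment to make the comment match, e.g. `//if the current request is secure, mark the just-created session as known only to authenticated users (its id has not yet been sent to a client in clear)` — the parenthetical is my reading of the attribute name, confirm against AbstractSession. Separately, `_discoveredLoginService = true` is reached even when `findLoginService()` returned null, so the flag records that discovery was attempted rather than that a service was found; this looks harmless for `removeBean(null)` but deserves a one-line comment. doStart continues in the next hunk.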
@@ -354,46 +367,40 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
throw new IllegalStateException("LoginService has different IdentityService to "+this);
}
- if (!_loginServiceShared && _loginService instanceof LifeCycle)
- ((LifeCycle)_loginService).start();
-
- if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
- {
- _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
- if (_authenticator!=null)
- _authMethod=_authenticator.getAuthMethod();
- }
+ Authenticator.Factory authenticatorFactory = getAuthenticatorFactory();
+ if (_authenticator==null && authenticatorFactory!=null && _identityService!=null)
+ setAuthenticator(authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService));
- if (_authenticator==null)
- {
- if (_realmName!=null)
- {
- LOG.warn("No ServerAuthentication for "+this);
- throw new IllegalStateException("No ServerAuthentication");
- }
- }
- else
- {
+ if (_authenticator!=null)
_authenticator.setConfiguration(this);
- if (_authenticator instanceof LifeCycle)
- ((LifeCycle)_authenticator).start();
+ else if (_realmName!=null)
+ {
+ LOG.warn("No Authenticator for "+this);
+ throw new IllegalStateException("No Authenticator");
}
super.doStart();
}
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.handler.HandlerWrapper#doStop()
- */
@Override
+ /* ------------------------------------------------------------ */
protected void doStop() throws Exception
{
- super.doStop();
+ //if we discovered the services (rather than had them explicitly configured), remove them.
+ if (_discoveredIdentityService)
+ {
+ removeBean(_identityService);
+ _identityService = null;
+
+ }
- if (!_loginServiceShared && _loginService instanceof LifeCycle)
- ((LifeCycle)_loginService).stop();
+ if (_discoveredLoginService)
+ {
+ removeBean(_loginService);
+ _loginService = null;
+ }
+ super.doStop();
}
/* ------------------------------------------------------------ */
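Review bot: `@Override` on `doStop` is now separated from the method signature by the `/* --- */` divider, and the Javadoc `@see HandlerWrapper#doStop()` was dropped without replacement; move the annotation below the divider and keep a one-line doc, e.g. `/** Stops the handler and forgets the services that doStart() discovered rather than had injected. */`. The discovered beans are removed before `super.doStop()` runs, so whatever ContainerLifeCycle does for managed beans at stop time no longer applies to them; if a discovered login service was not yet started when `updateBean` added it (and so became managed), it would be started by this handler on doStart but not stopped here — I cannot confirm removeBean's stop semantics from this page, so please check. The blank line before the closing brace of the `_discoveredIdentityService` block is stray whitespace.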
@@ -405,7 +412,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
case ASYNC:
return true;
case FORWARD:
- if (_checkWelcomeFiles && request.getAttribute("org.eclipse.jetty.server.welcome") != null)
+ if (isCheckWelcomeFiles() && request.getAttribute("org.eclipse.jetty.server.welcome") != null)
{
request.removeAttribute("org.eclipse.jetty.server.welcome");
return true;
@@ -415,7 +422,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
return false;
}
}
-
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.security.Authenticator.AuthConfiguration#isSessionRenewedOnAuthentication()
@@ -424,7 +431,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
return _renewSession;
}
-
+
/* ------------------------------------------------------------ */
/** Set renew the session on Authentication.
* <p>
@@ -435,7 +442,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
_renewSession=renew;
}
-
+
/* ------------------------------------------------------------ */
/*
* @see org.eclipse.jetty.server.Handler#handle(java.lang.String,
@@ -447,18 +454,18 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
final Response base_response = baseRequest.getResponse();
final Handler handler=getHandler();
-
+
if (handler==null)
return;
final Authenticator authenticator = _authenticator;
-
+
if (checkSecurity(baseRequest))
{
- Object constraintInfo = prepareConstraintInfo(pathInContext, baseRequest);
-
+ RoleInfo roleInfo = prepareConstraintInfo(pathInContext, baseRequest);
+
// Check data constraints
- if (!checkUserDataPermissions(pathInContext, baseRequest, base_response, constraintInfo))
+ if (!checkUserDataPermissions(pathInContext, baseRequest, base_response, roleInfo))
{
if (!baseRequest.isHandled())
{
@@ -469,12 +476,12 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
}
// is Auth mandatory?
- boolean isAuthMandatory =
- isAuthMandatory(baseRequest, base_response, constraintInfo);
+ boolean isAuthMandatory =
+ isAuthMandatory(baseRequest, base_response, roleInfo);
if (isAuthMandatory && authenticator==null)
{
- LOG.warn("No authenticator for: "+constraintInfo);
+ LOG.warn("No authenticator for: "+roleInfo);
if (!baseRequest.isHandled())
{
response.sendError(Response.SC_FORBIDDEN);
@@ -482,7 +489,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
}
return;
}
-
+
// check authentication
Object previousIdentity = null;
try
@@ -510,7 +517,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
if (isAuthMandatory)
{
- boolean authorized=checkWebResourcePermissions(pathInContext, baseRequest, base_response, constraintInfo, userAuth.getUserIdentity());
+ boolean authorized=checkWebResourcePermissions(pathInContext, baseRequest, base_response, roleInfo, userAuth.getUserIdentity());
if (!authorized)
{
response.sendError(Response.SC_FORBIDDEN, "!role");
@@ -518,7 +525,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
return;
}
}
-
+
handler.handle(pathInContext, baseRequest, request, response);
if (authenticator!=null)
authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
@@ -582,9 +589,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
Context context = ContextHandler.getCurrentContext();
if (context==null)
return null;
-
- SecurityHandler security = context.getContextHandler().getChildHandlerByClass(SecurityHandler.class);
- return security;
+
+ return context.getContextHandler().getChildHandlerByClass(SecurityHandler.class);
}
/* ------------------------------------------------------------ */
@@ -596,7 +602,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
{
login_service.logout(user.getUserIdentity());
}
-
+
IdentityService identity_service=getIdentityService();
if (identity_service!=null)
{
@@ -605,12 +611,12 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
identity_service.disassociate(previous);
}
}
-
+
/* ------------------------------------------------------------ */
- protected abstract Object prepareConstraintInfo(String pathInContext, Request request);
+ protected abstract RoleInfo prepareConstraintInfo(String pathInContext, Request request);
/* ------------------------------------------------------------ */
- protected abstract boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException;
+ protected abstract boolean checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo constraintInfo) throws IOException;
/* ------------------------------------------------------------ */
protected abstract boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo);
@@ -619,7 +625,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
protected abstract boolean checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo,
UserIdentity userIdentity) throws IOException;
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
public class NotChecked implements Principal
@@ -641,7 +647,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
}
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
public static Principal __NO_USER = new Principal()
@@ -657,7 +663,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
return "No User";
}
};
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/**
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
index e13cb96eb4..e412f8f27e 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
@@ -23,11 +23,11 @@ import java.util.Properties;
import javax.security.auth.Subject;
import org.eclipse.jetty.server.UserIdentity;
+import org.eclipse.jetty.util.B64Code;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
-import org.eclipse.jetty.util.security.B64Code;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
@@ -42,25 +42,26 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
protected IdentityService _identityService;// = new LdapIdentityService();
protected String _name;
private String _config;
-
+
private String _targetName;
public SpnegoLoginService()
{
-
+
}
-
+
public SpnegoLoginService( String name )
{
setName(name);
}
-
+
public SpnegoLoginService( String name, String config )
{
setName(name);
setConfig(config);
}
-
+
+ @Override
public String getName()
{
return _name;
@@ -72,50 +73,51 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
{
throw new IllegalStateException("Running");
}
-
+
_name = name;
}
-
+
public String getConfig()
{
return _config;
}
-
+
public void setConfig( String config )
{
if (isRunning())
{
throw new IllegalStateException("Running");
}
-
+
_config = config;
}
-
-
-
+
+
+
@Override
protected void doStart() throws Exception
{
Properties properties = new Properties();
Resource resource = Resource.newResource(_config);
properties.load(resource.getInputStream());
-
+
_targetName = properties.getProperty("targetName");
-
+
LOG.debug("Target Name {}", _targetName);
-
+
super.doStart();
}
/**
* username will be null since the credentials will contain all the relevant info
*/
+ @Override
public UserIdentity login(String username, Object credentials)
{
String encodedAuthToken = (String)credentials;
-
+
byte[] authToken = B64Code.decode(encodedAuthToken);
-
+
GSSManager manager = GSSManager.getInstance();
try
{
@@ -138,7 +140,7 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
{
String clientName = gContext.getSrcName().toString();
String role = clientName.substring(clientName.indexOf('@') + 1);
-
+
LOG.debug("SpnegoUserRealm: established a security context");
LOG.debug("Client Principal is: " + gContext.getSrcName());
LOG.debug("Server Principal is: " + gContext.getTargName());
@@ -148,7 +150,7 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
Subject subject = new Subject();
subject.getPrincipals().add(user);
-
+
return _identityService.newUserIdentity(subject,user, new String[]{role});
}
}
@@ -162,24 +164,28 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
return null;
}
+ @Override
public boolean validate(UserIdentity user)
{
return false;
}
+ @Override
public IdentityService getIdentityService()
{
return _identityService;
}
+ @Override
public void setIdentityService(IdentityService service)
{
_identityService = service;
}
- public void logout(UserIdentity user) {
- // TODO Auto-generated method stub
-
- }
+ @Override
+ public void logout(UserIdentity user)
+ {
+ // TODO Auto-generated method stub
+ }
}
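Review bot: `logout` keeps the auto-generated TODO body after the reformat; since `validate` unconditionally returns false a few lines above and `login` builds a fresh Subject on every call (earlier hunk), there appears to be no per-user state held by this service to invalidate, and saying so is clearer than a TODO that reads as unfinished. Suggest replacing the stub comment with `// Nothing to invalidate: this service does not cache identities` if that reading is right, or otherwise implementing the method.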
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java
index 333748bb76..d7d05f5efa 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserIdentity.java
@@ -30,15 +30,15 @@ public class SpnegoUserIdentity implements UserIdentity
private Subject _subject;
private Principal _principal;
private List<String> _roles;
-
+
public SpnegoUserIdentity( Subject subject, Principal principal, List<String> roles )
{
_subject = subject;
_principal = principal;
_roles = roles;
}
-
-
+
+
public Subject getSubject()
{
return _subject;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
index ee8b4bfaa3..167a2ffe5a 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoUserPrincipal.java
@@ -20,26 +20,26 @@ package org.eclipse.jetty.security;
import java.security.Principal;
-import org.eclipse.jetty.util.security.B64Code;
+import org.eclipse.jetty.util.B64Code;
public class SpnegoUserPrincipal implements Principal
{
private final String _name;
private byte[] _token;
private String _encodedToken;
-
+
public SpnegoUserPrincipal( String name, String encodedToken )
{
_name = name;
_encodedToken = encodedToken;
}
-
+
public SpnegoUserPrincipal( String name, byte[] token )
{
_name = name;
_token = token;
}
-
+
public String getName()
{
return _name;
@@ -53,7 +53,7 @@ public class SpnegoUserPrincipal implements Principal
}
return _token;
}
-
+
public String getEncodedToken()
{
if ( _encodedToken == null )
@@ -61,5 +61,5 @@ public class SpnegoUserPrincipal implements Principal
_encodedToken = new String(B64Code.encode(_token,true));
}
return _encodedToken;
- }
+ }
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index b5d85b3031..56d3fe41ad 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -25,7 +25,7 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.HttpHeaders;
+import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
@@ -38,17 +38,18 @@ import org.eclipse.jetty.util.security.Constraint;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
*/
-public class BasicAuthenticator extends LoginAuthenticator
-{
+public class BasicAuthenticator extends LoginAuthenticator
+{
/* ------------------------------------------------------------ */
public BasicAuthenticator()
{
}
-
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.security.Authenticator#getAuthMethod()
*/
+ @Override
public String getAuthMethod()
{
return Constraint.__BASIC_AUTH;
@@ -60,11 +61,12 @@ public class BasicAuthenticator extends LoginAuthenticator
/**
* @see org.eclipse.jetty.security.Authenticator#validateRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse, boolean)
*/
+ @Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
{
HttpServletRequest request = (HttpServletRequest)req;
HttpServletResponse response = (HttpServletResponse)res;
- String credentials = request.getHeader(HttpHeaders.AUTHORIZATION);
+ String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
try
{
@@ -72,7 +74,7 @@ public class BasicAuthenticator extends LoginAuthenticator
return new DeferredAuthentication(this);
if (credentials != null)
- {
+ {
int space=credentials.indexOf(' ');
if (space>0)
{
@@ -99,8 +101,8 @@ public class BasicAuthenticator extends LoginAuthenticator
if (DeferredAuthentication.isDeferred(response))
return Authentication.UNAUTHENTICATED;
-
- response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "basic realm=\"" + _loginService.getName() + '"');
+
+ response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "basic realm=\"" + _loginService.getName() + '"');
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return Authentication.SEND_CONTINUE;
}
@@ -110,6 +112,7 @@ public class BasicAuthenticator extends LoginAuthenticator
}
}
+ @Override
public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
{
return true;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index 6b026fcbe5..fea1371058 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -70,23 +70,25 @@ public class ClientCertAuthenticator extends LoginAuthenticator
private boolean _enableOCSP = false;
/** Location of OCSP Responder */
private String _ocspResponderURL;
-
+
public ClientCertAuthenticator()
{
super();
}
+ @Override
public String getAuthMethod()
{
return Constraint.__CERT_AUTH;
}
-
+
/**
* @return Authentication for request
* @throws ServerAuthException
*/
+ @Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
{
if (!mandatory)
@@ -101,7 +103,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
// Need certificates.
if (certs != null && certs.length > 0)
{
-
+
if (_validateCerts)
{
KeyStore trustStore = getKeyStore(null,
@@ -111,7 +113,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
CertificateValidator validator = new CertificateValidator(trustStore, crls);
validator.validate(certs);
}
-
+
for (X509Certificate cert: certs)
{
if (cert==null)
@@ -136,7 +138,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return Authentication.SEND_FAILURE;
}
-
+
return Authentication.UNAUTHENTICATED;
}
catch (Exception e)
@@ -183,6 +185,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
return CertificateUtils.loadCRL(crlPath);
}
+ @Override
public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
{
return true;
@@ -311,9 +314,9 @@ public class ClientCertAuthenticator extends LoginAuthenticator
{
_maxCertPathLength = maxCertPathLength;
}
-
+
/* ------------------------------------------------------------ */
- /**
+ /**
* @return true if CRL Distribution Points support is enabled
*/
public boolean isEnableCRLDP()
@@ -331,7 +334,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
- /**
+ /**
* @return true if On-Line Certificate Status Protocol support is enabled
*/
public boolean isEnableOCSP()
@@ -349,7 +352,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
- /**
+ /**
* @return Location of the OCSP Responder
*/
public String getOcspResponderURL()
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java
index 36b7a934f2..d47a65d1fc 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java
@@ -29,10 +29,8 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.ServerAuthException;
@@ -61,12 +59,13 @@ public class DeferredAuthentication implements Authentication.Deferred
/**
* @see org.eclipse.jetty.server.Authentication.Deferred#authenticate(ServletRequest)
*/
+ @Override
public Authentication authenticate(ServletRequest request)
{
try
{
Authentication authentication = _authenticator.validateRequest(request,__deferredResponse,true);
-
+
if (authentication!=null && (authentication instanceof Authentication.User) && !(authentication instanceof Authentication.ResponseSent))
{
LoginService login_service= _authenticator.getLoginService();
@@ -85,11 +84,12 @@ public class DeferredAuthentication implements Authentication.Deferred
return this;
}
-
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.Authentication.Deferred#authenticate(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
*/
+ @Override
public Authentication authenticate(ServletRequest request, ServletResponse response)
{
try
@@ -113,6 +113,7 @@ public class DeferredAuthentication implements Authentication.Deferred
/**
* @see org.eclipse.jetty.server.Authentication.Deferred#login(java.lang.String, java.lang.String)
*/
+ @Override
public Authentication login(String username, Object password, ServletRequest request)
{
UserIdentity identity = _authenticator.login(username, password, request);
@@ -142,152 +143,185 @@ public class DeferredAuthentication implements Authentication.Deferred
{
return response==__deferredResponse;
}
-
+
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
/* ------------------------------------------------------------ */
final static HttpServletResponse __deferredResponse = new HttpServletResponse()
{
+ @Override
public void addCookie(Cookie cookie)
{
}
+ @Override
public void addDateHeader(String name, long date)
{
}
+ @Override
public void addHeader(String name, String value)
{
}
+ @Override
public void addIntHeader(String name, int value)
{
}
+ @Override
public boolean containsHeader(String name)
{
return false;
}
+ @Override
public String encodeRedirectURL(String url)
{
return null;
}
+ @Override
public String encodeRedirectUrl(String url)
{
return null;
}
+ @Override
public String encodeURL(String url)
{
return null;
}
+ @Override
public String encodeUrl(String url)
{
return null;
}
+ @Override
public void sendError(int sc) throws IOException
{
}
+ @Override
public void sendError(int sc, String msg) throws IOException
{
}
+ @Override
public void sendRedirect(String location) throws IOException
{
}
+ @Override
public void setDateHeader(String name, long date)
{
}
+ @Override
public void setHeader(String name, String value)
{
}
+ @Override
public void setIntHeader(String name, int value)
{
}
+ @Override
public void setStatus(int sc)
{
}
+ @Override
public void setStatus(int sc, String sm)
{
}
+ @Override
public void flushBuffer() throws IOException
{
}
+ @Override
public int getBufferSize()
{
return 1024;
}
+ @Override
public String getCharacterEncoding()
{
return null;
}
+ @Override
public String getContentType()
{
return null;
}
+ @Override
public Locale getLocale()
{
return null;
}
+ @Override
public ServletOutputStream getOutputStream() throws IOException
{
return __nullOut;
}
+ @Override
public PrintWriter getWriter() throws IOException
{
return IO.getNullPrintWriter();
}
+ @Override
public boolean isCommitted()
{
return true;
}
+ @Override
public void reset()
{
}
+ @Override
public void resetBuffer()
{
}
+ @Override
public void setBufferSize(int size)
{
}
+ @Override
public void setCharacterEncoding(String charset)
{
}
+ @Override
public void setContentLength(int len)
{
}
+ @Override
public void setContentType(String type)
{
}
+ @Override
public void setLocale(Locale loc)
{
}
+ @Override
public Collection<String> getHeaderNames()
{
return Collections.emptyList();
@@ -331,5 +365,5 @@ public class DeferredAuthentication implements Authentication.Deferred
}
};
-
+
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index eabdc8cfec..5abd9113b5 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -33,7 +33,7 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.HttpHeaders;
+import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
@@ -52,8 +52,8 @@ import org.eclipse.jetty.util.security.Credential;
/**
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
- *
- * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)}
+ *
+ * The nonce max age in ms can be set with the {@link SecurityHandler#setInitParameter(String, String)}
* using the name "maxNonceAge"
*/
public class DigestAuthenticator extends LoginAuthenticator
@@ -104,7 +104,7 @@ public class DigestAuthenticator extends LoginAuthenticator
public void setConfiguration(AuthConfiguration configuration)
{
super.setConfiguration(configuration);
-
+
String mna=configuration.getInitParameter("maxNonceAge");
if (mna!=null)
{
@@ -112,7 +112,6 @@ public class DigestAuthenticator extends LoginAuthenticator
}
}
-
/* ------------------------------------------------------------ */
public int getMaxNonceCount()
{
@@ -124,26 +123,28 @@ public class DigestAuthenticator extends LoginAuthenticator
{
_maxNC = maxNC;
}
-
+
/* ------------------------------------------------------------ */
- public void setMaxNonceAge(long maxNonceAgeInMillis)
+ public long getMaxNonceAge()
{
- _maxNonceAgeMs = maxNonceAgeInMillis;
+ return _maxNonceAgeMs;
}
/* ------------------------------------------------------------ */
- public long getMaxNonceAge()
+ public synchronized void setMaxNonceAge(long maxNonceAgeInMillis)
{
- return _maxNonceAgeMs;
+ _maxNonceAgeMs = maxNonceAgeInMillis;
}
/* ------------------------------------------------------------ */
+ @Override
public String getAuthMethod()
{
return Constraint.__DIGEST_AUTH;
}
/* ------------------------------------------------------------ */
+ @Override
public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
{
return true;
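Review bot: `setMaxNonceAge` is now `synchronized` but `getMaxNonceAge` directly above it is not, so the monitor gives readers of `_maxNonceAgeMs` no visibility guarantee, and a plain `long` field is not guaranteed to be written atomically on 32-bit JVMs. Either make the getter `synchronized` too, `public synchronized long getMaxNonceAge()`, or declare the field `volatile` (its declaration is outside this hunk) and drop the `synchronized` from the setter. Reordering the getter and setter within the hunk is cosmetic.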
@@ -152,6 +153,7 @@ public class DigestAuthenticator extends LoginAuthenticator
/* ------------------------------------------------------------ */
+ @Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
{
if (!mandatory)
@@ -159,14 +161,14 @@ public class DigestAuthenticator extends LoginAuthenticator
HttpServletRequest request = (HttpServletRequest)req;
HttpServletResponse response = (HttpServletResponse)res;
- String credentials = request.getHeader(HttpHeaders.AUTHORIZATION);
+ String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
try
{
boolean stale = false;
if (credentials != null)
{
- if (LOG.isDebugEnabled())
+ if (LOG.isDebugEnabled())
LOG.debug("Credentials: " + credentials);
QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false);
final Digest digest = new Digest(request.getMethod());
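Review bot: `LOG.debug("Credentials: " + credentials)` writes the whole Authorization header to the log; for Digest that is the username, nonce, nc, cnonce and the response digest, which together are enough to replay that request within the nonce window, so the line should not survive in a production-readable log. Log only that a Digest header was present, or move the debug line below the tokenizer loop and print `digest.username` alone. The switch to `HttpHeader.AUTHORIZATION.asString()` is fine. validateRequest begins before this hunk and the try block continues after it.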
@@ -208,7 +210,7 @@ public class DigestAuthenticator extends LoginAuthenticator
digest.qop = tok;
else if ("uri".equalsIgnoreCase(name))
digest.uri = tok;
- else if ("response".equalsIgnoreCase(name))
+ else if ("response".equalsIgnoreCase(name))
digest.response = tok;
name=null;
}
@@ -226,7 +228,7 @@ public class DigestAuthenticator extends LoginAuthenticator
return new UserAuthentication(getAuthMethod(),user);
}
}
- else if (n == 0)
+ else if (n == 0)
stale = true;
}
@@ -234,9 +236,9 @@ public class DigestAuthenticator extends LoginAuthenticator
if (!DeferredAuthentication.isDeferred(response))
{
String domain = request.getContextPath();
- if (domain == null)
+ if (domain == null)
domain = "/";
- response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Digest realm=\"" + _loginService.getName()
+ response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + _loginService.getName()
+ "\", domain=\""
+ domain
+ "\", nonce=\""
@@ -261,7 +263,7 @@ public class DigestAuthenticator extends LoginAuthenticator
public String newNonce(Request request)
{
Nonce nonce;
-
+
do
{
byte[] nounce = new byte[24];
@@ -271,7 +273,7 @@ public class DigestAuthenticator extends LoginAuthenticator
}
while (_nonceMap.putIfAbsent(nonce._nonce,nonce)!=null);
_nonceQueue.add(nonce);
-
+
return nonce._nonce;
}
@@ -292,19 +294,21 @@ public class DigestAuthenticator extends LoginAuthenticator
_nonceMap.remove(nonce._nonce);
nonce=_nonceQueue.peek();
}
-
+
// Now check the requested nonce
try
{
nonce = _nonceMap.get(digest.nonce);
if (nonce==null)
return 0;
-
+
long count = Long.parseLong(digest.nc,16);
if (count>=_maxNC)
return 0;
+
if (nonce.seen((int)count))
return -1;
+
return 1;
}
catch (Exception e)
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 21e83150e4..71bba4abad 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -33,14 +33,15 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
-import org.eclipse.jetty.http.HttpHeaders;
-import org.eclipse.jetty.http.HttpMethods;
+import org.eclipse.jetty.http.HttpHeader;
+import org.eclipse.jetty.http.HttpHeaderValue;
+import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
-import org.eclipse.jetty.server.AbstractHttpConnection;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Authentication.User;
+import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.MultiMap;
@@ -52,18 +53,18 @@ import org.eclipse.jetty.util.security.Constraint;
/**
* FORM Authenticator.
- *
+ *
* <p>This authenticator implements form authentication will use dispatchers to
* the login page if the {@link #__FORM_DISPATCH} init parameter is set to true.
* Otherwise it will redirect.</p>
- *
+ *
* <p>The form authenticator redirects unauthenticated requests to a log page
* which should use a form to gather username/password from the user and send them
- * to the /j_security_check URI within the context. FormAuthentication uses
+ * to the /j_security_check URI within the context. FormAuthentication uses
* {@link SessionAuthentication} to wrap Authentication results so that they
* are associated with the session.</p>
- *
- *
+ *
+ *
*/
public class FormAuthenticator extends LoginAuthenticator
{
@@ -99,7 +100,7 @@ public class FormAuthenticator extends LoginAuthenticator
setErrorPage(error);
_dispatch=dispatch;
}
-
+
/* ------------------------------------------------------------ */
/**
* If true, uris that cause a redirect to a login page will always
@@ -112,14 +113,14 @@ public class FormAuthenticator extends LoginAuthenticator
{
_alwaysSaveUri = alwaysSave;
}
-
-
+
+
/* ------------------------------------------------------------ */
public boolean getAlwaysSaveUri ()
{
return _alwaysSaveUri;
}
-
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.AuthConfiguration)
@@ -139,6 +140,7 @@ public class FormAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
+ @Override
public String getAuthMethod()
{
return Constraint.__FORM_AUTH;
@@ -154,7 +156,7 @@ public class FormAuthenticator extends LoginAuthenticator
}
_formLoginPage = path;
_formLoginPath = path;
- if (_formLoginPath.indexOf('?') > 0)
+ if (_formLoginPath.indexOf('?') > 0)
_formLoginPath = _formLoginPath.substring(0, _formLoginPath.indexOf('?'));
}
@@ -176,7 +178,7 @@ public class FormAuthenticator extends LoginAuthenticator
_formErrorPage = path;
_formErrorPath = path;
- if (_formErrorPath.indexOf('?') > 0)
+ if (_formErrorPath.indexOf('?') > 0)
_formErrorPath = _formErrorPath.substring(0, _formErrorPath.indexOf('?'));
}
}
@@ -198,8 +200,9 @@ public class FormAuthenticator extends LoginAuthenticator
}
/* ------------------------------------------------------------ */
+ @Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
- {
+ {
HttpServletRequest request = (HttpServletRequest)req;
HttpServletResponse response = (HttpServletResponse)res;
String uri = request.getRequestURI();
@@ -214,7 +217,7 @@ public class FormAuthenticator extends LoginAuthenticator
return new DeferredAuthentication(this);
HttpSession session = request.getSession(true);
-
+
try
{
// Handle a request for authentication.
@@ -222,13 +225,15 @@ public class FormAuthenticator extends LoginAuthenticator
{
final String username = request.getParameter(__J_USERNAME);
final String password = request.getParameter(__J_PASSWORD);
-
+
UserIdentity user = login(username, password, request);
+ LOG.debug("jsecuritycheck {} {}",username,user);
session = request.getSession(true);
if (user!=null)
{
// Redirect to original request
String nuri;
+ FormAuthentication form_auth;
synchronized(session)
{
nuri = (String) session.getAttribute(__J_URI);
@@ -236,78 +241,88 @@ public class FormAuthenticator extends LoginAuthenticator
if (nuri == null || nuri.length() == 0)
{
nuri = request.getContextPath();
- if (nuri.length() == 0)
+ if (nuri.length() == 0)
nuri = URIUtil.SLASH;
}
+ form_auth = new FormAuthentication(getAuthMethod(),user);
}
- response.setContentLength(0);
+ LOG.debug("authenticated {}->{}",form_auth,nuri);
+
+ response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri));
-
- return new FormAuthentication(getAuthMethod(),user);
+ return form_auth;
}
-
+
// not authenticated
- if (LOG.isDebugEnabled())
+ if (LOG.isDebugEnabled())
LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
if (_formErrorPage == null)
{
- if (response != null)
+ LOG.debug("auth failed {}->403",username);
+ if (response != null)
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
else if (_dispatch)
{
+ LOG.debug("auth failed {}=={}",username,_formErrorPage);
RequestDispatcher dispatcher = request.getRequestDispatcher(_formErrorPage);
- response.setHeader(HttpHeaders.CACHE_CONTROL,"No-cache");
- response.setDateHeader(HttpHeaders.EXPIRES,1);
+ response.setHeader(HttpHeader.CACHE_CONTROL.asString(),HttpHeaderValue.NO_CACHE.asString());
+ response.setDateHeader(HttpHeader.EXPIRES.asString(),1);
dispatcher.forward(new FormRequest(request), new FormResponse(response));
}
else
{
+ LOG.debug("auth failed {}->{}",username,_formErrorPage);
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage)));
}
-
+
return Authentication.SEND_FAILURE;
}
-
+
// Look for cached authentication
Authentication authentication = (Authentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
- if (authentication != null)
+ if (authentication != null)
{
// Has authentication been revoked?
- if (authentication instanceof Authentication.User &&
+ if (authentication instanceof Authentication.User &&
_loginService!=null &&
!_loginService.validate(((Authentication.User)authentication).getUserIdentity()))
{
-
+ LOG.debug("auth revoked {}",authentication);
session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
}
else
{
- String j_uri=(String)session.getAttribute(__J_URI);
- if (j_uri!=null)
+ synchronized (session)
{
- MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(__J_POST);
- if (j_post!=null)
+ String j_uri=(String)session.getAttribute(__J_URI);
+ if (j_uri!=null)
{
- StringBuffer buf = request.getRequestURL();
- if (request.getQueryString() != null)
- buf.append("?").append(request.getQueryString());
-
- if (j_uri.equals(buf.toString()))
+ LOG.debug("auth retry {}->{}",authentication,j_uri);
+ MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(__J_POST);
+ if (j_post!=null)
{
- // This is a retry of an original POST request
- // so restore method and parameters
+ LOG.debug("auth rePOST {}->{}",authentication,j_uri);
+ StringBuffer buf = request.getRequestURL();
+ if (request.getQueryString() != null)
+ buf.append("?").append(request.getQueryString());
+
+ if (j_uri.equals(buf.toString()))
+ {
+ // This is a retry of an original POST request
+ // so restore method and parameters
- session.removeAttribute(__J_POST);
- Request base_request = (req instanceof Request)?(Request)req:AbstractHttpConnection.getCurrentConnection().getRequest();
- base_request.setMethod(HttpMethods.POST);
- base_request.setParameters(j_post);
+ session.removeAttribute(__J_POST);
+ Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
+ base_request.setMethod(HttpMethod.POST,HttpMethod.POST.asString());
+ base_request.setParameters(j_post);
+ }
}
+ else
+ session.removeAttribute(__J_URI);
}
- else
- session.removeAttribute(__J_URI);
-
}
+ LOG.debug("auth {}",authentication);
return authentication;
}
}
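Review bot: The new `LOG.debug("auth failed {}->403",username)` and the two other `auth failed` lines log the raw `username` request parameter, while the existing line just above them passes it through `StringUtil.printable(username)`; an unsanitized value can carry control characters and line breaks into the log, so use `StringUtil.printable(username)` in the new lines as well, including the `jsecuritycheck` line in the preceding hunk. Separately, `Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();` drops the `req instanceof Request` fallback that the next hunk keeps at its `extractParameters()` site; if `getCurrentHttpChannel()` can be null here this becomes a NullPointerException on the re-POST path, so keep the two call sites consistent. validateRequest starts before this hunk and its try/catch closes after it.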
@@ -324,52 +339,48 @@ public class FormAuthenticator extends LoginAuthenticator
{
// But only if it is not set already, or we save every uri that leads to a login form redirect
if (session.getAttribute(__J_URI)==null || _alwaysSaveUri)
- {
+ {
StringBuffer buf = request.getRequestURL();
if (request.getQueryString() != null)
buf.append("?").append(request.getQueryString());
session.setAttribute(__J_URI, buf.toString());
-
- if (MimeTypes.FORM_ENCODED.equalsIgnoreCase(req.getContentType()) && HttpMethods.POST.equals(request.getMethod()))
+
+ if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod()))
{
- Request base_request = (req instanceof Request)?(Request)req:AbstractHttpConnection.getCurrentConnection().getRequest();
- base_request.extractParameters();
+ Request base_request = (req instanceof Request)?(Request)req:HttpChannel.getCurrentHttpChannel().getRequest();
+ base_request.extractParameters();
session.setAttribute(__J_POST, new MultiMap<String>(base_request.getParameters()));
}
}
}
-
+
// send the the challenge
if (_dispatch)
{
+ LOG.debug("challenge {}=={}",session.getId(),_formLoginPage);
RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage);
- response.setHeader(HttpHeaders.CACHE_CONTROL,"No-cache");
- response.setDateHeader(HttpHeaders.EXPIRES,1);
+ response.setHeader(HttpHeader.CACHE_CONTROL.asString(),HttpHeaderValue.NO_CACHE.asString());
+ response.setDateHeader(HttpHeader.EXPIRES.asString(),1);
dispatcher.forward(new FormRequest(request), new FormResponse(response));
}
else
{
+ LOG.debug("challenge {}->{}",session.getId(),_formLoginPage);
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage)));
}
return Authentication.SEND_CONTINUE;
-
-
}
- catch (IOException e)
- {
- throw new ServerAuthException(e);
- }
- catch (ServletException e)
+ catch (IOException | ServletException e)
{
throw new ServerAuthException(e);
}
}
-
+
/* ------------------------------------------------------------ */
public boolean isJSecurityCheck(String uri)
{
int jsc = uri.indexOf(__J_SECURITY_CHECK);
-
+
if (jsc<0)
return false;
int e=jsc+__J_SECURITY_CHECK.length();
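Review bot: The two new `LOG.debug("challenge …",session.getId(),_formLoginPage)` lines write the session identifier to the log; a session id is a bearer credential and debug output is usually readable more widely than the session store, so log a non-identifying value such as `session.isNew()` instead. The same pattern appears in LoginAuthenticator.renewSession (`LOG.debug("renew {}->{}",oldId,abstractSession.getId())`) and in the new SessionAuthentication.toString, which embeds `_session.getId()` and is what `LOG.debug("auth {}",authentication)` in the previous hunk prints. The `catch (IOException | ServletException e)` merge is fine. validateRequest begins before this hunk.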
@@ -378,14 +389,15 @@ public class FormAuthenticator extends LoginAuthenticator
char c = uri.charAt(e);
return c==';'||c=='#'||c=='/'||c=='?';
}
-
+
/* ------------------------------------------------------------ */
public boolean isLoginOrErrorPage(String pathInContext)
{
return pathInContext != null && (pathInContext.equals(_formErrorPath) || pathInContext.equals(_formLoginPath));
}
-
+
/* ------------------------------------------------------------ */
+ @Override
public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
{
return true;
@@ -407,7 +419,7 @@ public class FormAuthenticator extends LoginAuthenticator
return -1;
return super.getDateHeader(name);
}
-
+
@Override
public String getHeader(String name)
{
@@ -417,16 +429,16 @@ public class FormAuthenticator extends LoginAuthenticator
}
@Override
- public Enumeration getHeaderNames()
+ public Enumeration<String> getHeaderNames()
{
return Collections.enumeration(Collections.list(super.getHeaderNames()));
}
@Override
- public Enumeration getHeaders(String name)
+ public Enumeration<String> getHeaders(String name)
{
if (name.toLowerCase(Locale.ENGLISH).startsWith("if-"))
- return Collections.enumeration(Collections.EMPTY_LIST);
+ return Collections.<String>enumeration(Collections.<String>emptyList());
return super.getHeaders(name);
}
}
@@ -460,30 +472,30 @@ public class FormAuthenticator extends LoginAuthenticator
if (notIgnored(name))
super.setDateHeader(name,date);
}
-
+
@Override
public void setHeader(String name, String value)
{
if (notIgnored(name))
super.setHeader(name,value);
}
-
+
private boolean notIgnored(String name)
{
- if (HttpHeaders.CACHE_CONTROL.equalsIgnoreCase(name) ||
- HttpHeaders.PRAGMA.equalsIgnoreCase(name) ||
- HttpHeaders.ETAG.equalsIgnoreCase(name) ||
- HttpHeaders.EXPIRES.equalsIgnoreCase(name) ||
- HttpHeaders.LAST_MODIFIED.equalsIgnoreCase(name) ||
- HttpHeaders.AGE.equalsIgnoreCase(name))
+ if (HttpHeader.CACHE_CONTROL.is(name) ||
+ HttpHeader.PRAGMA.is(name) ||
+ HttpHeader.ETAG.is(name) ||
+ HttpHeader.EXPIRES.is(name) ||
+ HttpHeader.LAST_MODIFIED.is(name) ||
+ HttpHeader.AGE.is(name))
return false;
return true;
}
}
-
+
/* ------------------------------------------------------------ */
/** This Authentication represents a just completed Form authentication.
- * Subsequent requests from the same user are authenticated by the presents
+ * Subsequent requests from the same user are authenticated by the presents
* of a {@link SessionAuthentication} instance in their session.
*/
public static class FormAuthentication extends UserAuthentication implements Authentication.ResponseSent
@@ -492,7 +504,7 @@ public class FormAuthenticator extends LoginAuthenticator
{
super(method,userIdentity);
}
-
+
@Override
public String toString()
{
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index 23b09e8483..51ad8e9b9d 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -26,12 +26,17 @@ import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
-import org.eclipse.jetty.server.Authentication;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
-import org.eclipse.jetty.server.session.AbstractSessionManager;
+import org.eclipse.jetty.server.session.AbstractSession;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
public abstract class LoginAuthenticator implements Authenticator
{
+ private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);
+
protected LoginService _loginService;
protected IdentityService _identityService;
private boolean _renewSession;
@@ -47,13 +52,14 @@ public abstract class LoginAuthenticator implements Authenticator
UserIdentity user = _loginService.login(username,password);
if (user!=null)
{
- renewSession((HttpServletRequest)request, null);
+ renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
return user;
}
return null;
}
+ @Override
public void setConfiguration(AuthConfiguration configuration)
{
_loginService=configuration.getLoginService();
@@ -64,12 +70,12 @@ public abstract class LoginAuthenticator implements Authenticator
throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
_renewSession=configuration.isSessionRenewedOnAuthentication();
}
-
+
public LoginService getLoginService()
{
return _loginService;
}
-
+
/** Change the session id.
* The session is changed to a new instance with a new ID if and only if:<ul>
* <li>A session exists.
@@ -83,14 +89,30 @@ public abstract class LoginAuthenticator implements Authenticator
protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
{
HttpSession httpSession = request.getSession(false);
-
- //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
- //(indicated by SESSION_SECURED not being set on the session) then we should change id
- if (_renewSession && httpSession!=null && httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+
+ if (_renewSession && httpSession!=null)
{
- synchronized (this)
+ synchronized (httpSession)
{
- httpSession = AbstractSessionManager.renewSession(request, httpSession,true);
+ //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
+ //(indicated by SESSION_SECURED not being set on the session) then we should change id
+ if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+ {
+ if (httpSession instanceof AbstractSession)
+ {
+ AbstractSession abstractSession = (AbstractSession)httpSession;
+ String oldId = abstractSession.getId();
+ abstractSession.renewId(request);
+ abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
+ ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
+ LOG.debug("renew {}->{}",oldId,abstractSession.getId());
+ }
+ else
+ LOG.warn("Unable to renew session "+httpSession);
+
+ return httpSession;
+ }
}
}
return httpSession;
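Review bot: When `response` is null or not a jetty `Response`, `abstractSession.renewId(request)` still runs but no session cookie is added, so presumably the client keeps presenting the old id on its next request and the freshly authenticated session is lost; either check the response before calling `renewId`, or raise that branch to `LOG.warn` so the silent renewal is visible. The `return httpSession;` inside the attribute check is redundant with the final return after the synchronized block and can be dropped. The moved comment still says SESSION_SECURED while the code tests `AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED`; update it to name the actual attribute.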
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java
index cc042f93ea..c3a21e5d20 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallback.java
@@ -26,7 +26,7 @@ import javax.security.auth.Subject;
/**
* This is similar to the jaspi PasswordValidationCallback but includes user
* principal and group info as well.
- *
+ *
* @version $Rev: 4792 $ $Date: 2009-03-18 22:55:52 +0100 (Wed, 18 Mar 2009) $
*/
public interface LoginCallback
@@ -36,7 +36,7 @@ public interface LoginCallback
public String getUserName();
public Object getCredential();
-
+
public boolean isSuccess();
public void setSuccess(boolean success);
@@ -46,10 +46,10 @@ public interface LoginCallback
public void setUserPrincipal(Principal userPrincipal);
public String[] getRoles();
-
+
public void setRoles(String[] roles);
-
+
public void clearPassword();
-
+
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java
index 630f64f5f0..7a263e85a8 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginCallbackImpl.java
@@ -27,7 +27,7 @@ import org.eclipse.jetty.security.IdentityService;
/**
* This is similar to the jaspi PasswordValidationCallback but includes user
* principal and group info as well.
- *
+ *
* @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
*/
public class LoginCallbackImpl implements LoginCallback
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index 5f2b7b5df6..ab0888e6c1 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -34,7 +34,7 @@ import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.UserIdentity.Scope;
-import org.eclipse.jetty.server.session.AbstractSessionManager;
+import org.eclipse.jetty.server.session.AbstractSession;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@@ -44,17 +44,17 @@ public class SessionAuthentication implements Authentication.User, Serializable,
private static final long serialVersionUID = -4643200685888258706L;
-
+
public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity";
private final String _method;
private final String _name;
private final Object _credentials;
-
+
private transient UserIdentity _userIdentity;
private transient HttpSession _session;
-
+
public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials)
{
_method = method;
@@ -78,22 +78,22 @@ public class SessionAuthentication implements Authentication.User, Serializable,
return _userIdentity.isUserInRole(role, scope);
}
- private void readObject(ObjectInputStream stream)
- throws IOException, ClassNotFoundException
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException
{
stream.defaultReadObject();
-
+
SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
if (security==null)
throw new IllegalStateException("!SecurityHandler");
LoginService login_service=security.getLoginService();
if (login_service==null)
throw new IllegalStateException("!LoginService");
-
+
_userIdentity=login_service.login(_name,_credentials);
LOG.debug("Deserialized and relogged in {}",this);
}
-
+
public void logout()
{
if (_session!=null && _session.getAttribute(__J_AUTHENTICATED)!=null)
@@ -101,27 +101,29 @@ public class SessionAuthentication implements Authentication.User, Serializable,
doLogout();
}
-
+
private void doLogout()
{
SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
if (security!=null)
security.logout(this);
if (_session!=null)
- _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
+ _session.removeAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
}
-
+
@Override
public String toString()
{
- return "Session"+super.toString();
+ return String.format("%s@%x{%s,%s}",this.getClass().getSimpleName(),hashCode(),_session==null?"-":_session.getId(),_userIdentity);
}
+ @Override
public void sessionWillPassivate(HttpSessionEvent se)
{
}
+ @Override
public void sessionDidActivate(HttpSessionEvent se)
{
if (_session==null)
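Review bot: The new toString() on the `return String.format(...)` line embeds the full session id via `_session.getId()`, and this object is already written to the log at debug level in readObject (`LOG.debug("Deserialized and relogged in {}",this)` in the hunk above), so the session identifier — effectively the user's bearer credential — ends up in log files. A presence marker is enough for debugging the authentication state, e.g. `return String.format("%s@%x{%s,%s}",this.getClass().getSimpleName(),hashCode(),_session==null?"-":"session",_userIdentity);`. Whether `_userIdentity.toString()` itself exposes anything sensitive cannot be judged from this hunk and is worth checking in the same spirit. sessionDidActivate's body continues outside the hunk.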
@@ -130,6 +132,7 @@ public class SessionAuthentication implements Authentication.User, Serializable,
}
}
+ @Override
public void valueBound(HttpSessionBindingEvent event)
{
if (_session==null)
@@ -138,9 +141,10 @@ public class SessionAuthentication implements Authentication.User, Serializable,
}
}
+ @Override
public void valueUnbound(HttpSessionBindingEvent event)
{
doLogout();
}
-
-} \ No newline at end of file
+
+}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
index ab1b8edc27..a26e14dc82 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java
@@ -25,7 +25,7 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.HttpHeaders;
+import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
@@ -38,14 +38,12 @@ import org.eclipse.jetty.util.security.Constraint;
public class SpnegoAuthenticator extends LoginAuthenticator
{
private static final Logger LOG = Log.getLogger(SpnegoAuthenticator.class);
-
private String _authMethod = Constraint.__SPNEGO_AUTH;
-
+
public SpnegoAuthenticator()
{
-
}
-
+
/**
* Allow for a custom authMethod value to be set for instances where SPENGO may not be appropriate
* @param authMethod
@@ -54,26 +52,26 @@ public class SpnegoAuthenticator extends LoginAuthenticator
{
_authMethod = authMethod;
}
-
+
+ @Override
public String getAuthMethod()
{
return _authMethod;
}
-
-
+ @Override
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
- {
+ {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
-
- String header = req.getHeader(HttpHeaders.AUTHORIZATION);
+
+ String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());
if (!mandatory)
{
return new DeferredAuthentication(this);
}
-
+
// check to see if we have authorization headers required to continue
if ( header == null )
{
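Review bot: `String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());` is now computed before the `if (!mandatory)` early return that ignores it, so the header lookup is wasted work on every non-mandatory request and the declaration sits apart from the branches that use it. Moving the line directly below the `return new DeferredAuthentication(this);` block keeps the value next to its only readers and avoids touching the request when authentication is not required. validateRequest's body continues past the end of this hunk.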
@@ -83,32 +81,33 @@ public class SpnegoAuthenticator extends LoginAuthenticator
{
return Authentication.UNAUTHENTICATED;
}
-
+
LOG.debug("SpengoAuthenticator: sending challenge");
- res.setHeader(HttpHeaders.WWW_AUTHENTICATE, HttpHeaders.NEGOTIATE);
+ res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return Authentication.SEND_CONTINUE;
- }
+ }
catch (IOException ioe)
{
throw new ServerAuthException(ioe);
- }
+ }
}
- else if (header != null && header.startsWith(HttpHeaders.NEGOTIATE))
+ else if (header != null && header.startsWith(HttpHeader.NEGOTIATE.asString()))
{
String spnegoToken = header.substring(10);
-
+
UserIdentity user = login(null,spnegoToken, request);
-
+
if ( user != null )
{
return new UserAuthentication(getAuthMethod(),user);
}
}
-
+
return Authentication.UNAUTHENTICATED;
}
+ @Override
public boolean secureResponse(ServletRequest request, ServletResponse response, boolean mandatory, User validatedUser) throws ServerAuthException
{
return true;
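Review bot: The prefix test on the `else if` line now uses `HttpHeader.NEGOTIATE.asString()`, but the token extraction two lines later still hardcodes `header.substring(10)`, so the two lines silently depend on each other (the 10 presumably counts "Negotiate" plus a space; if the enum string lacks the trailing space the offsets already differ by one). Deriving the offset from the same constant removes the coupling: `String spnegoToken = header.substring(HttpHeader.NEGOTIATE.asString().length()).trim();`. The `header != null &&` guard in that `else if` is redundant as well, since the preceding `if ( header == null )` branch always returns; the `startsWith` comparison is also case-sensitive where the HTTP auth-scheme is defined as case-insensitive, which the commit does not change but is worth a TODO comment.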
