Diffstat (limited to 'jetty-security/src/main/java/org/eclipse/jetty/security/authentication')
4 files changed, 116 insertions, 48 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java index b1a2c6061e..3853ebd6de 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DeferredAuthentication.java @@ -28,6 +28,7 @@ import java.util.Locale; import javax.servlet.ServletOutputStream; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; +import javax.servlet.WriteListener; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletResponse; @@ -111,7 +112,7 @@ public class DeferredAuthentication implements Authentication.Deferred /* ------------------------------------------------------------ */ /** - * @see org.eclipse.jetty.server.Authentication.Deferred#login(java.lang.String, java.lang.String) + * @see org.eclipse.jetty.server.Authentication.Deferred#login(String, Object, ServletRequest) */ @Override public Authentication login(String username, Object password, ServletRequest request) @@ -313,6 +314,11 @@ public class DeferredAuthentication implements Authentication.Deferred public void setContentLength(int len) { } + + public void setContentLengthLong(long len) + { + + } @Override public void setContentType(String type) @@ -348,6 +354,7 @@ public class DeferredAuthentication implements Authentication.Deferred return 0; } + }; /* ------------------------------------------------------------ */ 
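Review bot: `setContentLengthLong(long len)` in the `@@ -313` hunk is the only method of the no-op `HttpServletResponse` in view that lacks `@Override`, while `setContentType` right below it carries the annotation; add `@Override` so the compiler confirms it really matches the Servlet 3.1 interface signature and the file's annotation style stays uniform. The anonymous response class this hunk edits begins and ends outside the hunk.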
@@ -355,17 +362,33 @@ public class DeferredAuthentication implements Authentication.Deferred /* ------------------------------------------------------------ */ private static ServletOutputStream __nullOut = new ServletOutputStream() { + @Override public void write(int b) throws IOException { } - + + @Override public void print(String s) throws IOException { } - + + @Override public void println(String s) throws IOException { } + + + @Override + public void setWriteListener(WriteListener writeListener) + { + + } + + @Override + public boolean isReady() + { + return false; + } }; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java index 71bba4abad..0de728841e 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java @@ -36,6 +36,7 @@ import javax.servlet.http.HttpSession; import org.eclipse.jetty.http.HttpHeader; import org.eclipse.jetty.http.HttpHeaderValue; import org.eclipse.jetty.http.HttpMethod; +import org.eclipse.jetty.http.HttpVersion; import org.eclipse.jetty.http.MimeTypes; import org.eclipse.jetty.security.ServerAuthException; import org.eclipse.jetty.security.UserAuthentication; @@ -43,6 +44,7 @@ import org.eclipse.jetty.server.Authentication; import org.eclipse.jetty.server.Authentication.User; import org.eclipse.jetty.server.HttpChannel; import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Response; import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.util.MultiMap; import org.eclipse.jetty.util.StringUtil; 
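Review bot: `isReady()` returning `false` on `__nullOut` tells a Servlet 3.1 non-blocking writer that a write would block, yet `setWriteListener` discards the listener, so a caller honouring that contract would never receive `onWritePossible` and could wait indefinitely. A stream that discards everything is always writable, so `return true;` is the consistent answer. If instead this stream must never be driven asynchronously, `setWriteListener` should reject the call, e.g. `throw new IllegalStateException("null output stream");`, rather than silently drop the listener.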
@@ -75,6 +77,7 @@ public class FormAuthenticator extends LoginAuthenticator
 public final static String __FORM_DISPATCH="org.eclipse.jetty.security.dispatch";
 public final static String __J_URI = "org.eclipse.jetty.security.form_URI";
 public final static String __J_POST = "org.eclipse.jetty.security.form_POST";
+ public final static String __J_METHOD = "org.eclipse.jetty.security.form_METHOD";
 public final static String __J_SECURITY_CHECK = "/j_security_check";
 public final static String __J_USERNAME = "j_username";
 public final static String __J_PASSWORD = "j_password";
@@ -198,6 +201,45 @@ public class FormAuthenticator extends LoginAuthenticator } return user; } + + + /* ------------------------------------------------------------ */ + @Override + public void prepareRequest(ServletRequest request) + { + //if this is a request resulting from a redirect after auth is complete + //(ie its from a redirect to the original request uri) then due to + //browser handling of 302 redirects, the method may not be the same as + //that of the original request. Replace the method and original post + //params (if it was a post). + // + //See Servlet Spec 3.1 sec 13.6.3 + HttpServletRequest httpRequest = (HttpServletRequest)request; + HttpSession session = httpRequest.getSession(false); + if (session == null || session.getAttribute(SessionAuthentication.__J_AUTHENTICATED) == null) + return; //not authenticated yet + + String juri = (String)session.getAttribute(__J_URI); + if (juri == null || juri.length() == 0) + return; //no original uri saved + + String method = (String)session.getAttribute(__J_METHOD); + if (method == null || method.length() == 0) + return; //didn't save original request method + + StringBuffer buf = httpRequest.getRequestURL(); + if (httpRequest.getQueryString() != null) + buf.append("?").append(httpRequest.getQueryString()); + + if (!juri.equals(buf.toString())) + return; //this request is not for the same url as the original + + //restore the original request's method on this request + if (LOG.isDebugEnabled()) LOG.debug("Restoring original method {} for {} with method {}", method, juri,httpRequest.getMethod()); + Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); + HttpMethod m = HttpMethod.fromString(method); + base_request.setMethod(m,m.asString()); + } /* ------------------------------------------------------------ */ @Override 
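Review bot: `HttpMethod.fromString(method)` can return `null` for a method token outside the `HttpMethod` enum (in the Jetty versions I know it is a plain cache lookup), and `__J_METHOD` is filled from `request.getMethod()` of the original client request, so a login started from an extension method would make `m.asString()` throw a NullPointerException on every later request for that URL. Guard the lookup, e.g. `if (m == null) { LOG.debug("not restoring unknown method {}", method); return; }`, or pass the original string through with `base_request.setMethod(m, method)` if `Request.setMethod` tolerates a null enum value. The `FormAuthenticator` class this method is added to continues outside the hunk.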
@@ -249,7 +291,10 @@ public class FormAuthenticator extends LoginAuthenticator LOG.debug("authenticated {}->{}",form_auth,nuri); response.setContentLength(0); - response.sendRedirect(response.encodeRedirectURL(nuri)); + Response base_response = HttpChannel.getCurrentHttpChannel().getResponse(); + Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); + int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER); + base_response.sendRedirect(redirectCode, response.encodeRedirectURL(nuri)); return form_auth; } @@ -273,7 +318,10 @@ public class FormAuthenticator extends LoginAuthenticator else { LOG.debug("auth failed {}->{}",username,_formErrorPage); - response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage))); + Response base_response = HttpChannel.getCurrentHttpChannel().getResponse(); + Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); + int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER); + base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage))); } return Authentication.SEND_FAILURE; 
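Review bot: The three-line redirect-code computation (`Response base_response = …; Request base_request = …; int redirectCode = (… HTTP_1_1 … ? SC_MOVED_TEMPORARILY : SC_SEE_OTHER);`) is pasted verbatim into both hunks here and again in the `@@ -366` hunk of the login-page challenge below; it belongs in one private helper so the HTTP/1.0-versus-1.1 rule and its rationale live in a single documented place. Using the channel's `Response` instead of the `response` parameter also bypasses any wrapper a filter may have installed; if that is deliberate, a one-line comment at the call sites would save the next reader the question. Both enclosing methods start outside their hunks.
```java
    /* ------------------------------------------------------------ */
    /** 303 for HTTP/1.1 and later clients, 302 for older clients that may not understand 303. */
    private int redirectCode(Request base_request)
    {
        if (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion())
            return HttpServletResponse.SC_MOVED_TEMPORARILY;
        return HttpServletResponse.SC_SEE_OTHER;
    }

    // … unchanged: method body up to the successful-login redirect …
    Response base_response = HttpChannel.getCurrentHttpChannel().getResponse();
    Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
    base_response.sendRedirect(redirectCode(base_request), response.encodeRedirectURL(nuri));
```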
@@ -298,28 +346,26 @@ public class FormAuthenticator extends LoginAuthenticator String j_uri=(String)session.getAttribute(__J_URI); if (j_uri!=null) { + //check if the request is for the same url as the original and restore + //params if it was a post LOG.debug("auth retry {}->{}",authentication,j_uri); - MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(__J_POST); - if (j_post!=null) - { - LOG.debug("auth rePOST {}->{}",authentication,j_uri); - StringBuffer buf = request.getRequestURL(); - if (request.getQueryString() != null) - buf.append("?").append(request.getQueryString()); + StringBuffer buf = request.getRequestURL(); + if (request.getQueryString() != null) + buf.append("?").append(request.getQueryString()); - if (j_uri.equals(buf.toString())) + if (j_uri.equals(buf.toString())) + { + MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(__J_POST); + if (j_post!=null) { - // This is a retry of an original POST request - // so restore method and parameters - - session.removeAttribute(__J_POST); + LOG.debug("auth rePOST {}->{}",authentication,j_uri); Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); - base_request.setMethod(HttpMethod.POST,HttpMethod.POST.asString()); base_request.setParameters(j_post); } - } - else session.removeAttribute(__J_URI); + session.removeAttribute(__J_METHOD); + session.removeAttribute(__J_POST); + } } } LOG.debug("auth {}",authentication); @@ -344,6 +390,7 @@ public class FormAuthenticator extends LoginAuthenticator if (request.getQueryString() != null) buf.append("?").append(request.getQueryString()); session.setAttribute(__J_URI, buf.toString()); + session.setAttribute(__J_METHOD, request.getMethod()); if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod())) { 
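Review bot: In the `@@ -298` hunk the removal of `__J_METHOD` and `__J_POST` (and, as far as the collapsed hunk shows, of `__J_URI`) now happens only inside the `j_uri.equals(buf.toString())` branch, whereas the old code also dropped `__J_URI` on the `else` path when no POST had been saved. An authenticated request to any other URL therefore leaves the saved URI, method and form parameters in the session, and a later request to the saved URL — possibly much later in the same session — still gets its method rewritten by `prepareRequest` and its parameters replaced here. Consider clearing the three attributes on the first authenticated request regardless of URL match, or at least document that the saved state persists until that URL is revisited. Both hunks sit in methods that start outside the hunk.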
@@ -366,7 +413,10 @@ public class FormAuthenticator extends LoginAuthenticator else { LOG.debug("challenge {}->{}",session.getId(),_formLoginPage); - response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage))); + Response base_response = HttpChannel.getCurrentHttpChannel().getResponse(); + Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); + int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER); + base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage))); } return Authentication.SEND_CONTINUE; } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java index 51ad8e9b9d..181c0d9090 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java @@ -24,6 +24,7 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.eclipse.jetty.security.Authenticator; +import org.eclipse.jetty.security.Authenticator.AuthConfiguration; import org.eclipse.jetty.security.IdentityService; import org.eclipse.jetty.security.LoginService; import org.eclipse.jetty.server.Request; 
@@ -40,11 +41,20 @@ public abstract class LoginAuthenticator implements Authenticator protected LoginService _loginService; protected IdentityService _identityService; private boolean _renewSession; - + + + /* ------------------------------------------------------------ */ protected LoginAuthenticator() { } + /* ------------------------------------------------------------ */ + @Override + public void prepareRequest(ServletRequest request) + { + //empty implementation as the default + } + /* ------------------------------------------------------------ */ public UserIdentity login(String username, Object password, ServletRequest request) @@ -58,7 +68,7 @@ public abstract class LoginAuthenticator implements Authenticator return null; } - + /* ------------------------------------------------------------ */ @Override public void setConfiguration(AuthConfiguration configuration) { @@ -70,12 +80,16 @@ public abstract class LoginAuthenticator implements Authenticator throw new IllegalStateException("No IdentityService for "+this+" in "+configuration); _renewSession=configuration.isSessionRenewedOnAuthentication(); } - + + + /* ------------------------------------------------------------ */ public LoginService getLoginService() { return _loginService; } - + + + /* ------------------------------------------------------------ */ /** Change the session id. * The session is changed to a new instance with a new ID if and only if:<ul> * <li>A session exists. diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java index ab0888e6c1..dd4c31a1d2 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java 
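Review bot: The new `prepareRequest(ServletRequest)` default in the `@@ -40` hunk has only the inline `//empty implementation as the default` comment and no Javadoc, although it is a public hook subclasses are meant to override; document it, e.g. `/** Hook that lets an authenticator adjust an incoming request (FormAuthenticator overrides it to restore the original request method after the login redirect); this default does nothing. */`. The other two hunks only add separator comments and need nothing.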
@@ -29,16 +29,15 @@ import javax.servlet.http.HttpSessionBindingEvent;
 import javax.servlet.http.HttpSessionBindingListener;
 import javax.servlet.http.HttpSessionEvent;
+import org.eclipse.jetty.security.AbstractUserAuthentication;
 import org.eclipse.jetty.security.LoginService;
 import org.eclipse.jetty.security.SecurityHandler;
-import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.UserIdentity;
-import org.eclipse.jetty.server.UserIdentity.Scope;
 import org.eclipse.jetty.server.session.AbstractSession;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
-public class SessionAuthentication implements Authentication.User, Serializable, HttpSessionActivationListener, HttpSessionBindingListener
+public class SessionAuthentication extends AbstractUserAuthentication implements Serializable, HttpSessionActivationListener, HttpSessionBindingListener
 {
 private static final Logger LOG = Log.getLogger(SessionAuthentication.class);
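Review bot: `SessionAuthentication` now inherits its `UserIdentity` from `AbstractUserAuthentication` while remaining `Serializable`; in the old code that field was `transient` and rebuilt in `readObject`, so unless the superclass also declares it `transient` (and exposes it so `readObject` in the following hunk can reassign it), persisting the session will attempt to serialize the `UserIdentity`, which is neither portable across restarts nor something that belongs in a stored session. Worth confirming against `AbstractUserAuthentication`, and if the field is not transient there, keeping the old behaviour by marking it `transient` in the superclass. The class body continues beyond this hunk.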
@@ -48,35 +47,17 @@ public class SessionAuthentication implements Authentication.User, Serializable, public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity"; - private final String _method; private final String _name; private final Object _credentials; - - private transient UserIdentity _userIdentity; private transient HttpSession _session; public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials) { - _method = method; - _userIdentity = userIdentity; - _name=_userIdentity.getUserPrincipal().getName(); + super(method, userIdentity); + _name=userIdentity.getUserPrincipal().getName(); _credentials=credentials; } - public String getAuthMethod() - { - return _method; - } - - public UserIdentity getUserIdentity() - { - return _userIdentity; - } - - public boolean isUserInRole(Scope scope, String role) - { - return _userIdentity.isUserInRole(role, scope); - } private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException |