Google Git
Sign in
eclipse / rap / org.apache.tomcat / 19e34879509ffaf8c601d4f90cf4bbdbea1f8465 / . / bundles / org.apache.tomcat / src / org / apache / catalina / authenticator / FormAuthenticator.java
blob: 4f5f5684ec26da9011ac9faede6e21b010c08b08 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.authenticator;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Locale;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.coyote.ActionCode;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.CharChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.http.MimeHeaders;
/**
* An <b>Authenticator</b> and <b>Valve</b> implementation of FORM BASED
* Authentication, as described in the Servlet API Specification, Version 2.2.
*
* @author Craig R. McClanahan
* @author Remy Maucherat
* @version $Id: FormAuthenticator.java,v 1.1 2011/06/28 21:08:24 rherrmann Exp $
*/
public class FormAuthenticator
extends AuthenticatorBase {
private static final Log log = LogFactory.getLog(FormAuthenticator.class);
// ----------------------------------------------------- Instance Variables
/**
* Descriptive information about this implementation.
*/
protected static final String info =
"org.apache.catalina.authenticator.FormAuthenticator/1.0";
/**
* Character encoding to use to read the username and password parameters
* from the request. If not set, the encoding of the request body will be
* used.
*/
protected String characterEncoding = null;
/**
* Landing page to use if a user tries to access the login page directly or
* if the session times out during login. If not set, error responses will
* be sent instead.
*/
protected String landingPage = null;
// ------------------------------------------------------------- Properties
/**
* Return descriptive information about this Valve implementation.
*/
@Override
public String getInfo() {
return (info);
}
/**
* Return the character encoding to use to read the username and password.
*/
public String getCharacterEncoding() {
return characterEncoding;
}
/**
* Set the character encoding to be used to read the username and password.
*/
public void setCharacterEncoding(String encoding) {
characterEncoding = encoding;
}
/**
* Return the landing page to use when FORM auth is mis-used.
*/
public String getLandingPage() {
return landingPage;
}
/**
* Set the landing page to use when the FORM auth is mis-used.
*/
public void setLandingPage(String landingPage) {
this.landingPage = landingPage;
}
// --------------------------------------------------------- Public Methods
/**
* Authenticate the user making this request, based on the specified
* login configuration. Return <code>true</code> if any specified
* constraint has been satisfied, or <code>false</code> if we have
* created a response challenge already.
*
* @param request Request we are processing
* @param response Response we are creating
* @param config Login configuration describing how authentication
* should be performed
*
* @exception IOException if an input/output error occurs
*/
@Override
public boolean authenticate(Request request,
HttpServletResponse response,
LoginConfig config)
throws IOException {
// References to objects we will need later
Session session = null;
// Have we already authenticated someone?
Principal principal = request.getUserPrincipal();
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (principal != null) {
if (log.isDebugEnabled())
log.debug("Already authenticated '" +
principal.getName() + "'");
// Associate the session with any existing SSO session
if (ssoId != null)
associate(ssoId, request.getSessionInternal(true));
return (true);
}
// Is there an SSO session against which we can try to reauthenticate?
if (ssoId != null) {
if (log.isDebugEnabled())
log.debug("SSO Id " + ssoId + " set; attempting " +
"reauthentication");
// Try to reauthenticate using data cached by SSO. If this fails,
// either the original SSO logon was of DIGEST or SSL (which
// we can't reauthenticate ourselves because there is no
// cached username and password), or the realm denied
// the user's reauthentication for some reason.
// In either case we have to prompt the user for a logon */
if (reauthenticateFromSSO(ssoId, request))
return true;
}
// Have we authenticated this user before but have caching disabled?
if (!cache) {
session = request.getSessionInternal(true);
if (log.isDebugEnabled())
log.debug("Checking for reauthenticate in session " + session);
String username =
(String) session.getNote(Constants.SESS_USERNAME_NOTE);
String password =
(String) session.getNote(Constants.SESS_PASSWORD_NOTE);
if ((username != null) && (password != null)) {
if (log.isDebugEnabled())
log.debug("Reauthenticating username '" + username + "'");
principal =
context.getRealm().authenticate(username, password);
if (principal != null) {
session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
if (!matchRequest(request)) {
register(request, response, principal,
Constants.FORM_METHOD,
username, password);
return (true);
}
}
if (log.isDebugEnabled())
log.debug("Reauthentication failed, proceed normally");
}
}
// Is this the re-submit of the original request URI after successful
// authentication? If so, forward the *original* request instead.
if (matchRequest(request)) {
session = request.getSessionInternal(true);
if (log.isDebugEnabled())
log.debug("Restore request from session '"
+ session.getIdInternal()
+ "'");
principal = (Principal)
session.getNote(Constants.FORM_PRINCIPAL_NOTE);
register(request, response, principal, Constants.FORM_METHOD,
(String) session.getNote(Constants.SESS_USERNAME_NOTE),
(String) session.getNote(Constants.SESS_PASSWORD_NOTE));
// If we're caching principals we no longer need the username
// and password in the session, so remove them
if (cache) {
session.removeNote(Constants.SESS_USERNAME_NOTE);
session.removeNote(Constants.SESS_PASSWORD_NOTE);
}
if (restoreRequest(request, session)) {
if (log.isDebugEnabled())
log.debug("Proceed to restored request");
return (true);
} else {
if (log.isDebugEnabled())
log.debug("Restore of original request failed");
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return (false);
}
}
// Acquire references to objects we will need to evaluate
MessageBytes uriMB = MessageBytes.newInstance();
CharChunk uriCC = uriMB.getCharChunk();
uriCC.setLimit(-1);
String contextPath = request.getContextPath();
String requestURI = request.getDecodedRequestURI();
// Is this the action request from the login page?
boolean loginAction =
requestURI.startsWith(contextPath) &&
requestURI.endsWith(Constants.FORM_ACTION);
// No -- Save this request and redirect to the form login page
if (!loginAction) {
session = request.getSessionInternal(true);
if (log.isDebugEnabled())
log.debug("Save request in session '" + session.getIdInternal() + "'");
try {
saveRequest(request, session);
} catch (IOException ioe) {
log.debug("Request body too big to save during authentication");
response.sendError(HttpServletResponse.SC_FORBIDDEN,
sm.getString("authenticator.requestBodyTooBig"));
return (false);
}
forwardToLoginPage(request, response, config);
return (false);
}
// Yes -- Acknowledge the request, validate the specified credentials
// and redirect to the error page if they are not correct
request.getResponse().sendAcknowledgement();
Realm realm = context.getRealm();
if (characterEncoding != null) {
request.setCharacterEncoding(characterEncoding);
}
String username = request.getParameter(Constants.FORM_USERNAME);
String password = request.getParameter(Constants.FORM_PASSWORD);
if (log.isDebugEnabled())
log.debug("Authenticating username '" + username + "'");
principal = realm.authenticate(username, password);
if (principal == null) {
forwardToErrorPage(request, response, config);
return (false);
}
if (log.isDebugEnabled())
log.debug("Authentication of '" + username + "' was successful");
if (session == null)
session = request.getSessionInternal(false);
if (session == null) {
if (containerLog.isDebugEnabled())
containerLog.debug
("User took so long to log on the session expired");
if (landingPage == null) {
response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
sm.getString("authenticator.sessionExpired"));
} else {
// Make the authenticator think the user originally requested
// the landing page
String uri = request.getContextPath() + landingPage;
SavedRequest saved = new SavedRequest();
saved.setRequestURI(uri);
request.getSessionInternal(true).setNote(
Constants.FORM_REQUEST_NOTE, saved);
response.sendRedirect(response.encodeRedirectURL(uri));
}
return (false);
}
// Save the authenticated Principal in our session
session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
// Save the username and password as well
session.setNote(Constants.SESS_USERNAME_NOTE, username);
session.setNote(Constants.SESS_PASSWORD_NOTE, password);
// Redirect the user to the original request URI (which will cause
// the original request to be restored)
requestURI = savedRequestURL(session);
if (log.isDebugEnabled())
log.debug("Redirecting to original '" + requestURI + "'");
if (requestURI == null)
if (landingPage == null) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST,
sm.getString("authenticator.formlogin"));
} else {
// Make the authenticator think the user originally requested
// the landing page
String uri = request.getContextPath() + landingPage;
SavedRequest saved = new SavedRequest();
saved.setRequestURI(uri);
session.setNote(Constants.FORM_REQUEST_NOTE, saved);
response.sendRedirect(response.encodeRedirectURL(uri));
}
else
response.sendRedirect(response.encodeRedirectURL(requestURI));
return (false);
}
@Override
protected String getAuthMethod() {
return Constants.FORM_METHOD;
}
// ------------------------------------------------------ Protected Methods
/**
* Called to forward to the login page
*
* @param request Request we are processing
* @param response Response we are populating
* @param config Login configuration describing how authentication
* should be performed
* @throws IOException If the forward to the login page fails and the call
* to {@link HttpServletResponse#sendError(int, String)}
* throws an {@link IOException}
*/
protected void forwardToLoginPage(Request request,
HttpServletResponse response, LoginConfig config)
throws IOException {
RequestDispatcher disp =
context.getServletContext().getRequestDispatcher
(config.getLoginPage());
try {
if (context.fireRequestInitEvent(request)) {
disp.forward(request.getRequest(), response);
context.fireRequestDestroyEvent(request);
}
} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);
String msg = sm.getString("formAuthenticator.forwardLoginFail");
log.warn(msg, t);
request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, t);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
msg);
}
}
/**
* Called to forward to the error page
*
* @param request Request we are processing
* @param response Response we are populating
* @param config Login configuration describing how authentication
* should be performed
* @throws IOException If the forward to the error page fails and the call
* to {@link HttpServletResponse#sendError(int, String)}
* throws an {@link IOException}
*/
protected void forwardToErrorPage(Request request,
HttpServletResponse response, LoginConfig config)
throws IOException {
RequestDispatcher disp =
context.getServletContext().getRequestDispatcher
(config.getErrorPage());
try {
if (context.fireRequestInitEvent(request)) {
disp.forward(request.getRequest(), response);
context.fireRequestDestroyEvent(request);
}
} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);
String msg = sm.getString("formAuthenticator.forwardErrorFail");
log.warn(msg, t);
request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, t);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
msg);
}
}
/**
* Does this request match the saved one (so that it must be the redirect
* we signaled after successful authentication?
*
* @param request The request to be verified
*/
protected boolean matchRequest(Request request) {
// Has a session been created?
Session session = request.getSessionInternal(false);
if (session == null)
return (false);
// Is there a saved request?
SavedRequest sreq = (SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
if (sreq == null)
return (false);
// Is there a saved principal?
if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null)
return (false);
// Does the request URI match?
String requestURI = request.getRequestURI();
if (requestURI == null)
return (false);
return (requestURI.equals(sreq.getRequestURI()));
}
/**
* Restore the original request from information stored in our session.
* If the original request is no longer present (because the session
* timed out), return <code>false</code>; otherwise, return
* <code>true</code>.
*
* @param request The request to be restored
* @param session The session containing the saved information
*/
protected boolean restoreRequest(Request request, Session session)
throws IOException {
// Retrieve and remove the SavedRequest object from our session
SavedRequest saved = (SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
session.removeNote(Constants.FORM_REQUEST_NOTE);
session.removeNote(Constants.FORM_PRINCIPAL_NOTE);
if (saved == null)
return (false);
// Modify our current request to reflect the original one
request.clearCookies();
Iterator<Cookie> cookies = saved.getCookies();
while (cookies.hasNext()) {
request.addCookie(cookies.next());
}
MimeHeaders rmh = request.getCoyoteRequest().getMimeHeaders();
rmh.recycle();
boolean cachable = "GET".equalsIgnoreCase(saved.getMethod()) ||
"HEAD".equalsIgnoreCase(saved.getMethod());
Iterator<String> names = saved.getHeaderNames();
while (names.hasNext()) {
String name = names.next();
// The browser isn't expecting this conditional response now.
// Assuming that it can quietly recover from an unexpected 412.
// BZ 43687
if(!("If-Modified-Since".equalsIgnoreCase(name) ||
(cachable && "If-None-Match".equalsIgnoreCase(name)))) {
Iterator<String> values = saved.getHeaderValues(name);
while (values.hasNext()) {
rmh.addValue(name).setString(values.next());
}
}
}
request.clearLocales();
Iterator<Locale> locales = saved.getLocales();
while (locales.hasNext()) {
request.addLocale(locales.next());
}
request.getCoyoteRequest().getParameters().recycle();
request.getCoyoteRequest().getParameters().setQueryStringEncoding(
request.getConnector().getURIEncoding());
// Swallow any request body since we will be replacing it
byte[] buffer = new byte[4096];
InputStream is = request.getInputStream();
while (is.read(buffer) >= 0) {
// Ignore request body
}
if ("POST".equalsIgnoreCase(saved.getMethod())) {
ByteChunk body = saved.getBody();
if (body != null) {
request.getCoyoteRequest().action
(ActionCode.REQ_SET_BODY_REPLAY, body);
// Set content type
MessageBytes contentType = MessageBytes.newInstance();
//If no content type specified, use default for POST
String savedContentType = saved.getContentType();
if (savedContentType == null) {
savedContentType = "application/x-www-form-urlencoded";
}
contentType.setString(savedContentType);
request.getCoyoteRequest().setContentType(contentType);
}
}
request.getCoyoteRequest().method().setString(saved.getMethod());
request.getCoyoteRequest().queryString().setString
(saved.getQueryString());
request.getCoyoteRequest().requestURI().setString
(saved.getRequestURI());
return (true);
}
/**
* Save the original request information into our session.
*
* @param request The request to be saved
* @param session The session to contain the saved information
* @throws IOException
*/
protected void saveRequest(Request request, Session session)
throws IOException {
// Create and populate a SavedRequest object for this request
SavedRequest saved = new SavedRequest();
Cookie cookies[] = request.getCookies();
if (cookies != null) {
for (int i = 0; i < cookies.length; i++)
saved.addCookie(cookies[i]);
}
Enumeration<String> names = request.getHeaderNames();
while (names.hasMoreElements()) {
String name = names.nextElement();
Enumeration<String> values = request.getHeaders(name);
while (values.hasMoreElements()) {
String value = values.nextElement();
saved.addHeader(name, value);
}
}
Enumeration<Locale> locales = request.getLocales();
while (locales.hasMoreElements()) {
Locale locale = locales.nextElement();
saved.addLocale(locale);
}
if ("POST".equalsIgnoreCase(request.getMethod())) {
// May need to acknowledge a 100-continue expectation
request.getResponse().sendAcknowledgement();
ByteChunk body = new ByteChunk();
body.setLimit(request.getConnector().getMaxSavePostSize());
byte[] buffer = new byte[4096];
int bytesRead;
InputStream is = request.getInputStream();
while ( (bytesRead = is.read(buffer) ) >= 0) {
body.append(buffer, 0, bytesRead);
}
saved.setContentType(request.getContentType());
saved.setBody(body);
}
saved.setMethod(request.getMethod());
saved.setQueryString(request.getQueryString());
saved.setRequestURI(request.getRequestURI());
// Stash the SavedRequest in our session for later use
session.setNote(Constants.FORM_REQUEST_NOTE, saved);
}
/**
* Return the request URI (with the corresponding query string, if any)
* from the saved request so that we can redirect to it.
*
* @param session Our current session
*/
protected String savedRequestURL(Session session) {
SavedRequest saved =
(SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
if (saved == null)
return (null);
StringBuilder sb = new StringBuilder(saved.getRequestURI());
if (saved.getQueryString() != null) {
sb.append('?');
sb.append(saved.getQueryString());
}
return (sb.toString());
}
}