

1 /*
2 * JBoss, Home of Professional Open Source
3 * Copyright 2005, JBoss Inc., and individual contributors as indicated
4 * by the @authors tag. See the copyright.txt in the distribution for a
5 * full listing of individual contributors.
6 *
7 * This is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this software; if not, write to the Free
19 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21 */

22 package org.jboss.web.tomcat.security;
23
24 import java.io.IOException JavaDoc;
25
26 import javax.servlet.http.HttpSession JavaDoc;
27
28 import org.apache.catalina.Session;
29 import org.apache.catalina.authenticator.Constants;
30 import org.apache.catalina.authenticator.FormAuthenticator;
31 import org.apache.catalina.connector.Request;
32 import org.apache.catalina.connector.Response;
33 import org.apache.catalina.deploy.LoginConfig;
34
35 import org.jboss.logging.Logger;
36
37 /**
38  * An extension of the form authenticator that associates the j_username with
39  * the session under the attribute name j_username for use by form login/error
40  * pages. If the includePassword attribute is true, the j_password value is
41  * also included in the session under the attribute name j_password. In
42  * addition, it maps any authentication exception found in the
43  * SecurityAssociation to the session attribute name j_exception.
44  *
45  * @author Scott.Stark@jboss.org
46  * @version $Revision: 45559 $
47  */

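public class ExtendedFormAuthenticator extends FormAuthenticator
{
   /** Session attribute name under which the authentication exception is stored. */
   public static final String LOGIN_EXCEPTION = "j_exception";

   /**
    * Session note name set by {@link #populateSession(Request)} and cleared by
    * {@link #authenticate(Request, Response, LoginConfig)} so that the session
    * is populated at most once per authenticate call.
    */
   public static final String DID_POPULATE = "did_populate";

   private static final Logger log = Logger.getLogger(ExtendedFormAuthenticator.class);

   // Evaluated once at class initialisation; a later change of the log level
   // is not picked up by this flag.
   private static final boolean trace = log.isTraceEnabled();

   /**
    * When true, the clear-text j_password request parameter is copied into the
    * HttpSession by populateSession. Nothing in this class removes that
    * attribute afterwards, so the password stays readable by any code that can
    * reach the session for as long as the session lives.
    * NOTE(review): depending on container configuration the session may also
    * be persisted or replicated - confirm before enabling. Defaults to false.
    */
   private boolean includePassword;

   /**
    * @return true if the j_password form value is copied into the session
    */
   public boolean isIncludePassword()
   {
      return includePassword;
   }

   /**
    * Enable or disable copying the j_password form value into the session.
    * Leave disabled unless a login/error page genuinely needs the value; see
    * the caveat on the includePassword field.
    *
    * @param includePassword true to store the submitted password in the session
    */
   public void setIncludePassword(boolean includePassword)
   {
      this.includePassword = includePassword;
   }

   /**
    * Authenticate the user making this request, based on the specified
    * login configuration. Return <code>true</code> if any specified
    * constraint has been satisfied, or <code>false</code> if we have
    * created a response challenge already.
    *
    * The decision itself is delegated to the superclass. If the superclass
    * reports the request as not authenticated and neither forward method
    * populated the session during that call, the session is populated here.
    *
    * @param request Request we are processing
    * @param response Response we are creating
    * @param config Login configuration describing how authentication
    * should be performed
    * @return the value returned by the superclass authenticate call
    *
    * @exception IOException if an input/output error occurs
    */
   public boolean authenticate(Request request,
                   Response response,
                   LoginConfig config)
      throws IOException
   {
      boolean didPopulate = false;

      // Let the superclass make the authentication decision.
      boolean alreadyAuthenticated = super.authenticate(request, response, config);

      // Do not create a session just to look for the note.
      Session session = request.getSessionInternal(false);
      if (session != null)
      {
         // Internal note telling us whether populateSession already ran.
         Boolean b = (Boolean) session.getNote(DID_POPULATE);
         if (b != null)
         {
            didPopulate = b.booleanValue();
         }
      }

      // Not authenticated and populateSession has not been called yet.
      if (!alreadyAuthenticated && !didPopulate)
      {
         populateSession(request);
      }

      // The note is no longer needed. The request may have no session at all,
      // in which case there is nothing to remove; without this guard the call
      // fails with a NullPointerException instead of returning the result.
      if (session != null)
      {
         session.removeNote(DID_POPULATE);
      }

      // Pass the superclass result on unchanged.
      return alreadyAuthenticated;
   }

   /**
    * Dispatch to the form error-page. The session is populated first so the
    * error page can read the login attributes; the authentication exception is
    * cleared once the forward has completed.
    *
    * @param request Request we are processing
    * @param response Response we are creating
    * @param config Login configuration describing how authentication should
    * be performed
    */
   protected void forwardToErrorPage(Request request, Response response, LoginConfig config)
   {
      if (trace)
      {
         log.trace("forwardToErrorPage");
      }
      populateSession(request);
      super.forwardToErrorPage(request, response, config);
      SecurityAssociationActions.clearAuthException();
   }

   /**
    * Dispatch to the form login-page. The session is populated first so the
    * login page can read the login attributes.
    *
    * @param request Request we are processing
    * @param response Response we are creating
    * @param config Login configuration describing how authentication should
    * be performed
    */
   protected void forwardToLoginPage(Request request, Response response, LoginConfig config)
   {
      if (trace)
      {
         log.trace("forwardToLoginPage");
      }
      populateSession(request);
      super.forwardToLoginPage(request, response, config);
   }

   /**
    * Populates the session the request belongs to with authentication data:
    * the j_username form value, the j_password form value when includePassword
    * is true, and the current authentication exception under j_exception.
    * If the request does not have an associated session this does nothing.
    *
    * @param request Request we are processing
    */
   protected void populateSession(Request request)
   {
      Session session = request.getSessionInternal(false);

      // Nothing to store the data under.
      if (session == null)
      {
         if (trace)
         {
            log.trace("No Session to store login parameters in");
         }
         return;
      }

      HttpSession httpSession = session.getSession();

      if (trace)
      {
         log.trace("SessionID: " + httpSession.getId());
      }

      // Store the username.
      // NOTE(review): the value is an unvalidated request parameter and is
      // written verbatim to the trace log and the session; pages that render
      // it must escape it, and CR/LF may need neutralising if trace logs feed
      // other tooling.
      String username = request.getParameter(Constants.FORM_USERNAME);
      if (trace)
      {
         log.trace("Setting " + Constants.FORM_USERNAME + " = " + username);
      }
      httpSession.setAttribute(Constants.FORM_USERNAME, username);

      // Store the password only when explicitly requested. The value is kept
      // out of the log: only a null / hidden marker is traced.
      if (includePassword)
      {
         String password = request.getParameter(Constants.FORM_PASSWORD);
         String displayPassword = (password == null ? " = null" : " = --hidden--");
         if (trace)
         {
            log.trace("Setting " + Constants.FORM_PASSWORD + displayPassword);
         }
         httpSession.setAttribute(Constants.FORM_PASSWORD, password);
      }

      // Store the SecurityAssociation context exception.
      // NOTE(review): pages that read j_exception should show a generic
      // failure message rather than the exception detail, which may disclose
      // why the login failed.
      Throwable t = SecurityAssociationActions.getAuthException();
      if (trace)
      {
         log.trace("Setting " + LOGIN_EXCEPTION + " = " + t);
      }
      httpSession.setAttribute(LOGIN_EXCEPTION, t);

      // Finally, set a note so authenticate does not populate again.
      session.setNote(DID_POPULATE, Boolean.TRUE);
   }

}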