Source Code Cross Referenced for ExtendedFormAuthenticator.java in  » EJB-Server-JBoss-4.2.1 » tomcat » org » jboss » web » tomcat » security » Java Source Code / Java DocumentationJava Source Code and Java Documentation

001:        /*
002:         * JBoss, Home of Professional Open Source.
003:         * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004:         * as indicated by the @author tags. See the copyright.txt file in the
005:         * distribution for a full listing of individual contributors.
006:         *
007:         * This is free software; you can redistribute it and/or modify it
008:         * under the terms of the GNU Lesser General Public License as
009:         * published by the Free Software Foundation; either version 2.1 of
010:         * the License, or (at your option) any later version.
011:         *
012:         * This software is distributed in the hope that it will be useful,
013:         * but WITHOUT ANY WARRANTY; without even the implied warranty of
014:         * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015:         * Lesser General Public License for more details.
016:         *
017:         * You should have received a copy of the GNU Lesser General Public
018:         * License along with this software; if not, write to the Free
019:         * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020:         * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021:         */
022:        package org.jboss.web.tomcat.security;
023:
024:        import java.io.IOException;
025:
026:        import javax.servlet.http.HttpSession;
027:
028:        import org.apache.catalina.Session;
029:        import org.apache.catalina.authenticator.Constants;
030:        import org.apache.catalina.authenticator.FormAuthenticator;
031:        import org.apache.catalina.connector.Request;
032:        import org.apache.catalina.connector.Response;
033:        import org.apache.catalina.deploy.LoginConfig;
034:
035:        import org.jboss.logging.Logger;
036:
037:        /**
038:         * An extension of the form authenticator that associates the j_username with
039:         * the session under the attribute name j_username for use by form login/error
040:         * pages. If the includePassword attribute is true, the j_password value is
041:         * also included in the session under the attribute name j_password. In
042:         * addition, it maps any authentication exception found in the
043:         * SecurityAssociation to the session attribute name j_exception.
044:         * 
045:         * @author Scott.Stark@jboss.org
046:         * @version $Revision: 57206 $
047:         */
048:        public class ExtendedFormAuthenticator extends FormAuthenticator {
049:            public static final String LOGIN_EXCEPTION = "j_exception";
050:            public static final String DID_POPULATE = "did_populate";
051:            private static Logger log = Logger
052:                    .getLogger(ExtendedFormAuthenticator.class);
053:            private static boolean trace = log.isTraceEnabled();
054:            private boolean includePassword;
055:
056:            public boolean isIncludePassword() {
057:                return includePassword;
058:            }
059:
060:            public void setIncludePassword(boolean includePassword) {
061:                this .includePassword = includePassword;
062:            }
063:
064:            /**
065:             * Authenticate the user making this request, based on the specified
066:             * login configuration.  Return <code>true</code> if any specified
067:             * constraint has been satisfied, or <code>false</code> if we have
068:             * created a response challenge already.
069:             *
070:             * @param request Request we are processing
071:             * @param response Response we are creating
072:             * @param config    Login configuration describing how authentication
073:             *              should be performed
074:             *
075:             * @exception IOException if an input/output error occurs
076:             */
077:            public boolean authenticate(Request request, Response response,
078:                    LoginConfig config) throws IOException {
079:
080:                boolean didPopulate = false;
081:
082:                //let super class handle the authenticate().
083:                boolean alreadyAuthenticated = super .authenticate(request,
084:                        response, config);
085:
086:                Session session = request.getSessionInternal(false);
087:                if (session != null) {
088:                    //get session note(used internally) to indicate if did populateSession.
089:                    Boolean b = (Boolean) session.getNote(DID_POPULATE);
090:                    if (b != null)
091:                        didPopulate = b.booleanValue();
092:                }
093:
094:                //if user not already authenticated and did populate not called..
095:                if (!alreadyAuthenticated && !didPopulate) {
096:                    populateSession(request);
097:                }
098:
099:                //remove the note since not needed anymore, if set.
100:                session.removeNote(DID_POPULATE);
101:
102:                //pass return value on.
103:                return alreadyAuthenticated;
104:            }
105:
106:            /**
107:             * Dispatch to the form error-page
108:             * 
109:             * @param request Request we are processing
110:             * @param response Response we are creating
111:             * @param config Login configuration describing how authentication should
112:             * be performed
113:             */
114:            protected void forwardToErrorPage(Request request,
115:                    Response response, LoginConfig config) {
116:                if (trace)
117:                    log.trace("forwardToErrorPage");
118:                populateSession(request);
119:                super .forwardToErrorPage(request, response, config);
120:                SecurityAssociationActions.clearAuthException();
121:            }
122:
123:            /**
124:             * Dispatch to the form login-page
125:             * 
126:             * @param request Request we are processing
127:             * @param response Response we are creating
128:             * @param config Login configuration describing how authentication should
129:             * be performed
130:             */
131:            protected void forwardToLoginPage(Request request,
132:                    Response response, LoginConfig config) {
133:                if (trace)
134:                    log.trace("forwardToLoginPage");
135:                populateSession(request);
136:                super .forwardToLoginPage(request, response, config);
137:            }
138:
139:            /**
140:             * Populates the session the request belongs to with authentication data
141:             * as descibed above.  If the request does not have an associated session
142:             * does nothing.
143:             *
144:             * @param request Request we are processing
145:             */
146:            protected void populateSession(Request request) {
147:                Session session = request.getSessionInternal(false);
148:
149:                //if there is a session to store data under...
150:                if (session != null) {
151:                    HttpSession httpSession = session.getSession();
152:
153:                    if (trace)
154:                        log.trace("SessionID: " + httpSession.getId());
155:
156:                    //store username.
157:                    String username = request
158:                            .getParameter(Constants.FORM_USERNAME);
159:                    if (trace)
160:                        log.trace("Setting " + Constants.FORM_USERNAME + " = "
161:                                + username);
162:                    httpSession.setAttribute(Constants.FORM_USERNAME, username);
163:
164:                    //store password if requested.
165:                    if (includePassword) {
166:                        String password = request
167:                                .getParameter(Constants.FORM_PASSWORD);
168:                        String displayPassword = (password == null ? " = null"
169:                                : " = --hidden--");
170:                        if (trace)
171:                            log.trace("Setting " + Constants.FORM_PASSWORD
172:                                    + displayPassword);
173:                        httpSession.setAttribute(Constants.FORM_PASSWORD,
174:                                password);
175:                    }
176:
177:                    //store SecurityAssociation context exception.
178:                    Throwable t = SecurityAssociationActions.getAuthException();
179:                    if (trace)
180:                        log.trace("Setting " + LOGIN_EXCEPTION + " = " + t);
181:                    httpSession.setAttribute(LOGIN_EXCEPTION, t);
182:
183:                    //finally, set a note so we do not do this again.
184:                    session.setNote(DID_POPULATE, Boolean.TRUE);
185:                } else {
186:                    if (trace)
187:                        log.trace("No Session to store login parameters in");
188:                }
189:            }
190:
191:        }