/*
- * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.19 2003/06/09 11:02:43 maxcooper Exp $
- * $Revision: 1.19 $
- * $Date: 2003/06/09 11:02:43 $
+ * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.20 2003/07/07 04:18:29 maxcooper Exp $
+ * $Revision: 1.20 $
+ * $Date: 2003/07/07 04:18:29 $
*
* ====================================================================
* The SecurityFilter Software License, Version 1.1
* @author Max Cooper (max@maxcooper.com)
* @author Daya Sharma (iamdaya@yahoo.com, billydaya@sbcglobal.net)
* @author Torgeir Veimo (torgeir@pobox.com)
- * @version $Revision: 1.19 $ $Date: 2003/06/09 11:02:43 $
+ * @version $Revision: 1.20 $ $Date: 2003/07/07 04:18:29 $
*/
public class SecurityFilter implements Filter {
public static final String CONFIG_FILE_KEY = "config";
hReq.getSession().removeAttribute(BASIC_WINDOW_SHOWN);
processLogin(wrappedRequest, hRes);
return;
- } else {
- if (requestURL.endsWith(loginSubmitPattern)) {
- processLogin(wrappedRequest, hRes);
- return;
- }
+ } else if (requestURL.endsWith(loginSubmitPattern)) {
+ processLogin(wrappedRequest, hRes);
+ return;
}
// only check the request for a security constraint match if it doesn't
}
private boolean basicAuthentication(HttpServletRequest hReq) {
- return authMethod.equalsIgnoreCase("basic") && hReq.getSession().getAttribute(BASIC_WINDOW_SHOWN) != null
- && hReq.getHeader("Authorization") != null;
+ return (
+ authMethod.equalsIgnoreCase("basic")
+ && hReq.getSession().getAttribute(BASIC_WINDOW_SHOWN) != null
+ && hReq.getHeader("Authorization") != null
+ );
}
/**
) throws IOException, ServletException {
// save this request
saveRequestInformation(request);
+
// redirect to login page
- request.getSession().setAttribute(BASIC_WINDOW_SHOWN, "shown");
- int loginAttempts = 1;
- if (request.getSession().getAttribute(LOGIN_ATTEMPTS) != null) {
- loginAttempts = ((Integer) request.getSession().getAttribute(LOGIN_ATTEMPTS)).intValue();
- loginAttempts += 1;
- }
- // todo: we can put some useful message here, perhaps a internationlizable format of message.
- tooManyIncorrectLogins = "Sorry you are having problems logging in, please try again";
- String loginAttemptMessage = "Login attempt number " + loginAttempts;
- String logo;
if (basic) {
+ request.getSession().setAttribute(BASIC_WINDOW_SHOWN, "shown");
+ int loginAttempts = 1;
+ if (request.getSession().getAttribute(LOGIN_ATTEMPTS) != null) {
+ loginAttempts = ((Integer) request.getSession().getAttribute(LOGIN_ATTEMPTS)).intValue();
+ loginAttempts += 1;
+ }
+ // todo: we can put some useful message here, perhaps a internationlizable format of message.
+ tooManyIncorrectLogins = "Sorry you are having problems logging in, please try again";
+ String loginAttemptMessage = "Login attempt number " + loginAttempts;
+ String logo;
if (loginAttempts <= 3) {
String realm = String.valueOf(Math.random());
if (loginAttempts < 2) {
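Review bot: `tooManyIncorrectLogins` is assigned in the moved block without a local declaration, so it appears to be an instance field written on every basic-auth prompt; a Filter instance is shared across concurrent requests, and a per-request write to a field is redundant for a constant and a race if the value ever becomes request-specific. Since the value is a fixed string, `private static final String TOO_MANY_INCORRECT_LOGINS = "Sorry you are having problems logging in, please try again";` would make the intent explicit. The enclosing method starts and ends outside the hunk, so where `loginAttempts` is written back to the session is not visible here.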
SecurityRequestWrapper request,
HttpServletResponse response
) throws IOException, ServletException {
- String username = request.getParameter(FORM_USERNAME);
- String password = request.getParameter(FORM_PASSWORD);
- if (basic && username == null && password == null) {
+ String username;
+ String password;
+ if (basic) {
username = parseUsername(request.getHeader("Authorization"));
password = parsePassword(request.getHeader("Authorization"));
+ } else {
+ username = request.getParameter(FORM_USERNAME);
+ password = request.getParameter(FORM_PASSWORD);
}
Principal principal = realm.authenticate(username, password);
if (principal != null) {
// the session will be invalidated even if the user authenticates as the same user.
request.setUserPrincipal(principal);
String continueToURL = getContinueToURL(request);
- request.getSession().setAttribute(DUMMY_TOKEN, DUMMY_TOKEN);
- // remove the saved request from the session.
+ if (basic) {
+ // what does this do?
+ request.getSession().setAttribute(DUMMY_TOKEN, DUMMY_TOKEN);
+ }
// This is the url that the user was initially accessing before being prompted for login.
- removeSavedRequest(request.getSession());
response.sendRedirect(response.encodeRedirectURL(continueToURL));
} else {
// login failed
}
}
- private void removeSavedRequest(HttpSession session) {
- session.removeAttribute(SecurityFilter.SAVED_REQUEST_URL);
- session.removeAttribute(SecurityFilter.SAVED_REQUEST);
- }
-
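Review bot: In the new `if (basic)` branch, `parseUsername` and `parsePassword` return null when the Authorization header is absent or not a Basic header, so `realm.authenticate(null, null)` is reached; whether the realm treats that as a failed login is not visible here, and a guard such as `if (username == null) { /* treat as failed login */ }` before the call would make the contract explicit. Dropping `removeSavedRequest` from the success path means the SavedRequest, which may hold the original request's parameters, now stays in the session until it is consumed by the getter changed in the hunk around `SecurityFilter.SAVED_REQUEST` below, or until session expiry if the client never follows the redirect. The added `// what does this do?` comment on the `DUMMY_TOKEN` attribute should be replaced with a statement of the attribute's purpose, or a TODO naming the owner, before it is committed.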
/**
* Get the URL to continue to after successful login. This may be the SAVED_REQUEST_URL if the authorization
* sequence was initiated by the filter, or the default URL (as specified in the config file) if a login
* @param request the current request
*/
protected String getContinueToURL(HttpServletRequest request) {
- HttpSession session = request.getSession();
- String savedURL = (String) session.getAttribute(SAVED_REQUEST_URL);
+ String savedURL = (String) request.getSession().getAttribute(SAVED_REQUEST_URL);
if (savedURL != null) {
return savedURL;
} else {
String savedURL = (String) session.getAttribute(SecurityFilter.SAVED_REQUEST_URL);
if (savedURL != null && savedURL.equals(getSaveableURL(request))) {
// this is a request for the request that caused the login,
- // return the SavedRequest
- return (SavedRequest) session.getAttribute(SecurityFilter.SAVED_REQUEST);
+ // get the SavedRequest from the session
+ SavedRequest saved = (SavedRequest) session.getAttribute(SecurityFilter.SAVED_REQUEST);
+ // remove the saved request info from the session
+ session.removeAttribute(SecurityFilter.SAVED_REQUEST_URL);
+ session.removeAttribute(SecurityFilter.SAVED_REQUEST);
+ // and return the SavedRequest
+ return saved;
} else {
return null;
}
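Review bot: The method (its signature is outside the hunk) now clears `SAVED_REQUEST_URL` and `SAVED_REQUEST` as a side effect of returning the SavedRequest, so a second request for the same URL, such as a browser retry or a redirect followed twice, no longer receives the saved request. A Javadoc line such as `Returns and consumes the SavedRequest matching this request; the saved request is removed from the session on the first match.` would document the one-shot behaviour for callers.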
return saveableURL.toString();
}
+ /**
+ * Parse the username out of the BASIC authorization header string.
+ * @param authorization
+ * @return
+ */
private String parseUsername(String authorization) {
- String unencoded = getdecodedString(authorization);
+ String unencoded = decodeBasicAuthorizationString(authorization);
if (unencoded == null) {
return null;
} else {
}
}
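Review bot: The added Javadoc leaves `@param authorization` and `@return` without text, here and in the parsePassword and decodeBasicAuthorizationString hunks below. Fill them in, e.g. `@param authorization the raw Authorization header value, may be null` and `@return the username portion of the decoded credentials, or null if the header is missing or not a Basic header`.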
- private String getdecodedString(String authorization) {
- if (authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
- return null;
- } else {
- authorization = authorization.substring(6).trim();
- // Decode and parse the authorization credentials
- return new String(base64Helper.decodeBase64(authorization.getBytes()));
- }
- }
-
+ /**
+ * Parse the password out of the BASIC authorization header string.
+ * @param authorization
+ * @return
+ */
private String parsePassword(String authorization) {
- String unencoded = getdecodedString(authorization);
+ String unencoded = decodeBasicAuthorizationString(authorization);
if (unencoded == null) {
return null;
} else {
}
}
}
+
+ /**
+ * Decode the BASIC authorization string.
+ *
+ * @param authorization
+ * @return
+ */
+ private String decodeBasicAuthorizationString(String authorization) {
+ if (authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
+ return null;
+ } else {
+ authorization = authorization.substring(6).trim();
+ // Decode and parse the authorization credentials
+ return new String(base64Helper.decodeBase64(authorization.getBytes()));
+ }
+ }
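Review bot: `authorization.getBytes()` and `new String(...)` use the platform default charset, so the decoded credentials depend on the JVM's settings rather than on what the client sent; Basic credentials are conventionally ISO-8859-1 (or UTF-8 when the challenge advertises it), so `new String(base64Helper.decodeBase64(authorization.getBytes("ISO-8859-1")), "ISO-8859-1")` pins the encoding (these overloads declare UnsupportedEncodingException, which must be caught or declared). `authorization.toLowerCase()` is also locale-sensitive, so `authorization.regionMatches(true, 0, "basic ", 0, 6)` is the safer scheme check. Whether `base64Helper.decodeBase64` throws on malformed input is not visible here; if it does, a garbage header would propagate an exception out of the filter instead of being treated as a failed login.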
}
// ------------------------------------------------------------------------