From: maxcooper
Date: Mon, 7 Jul 2003 04:18:29 +0000 (+0000)
Subject: reformatted and refactored a few things
X-Git-Tag: rel-2_0-alpha1~59
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=5233944c6392e2c81dd79ded39a2b3a2da45185f;p=securityfilter.git

reformatted and refactored a few things fixed keep-POSTed-params functionality
---
diff --git a/src/share/org/securityfilter/filter/SecurityFilter.java b/src/share/org/securityfilter/filter/SecurityFilter.java
index 1e01596..9e0ae99 100644
--- a/src/share/org/securityfilter/filter/SecurityFilter.java
+++ b/src/share/org/securityfilter/filter/SecurityFilter.java
@@ -1,7 +1,7 @@
 /*
- * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.19 2003/06/09 11:02:43 maxcooper Exp $
- * $Revision: 1.19 $
- * $Date: 2003/06/09 11:02:43 $
+ * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.20 2003/07/07 04:18:29 maxcooper Exp $
+ * $Revision: 1.20 $
+ * $Date: 2003/07/07 04:18:29 $
  *
  * ====================================================================
  * The SecurityFilter Software License, Version 1.1
@@ -77,7 +77,7 @@ import java.util.*;
  * @author Max Cooper (max@maxcooper.com)
  * @author Daya Sharma (iamdaya@yahoo.com, billydaya@sbcglobal.net)
  * @author Torgeir Veimo (torgeir@pobox.com)
- * @version $Revision: 1.19 $ $Date: 2003/06/09 11:02:43 $
+ * @version $Revision: 1.20 $ $Date: 2003/07/07 04:18:29 $
  */
 public class SecurityFilter implements Filter {
 public static final String CONFIG_FILE_KEY = "config";
@@ -162,11 +162,9 @@ public class SecurityFilter implements Filter {
 hReq.getSession().removeAttribute(BASIC_WINDOW_SHOWN);
 processLogin(wrappedRequest, hRes);
 return;
- } else {
- if (requestURL.endsWith(loginSubmitPattern)) {
- processLogin(wrappedRequest, hRes);
- return;
- }
+ } else if (requestURL.endsWith(loginSubmitPattern)) {
+ processLogin(wrappedRequest, hRes);
+ return;
 }
 
 // only check the request for a security constraint match if it doesn't
@@ -225,8 +223,11 @@ public class SecurityFilter implements Filter {
 }
 
 private boolean basicAuthentication(HttpServletRequest hReq) {
- return authMethod.equalsIgnoreCase("basic") && hReq.getSession().getAttribute(BASIC_WINDOW_SHOWN) != null
- && hReq.getHeader("Authorization") != null;
+ return (
+ authMethod.equalsIgnoreCase("basic")
+ && hReq.getSession().getAttribute(BASIC_WINDOW_SHOWN) != null
+ && hReq.getHeader("Authorization") != null
+ );
 }
 
 /**
@@ -357,18 +358,19 @@ public class SecurityFilter implements Filter {
 ) throws IOException, ServletException {
 // save this request
 saveRequestInformation(request);
+
 // redirect to login page
- request.getSession().setAttribute(BASIC_WINDOW_SHOWN, "shown");
- int loginAttempts = 1;
- if (request.getSession().getAttribute(LOGIN_ATTEMPTS) != null) {
- loginAttempts = ((Integer) request.getSession().getAttribute(LOGIN_ATTEMPTS)).intValue();
- loginAttempts += 1;
- }
- // todo: we can put some useful message here, perhaps a internationlizable format of message.
- tooManyIncorrectLogins = "Sorry you are having problems logging in, please try again";
- String loginAttemptMessage = "Login attempt number " + loginAttempts;
- String logo;
 if (basic) {
+ request.getSession().setAttribute(BASIC_WINDOW_SHOWN, "shown");
+ int loginAttempts = 1;
+ if (request.getSession().getAttribute(LOGIN_ATTEMPTS) != null) {
+ loginAttempts = ((Integer) request.getSession().getAttribute(LOGIN_ATTEMPTS)).intValue();
+ loginAttempts += 1;
+ }
+ // todo: we can put some useful message here, perhaps a internationlizable format of message.
+ tooManyIncorrectLogins = "Sorry you are having problems logging in, please try again";
+ String loginAttemptMessage = "Login attempt number " + loginAttempts;
+ String logo;
 if (loginAttempts <= 3) {
 String realm = String.valueOf(Math.random());
 if (loginAttempts < 2) {
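Review bot: `tooManyIncorrectLogins` is written inside the new `if (basic)` block on every basic-auth prompt, and since it is not declared in this method it is an instance field of the filter; one Filter instance serves all concurrent requests, so assigning instance state from a per-request path is a race even when the value written is constant. Declare it once as `private static final String TOO_MANY_INCORRECT_LOGINS = "Sorry you are having problems logging in, please try again";` and drop the assignment here. Also, `loginAttempts` is read from `LOGIN_ATTEMPTS` and incremented in a local, but nothing in this hunk stores it back to the session; if the remainder of the method (which continues outside the hunk) doesn't either, the `<= 3` cap never triggers, so that is worth confirming.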
@@ -404,11 +406,14 @@ public class SecurityFilter implements Filter {
 SecurityRequestWrapper request,
 HttpServletResponse response
 ) throws IOException, ServletException {
- String username = request.getParameter(FORM_USERNAME);
- String password = request.getParameter(FORM_PASSWORD);
- if (basic && username == null && password == null) {
+ String username;
+ String password;
+ if (basic) {
 username = parseUsername(request.getHeader("Authorization"));
 password = parsePassword(request.getHeader("Authorization"));
+ } else {
+ username = request.getParameter(FORM_USERNAME);
+ password = request.getParameter(FORM_PASSWORD);
 }
 Principal principal = realm.authenticate(username, password);
 if (principal != null) {
@@ -418,10 +423,11 @@ public class SecurityFilter implements Filter {
 // the session will be invalidated even if the user authenticates as the same user.
 request.setUserPrincipal(principal);
 String continueToURL = getContinueToURL(request);
- request.getSession().setAttribute(DUMMY_TOKEN, DUMMY_TOKEN);
- // remove the saved request from the session.
+ if (basic) {
+ // what does this do?
+ request.getSession().setAttribute(DUMMY_TOKEN, DUMMY_TOKEN);
+ }
 // This is the url that the user was initially accessing before being prompted for login.
- removeSavedRequest(request.getSession());
 response.sendRedirect(response.encodeRedirectURL(continueToURL));
 } else {
 // login failed
@@ -436,11 +442,6 @@ public class SecurityFilter implements Filter {
 }
 }
 
- private void removeSavedRequest(HttpSession session) {
- session.removeAttribute(SecurityFilter.SAVED_REQUEST_URL);
- session.removeAttribute(SecurityFilter.SAVED_REQUEST);
- }
-
 /**
 * Get the URL to continue to after successful login. This may be the SAVED_REQUEST_URL if the authorization
 * sequence was initiated by the filter, or the default URL (as specified in the config file) if a login
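Review bot: The new `if (basic)` block in the second hunk of processLogin lands with the placeholder comment `// what does this do?`, and the comment below it (`// This is the url that the user was initially accessing ...`) now describes `getContinueToURL(request)` from three lines away, sitting directly above `response.sendRedirect(...)` instead. Resolve what DUMMY_TOKEN is for before merging (its consumer is not in this diff), or at least move the stray comment back above the `String continueToURL = ...` line. Separately, with `removeSavedRequest(request.getSession())` gone here and the helper deleted in the third hunk, the saved request — including whatever saveRequestInformation captured from the original POST — now stays in the session until getSavedRequest consumes it on a matching request; if the redirect to continueToURL is never followed, it persists for the session's lifetime. Consider clearing SAVED_REQUEST and SAVED_REQUEST_URL when getContinueToURL falls back to the default URL, or documenting the one-shot consumption in the wrapper. processLogin's body continues outside the hunk.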
@@ -449,8 +450,7 @@ public class SecurityFilter implements Filter {
 * @param request the current request
 */
 protected String getContinueToURL(HttpServletRequest request) {
- HttpSession session = request.getSession();
- String savedURL = (String) session.getAttribute(SAVED_REQUEST_URL);
+ String savedURL = (String) request.getSession().getAttribute(SAVED_REQUEST_URL);
 if (savedURL != null) {
 return savedURL;
 } else {
@@ -481,8 +481,13 @@ public class SecurityFilter implements Filter {
 String savedURL = (String) session.getAttribute(SecurityFilter.SAVED_REQUEST_URL);
 if (savedURL != null && savedURL.equals(getSaveableURL(request))) {
 // this is a request for the request that caused the login,
- // return the SavedRequest
- return (SavedRequest) session.getAttribute(SecurityFilter.SAVED_REQUEST);
+ // get the SavedRequest from the session
+ SavedRequest saved = (SavedRequest) session.getAttribute(SecurityFilter.SAVED_REQUEST);
+ // remove the saved request info from the session
+ session.removeAttribute(SecurityFilter.SAVED_REQUEST_URL);
+ session.removeAttribute(SecurityFilter.SAVED_REQUEST);
+ // and return the SavedRequest
+ return saved;
 } else {
 return null;
 }
@@ -548,8 +553,13 @@ public class SecurityFilter implements Filter {
 return saveableURL.toString();
 }
 
+ /**
+ * Parse the username out of the BASIC authorization header string.
+ * @param authorization
+ * @return
+ */
 private String parseUsername(String authorization) {
- String unencoded = getdecodedString(authorization);
+ String unencoded = decodeBasicAuthorizationString(authorization);
 if (unencoded == null) {
 return null;
 } else {
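Review bot: The new Javadoc on parseUsername in the third hunk has empty `@param authorization` and `@return` tags, which render as blank entries; the parsePassword and decodeBasicAuthorizationString Javadoc added in the next two hunks have the same gap. Fill them from what the code shows, e.g. `@param authorization the raw Authorization request header value; may be null` and `@return the username parsed from the decoded credentials, or null when the header is absent or does not carry a Basic credential`. In the getSavedRequest hunk above, the method now has a side effect — it removes SAVED_REQUEST_URL and SAVED_REQUEST as it returns the saved request — so its Javadoc, which sits outside the hunk, should say it is a one-shot read if it does not already; a second call for the same request gets null. parseUsername's body continues outside the hunk.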
@@ -562,18 +572,13 @@ public class SecurityFilter implements Filter {
 }
 }
 
- private String getdecodedString(String authorization) {
- if (authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
- return null;
- } else {
- authorization = authorization.substring(6).trim();
- // Decode and parse the authorization credentials
- return new String(base64Helper.decodeBase64(authorization.getBytes()));
- }
- }
-
+ /**
+ * Parse the password out of the BASIC authorization header string.
+ * @param authorization
+ * @return
+ */
 private String parsePassword(String authorization) {
- String unencoded = getdecodedString(authorization);
+ String unencoded = decodeBasicAuthorizationString(authorization);
 if (unencoded == null) {
 return null;
 } else {
@@ -585,6 +590,22 @@ public class SecurityFilter implements Filter {
 }
 }
 }
+
+ /**
+ * Decode the BASIC authorization string.
+ *
+ * @param authorization
+ * @return
+ */
+ private String decodeBasicAuthorizationString(String authorization) {
+ if (authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
+ return null;
+ } else {
+ authorization = authorization.substring(6).trim();
+ // Decode and parse the authorization credentials
+ return new String(base64Helper.decodeBase64(authorization.getBytes()));
+ }
+ }
 }
 
 // ------------------------------------------------------------------------
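Review bot: decodeBasicAuthorizationString (second hunk) turns the decoded credential bytes into a String with `new String(byte[])` and hands `authorization.getBytes()` to the decoder, both without a charset, so a username or password containing non-ASCII characters is interpreted with the servlet container's platform default and can authenticate differently between deployments; the carried-over `toLowerCase().startsWith("basic ")` is likewise locale-sensitive (under a Turkish default locale `BASIC` does not lower-case to `basic`). Pass an explicit charset — ISO-8859-1 is what browsers have historically used for Basic credentials — and use a case-insensitive `regionMatches` for the scheme check. `new String(byte[], String)` throws the checked UnsupportedEncodingException, which the rewrite below wraps; it needs `java.io.UnsupportedEncodingException` in scope if java.io is not already wildcard-imported. The logic is moved verbatim from getdecodedString, but the rename is the right moment to fix it.

```java
private String decodeBasicAuthorizationString(String authorization) {
    if (authorization == null || !authorization.regionMatches(true, 0, "basic ", 0, 6)) {
        return null;
    }
    String encoded = authorization.substring(6).trim();
    try {
        // explicit charset: the platform default varies by container/OS, and browsers
        // send Basic credentials as ISO-8859-1 unless negotiated otherwise
        byte[] decoded = base64Helper.decodeBase64(encoded.getBytes("ISO-8859-1"));
        return new String(decoded, "ISO-8859-1");
    } catch (UnsupportedEncodingException e) {
        // ISO-8859-1 is mandatory in every JVM, so this branch is unreachable in practice
        IllegalStateException wrapped = new IllegalStateException("ISO-8859-1 charset unavailable");
        wrapped.initCause(e);
        throw wrapped;
    }
}
```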