Search in sources :

Example 26 with ServletRequest

use of javax.servlet.ServletRequest in project blade by biezhi.

the class FormAuthenticator method validateRequest.

/* ------------------------------------------------------------ */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    Request base_request = Request.getBaseRequest(request);
    Response base_response = base_request.getResponse();
    String uri = request.getRequestURI();
    if (uri == null)
        uri = URIUtil.SLASH;
    mandatory |= isJSecurityCheck(uri);
    if (!mandatory)
        return new DeferredAuthentication(this);
    if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(), request.getPathInfo())) && !DeferredAuthentication.isDeferred(response))
        return new DeferredAuthentication(this);
    HttpSession session = request.getSession(true);
    try {
        // Handle a request for authentication.
        if (isJSecurityCheck(uri)) {
            final String username = request.getParameter(__J_USERNAME);
            final String password = request.getParameter(__J_PASSWORD);
            UserIdentity user = login(username, password, request);
            LOG.debug("jsecuritycheck {} {}", username, user);
            session = request.getSession(true);
            if (user != null) {
                // Redirect to original request
                String nuri;
                FormAuthentication form_auth;
                synchronized (session) {
                    nuri = (String) session.getAttribute(__J_URI);
                    if (nuri == null || nuri.length() == 0) {
                        nuri = request.getContextPath();
                        if (nuri.length() == 0)
                            nuri = URIUtil.SLASH;
                    }
                    form_auth = new FormAuthentication(getAuthMethod(), user);
                }
                LOG.debug("authenticated {}->{}", form_auth, nuri);
                response.setContentLength(0);
                int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
                base_response.sendRedirect(redirectCode, response.encodeRedirectURL(nuri));
                return form_auth;
            }
            // not authenticated
            if (LOG.isDebugEnabled())
                LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
            if (_formErrorPage == null) {
                LOG.debug("auth failed {}->403", username);
                if (response != null)
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
            } else if (_dispatch) {
                LOG.debug("auth failed {}=={}", username, _formErrorPage);
                RequestDispatcher dispatcher = request.getRequestDispatcher(_formErrorPage);
                response.setHeader(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());
                response.setDateHeader(HttpHeader.EXPIRES.asString(), 1);
                dispatcher.forward(new FormRequest(request), new FormResponse(response));
            } else {
                LOG.debug("auth failed {}->{}", username, _formErrorPage);
                int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
                base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formErrorPage)));
            }
            return Authentication.SEND_FAILURE;
        }
        // Look for cached authentication
        Authentication authentication = (Authentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
        if (authentication != null) {
            // Has authentication been revoked?
            if (authentication instanceof User && _loginService != null && !_loginService.validate(((User) authentication).getUserIdentity())) {
                LOG.debug("auth revoked {}", authentication);
                session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
            } else {
                synchronized (session) {
                    String j_uri = (String) session.getAttribute(__J_URI);
                    if (j_uri != null) {
                        //check if the request is for the same url as the original and restore
                        //params if it was a post
                        LOG.debug("auth retry {}->{}", authentication, j_uri);
                        StringBuffer buf = request.getRequestURL();
                        if (request.getQueryString() != null)
                            buf.append("?").append(request.getQueryString());
                        if (j_uri.equals(buf.toString())) {
                            MultiMap<String> j_post = (MultiMap<String>) session.getAttribute(__J_POST);
                            if (j_post != null) {
                                LOG.debug("auth rePOST {}->{}", authentication, j_uri);
                                base_request.setContentParameters(j_post);
                            }
                            session.removeAttribute(__J_URI);
                            session.removeAttribute(__J_METHOD);
                            session.removeAttribute(__J_POST);
                        }
                    }
                }
                LOG.debug("auth {}", authentication);
                return authentication;
            }
        }
        // if we can't send challenge
        if (DeferredAuthentication.isDeferred(response)) {
            LOG.debug("auth deferred {}", session.getId());
            return Authentication.UNAUTHENTICATED;
        }
        // remember the current URI
        synchronized (session) {
            // But only if it is not set already, or we save every uri that leads to a login form redirect
            if (session.getAttribute(__J_URI) == null || _alwaysSaveUri) {
                StringBuffer buf = request.getRequestURL();
                if (request.getQueryString() != null)
                    buf.append("?").append(request.getQueryString());
                session.setAttribute(__J_URI, buf.toString());
                session.setAttribute(__J_METHOD, request.getMethod());
                if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod())) {
                    MultiMap<String> formParameters = new MultiMap<>();
                    base_request.extractFormParameters(formParameters);
                    session.setAttribute(__J_POST, formParameters);
                }
            }
        }
        // send the the challenge
        if (_dispatch) {
            LOG.debug("challenge {}=={}", session.getId(), _formLoginPage);
            RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage);
            response.setHeader(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());
            response.setDateHeader(HttpHeader.EXPIRES.asString(), 1);
            dispatcher.forward(new FormRequest(request), new FormResponse(response));
        } else {
            LOG.debug("challenge {}->{}", session.getId(), _formLoginPage);
            int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
            base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
        }
        return Authentication.SEND_CONTINUE;
    } catch (IOException | ServletException e) {
        throw new ServerAuthException(e);
    }
}
Also used : User(org.eclipse.jetty.server.Authentication.User) HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) Request(org.eclipse.jetty.server.Request) HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletRequest(javax.servlet.ServletRequest) HttpServletResponse(javax.servlet.http.HttpServletResponse) IOException(java.io.IOException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) Constraint(org.eclipse.jetty.util.security.Constraint) RequestDispatcher(javax.servlet.RequestDispatcher) HttpServletRequest(javax.servlet.http.HttpServletRequest) Response(org.eclipse.jetty.server.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServletResponse(javax.servlet.ServletResponse) ServletException(javax.servlet.ServletException) MultiMap(org.eclipse.jetty.util.MultiMap) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication)

Example 27 with ServletRequest

use of javax.servlet.ServletRequest in project blade by biezhi.

the class FormAuthenticator method prepareRequest.

/* ------------------------------------------------------------ */
@Override
public void prepareRequest(ServletRequest request) {
    //if this is a request resulting from a redirect after auth is complete
    //(ie its from a redirect to the original request uri) then due to 
    //browser handling of 302 redirects, the method may not be the same as
    //that of the original request. Replace the method and original post
    //params (if it was a post).
    //
    //See Servlet Spec 3.1 sec 13.6.3
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpSession session = httpRequest.getSession(false);
    if (session == null || session.getAttribute(SessionAuthentication.__J_AUTHENTICATED) == null)
        //not authenticated yet
        return;
    String juri = (String) session.getAttribute(__J_URI);
    if (juri == null || juri.length() == 0)
        //no original uri saved
        return;
    String method = (String) session.getAttribute(__J_METHOD);
    if (method == null || method.length() == 0)
        //didn't save original request method
        return;
    StringBuffer buf = httpRequest.getRequestURL();
    if (httpRequest.getQueryString() != null)
        buf.append("?").append(httpRequest.getQueryString());
    if (!juri.equals(buf.toString()))
        //this request is not for the same url as the original
        return;
    //restore the original request's method on this request
    if (LOG.isDebugEnabled())
        LOG.debug("Restoring original method {} for {} with method {}", method, juri, httpRequest.getMethod());
    Request base_request = Request.getBaseRequest(request);
    base_request.setMethod(method);
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) Request(org.eclipse.jetty.server.Request) HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletRequest(javax.servlet.ServletRequest)

Example 28 with ServletRequest

use of javax.servlet.ServletRequest in project hadoop by apache.

the class TestHostnameFilter method testMissingHostname.

@Test
public void testMissingHostname() throws Exception {
    ServletRequest request = Mockito.mock(ServletRequest.class);
    Mockito.when(request.getRemoteAddr()).thenReturn(null);
    ServletResponse response = Mockito.mock(ServletResponse.class);
    final AtomicBoolean invoked = new AtomicBoolean();
    FilterChain chain = new FilterChain() {

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
            assertTrue(HostnameFilter.get().contains("???"));
            invoked.set(true);
        }
    };
    Filter filter = new HostnameFilter();
    filter.init(null);
    assertNull(HostnameFilter.get());
    filter.doFilter(request, response, chain);
    assertTrue(invoked.get());
    assertNull(HostnameFilter.get());
    filter.destroy();
}
Also used : ServletRequest(javax.servlet.ServletRequest) ServletResponse(javax.servlet.ServletResponse) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) Filter(javax.servlet.Filter) FilterChain(javax.servlet.FilterChain) Test(org.junit.Test)

Example 29 with ServletRequest

use of javax.servlet.ServletRequest in project hadoop by apache.

the class TestMDCFilter method mdc.

@Test
public void mdc() throws Exception {
    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getUserPrincipal()).thenReturn(null);
    Mockito.when(request.getMethod()).thenReturn("METHOD");
    Mockito.when(request.getPathInfo()).thenReturn("/pathinfo");
    ServletResponse response = Mockito.mock(ServletResponse.class);
    final AtomicBoolean invoked = new AtomicBoolean();
    FilterChain chain = new FilterChain() {

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
            assertEquals(MDC.get("hostname"), null);
            assertEquals(MDC.get("user"), null);
            assertEquals(MDC.get("method"), "METHOD");
            assertEquals(MDC.get("path"), "/pathinfo");
            invoked.set(true);
        }
    };
    MDC.clear();
    Filter filter = new MDCFilter();
    filter.init(null);
    filter.doFilter(request, response, chain);
    assertTrue(invoked.get());
    assertNull(MDC.get("hostname"));
    assertNull(MDC.get("user"));
    assertNull(MDC.get("method"));
    assertNull(MDC.get("path"));
    Mockito.when(request.getUserPrincipal()).thenReturn(new Principal() {

        @Override
        public String getName() {
            return "name";
        }
    });
    invoked.set(false);
    chain = new FilterChain() {

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
            assertEquals(MDC.get("hostname"), null);
            assertEquals(MDC.get("user"), "name");
            assertEquals(MDC.get("method"), "METHOD");
            assertEquals(MDC.get("path"), "/pathinfo");
            invoked.set(true);
        }
    };
    filter.doFilter(request, response, chain);
    assertTrue(invoked.get());
    HostnameFilter.HOSTNAME_TL.set("HOST");
    invoked.set(false);
    chain = new FilterChain() {

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
            assertEquals(MDC.get("hostname"), "HOST");
            assertEquals(MDC.get("user"), "name");
            assertEquals(MDC.get("method"), "METHOD");
            assertEquals(MDC.get("path"), "/pathinfo");
            invoked.set(true);
        }
    };
    filter.doFilter(request, response, chain);
    assertTrue(invoked.get());
    HostnameFilter.HOSTNAME_TL.remove();
    filter.destroy();
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletException(javax.servlet.ServletException) ServletResponse(javax.servlet.ServletResponse) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) ServletRequest(javax.servlet.ServletRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) Filter(javax.servlet.Filter) FilterChain(javax.servlet.FilterChain) IOException(java.io.IOException) Principal(java.security.Principal) Test(org.junit.Test)

Example 30 with ServletRequest

use of javax.servlet.ServletRequest in project gocd by gocd.

the class BasicAuthenticationFilterTest method shouldConvey_itsBasicProcessingFilter.

@Test
public void shouldConvey_itsBasicProcessingFilter() throws IOException, ServletException {
    BasicAuthenticationFilter filter = new BasicAuthenticationFilter(localizer);
    final Boolean[] hadBasicMarkOnInsideAuthenticationManager = new Boolean[] { false };
    filter.setAuthenticationManager(new AuthenticationManager() {

        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            hadBasicMarkOnInsideAuthenticationManager[0] = BasicAuthenticationFilter.isProcessingBasicAuth();
            return new UsernamePasswordAuthenticationToken("school-principal", "u can be principal if you know this!");
        }
    });
    assertThat(BasicAuthenticationFilter.isProcessingBasicAuth(), is(false));
    MockHttpServletRequest httpRequest = new MockHttpServletRequest();
    httpRequest.addHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString("loser:boozer".getBytes()));
    filter.doFilterHttp(httpRequest, new MockHttpServletResponse(), new FilterChain() {

        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
        }
    });
    assertThat(BasicAuthenticationFilter.isProcessingBasicAuth(), is(false));
    assertThat(hadBasicMarkOnInsideAuthenticationManager[0], is(true));
}
Also used : ServletRequest(javax.servlet.ServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) ServletResponse(javax.servlet.ServletResponse) AuthenticationException(org.springframework.security.AuthenticationException) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) FilterChain(javax.servlet.FilterChain) UsernamePasswordAuthenticationToken(org.springframework.security.providers.UsernamePasswordAuthenticationToken) IOException(java.io.IOException) AuthenticationManager(org.springframework.security.AuthenticationManager) ServletException(javax.servlet.ServletException) Authentication(org.springframework.security.Authentication) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.Test)

Aggregations

ServletRequest (javax.servlet.ServletRequest)314 HttpServletRequest (javax.servlet.http.HttpServletRequest)188 ServletResponse (javax.servlet.ServletResponse)183 HttpServletResponse (javax.servlet.http.HttpServletResponse)118 FilterChain (javax.servlet.FilterChain)113 Test (org.junit.Test)82 IOException (java.io.IOException)65 ServletException (javax.servlet.ServletException)64 Filter (javax.servlet.Filter)41 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)28 Injector (com.google.inject.Injector)26 JspException (javax.servlet.jsp.JspException)26 RequestContext (com.agiletec.aps.system.RequestContext)25 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)25 FilterConfig (javax.servlet.FilterConfig)24 MockFilterChain (org.springframework.mock.web.MockFilterChain)24 ServletContext (javax.servlet.ServletContext)23 HttpSession (javax.servlet.http.HttpSession)21 ServletTestUtils.newFakeHttpServletRequest (com.google.inject.servlet.ServletTestUtils.newFakeHttpServletRequest)18 ServletTestUtils.newFakeHttpServletResponse (com.google.inject.servlet.ServletTestUtils.newFakeHttpServletResponse)18