
Example 16 with HttpSession

Use of javax.servlet.http.HttpSession in project jetty.project by eclipse.

The class SessionHandler, method checkRequestedSessionId.

/* ------------------------------------------------------------ */
/**
 * Look for a requested session ID in cookies and URI parameters.
 * <p>
 * If the request already carries a requested session id, only that id is
 * resolved and validated. Otherwise, and only for {@code REQUEST} dispatches,
 * the session cookie (when cookies are in use) is consulted first and the path
 * parameter named by {@code getSessionIdPathParameterNamePrefix()} second; the
 * path parameter is examined only when no cookie produced a session object.
 * The result is recorded on the request with {@code setRequestedSessionId},
 * {@code setRequestedSessionIdFromCookie} (so downstream code can tell a
 * URL-supplied id from a cookie-supplied one) and, when the resolved session is
 * valid, {@code setSession}.
 *
 * @param baseRequest the request to check
 * @param request the request to check
 */
protected void checkRequestedSessionId(Request baseRequest, HttpServletRequest request) {
    String sessionId = request.getRequestedSessionId();
    if (sessionId != null) {
        // An id was already requested: resolve it and stop.
        HttpSession existing = getHttpSession(sessionId);
        if (existing != null && isValid(existing))
            baseRequest.setSession(existing);
        return;
    }
    // Only top-level requests are examined; other dispatch types are left alone.
    if (!DispatcherType.REQUEST.equals(baseRequest.getDispatcherType()))
        return;

    boolean fromCookie = false;
    HttpSession session = null;

    if (isUsingCookies()) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null && cookies.length > 0) {
            final String cookieName = getSessionCookieConfig().getName();
            for (Cookie cookie : cookies) {
                if (!cookieName.equalsIgnoreCase(cookie.getName()))
                    continue;
                sessionId = cookie.getValue();
                fromCookie = true;
                if (LOG.isDebugEnabled())
                    LOG.debug("Got Session ID {} from cookie", sessionId);
                if (sessionId == null) {
                    LOG.warn("null session id from cookie");
                    continue;
                }
                // Keep scanning past ids that do not resolve to a valid session;
                // a later cookie of the same name may hold a usable one.
                session = getHttpSession(sessionId);
                if (session != null && isValid(session))
                    break;
            }
        }
    }

    // Fall back to the path parameter only when cookies yielded no session object.
    if (sessionId == null || session == null) {
        String uri = request.getRequestURI();
        String prefix = getSessionIdPathParameterNamePrefix();
        if (prefix != null) {
            int start = uri.indexOf(prefix);
            if (start >= 0) {
                start += prefix.length();
                int end = endOfPathParameter(uri, start);
                sessionId = uri.substring(start, end);
                fromCookie = false;
                session = getHttpSession(sessionId);
                if (LOG.isDebugEnabled())
                    LOG.debug("Got Session ID {} from URL", sessionId);
            }
        }
    }

    baseRequest.setRequestedSessionId(sessionId);
    baseRequest.setRequestedSessionIdFromCookie(sessionId != null && fromCookie);
    if (session != null && isValid(session))
        baseRequest.setSession(session);
}

/**
 * Returns the index at which a session id embedded in a path parameter ends:
 * the first {@code ;}, {@code #}, {@code ?} or {@code /} at or after
 * {@code start}, or {@code uri.length()} if none occurs.
 *
 * @param uri the request URI being scanned
 * @param start index just past the path parameter prefix
 * @return exclusive end index of the id
 */
private static int endOfPathParameter(String uri, int start) {
    int i = start;
    while (i < uri.length()) {
        char c = uri.charAt(i);
        if (c == ';' || c == '#' || c == '?' || c == '/')
            break;
        i++;
    }
    return i;
}
Also used : Cookie(javax.servlet.http.Cookie) HttpCookie(org.eclipse.jetty.http.HttpCookie) HttpSession(javax.servlet.http.HttpSession)

Example 17 with HttpSession

Use of javax.servlet.http.HttpSession in project jetty.project by eclipse.

The class SessionHandler, method complete.

/* ------------------------------------------------------------ */
/**
 * Called by the {@link SessionHandler} when a session is last accessed by a request.
 * <p>
 * Marks the underlying {@code Session} as complete and hands it back to the
 * session cache under its id. A {@code null} session is ignored. Any exception
 * raised while completing or caching the session is logged at warn level and not
 * propagated, so the caller is not told that the write-back failed.
 *
 * @param session the session object
 * @see #access(HttpSession, boolean)
 */
public void complete(HttpSession session) {
    if (session != null) {
        // NOTE(review): the cast assumes every HttpSession reaching here implements SessionIf — confirm.
        Session underlying = ((SessionIf) session).getSession();
        try {
            underlying.complete();
            _sessionCache.put(underlying.getId(), underlying);
        } catch (Exception e) {
            LOG.warn(e);
        }
    }
}
Also used : ServletException(javax.servlet.ServletException) IOException(java.io.IOException) HttpSession(javax.servlet.http.HttpSession)

Example 18 with HttpSession

Use of javax.servlet.http.HttpSession in project jetty.project by eclipse.

The class JaspiAuthenticator, method login.

/**
 * Authenticates {@code username}/{@code password} against the configured login
 * service. On success {@code renewSession} is invoked before the session that
 * will hold the result is obtained (presumably so a session id fixed before
 * login does not survive it — confirm against {@code renewSession}); the
 * resulting {@link SessionAuthentication} is then stored under
 * {@code SessionAuthentication.__J_AUTHENTICATED}. On failure nothing is touched
 * and {@code null} is returned.
 *
 * @param username the login name
 * @param password the credential object handed to the login service and to
 *        {@link SessionAuthentication}; what the latter retains of it is defined there
 * @param request the current request, expected to be an {@link HttpServletRequest}
 * @return the authenticated identity, or {@code null} if login failed
 * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#login(java.lang.String, java.lang.Object, javax.servlet.ServletRequest)
 */
@Override
public UserIdentity login(String username, Object password, ServletRequest request) {
    UserIdentity identity = _loginService.login(username, password, request);
    if (identity == null)
        return null;
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    renewSession(httpRequest, null);
    HttpSession session = httpRequest.getSession(true);
    if (session != null) {
        SessionAuthentication sessionAuth = new SessionAuthentication(getAuthMethod(), identity, password);
        session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
    }
    return identity;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)

Example 19 with HttpSession

Use of javax.servlet.http.HttpSession in project jetty.project by eclipse.

The class JaspiAuthenticator, method validateRequest.

/**
 * Runs the JASPI {@code ServerAuthContext} for the given message and maps its
 * {@code AuthStatus} onto Jetty's {@link Authentication} results.
 * <p>
 * On {@code SUCCESS} the {@link UserIdentity} is taken from the client subject's
 * private credentials if the module placed one there; otherwise it is rebuilt
 * from the thread's {@code CallerPrincipalCallback} and
 * {@code GroupPrincipalCallback}, and {@link Authentication#UNAUTHENTICATED} is
 * returned if no principal can be resolved. A {@link SessionAuthentication}
 * already stored in the request's session under
 * {@code SessionAuthentication.__J_AUTHENTICATED} takes precedence over the
 * freshly built identity and is returned as is. {@code FAILURE} sends a 403 on
 * the response before reporting {@code SEND_FAILURE}.
 *
 * @param messageInfo the request/response pair being authenticated
 * @return the resulting authentication state; never {@code null}
 * @throws ServerAuthException wrapping any {@link IOException} or
 *         {@link AuthException} raised while validating
 * @throws IllegalStateException if the auth context returns an unknown status
 */
public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException {
    try {
        String contextId = _authConfig.getAuthContextID(messageInfo);
        ServerAuthContext context = _authConfig.getAuthContext(contextId, _serviceSubject, _authProperties);
        Subject clientSubject = new Subject();
        AuthStatus status = context.validateRequest(messageInfo, clientSubject, _serviceSubject);

        if (status == AuthStatus.SEND_CONTINUE)
            return Authentication.SEND_CONTINUE;
        if (status == AuthStatus.SEND_FAILURE)
            return Authentication.SEND_FAILURE;
        if (status == AuthStatus.SUCCESS)
            return authenticationForSuccess(messageInfo, clientSubject);
        if (status == AuthStatus.SEND_SUCCESS) {
            // we are processing a message in a secureResponse dialog.
            return Authentication.SEND_SUCCESS;
        }
        if (status == AuthStatus.FAILURE) {
            HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        // should not happen
        throw new IllegalStateException("No AuthStatus returned");
    } catch (IOException | AuthException e) {
        throw new ServerAuthException(e);
    }
}

/**
 * Builds the {@link Authentication} for a module that reported {@code SUCCESS}.
 * The identity is resolved first (returning {@link Authentication#UNAUTHENTICATED}
 * when no caller principal is available); an authentication already cached in
 * the session is then preferred over a new {@link UserAuthentication}.
 *
 * @param messageInfo the request/response pair being authenticated
 * @param clientSubject the subject populated by the auth module
 * @return the authentication to report; never {@code null}
 */
private Authentication authenticationForSuccess(JaspiMessageInfo messageInfo, Subject clientSubject) {
    UserIdentity identity;
    Set<UserIdentity> identities = clientSubject.getPrivateCredentials(UserIdentity.class);
    if (!identities.isEmpty()) {
        identity = identities.iterator().next();
    } else {
        CallerPrincipalCallback callerCallback = _callbackHandler.getThreadCallerPrincipalCallback();
        if (callerCallback == null)
            return Authentication.UNAUTHENTICATED;
        Principal principal = resolvePrincipal(callerCallback);
        if (principal == null)
            return Authentication.UNAUTHENTICATED;
        GroupPrincipalCallback groupCallback = _callbackHandler.getThreadGroupPrincipalCallback();
        String[] groups = groupCallback == null ? null : groupCallback.getGroups();
        identity = _identityService.newUserIdentity(clientSubject, principal, groups);
    }
    HttpSession session = ((HttpServletRequest) messageInfo.getRequestMessage()).getSession(false);
    Authentication cached = session == null ? null : (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
    if (cached != null)
        return cached;
    return new UserAuthentication(getAuthMethod(), identity);
}

/**
 * Returns the callback's principal, or — when the callback carries only a name —
 * the first principal of the callback's subject whose name matches it.
 *
 * @param callback the caller principal callback recorded for this thread
 * @return the resolved principal, or {@code null} if none matches
 */
private static Principal resolvePrincipal(CallerPrincipalCallback callback) {
    Principal principal = callback.getPrincipal();
    if (principal != null)
        return principal;
    String name = callback.getName();
    for (Principal candidate : callback.getSubject().getPrincipals()) {
        if (candidate.getName().equals(name))
            return candidate;
    }
    return null;
}
Also used : HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthException(javax.security.auth.message.AuthException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) IOException(java.io.IOException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Subject(javax.security.auth.Subject) ServerAuthContext(javax.security.auth.message.config.ServerAuthContext) HttpServletRequest(javax.servlet.http.HttpServletRequest) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) AuthStatus(javax.security.auth.message.AuthStatus) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) Principal(java.security.Principal)

Example 20 with HttpSession

Use of javax.servlet.http.HttpSession in project jetty.project by eclipse.

The class FormAuthModule, method validateRequest.

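/**
 * Performs FORM authentication for the request wrapped in {@code messageInfo}.
 * <p>
 * Behaviour, in order:
 * <ol>
 * <li>Requests that are not mandatory (and not a {@code j_security_check}
 *     submission), or that target the login or error page, pass through with
 *     {@code SUCCESS} without touching authentication state.</li>
 * <li>A {@code j_security_check} submission is verified via {@code tryLogin}.
 *     On success the client is redirected to the URL saved in the session under
 *     {@code __J_URI} (falling back to the context path) and {@code SEND_CONTINUE}
 *     is returned; on failure a 403 is sent, or a redirect to the configured
 *     error page, and {@code SEND_FAILURE} is returned.</li>
 * <li>Otherwise a {@link SessionAuthentication} already stored in the session is
 *     honoured only if its identity has a subject with private credentials;
 *     those credentials and the identity are copied into {@code clientSubject}.</li>
 * <li>If no challenge can be sent ({@code DeferredAuthentication}) the request
 *     passes with {@code SUCCESS}; otherwise the original request URL, including
 *     its query string, is saved under {@code __J_URI} and the client is
 *     redirected to the login page with {@code SEND_CONTINUE}.</li>
 * </ol>
 * The value saved under {@code __J_URI} comes from {@code request.getRequestURL()}
 * of the protected request itself, not from a client-supplied parameter, and is
 * passed through {@code response.encodeRedirectURL} before the redirect.
 *
 * @param messageInfo the request/response pair to authenticate
 * @param clientSubject subject that receives the caller's credentials on success
 * @param serviceSubject the service subject (not used by this module)
 * @return the resulting {@link AuthStatus}
 * @throws AuthException if sending a response or a login callback fails; the
 *         original {@link IOException} or {@link UnsupportedCallbackException}
 *         is attached as the cause
 */
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
    String uri = request.getRequestURI();
    if (uri == null)
        uri = URIUtil.SLASH;
    boolean mandatory = isMandatory(messageInfo);
    mandatory |= isJSecurityCheck(uri);
    // A session is created only when authentication is actually required.
    HttpSession session = request.getSession(mandatory);
    // not mandatory or its the login or login error page don't authenticate
    if (!mandatory || isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(), request.getPathInfo())))
        // TODO return null for do nothing?
        return AuthStatus.SUCCESS;
    try {
        // Handle a request for authentication.
        if (isJSecurityCheck(uri)) {
            final String username = request.getParameter(__J_USERNAME);
            final String password = request.getParameter(__J_PASSWORD);
            boolean success = tryLogin(messageInfo, clientSubject, response, session, username, new Password(password));
            if (success) {
                // Redirect to original request
                String nuri;
                synchronized (session) {
                    nuri = (String) session.getAttribute(__J_URI);
                }
                if (nuri == null || nuri.isEmpty()) {
                    nuri = request.getContextPath();
                    if (nuri.isEmpty())
                        nuri = URIUtil.SLASH;
                }
                response.setContentLength(0);
                response.sendRedirect(response.encodeRedirectURL(nuri));
                return AuthStatus.SEND_CONTINUE;
            }
            // not authenticated
            if (LOG.isDebugEnabled())
                LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
            if (_formErrorPage == null) {
                if (response != null)
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
            } else {
                response.setContentLength(0);
                response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formErrorPage)));
            }
            return AuthStatus.SEND_FAILURE;
        }
        // Check if the session is already authenticated.
        SessionAuthentication sessionAuth = (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
        if (sessionAuth != null) {
            // A cached authentication without a subject cannot vouch for anyone.
            if (sessionAuth.getUserIdentity().getSubject() == null)
                return AuthStatus.SEND_FAILURE;
            Set<Object> credentials = sessionAuth.getUserIdentity().getSubject().getPrivateCredentials();
            if (credentials == null || credentials.isEmpty())
                //if no private credentials, assume it cannot be authenticated
                return AuthStatus.SEND_FAILURE;
            clientSubject.getPrivateCredentials().addAll(credentials);
            clientSubject.getPrivateCredentials().add(sessionAuth.getUserIdentity());
            return AuthStatus.SUCCESS;
        }
        // if we can't send challenge
        if (DeferredAuthentication.isDeferred(response))
            return AuthStatus.SUCCESS;
        // redirect to login page
        StringBuffer buf = request.getRequestURL();
        if (request.getQueryString() != null)
            buf.append("?").append(request.getQueryString());
        synchronized (session) {
            session.setAttribute(__J_URI, buf.toString());
        }
        response.setContentLength(0);
        response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
        return AuthStatus.SEND_CONTINUE;
    } catch (IOException | UnsupportedCallbackException e) {
        // javax AuthException has no cause-taking constructor; attach the cause
        // explicitly so the original stack trace is not lost to the caller's log.
        AuthException authException = new AuthException(e.getMessage());
        authException.initCause(e);
        throw authException;
    }
}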
Also used : HttpSession(javax.servlet.http.HttpSession) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthException(javax.security.auth.message.AuthException) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) Password(org.eclipse.jetty.util.security.Password)
