use of org.apache.catalina.HttpResponse in project Payara by payara.
the class Request method isUserInRole.
/**
 * Return <code>true</code> if the authenticated user principal
 * possesses the specified role name.
 *
 * The role is first resolved through any <security-role-ref> alias
 * declared on the wrapper; if that alias does not grant access, the
 * role name is checked as given. Requests without an authenticated
 * principal, or without a Context/Realm to consult, never hold a role.
 *
 * @param role Role name to be validated
 * @return <code>true</code> if the Realm grants the role (directly or via
 *         a security-role-ref alias) to the current principal
 */
@Override
public boolean isUserInRole(String role) {
    // BEGIN RIMOD 4949842
    // Resolve the principal via getUserPrincipal(): it cannot be assumed to
    // have been set on this object already when the request comes from core.
    Principal principal = this.getUserPrincipal();
    if (principal == null) {
        // No authenticated principal at all -> no roles.
        return false;
    }

    // The Realm of our Context is the authority for role assignments.
    Realm realm = (context == null) ? null : context.getRealm();
    if (realm == null) {
        return false;
    }

    // START SJSAS 6232464
    // Prefer an alias declared in a <security-role-ref> element, if any.
    if (wrapper != null) {
        String linkedRole = wrapper.findSecurityReference(role);
        if (linkedRole != null
                && realm.hasRole(this, (HttpResponse) response, principal, linkedRole)) {
            return true;
        }
    }

    // Fall back to the role name exactly as supplied by the caller.
    return realm.hasRole(this, (HttpResponse) response, principal, role);
    // END SJSAS 6232464
}
use of org.apache.catalina.HttpResponse in project Payara by payara.
the class AuthenticatorBase method postInvoke.
/**
 * Post-request hook that hands the completed request and response to the
 * Realm's post-authenticate delegate.
 *
 * Unlike the "do nothing" default most Valves keep, this implementation does
 * perform work on the way out of the pipeline whenever a Realm is still attached.
 *
 * @param request Request that was processed
 * @param response Response that was produced
 *
 * @exception IOException if an input/output error occurs
 * @exception ServletException if thrown by a processing element
 */
@Override
public void postInvoke(Request request, Response response) throws IOException, ServletException {
    Realm realm = this.context.getRealm();
    HttpRequest httpRequest = (HttpRequest) request;
    HttpResponse httpResponse = (HttpResponse) response;

    // The app may already have been undeployed by the time its pipeline is
    // invoked on the way out, in which case the Context's realm has been
    // reset to null. See IT 6801
    if (realm == null) {
        return;
    }
    realm.invokePostAuthenticateDelegate(httpRequest, httpResponse, context);
}
use of org.apache.catalina.HttpResponse in project Payara by payara.
the class AuthenticatorBase method invoke.
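// --------------------------------------------------------- Public Methods
/**
 * Enforce the security restrictions in the web application deployment descriptor of our associated Context.
 *
 * Checks run in this order: context availability, restoration of a cached principal from the session,
 * security-constraint lookup, user-data (transport) permission, pre-authentication / authentication,
 * resource permission, and finally auditor notification. Every denial short-circuits with
 * {@code END_PIPELINE}; only a request that satisfies every applicable check yields {@code INVOKE_NEXT}.
 *
 * @param request Request to be processed
 * @param response Response to be processed
 * @return {@code INVOKE_NEXT} when all security constraints are satisfied, otherwise {@code END_PIPELINE}
 *
 * @exception IOException if an input/output error occurs
 * @exception ServletException if thrown by a processing element
 */
@Override
public int invoke(Request request, Response response) throws IOException, ServletException {
    // START GlassFish 247
    if (!context.getAvailable()) {
        try {
            ((HttpServletResponse) response.getResponse()).sendError(SC_SERVICE_UNAVAILABLE);
        } catch (IllegalStateException | IOException e) {
            // The response may already be committed; the request is rejected either way,
            // so keep a diagnostic trace instead of dropping the exception silently.
            log.log(FINE, "Could not send SC_SERVICE_UNAVAILABLE for unavailable context", e);
        }
        return END_PIPELINE;
    }
    // END GlassFish 247

    HttpRequest hrequest = (HttpRequest) request;
    HttpResponse hresponse = (HttpResponse) response;

    if (log.isLoggable(FINE)) {
        HttpServletRequest servletRequest = (HttpServletRequest) request.getRequest();
        log.fine("Security checking request " + servletRequest.getMethod() + " " + servletRequest.getRequestURI());
    }

    LoginConfig config = this.context.getLoginConfig();

    // Have we got a cached authenticated Principal to record? If the request carries no
    // principal yet but the session does, re-attach it (and its auth type) to the request.
    if (cache) {
        Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal();
        if (principal == null) {
            Session session = getSession(hrequest);
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isLoggable(FINE)) {
                        log.fine("We have cached auth type " + session.getAuthType() + " for principal " + session.getPrincipal());
                    }
                    hrequest.setAuthType(session.getAuthType());
                    hrequest.setUserPrincipal(principal);
                }
            }
        }
    }

    Realm realm = this.context.getRealm();

    // Is this request URI subject to a security constraint?
    SecurityConstraint[] constraints = realm.findSecurityConstraints(hrequest, this.context);
    if (constraints == null) {
        log.fine(" Not subject to any constraint");
        return processSecurityCheck(hrequest, hresponse, config);
    }

    log.fine(" Calling hasUserDataPermission()");
    if (!realm.hasUserDataPermission(hrequest, hresponse, constraints)) {
        log.fine(" Failed hasUserDataPermission() test");
        /*
         * ASSERT: hasUserDataPermission() is expected to have already set the appropriate
         * HTTP status code, so we do not have to do anything special
         */
        return END_PIPELINE;
    }

    int preAuthenticateCheckResult = realm.preAuthenticateCheck(hrequest, hresponse, constraints, disableProxyCaching, securePagesWithPragma, (sso != null));
    if (preAuthenticateCheckResult == AUTHENTICATE_NOT_NEEDED) {
        return processSecurityCheck(hrequest, hresponse, config);
    }
    if (preAuthenticateCheckResult == AUTHENTICATE_NEEDED) {
        log.fine(" Calling authenticate()");
        boolean authenticateResult = realm.invokeAuthenticateDelegate(hrequest, hresponse, context, this, false);
        if (!authenticateResult) {
            log.fine(" Failed authenticate() test");
            return END_PIPELINE;
        }
    } else if (preAuthenticateCheckResult == AUTHENTICATED_NOT_AUTHORIZED) {
        return END_PIPELINE;
    }
    // Any other pre-authenticate result falls through to the resource-permission check below.

    log.log(FINE, " Calling accessControl()");
    if (!realm.hasResourcePermission(hrequest, hresponse, constraints, this.context)) {
        log.log(FINE, " Failed accessControl() test");
        Auditor[] auditors = context.getAuditors();
        if (auditors != null) {
            for (Auditor auditor : auditors) {
                auditor.webInvocation(hrequest, false);
            }
        }
        /*
         * ASSERT: AccessControl method has already set the appropriate HTTP status code, so we do not have to do anything
         * special
         */
        return END_PIPELINE;
    }

    Auditor[] auditors = this.context.getAuditors();
    if (auditors != null) {
        boolean success = true;
        for (Auditor auditor : auditors) {
            try {
                auditor.webInvocation(hrequest, true);
            } catch (Exception e) {
                // Record why the audit failed: the request is about to be denied because of it,
                // and a silent drop would leave operators with no trace of the cause.
                log.log(Level.WARNING, "Auditor " + auditor + " failed for web invocation", e);
                success = false;
            }
        }
        if (!success) {
            // Fail closed: an auditor failure denies the request rather than letting an unaudited invocation through
            return END_PIPELINE;
        }
    }

    // Any and all specified constraints have been satisfied
    log.fine("Successfully passed all security constraints");
    return INVOKE_NEXT;
}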
use of org.apache.catalina.HttpResponse in project Payara by payara.
the class Request method addSessionCookie.
/**
 * Add the session cookie for the current session to the response.
 *
 * Nothing is added when the Context is absent or has cookies disabled, when there is
 * no response, or when the Context carries a jvmRoute (in which case the cookie is
 * emitted later by OutputBuffer#addSessionCookieWithJvmRoute).
 */
private void addSessionCookie() {
    boolean cookiesEnabled = context != null && context.getCookies();
    if (!cookiesEnabled || response == null) {
        return;
    }

    String jvmRoute = ((StandardContext) getContext()).getJvmRoute();
    if (jvmRoute != null) {
        // Context is configured with a jvmRoute for Apache LB: do not add the
        // session cookie here, but rely on OutputBuffer#addSessionCookieWithJvmRoute
        // to add the jvmRoute-enhanced cookie right before the response is flushed.
        return;
    }

    Cookie sessionCookie = new Cookie(getContext().getSessionCookieName(), session.getId());
    // Apply the configured session-cookie attributes (see configureSessionCookie) before emitting it.
    configureSessionCookie(sessionCookie);
    ((HttpResponse) response).addSessionCookieInternal(sessionCookie);
}
use of org.apache.catalina.HttpResponse in project Payara by payara.
the class FormAuthenticator method saveRequest.
/**
 * Save the original request information into our session so that it can be
 * replayed once FORM authentication has completed.
 *
 * Cookies, headers, content length, locales, method, query string and request
 * URI are copied. The request body is read into a ByteChunk whose limit is the
 * connector's maxSavePostSize, and is retained (together with the content type)
 * only when at least one byte was read.
 *
 * @param request The request to be saved
 * @param session The session to contain the saved information
 *
 * @exception IOException if the request body cannot be read
 */
protected void saveRequest(HttpRequest request, Session session) throws IOException {
    HttpServletRequest servletRequest = (HttpServletRequest) request.getRequest();
    SavedRequest saved = new SavedRequest();

    // Cookies
    Cookie[] cookies = servletRequest.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            saved.addCookie(cookie);
        }
    }

    // Headers: every value of every header name
    for (Enumeration<String> headerNames = servletRequest.getHeaderNames(); headerNames.hasMoreElements();) {
        String headerName = headerNames.nextElement();
        for (Enumeration<String> headerValues = servletRequest.getHeaders(headerName); headerValues.hasMoreElements();) {
            saved.addHeader(headerName, headerValues.nextElement());
        }
    }
    saved.setContentLength(servletRequest.getContentLength());

    // Locales
    for (Enumeration<Locale> locales = servletRequest.getLocales(); locales.hasMoreElements();) {
        saved.addLocale(locales.nextElement());
    }

    // A client that sent a 100-continue expectation may need the acknowledgement before it sends the body
    ((HttpResponse) request.getResponse()).sendAcknowledgement();

    // Body, bounded by the connector's maxSavePostSize
    ByteChunk body = new ByteChunk();
    body.setLimit(request.getConnector().getMaxSavePostSize());
    InputStream in = request.getStream();
    byte[] chunk = new byte[4096];
    for (int n = in.read(chunk); n >= 0; n = in.read(chunk)) {
        body.append(chunk, 0, n);
    }

    // Keep the body (and its content type) only when something was actually read
    if (body.getLength() > 0) {
        saved.setContentType(servletRequest.getContentType());
        saved.setBody(body);
    }

    saved.setMethod(servletRequest.getMethod());
    saved.setQueryString(servletRequest.getQueryString());
    saved.setRequestURI(servletRequest.getRequestURI());

    // Park the SavedRequest in our session until the authentication round-trip completes
    session.setNote(FORM_REQUEST_NOTE, saved);
}