9. Araxis Merge File Comparison Report

Produced by Araxis Merge on 11/20/2017 2:16:16 PM GMT Standard Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

9.1 Files compared

#	Location	File	Last Modified
1	C:\Merge Test Files\8.0.47\java\org\apache\catalina\authenticator	AuthenticatorBase.java	Fri Sep 29 16:53:28 2017 UTC
2	C:\Merge Test Files\8.5.23\java\org\apache\catalina\authenticator	AuthenticatorBase.java	Thu Sep 28 11:32:16 2017 UTC

9.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	111	1516
Changed	65	489
Inserted	20	247
Removed	25	26

9.3 Comparison options

Whitespace	Consecutive whitespace is treated as a single space
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

9.4 Active regular expressions

No regular expressions were active.

9.5 Comparison detail

1	/*	1	/*
2	* License d to the A pache Soft ware Found ation (ASF ) under on e or more	2	* License d to the A pache Soft ware Found ation (ASF ) under on e or more
3	* contrib utor licen se agreeme nts. See the NOTICE file dist ributed wi th	3	* contrib utor licen se agreeme nts. See the NOTICE file dist ributed wi th
4	* this wo rk for add itional in formation regarding copyright ownership.	4	* this wo rk for add itional in formation regarding copyright ownership.
5	* The ASF licenses this file to You und er the Apa che Licens e, Version 2.0	5	* The ASF licenses this file to You und er the Apa che Licens e, Version 2.0
6	* (the "L icense"); you may no t use this file exce pt in comp liance wit h	6	* (the "L icense"); you may no t use this file exce pt in comp liance wit h
7	* the Lic ense. You may obtai n a copy o f the Lice nse at	7	* the Lic ense. You may obtai n a copy o f the Lice nse at
8	*	8	*
9	* ht tp://www.a pache.org/ licenses/L ICENSE-2.0	9	* ht tp://www.a pache.org/ licenses/L ICENSE-2.0
10	*	10	*
11	* Unless required b y applicab le law or agreed to in writing , software	11	* Unless required b y applicab le law or agreed to in writing , software
12	* distrib uted under the Licen se is dist ributed on an "AS IS " BASIS,	12	* distrib uted under the Licen se is dist ributed on an "AS IS " BASIS,
13	* WITHOUT WARRANTIE S OR CONDI TIONS OF A NY KIND, e ither expr ess or imp lied.	13	* WITHOUT WARRANTIE S OR CONDI TIONS OF A NY KIND, e ither expr ess or imp lied.
14	* See the License f or the spe cific lang uage gover ning permi ssions and	14	* See the License f or the spe cific lang uage gover ning permi ssions and
15	* limitat ions under the Licen se.	15	* limitat ions under the Licen se.
16	*/	16	*/
17	package or g.apache.c atalina.au thenticato r;	17	package or g.apache.c atalina.au thenticato r;
18		18
19	import jav a.io.IOExc eption;	19	import jav a.io.IOExc eption;
20	import jav a.security .Principal ;	20	import jav a.security .Principal ;
21	import jav a.security .cert.X509 Certificat e;	21	import jav a.security .cert.X509 Certificat e;
22	import jav a.text.Sim pleDateFor mat;	22	import jav a.text.Sim pleDateFor mat;
23	import jav a.util.Dat e;	23	import jav a.util.Dat e;
24	import jav a.util.Loc ale;	24	import jav a.util.Loc ale;
		25	import jav a.util.Map ;
		26	import jav a.util.Set ;
25		27
		28	import jav ax.securit y.auth.Sub ject;
		29	import jav ax.securit y.auth.cal lback.Call backHandle r;
		30	import jav ax.securit y.auth.mes sage.AuthE xception;
		31	import jav ax.securit y.auth.mes sage.AuthS tatus;
		32	import jav ax.securit y.auth.mes sage.Messa geInfo;
		33	import jav ax.securit y.auth.mes sage.confi g.AuthConf igFactory;
		34	import jav ax.securit y.auth.mes sage.confi g.AuthConf igProvider ;
		35	import jav ax.securit y.auth.mes sage.confi g.ClientAu thConfig;
		36	import jav ax.securit y.auth.mes sage.confi g.Registra tionListen er;
		37	import jav ax.securit y.auth.mes sage.confi g.ServerAu thConfig;
		38	import jav ax.securit y.auth.mes sage.confi g.ServerAu thContext;
		39	import jav ax.servlet .ServletCo ntext;
26	import jav ax.servlet .ServletEx ception;	40	import jav ax.servlet .ServletEx ception;
27	import jav ax.servlet .http.Cook ie;	41	import jav ax.servlet .http.Cook ie;
28	import jav ax.servlet .http.Http ServletReq uest;	42	import jav ax.servlet .http.Http ServletReq uest;
29	import jav ax.servlet .http.Http ServletRes ponse;	43	import jav ax.servlet .http.Http ServletRes ponse;
30		44
31	import org .apache.ca talina.Aut henticator ;	45	import org .apache.ca talina.Aut henticator ;
32	import org .apache.ca talina.Con tainer;	46	import org .apache.ca talina.Con tainer;
33	import org .apache.ca talina.Con text;	47	import org .apache.ca talina.Con text;
34	import org .apache.ca talina.Glo bals;	48	import org .apache.ca talina.Glo bals;
35	import org .apache.ca talina.Lif ecycleExce ption;	49	import org .apache.ca talina.Lif ecycleExce ption;
36	import org .apache.ca talina.Man ager;	50	import org .apache.ca talina.Man ager;
37	import org .apache.ca talina.Rea lm;	51	import org .apache.ca talina.Rea lm;
38	import org .apache.ca talina.Ses sion;	52	import org .apache.ca talina.Ses sion;
39	import org .apache.ca talina.Tom catPrincip al;	53	import org .apache.ca talina.Tom catPrincip al;
40	import org .apache.ca talina.Val ve;	54	import org .apache.ca talina.Val ve;
41	import org .apache.ca talina.Wra pper;	55	import org .apache.ca talina.Wra pper;
		56	import org .apache.ca talina.aut henticator .jaspic.Ca llbackHand lerImpl;
		57	import org .apache.ca talina.aut henticator .jaspic.Me ssageInfoI mpl;
42	import org .apache.ca talina.con nector.Req uest;	58	import org .apache.ca talina.con nector.Req uest;
43	import org .apache.ca talina.con nector.Res ponse;	59	import org .apache.ca talina.con nector.Res ponse;
44	import org .apache.ca talina.rea lm.Generic Principal;	60	import org .apache.ca talina.rea lm.Generic Principal;
45	import org .apache.ca talina.uti l.SessionI dGenerator Base;	61	import org .apache.ca talina.uti l.SessionI dGenerator Base;
46	import org .apache.ca talina.uti l.Standard SessionIdG enerator;	62	import org .apache.ca talina.uti l.Standard SessionIdG enerator;
47	import org .apache.ca talina.val ves.ValveB ase;	63	import org .apache.ca talina.val ves.ValveB ase;
48	import org .apache.co yote.Actio nCode;	64	import org .apache.co yote.Actio nCode;
49	import org .apache.ju li.logging .Log;	65	import org .apache.ju li.logging .Log;
50	import org .apache.ju li.logging .LogFactor y;	66	import org .apache.ju li.logging .LogFactor y;
51	import org .apache.to mcat.util. ExceptionU tils;	67	import org .apache.to mcat.util. ExceptionU tils;
52	import org .apache.to mcat.util. descriptor .web.Login Config;	68	import org .apache.to mcat.util. descriptor .web.Login Config;
53	import org .apache.to mcat.util. descriptor .web.Secur ityConstra int;	69	import org .apache.to mcat.util. descriptor .web.Secur ityConstra int;
54	import org .apache.to mcat.util. http.FastH ttpDateFor mat;	70	import org .apache.to mcat.util. http.FastH ttpDateFor mat;
55	import org .apache.to mcat.util. res.String Manager;	71	import org .apache.to mcat.util. res.String Manager;
56		72
57
58	/**	73	/**
59	* Basic i mplementat ion of the <b>Valve< /b> interf ace that e nforces th e	74	* Basic i mplementat ion of the <b>Valve< /b> interf ace that e nforces th e
60	* <code>& lt;securit y-constrai nt></co de> elemen ts in the web applic ation	75	* <code>& lt;securit y-constrai nt></co de> elemen ts in the web applic ation
61	* deploym ent descri ptor. This funct ionality i s implemen ted as a V alve	76	* deploym ent descri ptor. This functiona lity is im plemented as a Valve so that
62	* so that it can be omitted in environme nts that d o not requ ire these	77	* it can be omitted in environme nts that d o not requ ire these features.
63	* features. Individual implement ations of each suppo rted authe ntication	78	* Individual implement ations of each suppo rted authe ntication method ca n
64	* method can subclass t his base c lass as re quired.	79	* subclass t his base c lass as re quired.
65	* <p>	80	* <p>
66	* <b>USAG E CONSTRAI NT</b>: When this class is u tilized, t he Context to	81	* <b>USAG E CONSTRAI NT</b>: Wh en this cl ass is uti lized, the Context t o which it
67	* which it is attache d (or a pa rent Conta iner in a hierarchy) must have an	82	* is attache d (or a pa rent Conta iner in a hierarchy) must have an associate d
68	* associated Realm that can be us ed for aut henticatin g users an d enumerat ing	83	* Realm that can be us ed for aut henticatin g users an d enumerat ing the roles to
69	* the roles to which they have been assigned.	84	* which they have been assigned.
70	* <p>	85	* <p>
71	* <b>USAG E CONSTRAI NT</b>: T his Valve is only us eful when processing HTTP	86	* <b>USAG E CONSTRAI NT</b>: Th is Valve i s only use ful when p rocessing HTTP
72	* request s. Reques ts of any other type will simp ly be pass ed through .	87	* request s. Request s of any o ther type will simpl y be passe d through.
73	*	88	*
74	* @author Craig R. McClanahan	89	* @author Craig R. McClanahan
75	*/	90	*/
76	public abs tract clas s Authenti catorBase extends Va lveBase	91	public abs tract clas s Authenti catorBase extends Va lveBase
77	implements Authentic ator {	92	implements Authentic ator , Registra tionListen er {
78		93
79	privat e static f inal Log l og = LogFa ctory.getL og(Authent icatorBase .class);	94	privat e static f inal Log l og = LogFa ctory.getL og(Authent icatorBase .class);
80		95
		96	/**
		97	* "Ex pires" hea der always set to Da te(1), so generate o nce only
		98	*/
		99	privat e static f inal Strin g DATE_ONE =
		100	(new Sim pleDateFor mat(FastHt tpDateForm at.RFC1123 _DATE, Loc ale.US)).f ormat(new Date(1));
81		101
82	//---- ---------- ---------- ---------- ---------- ---------- Construct or	102	privat e static f inal AuthC onfigProvi der NO_PRO VIDER_AVAI LABLE = ne w NoOpAuth ConfigProv ider();
83	public Authentic atorBase() {
84	su per(true);
85	}
86
87	// --- ---------- ---------- ---------- ---------- ---------- Instance Variables
88		103
		104	/**
		105	* The string ma nager for this packa ge.
		106	*/
		107	protec ted static final Str ingManager sm = Stri ngManager. getManager (Authentic atorBase.c lass);
89		108
90	/**	109	/**
91	* Aut henticatio n header	110	* Aut henticatio n header
92	*/	111	*/
93	protec ted static final Str ing AUTH_H EADER_NAME = "WWW-Au thenticate ";	112	protec ted static final Str ing AUTH_H EADER_NAME = "WWW-Au thenticate ";
94		113
95	/**	114	/**
96	* Def ault authe ntication realm name .	115	* Def ault authe ntication realm name .
97	*/	116	*/
98	protec ted static final Str ing REALM_ NAME = "Au thenticati on require d";	117	protec ted static final Str ing REALM_ NAME = "Au thenticati on require d";
99		118
		119	protec ted static String ge tRealmName (Context c ontext) {
		120	if (context == null) {
		121	// Very unlikely
		122	return R EALM_NAME;
		123	}
		124
		125	Lo ginConfig config = c ontext.get LoginConfi g();
		126	if (config = = null) {
		127	return R EALM_NAME;
		128	}
		129
		130	St ring resul t = config .getRealmN ame();
		131	if (result = = null) {
		132	return R EALM_NAME;
		133	}
		134
		135	re turn resul t;
		136	}
		137
		138	// --- ---------- ---------- ---------- ---------- ---------- - Construc tor
		139
		140	public Authentic atorBase() {
		141	su per(true);
		142	}
		143
		144	// --- ---------- ---------- ---------- ---------- ---------- Instance Variables
		145
100	/**	146	/**
101	* Sho uld a sess ion always be used o nce a user is authen ticated? T his may	147	* Sho uld a sess ion always be used o nce a user is authen ticated? T his may
102	* off er some pe rformance benefits s ince the s ession can then be u sed to	148	* off er some pe rformance benefits s ince the s ession can then be u sed to
103	* cac he the aut henticated Principal , hence re moving the need to	149	* cac he the aut henticated Principal , hence re moving the need to
104	* aut henticate the user v ia the Rea lm on ever y request. This may be of help	150	* aut henticate the user v ia the Rea lm on ever y request. This may be of help
105	* for combinati ons such a s BASIC au thenticati on used wi th the JND IRealm or	151	* for combinati ons such a s BASIC au thenticati on used wi th the JND IRealm or
106	* Dat aSourceRea lms. Howev er there w ill also b e the perf ormance co st of	152	* Dat aSourceRea lms. Howev er there w ill also b e the perf ormance co st of
107	* cre ating and GC'ing the session. By default , a sessio n will not be	153	* cre ating and GC'ing the session. By default , a sessio n will not be
108	* cre ated.	154	* cre ated.
109	*/	155	*/
110	protec ted boolea n alwaysUs eSession = false;	156	protec ted boolea n alwaysUs eSession = false;
111		157
112
113	/**	158	/**
114	* Should w e cache au thenticate d Principa ls if the request is part of	159	* Should w e cache au thenticate d Principa ls if the request is part of an
115	* an HTTP sessi on?	160	* HTTP sessi on?
116	*/	161	*/
117	protec ted boolea n cache = true;	162	protec ted boolea n cache = true;
118		163
119
120	/**	164	/**
121	* Sho uld the se ssion ID, if any, be changed u pon a succ essful	165	* Sho uld the se ssion ID, if any, be changed u pon a succ essful
122	* aut henticatio n to preve nt a sessi on fixatio n attack?	166	* aut henticatio n to preve nt a sessi on fixatio n attack?
123	*/	167	*/
124	protec ted boolea n changeSe ssionIdOnA uthenticat ion = true ;	168	protec ted boolea n changeSe ssionIdOnA uthenticat ion = true ;
125		169
126	/**	170	/**
127	* The Context t o which th is Valve i s attached .	171	* The Context t o which th is Valve i s attached .
128	*/	172	*/
129	protec ted Contex t context = null;	173	protec ted Contex t context = null;
130		174
131
132	/**	175	/**
133	* Flag to determine if we disa ble proxy caching, o r leave th e issue	176	* Flag to determine if we disa ble proxy caching, o r leave th e issue up to
134	* up to the webapp developer .	177	* the webapp developer .
135	*/	178	*/
136	protec ted boolea n disableP roxyCachin g = true;	179	protec ted boolea n disableP roxyCachin g = true;
137		180
138	/**	181	/**
139	* Fla g to deter mine if we disable p roxy cachi ng with he aders inco mpatible	182	* Fla g to deter mine if we disable p roxy cachi ng with he aders inco mpatible
140	* wit h IE.	183	* wit h IE.
141	*/	184	*/
142	protec ted boolea n securePa gesWithPra gma = fals e;	185	protec ted boolea n securePa gesWithPra gma = fals e;
143		186
144	/**	187	/**
145	* The Java clas s name of the secure random nu mber gener ator class to be	188	* The Java clas s name of the secure random nu mber gener ator class to be
146	* use d when gen erating SS O session identifier s. The ran dom number generator	189	* use d when gen erating SS O session identifier s. The ran dom number generator
147	* cla ss must be self-seed ing and ha ve a zero- argument c onstructor . If not	190	* cla ss must be self-seed ing and ha ve a zero- argument c onstructor . If not
148	* spe cified, an instance of {@link java.secur ity.Secure Random} wi ll be	191	* spe cified, an instance of {@link java.secur ity.Secure Random} wi ll be
149	* gen erated.	192	* gen erated.
150	*/	193	*/
151	protec ted String secureRan domClass = null;	194	protec ted String secureRan domClass = null;
152		195
153	/**	196	/**
154	* The name of t he algorit hm to use to create instances of	197	* The name of t he algorit hm to use to create instances of
155	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate S SO session	198	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate S SO session
156	* IDs . If no al gorithm is specified , SHA1PRNG is used. To use the platform	199	* IDs . If no al gorithm is specified , SHA1PRNG is used. To use the platform
157	* def ault (whic h may be S HA1PRNG), specify th e empty st ring. If a n invalid	200	* def ault (whic h may be S HA1PRNG), specify th e empty st ring. If a n invalid
158	* alg orithm and /or provid er is spec ified the SecureRand om instanc es will be	201	* alg orithm and /or provid er is spec ified the SecureRand om instanc es will be
159	* cre ated using the defau lts. If th at fails, the Secure Random ins tances	202	* cre ated using the defau lts. If th at fails, the Secure Random ins tances
160	* wil l be creat ed using p latform de faults.	203	* wil l be creat ed using p latform de faults.
161	*/	204	*/
162	protec ted String secureRan domAlgorit hm = "SHA1 PRNG";	205	protec ted String secureRan domAlgorit hm = "SHA1 PRNG";
163		206
164	/**	207	/**
165	* The name of t he provide r to use t o create i nstances o f	208	* The name of t he provide r to use t o create i nstances o f
166	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate s ession SSO	209	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate s ession SSO
167	* IDs . If no al gorithm is specified the of SH A1PRNG def ault is us ed. If an	210	* IDs . If no al gorithm is specified the of SH A1PRNG def ault is us ed. If an
168	* inv alid algor ithm and/o r provider is specif ied the Se cureRandom instances	211	* inv alid algor ithm and/o r provider is specif ied the Se cureRandom instances
169	* wil l be creat ed using t he default s. If that fails, th e SecureRa ndom	212	* wil l be creat ed using t he default s. If that fails, th e SecureRa ndom
170	* ins tances wil l be creat ed using p latform de faults.	213	* ins tances wil l be creat ed using p latform de faults.
171	*/	214	*/
172	protec ted String secureRan domProvide r = null;	215	protec ted String secureRan domProvide r = null;
173		216
174	protec ted Sessio nIdGenerat orBase ses sionIdGene rator = nu ll;	217	protec ted Sessio nIdGenerat orBase ses sionIdGene rator = nu ll;
175		218
176	/**	219	/**
177	* The string ma nager for this packa ge.	220	* The Sing leSignOn i mplementat ion in our request p rocessing chain, if there
178	*/	221	* i s one.
179	protec ted static final Str ingManager sm =
180	St ringManage r.getManag er(Constan ts.Package );
181
182
183	/**
184	* The Sing leSignOn i mplementat ion in our request p rocessing chain,
185	* i f there i s one.
186	*/	222	*/
187	protec ted Single SignOn sso = null;	223	protec ted Single SignOn sso = null;
188		224
189		225	privat e volatile String ja spicAppCon textID = n ull;
190	/**	226	privat e volatile AuthConfi gProvider jaspicProv ider = nul l;
191	* "Ex pires" hea der always set to Da te(1), so generate o nce only
192	*/
193	privat e static f inal Strin g DATE_ONE =
194	(n ew SimpleD ateFormat( FastHttpDa teFormat.R FC1123_DAT E,
195	Locale.US) ).format(n ew Date(1) );
196
197
198	protec ted static String ge tRealmName (Context c ontext) {
199	if (context == null) {
200	// Very unlikely
201	return R EALM_NAME;
202	}
203
204	Lo ginConfig config = c ontext.get LoginConfi g();
205	if (config = = null) {
206	return R EALM_NAME;
207	}
208
209	St ring resul t = config .getRealmN ame();
210	if (result = = null) {
211	return R EALM_NAME;
212	}
213
214	re turn resul t;
215	}
216		227
217		228
218	// --- ---------- ---------- ---------- ---------- ---------- -------- P roperties	229	// --- ---------- ---------- ---------- ---------- ---------- -------- P roperties
219		230
220
221	public boolean g etAlwaysUs eSession() {	231	public boolean g etAlwaysUs eSession() {
222	re turn alway sUseSessio n;	232	re turn alway sUseSessio n;
223	}	233	}
224		234
225
226	public void setA lwaysUseSe ssion(bool ean always UseSession ) {	235	public void setA lwaysUseSe ssion(bool ean always UseSession ) {
227	th is.alwaysU seSession = alwaysUs eSession;	236	th is.alwaysU seSession = alwaysUs eSession;
228	}	237	}
229		238
230
231	/**	239	/**
232	* Ret urn the ca che authen ticated Pr incipals f lag.	240	* Ret urn the ca che authen ticated Pr incipals f lag.
		241	*
		242	* @re turn <code >true</cod e> if auth enticated Principals will be c ached,
		243	* other wise <code >false</co de>
233	*/	244	*/
234	public boolean g etCache() {	245	public boolean g etCache() {
235		246	return this.cache ;
236	return ( this.cache ) ;
237
238	}	247	}
239		248
240
241	/**	249	/**
242	* Set the cache authentic ated Princ ipals flag .	250	* Set the cache authentic ated Princ ipals flag .
243	*	251	*
244	* @param c ache The new c ache flag	252	* @param c ache
		253	* Th e new cach e flag
245	*/	254	*/
246	public void setC ache(boole an cache) {	255	public void setC ache(boole an cache) {
247
248	th is.cache = cache;	256	th is.cache = cache;
249
250	}	257	}
251		258
252
253	/**	259	/**
254	* Ret urn the Co ntainer to which thi s Valve is attached.	260	* Ret urn the Co ntainer to which thi s Valve is attached.
255	*/	261	*/
256	@Overr ide	262	@Overr ide
257	public Container getContai ner() {	263	public Container getContai ner() {
258		264	return this.conte xt ;
259	return ( this.conte xt ) ;
260
261	}	265	}
262		266
263
264	/**	267	/**
265	* Set the Conta iner to wh ich this V alve is at tached.	268	* Set the Conta iner to wh ich this V alve is at tached.
266	*	269	*
267	* @param con tainer The contai ner to whi ch we are attached	270	* @pa ram contai ner
		271	* The contai ner to whi ch we are attached
268	*/	272	*/
269	@Overr ide	273	@Overr ide
270	public void setC ontainer(C ontainer c ontainer) {	274	public void setC ontainer(C ontainer c ontainer) {
271		275
272	if (containe r != null && !(conta iner insta nceof Cont ext)) {	276	if (containe r != null && !(conta iner insta nceof Cont ext)) {
273	throw new IllegalArg umentExcep tion	277	throw new IllegalArg umentExcep tion (sm.getStr ing("authe nticator.n otContext" ));
274	(sm. getString( "authentic ator.notCo ntext"));
275	}	278	}
276		279
277	su per.setCon tainer(con tainer);	280	su per.setCon tainer(con tainer);
278	th is.context = (Contex t) contain er;	281	th is.context = (Contex t) contain er;
279		282
280	}	283	}
281		284
282
283	/**	285	/**
284	* Ret urn the fl ag that st ates if we add heade rs to disa ble cachin g by	286	* Ret urn the fl ag that st ates if we add heade rs to disa ble cachin g by
285	* pro xies.	287	* pro xies.
		288	*
		289	* @re turn <code >true</cod e> if the headers wi ll be adde d, otherwi se
		290	* <code >false</co de>
286	*/	291	*/
287	public boolean g etDisableP roxyCachin g() {	292	public boolean g etDisableP roxyCachin g() {
288	re turn disab leProxyCac hing;	293	re turn disab leProxyCac hing;
289	}	294	}
290		295
291	/**	296	/**
292	* Set the value of the fl ag that st ates if we add heade rs to disa ble	297	* Set the value of the fl ag that st ates if we add heade rs to disa ble
293	* cac hing by pr oxies.	298	* cac hing by pr oxies.
294	* @param noc ache <code>true </code> if we add he aders to d isable pro xy	299	*
295	* caching, <code>fals e</code> i f we leave the heade rs alone.	300	* @pa ram nocach e
		301	* <code>true </code> if we add he aders to d isable pro xy caching,
		302	* <code>fals e</code> i f we leave the heade rs alone.
296	*/	303	*/
297	public void setD isableProx yCaching(b oolean noc ache) {	304	public void setD isableProx yCaching(b oolean noc ache) {
298	di sableProxy Caching = nocache;	305	di sableProxy Caching = nocache;
299	}	306	}
300		307
301	/**	308	/**
302	* Ret urn the fl ag that st ates, if p roxy cachi ng is disa bled, what headers	309	* Ret urn the fl ag that st ates, if p roxy cachi ng is disa bled, what headers
303	* we add to dis able the c aching.	310	* we add to dis able the c aching.
		311	*
		312	* @re turn <code >true</cod e> if a Pr agma heade r should b e used, ot herwise
		313	* <code >false</co de>
304	*/	314	*/
305	public boolean g etSecurePa gesWithPra gma() {	315	public boolean g etSecurePa gesWithPra gma() {
306	re turn secur ePagesWith Pragma;	316	re turn secur ePagesWith Pragma;
307	}	317	}
308		318
309	/**	319	/**
310	* Set the value of the fl ag that st ates what headers we add to di sable	320	* Set the value of the fl ag that st ates what headers we add to di sable
311	* pro xy caching .	321	* pro xy caching .
312	* @param sec urePagesWi thPragma <code>true </code> if we add he aders whic h	322	*
313	* are incomp atible with downl oading off ice docume nts in IE under SSL but	323	* @pa ram secure PagesWithP ragma
314	* which fix a cach ing proble m in Mozil la.	324	* <code>true </code> if we add he aders whic h are incom patible
		325	* with downl oading off ice docume nts in IE under SSL but which
		326	* fix a cach ing proble m in Mozil la.
315	*/	327	*/
316	public void setS ecurePages WithPragma (boolean s ecurePages WithPragma ) {	328	public void setS ecurePages WithPragma (boolean s ecurePages WithPragma ) {
317	th is.secureP agesWithPr agma = sec urePagesWi thPragma;	329	th is.secureP agesWithPr agma = sec urePagesWi thPragma;
318	}	330	}
319		331
320	/**	332	/**
321	* Ret urn the fl ag that st ates if we should ch ange the s ession ID of an	333	* Ret urn the fl ag that st ates if we should ch ange the s ession ID of an
322	* exi sting sess ion upon s uccessful authentica tion.	334	* exi sting sess ion upon s uccessful authentica tion.
323	*	335	*
324	* @re turn <code >true</cod e> to chan ge session ID upon s uccessful	336	* @re turn <code >true</cod e> to chan ge session ID upon s uccessful
325	* authe ntication, <code>fal se</code> to do not perform th e change.	337	* authe ntication, <code>fal se</code> to do not perform th e change.
326	*/	338	*/
327	public boolean g etChangeSe ssionIdOnA uthenticat ion() {	339	public boolean g etChangeSe ssionIdOnA uthenticat ion() {
328	re turn chang eSessionId OnAuthenti cation;	340	re turn chang eSessionId OnAuthenti cation;
329	}	341	}
330		342
331	/**	343	/**
332	* Set the value of the fl ag that st ates if we should ch ange the s ession ID	344	* Set the value of the fl ag that st ates if we should ch ange the s ession ID
333	* of an existin g session upon succe ssful auth entication .	345	* of an existin g session upon succe ssful auth entication .
334	*	346	*
335	* @param c hangeSessi onIdOnAuth entication	347	* @param c hangeSessi onIdOnAuth entication <code>tru e</code> t o change
336	* <c ode>true</ code> to c hange sess ion ID upo n successf ul	348	* session ID upon succ essful authentica tion, <cod e>false</c ode>
337	* authentica tion, <cod e>false</c ode> to do not perform t he	349	* to do not pe rform the change.
338	* ch ange.
339	*/	350	*/
340	public voi d setChang eSessionId OnAuthenti cation(	351	public voi d setChang eSessionId OnAuthenti cation( boolean ch angeSessio nIdOnAuthe ntication) {
341	boolean changeSess ionIdOnAut henticatio n) {
342	th is.changeS essionIdOn Authentica tion = cha ngeSession IdOnAuthen tication;	352	th is.changeS essionIdOn Authentica tion = cha ngeSession IdOnAuthen tication;
343	}	353	}
344		354
345	/**	355	/**
346	* Ret urn the se cure rando m number g enerator c lass name.	356	* Ret urn the se cure rando m number g enerator c lass name.
		357	*
		358	* @re turn The f ully quali fied name of the Sec ureRandom implementa tion to
		359	* use
347	*/	360	*/
348	public String ge tSecureRan domClass() {	361	public String ge tSecureRan domClass() {
349		362	return this.secur eRandomCla ss ;
350	return ( this.secur eRandomCla ss ) ;
351
352	}	363	}
353		364
354
355	/**	365	/**
356	* Set the secur e random n umber gene rator clas s name.	366	* Set the secur e random n umber gene rator clas s name.
357	*	367	*
358	* @param s ecureRando mClass The new s ecure rand om number generator class	368	* @param s ecureRando mClass
359	* name	369	* Th e new secu re random number gen erator cla ss name
360	*/	370	*/
361	public void setS ecureRando mClass(Str ing secure RandomClas s) {	371	public void setS ecureRando mClass(Str ing secure RandomClas s) {
362	th is.secureR andomClass = secureR andomClass ;	372	th is.secureR andomClass = secureR andomClass ;
363	}	373	}
364		374
365
366	/**	375	/**
367	* Ret urn the se cure rando m number g enerator a lgorithm n ame.	376	* Ret urn the se cure rando m number g enerator a lgorithm n ame.
		377	*
		378	* @re turn The n ame of the SecureRan dom algori thm used
368	*/	379	*/
369	public String ge tSecureRan domAlgorit hm() {	380	public String ge tSecureRan domAlgorit hm() {
370	re turn secur eRandomAlg orithm;	381	re turn secur eRandomAlg orithm;
371	}	382	}
372		383
373
374	/**	384	/**
375	* Set the secur e random n umber gene rator algo rithm name .	385	* Set the secur e random n umber gene rator algo rithm name .
376	*	386	*
377	* @param s ecureRando mAlgorithm The new s ecure rand om number generator	387	* @param s ecureRando mAlgorithm
378	* algorithm name	388	* The new se cure rando m number g enerator algorithm name
379	*/	389	*/
380	public void setS ecureRando mAlgorithm (String se cureRandom Algorithm) {	390	public void setS ecureRando mAlgorithm (String se cureRandom Algorithm) {
381	th is.secureR andomAlgor ithm = sec ureRandomA lgorithm;	391	th is.secureR andomAlgor ithm = sec ureRandomA lgorithm;
382	}	392	}
383		393
384
385	/**	394	/**
386	* Ret urn the se cure rando m number g enerator p rovider na me.	395	* Ret urn the se cure rando m number g enerator p rovider na me.
		396	*
		397	* @re turn The n ame of the SecureRan dom provid er
387	*/	398	*/
388	public String ge tSecureRan domProvide r() {	399	public String ge tSecureRan domProvide r() {
389	re turn secur eRandomPro vider;	400	re turn secur eRandomPro vider;
390	}	401	}
391		402
392
393	/**	403	/**
394	* Set the secur e random n umber gene rator prov ider name.	404	* Set the secur e random n umber gene rator prov ider name.
395	*	405	*
396	* @param s ecureRando mProvider The new s ecure rand om number generator	406	* @param s ecureRando mProvider
397	* provider n ame	407	* The new se cure rando m number g enerator provider n ame
398	*/	408	*/
399	public void setS ecureRando mProvider( String sec ureRandomP rovider) {	409	public void setS ecureRando mProvider( String sec ureRandomP rovider) {
400	th is.secureR andomProvi der = secu reRandomPr ovider;	410	th is.secureR andomProvi der = secu reRandomPr ovider;
401	}	411	}
402		412
403
404
405	// --- ---------- ---------- ---------- ---------- ---------- ---- Publi c Methods	413	// --- ---------- ---------- ---------- ---------- ---------- ---- Publi c Methods
406		414
407
408	/**	415	/**
409	* Enf orce the s ecurity re strictions in the we b applicat ion deploy ment	416	* Enf orce the s ecurity re strictions in the we b applicat ion deploy ment
410	* des criptor of our assoc iated Cont ext.	417	* des criptor of our assoc iated Cont ext.
411	*	418	*
412	* @param r equest Request t o be proce ssed	419	* @param r equest
413	* @param res ponse Response t o be proce ssed	420	* Re quest to b e processe d
		421	* @pa ram respon se
		422	* Response t o be proce ssed
414	*	423	*
415	* @excepti on IOExcep tion if an inp ut/output error occu rs	424	* @excepti on IOExcep tion
416	* @exception ServletEx ception if thrown by a proce ssing elem ent	425	* if an in put/output error occ urs
		426	* @ex ception Se rvletExcep tion
		427	* if thrown by a proce ssing elem ent
417	*/	428	*/
418	@Overr ide	429	@Overr ide
419	public voi d invoke(R equest req uest, Resp onse respo nse)	430	public voi d invoke(R equest req uest, Resp onse respo nse) throws IO Exception, ServletEx ception {
420	th rows IOExc eption, Se rvletExcep tion {
421		431
422	if (log.isDe bugEnabled ()) {	432	if (log.isDe bugEnabled ()) {
423	log.debug( "Security checking r equest " +	433	log.debug( "Security checking r equest " + request.g etMethod() + " " +
424	request.ge t Method() + " " + req uest.get RequestURI ());	434	request.ge t RequestURI ());
425	}	435	}
426		436
427	// Have we g ot a cache d authenti cated Prin cipal to r ecord?	437	// Have we g ot a cache d authenti cated Prin cipal to r ecord?
428	if (cache) {	438	if (cache) {
429	Principa l principa l = reques t.getUserP rincipal() ;	439	Principa l principa l = reques t.getUserP rincipal() ;
430	if (prin cipal == n ull) {	440	if (prin cipal == n ull) {
431	Sess ion sessio n = reques t.getSessi onInternal (false);	441	Sess ion sessio n = reques t.getSessi onInternal (false);
432	if ( session != null) {	442	if ( session != null) {
433	principal = session. getPrincip al();	443	principal = session. getPrincip al();
434	if (princi pal != nul l) {	444	if (princi pal != nul l) {
435	if (lo g.isDebugE nabled()) {	445	if (lo g.isDebugE nabled()) {
436	log.debug( "We have c ached auth type " +	446	log.debug( "We have c ached auth type " + session.g etAuthType () +
437	session. getAuthTyp e() +	447	" for prin cipal " + principal );
438	" for prin cipal " +
439	session. getPrincip al());
440	}	448	}
441	reques t.setAuthT ype(sessio n.getAuthT ype());	449	reques t.setAuthT ype(sessio n.getAuthT ype());
442	reques t.setUserP rincipal(p rincipal);	450	reques t.setUserP rincipal(p rincipal);
443	}	451	}
444	}	452	}
445	}	453	}
446	}	454	}
447		455
448	// Special h andling fo r form-bas ed logins to deal wi th the cas e	456	bo olean auth Required = isContinu ationRequi red(reques t);
449	// where the login for m (and the refore the "j_securi ty_check" URI
450	// to which it submits ) might be outside t he secured area
451	St ring conte xtPath = t his.contex t.getPath( );
452	St ring decod edRequestU RI = reque st.getDeco dedRequest URI();
453	if (decodedR equestURI. startsWith (contextPa th) &&
454	deco dedRequest URI.endsWi th(Constan ts.FORM_AC TION)) {
455	if (!aut henticate( request, r esponse)) {
456	if ( log.isDebu gEnabled() ) {
457	log.debug( " Failed a uthenticat e() test ? ?" + decod edRequestU RI );
458	}
459	retu rn;
460	}
461	}
462
463	// Special h andling fo r form-bas ed logins to deal wi th the cas e where
464	// a resourc e is prote cted for s ome HTTP m ethods but not prote cted for
465	// GET which is used a fter authe ntication when redir ecting to the
466	// protected resource.
467	// TODO: Thi s is simil ar to the FormAuthen ticator.ma tchRequest () logic
468	// Is there a wa y to remov e the dupl ication?
469	Se ssion sess ion = requ est.getSes sionIntern al(false);
470	if (session != null) {
471	SavedReq uest saved Request =
472	(SavedRequ est) sessi on.getNote (Constants .FORM_REQU EST_NOTE);
473	if (save dRequest ! = null &&
474	decodedReq uestURI.eq uals(saved Request.ge tDecodedRe questURI() ) &&
475	!authentic ate(reques t, respons e)) {
476	if ( log.isDebu gEnabled() ) {
477	log.debug( " Failed a uthenticat e() test") ;
478	}
479	/*
480	* A SSERT: Aut henticator already s et the app ropriate
481	* H TTP status code, so we do not have to do anything
482	* s pecial
483	*/
484	retu rn;
485	}
486	}
487		457
488	// The Servl et may spe cify secur ity constr aints thro ugh annota tions.	458	// The Servl et may spe cify secur ity constr aints thro ugh annota tions.
489	// Ensure th at they ha ve been pr ocessed be fore const raints are checked	459	// Ensure th at they ha ve been pr ocessed be fore const raints are checked
490	Wrapper wr apper = re quest.get MappingDat a().w rapper ;	460	Wrapper wr apper = re quest.get W rapper () ;
491	if (wrapper != null) {	461	if (wrapper != null) {
492	wrapper. servletSec urityAnnot ationScan( );	462	wrapper. servletSec urityAnnot ationScan( );
493	}	463	}
494		464
495	Re alm realm = this.con text.getRe alm();	465	Re alm realm = this.con text.getRe alm();
496	// Is this r equest URI subject t o a securi ty constra int?	466	// Is this r equest URI subject t o a securi ty constra int?
497	SecurityCo nstraint [] constra ints	467	SecurityCo nstraint [] constra ints = realm.f indSecurit yConstrain ts(request , this.con text);
498	= realm. findSecuri tyConstrai nts(reques t, this.co ntext);	468
		469	Au thConfigPr ovider jas picProvide r = getJas picProvide r();
		470	if (jaspicPr ovider != null) {
		471	authRequ ired = tru e;
		472	}
499		473
500	if (constr aints == n ull && !co ntext.getP reemptiveA uthenticat ion() ) {	474	if (constr aints == n ull && !co ntext.getP reemptiveA uthenticat ion() && !authR equired ) {
501	if (log. isDebugEna bled()) {	475	if (log. isDebugEna bled()) {
502	log. debug(" No t subject to any con straint");	476	log. debug(" No t subject to any con straint");
503	}	477	}
504	getNext( ).invoke(r equest, re sponse);	478	getNext( ).invoke(r equest, re sponse);
505	return;	479	return;
506	}	480	}
507		481
508	// Make sure that cons trained re sources ar e not cach ed by web proxies	482	// Make sure that cons trained re sources ar e not cach ed by web proxies
509	// or browse rs as cach ing can pr ovide a se curity hol e	483	// or browse rs as cach ing can pr ovide a se curity hol e
510	if (constrai nts != nul l && disab leProxyCac hing &&	484	if (constrai nts != nul l && disab leProxyCac hing &&
511	!"POST". equalsIgno reCase(req uest.getMe thod())) {	485	!"PO ST".equals IgnoreCase (request.g etMethod() )) {
512	if (secu rePagesWit hPragma) {	486	if (secu rePagesWit hPragma) {
513	// N ote: These can cause problems with downl oading fil es with IE	487	// N ote: These can cause problems with downl oading fil es with IE
514	resp onse.setHe ader("Prag ma", "No-c ache");	488	resp onse.setHe ader("Prag ma", "No-c ache");
515	resp onse.setHe ader("Cach e-Control" , "no-cach e");	489	resp onse.setHe ader("Cach e-Control" , "no-cach e");
516	} else {	490	} else {
517	resp onse.setHe ader("Cach e-Control" , "private ");	491	resp onse.setHe ader("Cach e-Control" , "private ");
518	}	492	}
519	response .setHeader ("Expires" , DATE_ONE );	493	response .setHeader ("Expires" , DATE_ONE );
520	}	494	}
521		495
522	in t i;
523	if (constrai nts != nul l) {	496	if (constrai nts != nul l) {
524	// Enfor ce any use r data con straint fo r this sec urity cons traint	497	// Enfor ce any use r data con straint fo r this sec urity cons traint
525	if (log. isDebugEna bled()) {	498	if (log. isDebugEna bled()) {
526	log. debug(" Ca lling hasU serDataPer mission()" );	499	log. debug(" Ca lling hasU serDataPer mission()" );
527	}	500	}
528	if (!realm .hasUserDa taPermissi on(request , response ,	501	if (!realm .hasUserDa taPermissi on(request , response , constrain ts)) {
529	const raints)) {
530	if ( log.isDebu gEnabled() ) {	502	if ( log.isDebu gEnabled() ) {
531	log.debug( " Failed h asUserData Permission () test");	503	log.debug( " Failed h asUserData Permission () test");
532	}	504	}
533	/*	505	/*
534	* ASSERT: Authentica tor alread y set the appropriat e	506	* ASSERT: Authentica tor alread y set the appropriat e HTTP stat us
535	* HTTP statu s code, so w e do not h ave to do anything s pecial	507	* code, so w e do not h ave to do anything s pecial
536	*/	508	*/
537	retu rn;	509	retu rn;
538	}	510	}
539	}	511	}
540		512
541	// Since aut henticate modifies t he respons e on failu re,	513	// Since aut henticate modifies t he respons e on failu re,
542	// we have t o check fo r allow-fr om-all fir st.	514	// we have t o check fo r allow-fr om-all fir st.
543	boolean a uth Requi r e d ;	515	boolean h a sA uth Const r aint = fal s e ;
544	if (constr aints = = null) {	516	if (constr aints ! = null) {
545	authRequ ired = fal se;	517	h a sA uth Const r aint = true;
546	} else {	518	for (i nt i = 0; i < con straints.l ength && h a sA uth Const r aint ; i++) {
547	a uth Requi r ed = true;	519	if (!constrai nts[i].get AuthConstr aint()) {
548	for (i = 0; i < con straints.l ength && a uth Requi r ed ; i++) {	520	h a sA uth Const r aint = false;
549	if (!constrai nts[i].get AuthConstr aint()) {	521	} else if (!constrai nts[i].get AllRoles() &&
550	a uth Requi r ed = false;
551	break;
552	} else if (!constrai nts[i].get AllRoles() &&
553	!const raints[i]. getAuthent icatedUser s()) {	522	!const raints[i]. getAuthent icatedUser s()) {
554	String [] roles = constrain ts[i].find AuthRoles( );	523	String [] roles = constrain ts[i].find AuthRoles( );
555	if (roles == null \|\| ro les.length == 0) {	524	if (roles == null \|\| ro les.length == 0) {
556	a uth Requi r ed = false;	525	h a sA uth Const r aint = false;
557	break;	526	}
558	}	527	}
559	}	528	}
560	}	529	}
		530
		531	if (!authReq uired && h asAuthCons traint) {
		532	authRequ ired = tru e;
561	}	533	}
562		534
563	if (!authReq uired && c ontext.get Preemptive Authentica tion()) {	535	if (!authReq uired && c ontext.get Preemptive Authentica tion()) {
564	authRequ ired =	536	authRequ ired =
565	request.ge tCoyoteReq uest().get MimeHeader s().getVal ue(	537	request.ge tCoyoteReq uest().get MimeHeader s().getVal ue( "authoriza tion") != null;
566	"autho rization") != null;
567	}	538	}
568		539
569	if (!authR equired && context.g etPreempti veAuthenti cation() &&	540	if (!authR equired && context.g etPreempti veAuthenti cation()
570	HttpServle tRequest.C LIENT_CERT _AUTH.equa ls(getAuth Method())) {	541	&& HttpServle tRequest.C LIENT_CERT _AUTH.equa ls(getAuth Method())) {
571	X509Cert ificate[] certs = ge tRequestCe rtificates (request);	542	X509Cert ificate[] certs = ge tRequestCe rtificates (request);
572	authRequ ired = cer ts != null && certs. length > 0 ;	543	authRequ ired = cer ts != null && certs. length > 0 ;
573	}	544	}
574		545
575	if (authRequi red) {	546	Ja spicState jaspicStat e = null;
		547
		548	if (authRequi red) {
576	if (log. isDebugEna bled()) {	549	if (log. isDebugEna bled()) {
577	log. debug(" Ca lling auth enticate() ");	550	log. debug(" Ca lling auth enticate() ");
578	}	551	}
579	if ( !authentic ate (request, response )) {	552
		553	if (jasp icProvider != null) {
		554	jasp icState = getJaspicS tate(jaspi cProvider, request, response, hasAuthCon straint);
		555	if ( jaspicStat e == null) {
		556	return;
		557	}
		558	}
		559
		560	if (jasp icProvider == null & & !doAuthe nticate(re quest, res ponse) \|\|
		561	jaspicProv ider != nu ll &&
		562	!authentic ate Jaspic (request, response , jaspicSt ate, false )) {
580	if ( log.isDebu gEnabled() ) {	563	if ( log.isDebu gEnabled() ) {
581	log.debug( " Failed a uthenticat e() test") ;	564	log.debug( " Failed a uthenticat e() test") ;
582	}	565	}
583	/*	566	/*
584	* ASSERT: Authentica tor alread y set the appropriat e	567	* ASSERT: Authentica tor alread y set the appropriat e HTTP stat us
585	* HTTP statu s code, so w e do not h ave to do anything	568	* code, so w e do not h ave to do anything special
586	* s pecial
587	*/	569	*/
588	retu rn;	570	retu rn;
589	}	571	}
590		572
591	}	573	}
592		574
593	if (constrai nts != nul l) {	575	if (constrai nts != nul l) {
594	if (log. isDebugEna bled()) {	576	if (log. isDebugEna bled()) {
595	log. debug(" Ca lling acce ssControl( )");	577	log. debug(" Ca lling acce ssControl( )");
596	}	578	}
597	if (!realm .hasResour cePermissi on(request , response ,	579	if (!realm .hasResour cePermissi on(request , response , constrain ts, this.c ontext)) {
598	const raints,
599	this. context)) {
600	if ( log.isDebu gEnabled() ) {	580	if ( log.isDebu gEnabled() ) {
601	log.debug( " Failed a ccessContr ol() test" );	581	log.debug( " Failed a ccessContr ol() test" );
602	}	582	}
603	/*	583	/*
604	* ASSERT: AccessCont rol method has alrea dy set the	584	* ASSERT: AccessCont rol method has alrea dy set the appropria te
605	* appropriat e HTTP statu s code, so we do not have to d o	585	* HTTP statu s code, so we do not have to d o anything special
606	* a nything sp ecial
607	*/	586	*/
608	retu rn;	587	retu rn;
609	}	588	}
610	}	589	}
611		590
612	// Any and a ll specifi ed constra ints have been satis fied	591	// Any and a ll specifi ed constra ints have been satis fied
613	if (log.isDe bugEnabled ()) {	592	if (log.isDe bugEnabled ()) {
614	log.debu g(" Succes sfully pas sed all se curity con straints") ;	593	log.debu g(" Succes sfully pas sed all se curity con straints") ;
615	}	594	}
616	ge tNext().in voke(reque st, respon se);	595	ge tNext().in voke(reque st, respon se);
617		596
		597	if (jaspicPr ovider != null) {
		598	secureRe sponseJspi c(request, response, jaspicSta te);
		599	}
		600	}
		601
		602
		603	@Overr ide
		604	public boolean a uthenticat e(Request request, H ttpServlet Response h ttpRespons e)
		605	throws I OException {
		606
		607	Au thConfigPr ovider jas picProvide r = getJas picProvide r();
		608
		609	if (jaspicPr ovider == null) {
		610	return d oAuthentic ate(reques t, httpRes ponse);
		611	} else {
		612	Response response = request. getRespons e();
		613	JaspicSt ate jaspic State = ge tJaspicSta te(jaspicP rovider, r equest, re sponse, tr ue);
		614	if (jasp icState == null) {
		615	retu rn false;
		616	}
		617
		618	boolean result = a uthenticat eJaspic(re quest, res ponse, jas picState, true);
		619
		620	secureRe sponseJspi c(request, response, jaspicSta te);
		621
		622	return r esult;
		623	}
		624	}
		625
		626
		627	privat e void sec ureRespons eJspic(Req uest reque st, Respon se respons e, JaspicS tate state ) {
		628	tr y {
		629	state.se rverAuthCo ntext.secu reResponse (state.mes sageInfo, null);
		630	request. setRequest ((HttpServ letRequest ) state.me ssageInfo. getRequest Message()) ;
		631	response .setRespon se((HttpSe rvletRespo nse) state .messageIn fo.getResp onseMessag e());
		632	} catch (Aut hException e) {
		633	log.warn (sm.getStr ing("authe nticator.j aspicSecur eResponseF ail"), e);
		634	}
		635	}
		636
		637
		638	privat e JaspicSt ate getJas picState(A uthConfigP rovider ja spicProvid er, Reques t request,
		639	Response response, boolean a uthMandato ry) throws IOExcepti on {
		640	Ja spicState jaspicStat e = new Ja spicState( );
		641
		642	ja spicState. messageInf o =
		643	new MessageInf oImpl(requ est.getReq uest(), re sponse.get Response() , authMand atory);
		644
		645	tr y {
		646	ServerAu thConfig s erverAuthC onfig = ja spicProvid er.getServ erAuthConf ig(
		647	"HttpServl et", jaspi cAppContex tID, Callb ackHandler Impl.getIn stance());
		648	String a uthContext ID = serve rAuthConfi g.getAuthC ontextID(j aspicState .messageIn fo);
		649	jaspicSt ate.server AuthContex t = server AuthConfig .getAuthCo ntext(auth ContextID, null, nul l);
		650	} catch (Aut hException e) {
		651	log.warn (sm.getStr ing("authe nticator.j aspicServe rAuthConte xtFail"), e);
		652	response .sendError (HttpServl etResponse .SC_INTERN AL_SERVER_ ERROR);
		653	return n ull;
		654	}
		655
		656	re turn jaspi cState;
618	}	657	}
619		658
620		659
621	// --- ---------- ---------- ---------- ---------- ---------- - Protecte d Methods	660	// --- ---------- ---------- ---------- ---------- ---------- - Protecte d Methods
622		661
623	/**	662	/**
		663	* Pro vided for sub-classe s to imple ment their specific authentica tion
		664	* mec hanism.
		665	*
		666	* @pa ram reques t The requ est that t riggered t he authent ication
		667	* @pa ram respon se The res ponse asso ciated wit h the requ est
		668	*
		669	* @re turn {@cod e true} if the the u ser was au thenticate d, otherwi se {@code
		670	* false }, in whic h case an authentica tion chall enge will have been
		671	* writt en to the response
		672	*
		673	* @th rows IOExc eption If an I/O pro blem occur red during the authe ntication
		674	* pro cess
		675	*/
		676	protec ted abstra ct boolean doAuthent icate(Requ est reques t, HttpSer vletRespon se respons e)
		677	throws I OException ;
		678
		679
		680	/**
		681	* Doe s this aut henticator require t hat {@link #authenti cate(Reque st,
		682	* Htt pServletRe sponse)} i s called t o continue an authen tication p rocess
		683	* tha t started in a previ ous reques t?
		684	*
		685	* @pa ram reques t The requ est curren tly being processed
		686	*
		687	* @re turn {@cod e true} if authentic ate() must be called , otherwis e
		688	* {@cod e false}
		689	*/
		690	protec ted boolea n isContin uationRequ ired(Reque st request ) {
		691	re turn false ;
		692	}
		693
		694
		695	/**
624	* Loo k for the X509 certi ficate cha in in the Request un der the ke y	696	* Loo k for the X509 certi ficate cha in in the Request un der the ke y
625	* <co de>javax.s ervlet.req uest.X509C ertificate </code>. I f not foun d, trigger	697	* <co de>javax.s ervlet.req uest.X509C ertificate </code>. I f not foun d, trigger
626	* ext racting th e certific ate chain from the C oyote requ est.	698	* ext racting th e certific ate chain from the C oyote requ est.
627	*	699	*
628	* @param r equest Request to be proces sed	700	* @param r equest
		701	* Re quest to b e processe d
629	*	702	*
630	* @return The X509 c ertificate chain if found, <co de>null</c ode>	703	* @return The X509 c ertificate chain if found, <co de>null</c ode> otherwise .
631	* otherw ise.
632	*/	704	*/
633	protec ted X509Ce rtificate[ ] getReque stCertific ates(final Request r equest)	705	protec ted X509Ce rtificate[ ] getReque stCertific ates(final Request r equest)
634	throws I llegalStat eException {	706	throws I llegalStat eException {
635		707
636	X5 09Certific ate certs[ ] =	708	X5 09Certific ate certs[ ] =
637	(X50 9Certifica te[]) requ est.getAtt ribute(Glo bals.CERTI FICATES_AT TR);	709	(X50 9Certifica te[]) requ est.getAtt ribute(Glo bals.CERTI FICATES_AT TR);
638		710
639	if ((certs = = null) \|\| (certs.le ngth < 1)) {	711	if ((certs = = null) \|\| (certs.le ngth < 1)) {
640	try {	712	try {
641	requ est.getCoy oteRequest ().action( ActionCode .REQ_SSL_C ERTIFICATE , null);	713	requ est.getCoy oteRequest ().action( ActionCode .REQ_SSL_C ERTIFICATE , null);
642	cert s = (X509C ertificate []) reques t.getAttri bute(Globa ls.CERTIFI CATES_ATTR );	714	cert s = (X509C ertificate []) reques t.getAttri bute(Globa ls.CERTIFI CATES_ATTR );
643	} catch (IllegalSt ateExcepti on ise) {	715	} catch (IllegalSt ateExcepti on ise) {
644	// R equest bod y was too large for save buffe r	716	// R equest bod y was too large for save buffe r
645	// R eturn null which wil l trigger an auth fa ilure	717	// R eturn null which wil l trigger an auth fa ilure
646	}	718	}
647	}	719	}
648		720
649	re turn certs ;	721	re turn certs ;
650	}	722	}
651		723
652
653	/**	724	/**
654	* Associat e the spec ified sing le sign on identifie r with the	725	* Associat e the spec ified sing le sign on identifie r with the specified
655	* specified Session.	726	* Session.
656	*	727	*
657	* @param s soId Single si gn on iden tifier	728	* @param s soId
658	* @param ses sion Session to be associ ated	729	* Si ngle sign on identif ier
		730	* @pa ram sessio n
		731	* Session to be associ ated
659	*/	732	*/
660	protec ted void a ssociate(S tring ssoI d, Session session) {	733	protec ted void a ssociate(S tring ssoI d, Session session) {
661		734
662	if (sso == n ull) {	735	if (sso == n ull) {
663	return;	736	return;
664	}	737	}
665	ss o.associat e(ssoId, s ession);	738	ss o.associat e(ssoId, s ession);
666		739
667	}	740	}
668		741
669		742
670	/**	743	privat e boolean authentica teJaspic(R equest req uest, Resp onse respo nse, Jaspi cState sta te,
671	* Aut henticate the user m aking this request, based on t he login	744	boolean requirePri ncipal) {
672	* con figuration of the {@ link Conte xt} with w hich this Authentica tor is	745
673	* ass ociated. Return <co de>true</c ode> if an y specifie d constrai nt has	746	bo olean cach edAuth = c heckForCac hedAuthent ication(re quest, res ponse, fal se);
674	* bee n satisfie d, or <cod e>false</c ode> if we have crea ted a resp onse	747	Su bject clie nt = new S ubject();
675	* cha llenge alr eady.	748	Au thStatus a uthStatus;
676	*	749	tr y {
677	* @pa ram reques t Request we are pro cessing	750	authStat us = state .serverAut hContext.v alidateReq uest(state .messageIn fo, client , null);
678	* @pa ram respon se Respons e we are p opulating	751	} catch (Aut hException e) {
679	*	752	log.debu g(sm.getSt ring("auth enticator. loginFail" ), e);
680	* @ex ception IO Exception if an inpu t/output e rror occur s	753	return f alse;
681	*/	754	}
682	@Overr ide	755
683	public abstract boolean au thenticate (Request r equest,	756	re quest.setR equest((Ht tpServletR equest) st ate.messag eInfo.getR equestMess age());
684	HttpServ letRespons e response ) throws I OException ;	757	re sponse.set Response(( HttpServle tResponse) state.mes sageInfo.g etResponse Message()) ;
		758
		759	if (authStat us == Auth Status.SUC CESS) {
		760	GenericP rincipal p rincipal = getPrinci pal(client );
		761	if (log. isDebugEna bled()) {
		762	log. debug("Aut henticated user: " + principal );
		763	}
		764	if (prin cipal == n ull) {
		765	requ est.setUse rPrincipal (null);
		766	requ est.setAut hType(null );
		767	if ( requirePri ncipal) {
		768	return fal se;
		769	}
		770	} else i f (cachedA uth == fal se \|\|
		771	!principal .getUserPr incipal(). equals(req uest.getUs erPrincipa l())) {
		772	// S kip regist ration if authentica tion crede ntials wer e
		773	// c ached and the Princi pal did no t change.
		774	requ est.setNot e(Constant s.REQ_JASP IC_SUBJECT _NOTE, cli ent);
		775	@Sup pressWarni ngs("rawty pes")// JA SPIC API u ses raw ty pes
		776	Map map = stat e.messageI nfo.getMap ();
		777	if ( map != nul l && map.c ontainsKey ("javax.se rvlet.http .registerS ession")) {
		778	register(r equest, re sponse, pr incipal, " JASPIC", n ull, null, true, tru e);
		779	} el se {
		780	register(r equest, re sponse, pr incipal, " JASPIC", n ull, null) ;
		781	}
		782	}
		783	return t rue;
		784	}
		785	re turn false ;
		786	}
		787
		788
		789	privat e GenericP rincipal g etPrincipa l(Subject subject) {
		790	if (subject == null) {
		791	return n ull;
		792	}
		793
		794	Se t<GenericP rincipal> principals = subject .getPrivat eCredentia ls(Generic Principal. class);
		795	if (principa ls.isEmpty ()) {
		796	return n ull;
		797	}
		798
		799	re turn princ ipals.iter ator().nex t();
		800	}
685		801
686		802
687	/**	803	/**
688	* Che ck to see if the use r has alre ady been a uthenticat ed earlier in the	804	* Che ck to see if the use r has alre ady been a uthenticat ed earlier in the
689	* pro cessing ch ain or if there is e nough info rmation av ailable to	805	* pro cessing ch ain or if there is e nough info rmation av ailable to
690	* aut henticate the user w ithout req uiring fur ther user interactio n.	806	* aut henticate the user w ithout req uiring fur ther user interactio n.
691	*	807	*
692	* @param r equest The curre nt request	808	* @param r equest
693	* @param res ponse The curren t re spons e	809	* The curren t re qu e st
694	* @param use SSO Should inf ormation a vailable f rom SSO be used to a ttempt	810	* @pa ram respon se
695	* to authentica te the cur rent user?	811	* Th e current response
		812	* @pa ram useSSO
		813	* Should inf ormation a vailable f rom SSO be used to a ttempt to
		814	* authentica te the cur rent user?
696	*	815	*
697	* @re turn <code >true</cod e> if the user was a uthenticat ed via the cache,	816	* @re turn <code >true</cod e> if the user was a uthenticat ed via the cache,
698	* other wise <code >false</co de>	817	* other wise <code >false</co de>
699	*/	818	*/
700	protected boolean ch eckForCach edAuthenti cation(Req uest reque st,	819	protected boolean ch eckForCach edAuthenti cation(Req uest reque st, HttpServl etResponse response, boolean u seSSO) {
701	HttpServ letRespons e response , boolean useSSO) {
702		820
703	// Has the u ser alread y been aut henticated ?	821	// Has the u ser alread y been aut henticated ?
704	Pr incipal pr incipal = request.ge tUserPrinc ipal();	822	Pr incipal pr incipal = request.ge tUserPrinc ipal();
705	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);	823	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);
706	if (principa l != null) {	824	if (principa l != null) {
707	if (log. isDebugEna bled()) {	825	if (log. isDebugEna bled()) {
708	log. debug(sm.g etString(" authentica tor.check. found", pr incipal.ge tName()));	826	log. debug(sm.g etString(" authentica tor.check. found", pr incipal.ge tName()));
709	}	827	}
710	// Assoc iate the s ession wit h any exis ting SSO s ession. Ev en if	828	// Assoc iate the s ession wit h any exis ting SSO s ession. Ev en if
711	// useSS O is false , this wil l ensure c oordinated session	829	// useSS O is false , this wil l ensure c oordinated session
712	// inval idation at log out.	830	// inval idation at log out.
713	if (ssoI d != null) {	831	if (ssoI d != null) {
714	asso ciate(ssoI d, request .getSessio nInternal( true));	832	asso ciate(ssoI d, request .getSessio nInternal( true));
715	}	833	}
716	return t rue;	834	return t rue;
717	}	835	}
718		836
719	// Is there an SSO ses sion again st which w e can try to reauthe nticate?	837	// Is there an SSO ses sion again st which w e can try to reauthe nticate?
720	if (useSSO & & ssoId != null) {	838	if (useSSO & & ssoId != null) {
721	if (log. isDebugEna bled()) {	839	if (log. isDebugEna bled()) {
722	log. debug(sm.g etString(" authentica tor.check. sso", ssoI d));	840	log. debug(sm.g etString(" authentica tor.check. sso", ssoI d));
723	}	841	}
724	/ * Try to r eauthentic ate using data cache d by SSO. If this fa ils,	842	/*
725	either the original SSO logon was of DIG EST or SSL (which	843	* Try to r eauthentic ate using data cache d by SSO. If this fa ils,
726	we can't rea uthenticat e ourselve s because there is n o	844	* either the original SSO logon was of DIG EST or SSL (which we
727	cached username and passwo rd), or th e realm de nied	845	* can't rea uthenticat e ourselve s because there is n o cached
728	the user's reauthent ication fo r some rea son.	846	* username and passwo rd), or th e realm de nied the user' s
729	In either case we ha ve to prompt th e user for a logon */	847	* reauthent ication fo r some rea son. In either case we h ave to
		848	* prompt th e user for a logon
		849	*/
730	if (reau thenticate FromSSO(ss oId, reque st)) {	850	if (reau thenticate FromSSO(ss oId, reque st)) {
731	retu rn true;	851	retu rn true;
732	}	852	}
733	}	853	}
734		854
735	// Has the C onnector p rovided a pre-authen ticated Pr incipal th at now	855	// Has the C onnector p rovided a pre-authen ticated Pr incipal th at now
736	// needs to be authori zed?	856	// needs to be authori zed?
737	if (request. getCoyoteR equest().g etRemoteUs erNeedsAut horization ()) {	857	if (request. getCoyoteR equest().g etRemoteUs erNeedsAut horization ()) {
738	String u sername = request.ge tCoyoteReq uest().get RemoteUser ().toStrin g();	858	String u sername = request.ge tCoyoteReq uest().get RemoteUser ().toStrin g();
739	if (user name != nu ll) {	859	if (user name != nu ll) {
740	if ( log.isDebu gEnabled() ) {	860	if ( log.isDebu gEnabled() ) {
741	log.debug( sm.getStri ng("authen ticator.ch eck.author ize", user name));	861	log.debug( sm.getStri ng("authen ticator.ch eck.author ize", user name));
742	}	862	}
743	Prin cipal auth orized = c ontext.get Realm().au thenticate (username) ;	863	Prin cipal auth orized = c ontext.get Realm().au thenticate (username) ;
744	if ( authorized == null) {	864	if ( authorized == null) {
745	// Realm d oesn't rec ognise use r. Create a user wit h no roles	865	// Realm d oesn't rec ognise use r. Create a user wit h no roles
746	// from th e authenti cated user name	866	// from th e authenti cated user name
747	if (log.is DebugEnabl ed()) {	867	if (log.is DebugEnabl ed()) {
748	log.de bug(sm.get String("au thenticato r.check.au thorizeFai l", userna me));	868	log.de bug(sm.get String("au thenticato r.check.au thorizeFai l", userna me));
749	}	869	}
750	authorized = new Gen ericPrinci pal(userna me, null, null);	870	authorized = new Gen ericPrinci pal(userna me, null, null);
751	}	871	}
752	Stri ng authTyp e = reques t.getAuthT ype();	872	Stri ng authTyp e = reques t.getAuthT ype();
753	if ( authType = = null \|\| authType.l ength() == 0) {	873	if ( authType = = null \|\| authType.l ength() == 0) {
754	authType = getAuthMe thod();	874	authType = getAuthMe thod();
755	}	875	}
756	regi ster(reque st, respon se, author ized, auth Type, user name, null );	876	regi ster(reque st, respon se, author ized, auth Type, user name, null );
757	retu rn true;	877	retu rn true;
758	}	878	}
759	}	879	}
760	re turn false ;	880	re turn false ;
761	}	881	}
762		882
763
764	/**	883	/**
765	* Attempts reauthent ication to the <code >Realm</co de> using	884	* Attempts reauthent ication to the <code >Realm</co de> using the crede ntials
766	* the creden tials included i n argument <code>ent ry</code>.	885	* included i n argument <code>ent ry</code>.
767	*	886	*
768	* @param sso Id identifier of Single SignOn ses sion with which the	887	* @pa ram ssoId
769	* caller is associated	888	* identifier of Single SignOn ses sion with which the caller is
770	* @param req uest the reques t that nee ds to be a uthenticat ed	889	* associated
		890	* @pa ram reques t
		891	* the reques t that nee ds to be a uthenticat ed
		892	* @re turn <code >true</cod e> if the reauthenti cation fro m SSL occu rred
771	*/	893	*/
772	protec ted boolea n reauthen ticateFrom SSO(String ssoId, Re quest requ est) {	894	protec ted boolea n reauthen ticateFrom SSO(String ssoId, Re quest requ est) {
773		895
774	if (sso == n ull \|\| sso Id == null ) {	896	if (sso == n ull \|\| sso Id == null ) {
775	return f alse;	897	return f alse;
776	}	898	}
777		899
778	bo olean reau thenticate d = false;	900	bo olean reau thenticate d = false;
779		901
780	Co ntainer pa rent = get Container( );	902	Co ntainer pa rent = get Container( );
781	if (parent ! = null) {	903	if (parent ! = null) {
782	Realm re alm = pare nt.getReal m();	904	Realm re alm = pare nt.getReal m();
783	if (real m != null) {	905	if (real m != null) {
784	reau thenticate d = sso.re authentica te(ssoId, realm, req uest);	906	reau thenticate d = sso.re authentica te(ssoId, realm, req uest);
785	}	907	}
786	}	908	}
787		909
788	if (reauthen ticated) {	910	if (reauthen ticated) {
789	associat e(ssoId, r equest.get SessionInt ernal(true ));	911	associat e(ssoId, r equest.get SessionInt ernal(true ));
790		912
791	if (log. isDebugEna bled()) {	913	if (log. isDebugEna bled()) {
792	log. debug(" Re authentica ted cached principal '" +	914	log. debug(" Re authentica ted cached principal '" +
793	requ est.getUse rPrincipal ().getName () +	915	reques t.getUserP rincipal() .getName() +
794	"' w ith auth t ype '" + request.ge tAuthType( ) + "'");	916	"' wit h auth typ e '" + req uest.getAu thType() + "'");
795	}	917	}
796	}	918	}
797		919
798	re turn reaut henticated ;	920	re turn reaut henticated ;
799	}	921	}
800		922
801
802	/**	923	/**
803	* Reg ister an a uthenticat ed Princip al and aut henticatio n type in our	924	* Reg ister an a uthenticat ed Princip al and aut henticatio n type in our
804	* req uest, in t he current session ( if there i s one), an d with our	925	* req uest, in t he current session ( if there i s one), an d with our
805	* SingleSi gnOn valve , if there is one. Set the ap propriate cookie	926	* SingleSi gnOn valve , if there is one. S et the app ropriate c ookie to be
806	* to be returned.	927	* returned.
807	*	928	*
808	* @param req uest The servle t request we are pro cessing	929	* @pa ram reques t
809	* @param res ponse The servle t response we are ge nerating	930	* The servle t request we are pro cessing
810	* @param pri ncipal The authen ticated Pr incipal to be regist ered	931	* @pa ram respon se
811	* @param aut hType The authen tication t ype to be registered	932	* The servle t response we are ge nerating
812	* @param use rname Username u sed to aut henticate (if any)	933	* @pa ram princi pal
813	* @param pas sword Password u sed to aut henticate (if any)	934	* The authen ticated Pr incipal to be regist ered
		935	* @pa ram authTy pe
		936	* The authen tication t ype to be registered
		937	* @pa ram userna me
		938	* Username u sed to aut henticate (if any)
		939	* @pa ram passwo rd
		940	* Password u sed to aut henticate (if any)
814	*/	941	*/
815	public voi d register (Request r equest, Ht tpServletR esponse re sponse,	942	public voi d register (Request r equest, Ht tpServletR esponse re sponse, Principal principal ,
816	Pr incipal pr incipal, S tring auth Type,	943	String a uthType, S tring user name, Stri ng passwor d) {
817	String username, String pas sword ) {	944	re gister(req uest, resp onse, prin cipal, aut hType, use rname, pas sword, alw aysUseSess ion, cache );
		945	}
		946
		947
		948	privat e void reg ister(Requ est reques t, HttpSer vletRespon se respons e, Princip al princip al,
		949	String authType, String username, String pas sword , boolean al waysUseSes sion,
		950	boolean cache) {
818		951
819	if (log.isDe bugEnabled ()) {	952	if (log.isDe bugEnabled ()) {
820	String n ame = (pri ncipal == null) ? "n one" : pri ncipal.get Name();	953	String n ame = (pri ncipal == null) ? "n one" : pri ncipal.get Name();
821	log.debug( "Authentic ated '" + name + "' with type '" + authT ype +	954	log.debug( "Authentic ated '" + name + "' with type '" + authT ype + "'");
822	"'");
823	}	955	}
824		956
825	// Cache the authentic ation info rmation in our reque st	957	// Cache the authentic ation info rmation in our reque st
826	re quest.setA uthType(au thType);	958	re quest.setA uthType(au thType);
827	re quest.setU serPrincip al(princip al);	959	re quest.setU serPrincip al(princip al);
828		960
829	Se ssion sess ion = requ est.getSes sionIntern al(false);	961	Se ssion sess ion = requ est.getSes sionIntern al(false);
830		962
831	if (session != null) {	963	if (session != null) {
832	// If th e principa l is null then this is a logou t. No need to change	964	// If th e principa l is null then this is a logou t. No need to change
833	// the s ession ID. See BZ 59 043.	965	// the s ession ID. See BZ 59 043.
834	if (chan geSessionI dOnAuthent ication && principal != null) {	966	if (chan geSessionI dOnAuthent ication && principal != null) {
835	Stri ng oldId = null;	967	Stri ng oldId = null;
836	if ( log.isDebu gEnabled() ) {	968	if ( log.isDebu gEnabled() ) {
837	oldId = se ssion.getI d();	969	oldId = se ssion.getI d();
838	}	970	}
839	Mana ger manage r = reques t.getConte xt().getMa nager();	971	Mana ger manage r = reques t.getConte xt().getMa nager();
840	mana ger.change SessionId( session);	972	mana ger.change SessionId( session);
841	requ est.change SessionId( session.ge tId());	973	requ est.change SessionId( session.ge tId());
842	if ( log.isDebu gEnabled() ) {	974	if ( log.isDebu gEnabled() ) {
843	log.debug( sm.getStri ng("authen ticator.ch angeSessio nId",	975	log.debug( sm.getStri ng("authen ticator.ch angeSessio nId",
844	ol dId, sessi on.getId() ));	976	ol dId, sessi on.getId() ));
845	}	977	}
846	}	978	}
847	} else if (a lwaysUseSe ssion) {	979	} else if (a lwaysUseSe ssion) {
848	session = request. getSession Internal(t rue);	980	session = request. getSession Internal(t rue);
849	}	981	}
850		982
851	// Cache the authentic ation info rmation in our sessi on, if any	983	// Cache the authentic ation info rmation in our sessi on, if any
852	if (cache) {	984	if (cache) {
853	if (sess ion != nul l) {	985	if (sess ion != nul l) {
854	sess ion.setAut hType(auth Type);	986	sess ion.setAut hType(auth Type);
855	sess ion.setPri ncipal(pri ncipal);	987	sess ion.setPri ncipal(pri ncipal);
856	if ( username ! = null) {	988	if ( username ! = null) {
857	session.se tNote(Cons tants.SESS _USERNAME_ NOTE, user name);	989	session.se tNote(Cons tants.SESS _USERNAME_ NOTE, user name);
858	} el se {	990	} el se {
859	session.re moveNote(C onstants.S ESS_USERNA ME_NOTE);	991	session.re moveNote(C onstants.S ESS_USERNA ME_NOTE);
860	}	992	}
861	if ( password ! = null) {	993	if ( password ! = null) {
862	session.se tNote(Cons tants.SESS _PASSWORD_ NOTE, pass word);	994	session.se tNote(Cons tants.SESS _PASSWORD_ NOTE, pass word);
863	} el se {	995	} el se {
864	session.re moveNote(C onstants.S ESS_PASSWO RD_NOTE);	996	session.re moveNote(C onstants.S ESS_PASSWO RD_NOTE);
865	}	997	}
866	}	998	}
867	}	999	}
868		1000
869	// Construct a cookie to be retu rned to th e client	1001	// Construct a cookie to be retu rned to th e client
870	if (sso == n ull) {	1002	if (sso == n ull) {
871	return;	1003	return;
872	}	1004	}
873		1005
874	// Only crea te a new S SO entry i f the SSO did not al ready set a note	1006	// Only crea te a new S SO entry i f the SSO did not al ready set a note
875	// for an ex isting ent ry (as it would do w ith subseq uent reque sts	1007	// for an ex isting ent ry (as it would do w ith subseq uent reque sts
876	// for DIGES T and SSL authentica ted contex ts)	1008	// for DIGES T and SSL authentica ted contex ts)
877	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);	1009	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);
878	if (ssoId == null) {	1010	if (ssoId == null) {
879	// Const ruct a coo kie to be returned t o the clie nt	1011	// Const ruct a coo kie to be returned t o the clie nt
880	ssoId = sessionIdG enerator.g enerateSes sionId();	1012	ssoId = sessionIdG enerator.g enerateSes sionId();
881	Cookie c ookie = ne w Cookie(C onstants.S INGLE_SIGN _ON_COOKIE , ssoId);	1013	Cookie c ookie = ne w Cookie(C onstants.S INGLE_SIGN _ON_COOKIE , ssoId);
882	cookie.s etMaxAge(- 1);	1014	cookie.s etMaxAge(- 1);
883	cookie.s etPath("/" );	1015	cookie.s etPath("/" );
884		1016
885	// Bugzi lla 41217	1017	// Bugzi lla 41217
886	cookie.s etSecure(r equest.isS ecure());	1018	cookie.s etSecure(r equest.isS ecure());
887		1019
888	// Bugzi lla 34724	1020	// Bugzi lla 34724
889	String s soDomain = sso.getCo okieDomain ();	1021	String s soDomain = sso.getCo okieDomain ();
890	if (ssoDomain != null) {	1022	if (ssoDomain != null) {
891	cook ie.setDoma in(ssoDoma in);	1023	cook ie.setDoma in(ssoDoma in);
892	}	1024	}
893		1025
894	// Configu re httpOnl y on SSO c ookie usin g same rul es as sess ion cookies	1026	// Configu re httpOnl y on SSO c ookie usin g same rul es as sess ion
895	if (reques t.getServl etContext( ).getSessi onCookieCo nfig().isH ttpOnly() \|\|	1027	// cooki es
896	request.ge tContext() .getUseHtt pOnly()) {	1028	if (reques t.getServl etContext( ).getSessi onCookieCo nfig().isH ttpOnly()
		1029	\|\| request.ge tContext() .getUseHtt pOnly()) {
897	cook ie.setHttp Only(true) ;	1030	cook ie.setHttp Only(true) ;
898	}	1031	}
899		1032
900	response .addCookie (cookie);	1033	response .addCookie (cookie);
901		1034
902	// Regis ter this p rincipal w ith our SS O valve	1035	// Regis ter this p rincipal w ith our SS O valve
903	sso.regi ster(ssoId , principa l, authTyp e, usernam e, passwor d);	1036	sso.regi ster(ssoId , principa l, authTyp e, usernam e, passwor d);
904	request. setNote(Co nstants.RE Q_SSOID_NO TE, ssoId) ;	1037	request. setNote(Co nstants.RE Q_SSOID_NO TE, ssoId) ;
905		1038
906	} else {	1039	} else {
907	if (prin cipal == n ull) {	1040	if (prin cipal == n ull) {
908	// R egistering a program matic logo ut	1041	// R egistering a program matic logo ut
909	sso. deregister (ssoId);	1042	sso. deregister (ssoId);
910	requ est.remove Note(Const ants.REQ_S SOID_NOTE) ;	1043	requ est.remove Note(Const ants.REQ_S SOID_NOTE) ;
911	retu rn;	1044	retu rn;
912	} else {	1045	} else {
913	// U pdate the SSO sessio n with the latest au thenticati on data	1046	// U pdate the SSO sessio n with the latest au thenticati on data
914	sso. update(sso Id, princi pal, authT ype, usern ame, passw ord);	1047	sso. update(sso Id, princi pal, authT ype, usern ame, passw ord);
915	}	1048	}
916	}	1049	}
917		1050
918	// Fix for B ug 10040	1051	// Fix for B ug 10040
919	// Always as sociate a session wi th a new S SO reqistr ation.	1052	// Always as sociate a session wi th a new S SO reqistr ation.
920	// SSO entri es are onl y removed from the S SO registr y map when	1053	// SSO entri es are onl y removed from the S SO registr y map when
921	// associate d sessions are destr oyed; if a new SSO e ntry is cr eated	1054	// associate d sessions are destr oyed; if a new SSO e ntry is cr eated
922	// above for this requ est and th e user nev er revisit s the cont ext, the	1055	// above for this requ est and th e user nev er revisit s the cont ext, the
923	// SSO entry will neve r be clear ed if we d on't assoc iate the s ession	1056	// SSO entry will neve r be clear ed if we d on't assoc iate the s ession
924	if (session == null) {	1057	if (session == null) {
925	session = request. getSession Internal(t rue);	1058	session = request. getSession Internal(t rue);
926	}	1059	}
927	ss o.associat e(ssoId, s ession);	1060	ss o.associat e(ssoId, s ession);
928		1061
929	}	1062	}
930		1063
931	@Overr ide	1064	@Overr ide
932	public voi d login(St ring usern ame, Strin g password , Request request)	1065	public voi d login(St ring usern ame, Strin g password , Request request) throws Se rvletExcep tion {
933	throws S ervletExce ption {
934	Pr incipal pr incipal = doLogin(re quest, use rname, pas sword);	1066	Pr incipal pr incipal = doLogin(re quest, use rname, pas sword);
935	register(r equest, re quest.getR esponse(), principal ,	1067	register(r equest, re quest.getR esponse(), principal , getAuthMe thod(), us ername, pa ssword);
936	getAuthMet hod(), use rname, pas sword);
937	}	1068	}
938		1069
939	protec ted abstra ct String getAuthMet hod();	1070	protec ted abstra ct String getAuthMet hod();
940		1071
941	/**	1072	/**
942	* Pro cess the l ogin reque st.	1073	* Pro cess the l ogin reque st.
943	*	1074	*
944	* @param r equest Associated request	1075	* @param r equest
945	* @param usern a me The u s e r	1076	* As sociated r equest
946	* @param pas sword The passwo rd	1077	* @pa ram userna me
		1078	* Th e user
		1079	* @param p a s swo r d
		1080	* The passwo rd
947	* @re turn The au thenticate d Principa l	1081	* @re turn The a uthenticat ed Princip al
948	* @th rows Servl etExceptio n	1082	* @th rows Servl etExceptio n
		1083	* N o principa l was auth enticated with the s pecified c redentials
949	*/	1084	*/
950	protected Principal doLogin(Re quest requ est, Strin g username ,	1085	protected Principal doLogin(Re quest requ est, Strin g username , String pa ssword)
951	String pas sword) throws Ser vletExcept ion {	1086	throws Ser vletExcept ion {
952	Pr incipal p = context. getRealm() .authentic ate(userna me, passwo rd);	1087	Pr incipal p = context. getRealm() .authentic ate(userna me, passwo rd);
953	if (p == nul l) {	1088	if (p == nul l) {
954	throw ne w ServletE xception(s m.getStrin g("authent icator.log inFail"));	1089	throw ne w ServletE xception(s m.getStrin g("authent icator.log inFail"));
955	}	1090	}
956	re turn p;	1091	re turn p;
957	}	1092	}
958		1093
959	@Overr ide	1094	@Overr ide
960	public void logo ut(Request request) {	1095	public void logo ut(Request request) {
		1096	Au thConfigPr ovider pro vider = ge tJaspicPro vider();
		1097	if (provider != null) {
		1098	MessageI nfo messag eInfo = ne w MessageI nfoImpl(re quest, req uest.getRe sponse(), true);
		1099	Subject client = ( Subject) r equest.get Note(Const ants.REQ_J ASPIC_SUBJ ECT_NOTE);
		1100	if (clie nt == null ) {
		1101	retu rn;
		1102	}
		1103
		1104	ServerAu thContext serverAuth Context;
		1105	try {
		1106	Serv erAuthConf ig serverA uthConfig = provider .getServer AuthConfig ("HttpServ let",
		1107	jaspic AppContext ID, Callba ckHandlerI mpl.getIns tance());
		1108	Stri ng authCon textID = s erverAuthC onfig.getA uthContext ID(message Info);
		1109	serv erAuthCont ext = serv erAuthConf ig.getAuth Context(au thContextI D, null, n ull);
		1110	serv erAuthCont ext.cleanS ubject(mes sageInfo, client);
		1111	} catch (AuthExcep tion e) {
		1112	log. debug(sm.g etString(" authentica tor.jaspic CleanSubje ctFail"), e);
		1113	}
		1114	}
		1115
961	Pr incipal p = request. getPrincip al();	1116	Pr incipal p = request. getPrincip al();
962	if (p instan ceof Tomca tPrincipal ) {	1117	if (p instan ceof Tomca tPrincipal ) {
963	try {	1118	try {
964	((To mcatPrinci pal) p).lo gout();	1119	((To mcatPrinci pal) p).lo gout();
965	} catch (Throwable t) {	1120	} catch (Throwable t) {
966	Exce ptionUtils .handleThr owable(t);	1121	Exce ptionUtils .handleThr owable(t);
967	log. debug(sm.g etString(" authentica tor.tomcat PrincipalL ogoutFail" ), t);	1122	log. debug(sm.g etString(" authentica tor.tomcat PrincipalL ogoutFail" ), t);
968	}	1123	}
969	}	1124	}
970		1125
971	re gister(req uest, requ est.getRes ponse(), n ull, null, null, nul l);	1126	re gister(req uest, requ est.getRes ponse(), n ull, null, null, nul l);
972	}	1127	}
973		1128
		1129
974	/**	1130	/**
975	* Start th is compone nt and imp lement the requireme nts	1131	* Start th is compone nt and imp lement the requireme nts of
976	* of {@link org .apache.ca talina.uti l.Lifecycl eBase#star tInternal( )}.	1132	* {@link org .apache.ca talina.uti l.Lifecycl eBase#star tInternal( )}.
977	*	1133	*
978	* @excepti on Lifecyc leExceptio n if this c omponent d etects a f atal error	1134	* @excepti on Lifecyc leExceptio n
979	* that preve nts this component from being used	1135	* if this component detects a fatal erro r that pre vents this
		1136	* component from being used
980	*/	1137	*/
981	@Overr ide	1138	@Overr ide
982	protec ted synchr onized voi d startInt ernal() th rows Lifec ycleExcept ion {	1139	protec ted synchr onized voi d startInt ernal() th rows Lifec ycleExcept ion {
		1140	Se rvletConte xt servlet Context = context.ge tServletCo ntext();
		1141	ja spicAppCon textID = s ervletCont ext.getVir tualServer Name() + " " +
		1142	serv letContext .getContex tPath();
983		1143
984	// Look up t he SingleS ignOn impl ementation in our re quest proc essing	1144	// Look up t he SingleS ignOn impl ementation in our re quest proc essing
985	// path, if there is o ne	1145	// path, if there is o ne
986	Co ntainer pa rent = con text.getPa rent();	1146	Co ntainer pa rent = con text.getPa rent();
987	wh ile ((sso == null) & & (parent != null)) {	1147	wh ile ((sso == null) & & (parent != null)) {
988	Valve va lves[] = p arent.getP ipeline(). getValves( );	1148	Valve va lves[] = p arent.getP ipeline(). getValves( );
989	for (int i = 0; i < valves.l ength; i++ ) {	1149	for (int i = 0; i < valves.l ength; i++ ) {
990	if ( valves[i] instanceof SingleSig nOn) {	1150	if ( valves[i] instanceof SingleSig nOn) {
991	sso = (Sin gleSignOn) valves[i] ;	1151	sso = (Sin gleSignOn) valves[i] ;
992	break;	1152	break;
993	}	1153	}
994	}	1154	}
995	if (sso == null) {	1155	if (sso == null) {
996	pare nt = paren t.getParen t();	1156	pare nt = paren t.getParen t();
997	}	1157	}
998	}	1158	}
999	if (log.isDe bugEnabled ()) {	1159	if (log.isDe bugEnabled ()) {
1000	if (sso != null) {	1160	if (sso != null) {
1001	log. debug("Fou nd SingleS ignOn Valv e at " + s so);	1161	log. debug("Fou nd SingleS ignOn Valv e at " + s so);
1002	} else {	1162	} else {
1003	log. debug("No SingleSign On Valve i s present" );	1163	log. debug("No SingleSign On Valve i s present" );
1004	}	1164	}
1005	}	1165	}
1006		1166
1007	se ssionIdGen erator = n ew Standar dSessionId Generator( );	1167	se ssionIdGen erator = n ew Standar dSessionId Generator( );
1008	se ssionIdGen erator.set SecureRand omAlgorith m(getSecur eRandomAlg orithm());	1168	se ssionIdGen erator.set SecureRand omAlgorith m(getSecur eRandomAlg orithm());
1009	se ssionIdGen erator.set SecureRand omClass(ge tSecureRan domClass() );	1169	se ssionIdGen erator.set SecureRand omClass(ge tSecureRan domClass() );
1010	se ssionIdGen erator.set SecureRand omProvider (getSecure RandomProv ider());	1170	se ssionIdGen erator.set SecureRand omProvider (getSecure RandomProv ider());
1011		1171
1012	su per.startI nternal();	1172	su per.startI nternal();
1013	}	1173	}
1014		1174
1015
1016	/**	1175	/**
1017	* Stop thi s componen t and impl ement the requiremen ts	1176	* Stop thi s componen t and impl ement the requiremen ts of
1018	* of {@link org .apache.ca talina.uti l.Lifecycl eBase#stop Internal() }.	1177	* {@link org .apache.ca talina.uti l.Lifecycl eBase#stop Internal() }.
1019	*	1178	*
1020	* @excepti on Lifecyc leExceptio n if this c omponent d etects a f atal error	1179	* @excepti on Lifecyc leExceptio n
1021	* that preve nts this component from being used	1180	* if this component detects a fatal erro r that pre vents this
		1181	* component from being used
1022	*/	1182	*/
1023	@Overr ide	1183	@Overr ide
1024	protec ted synchr onized voi d stopInte rnal() thr ows Lifecy cleExcepti on {	1184	protec ted synchr onized voi d stopInte rnal() thr ows Lifecy cleExcepti on {
1025		1185
1026	su per.stopIn ternal();	1186	su per.stopIn ternal();
1027		1187
1028	ss o = null;	1188	ss o = null;
1029	}	1189	}
		1190
		1191
		1192	privat e AuthConf igProvider getJaspic Provider() {
		1193	Au thConfigPr ovider pro vider = ja spicProvid er;
		1194	if (provider == null) {
		1195	provider = findJas picProvide r();
		1196	}
		1197	if (provider == NO_PRO VIDER_AVAI LABLE) {
		1198	return n ull;
		1199	}
		1200	re turn provi der;
		1201	}
		1202
		1203
		1204	privat e AuthConf igProvider findJaspi cProvider( ) {
		1205	Au thConfigFa ctory fact ory = Auth ConfigFact ory.getFac tory();
		1206	Au thConfigPr ovider pro vider = nu ll;
		1207	if (factory != null) {
		1208	provider = factory .getConfig Provider(" HttpServle t", jaspic AppContext ID, this);
		1209	}
		1210	if (provider == null) {
		1211	provider = NO_PROV IDER_AVAIL ABLE;
		1212	}
		1213	ja spicProvid er = provi der;
		1214	re turn provi der;
		1215	}
		1216
		1217
		1218	@Overr ide
		1219	public void noti fy(String layer, Str ing appCon text) {
		1220	fi ndJaspicPr ovider();
		1221	}
		1222
		1223
		1224	privat e static c lass Jaspi cState {
		1225	pu blic Messa geInfo mes sageInfo = null;
		1226	pu blic Serve rAuthConte xt serverA uthContext = null;
		1227	}
		1228
		1229
		1230	privat e static c lass NoOpA uthConfigP rovider im plements A uthConfigP rovider {
		1231
		1232	@O verride
		1233	pu blic Clien tAuthConfi g getClien tAuthConfi g(String l ayer, Stri ng appCont ext, Callb ackHandler handler)
		1234	thro ws AuthExc eption {
		1235	return n ull;
		1236	}
		1237
		1238	@O verride
		1239	pu blic Serve rAuthConfi g getServe rAuthConfi g(String l ayer, Stri ng appCont ext, Callb ackHandler handler)
		1240	thro ws AuthExc eption {
		1241	return n ull;
		1242	}
		1243
		1244	@O verride
		1245	pu blic void refresh() {
		1246	}
		1247	}
1030	}	1248	}