9. Araxis Merge File Comparison Report

Produced by Araxis Merge on 11/20/2017 2:15:51 PM GMT Standard Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

9.1 Files compared

#	Location	File	Last Modified
1	C:\Merge Test Files\8.0.47\java\org\apache\catalina\authenticator	AuthenticatorBase.java	Fri Sep 29 16:53:28 2017 UTC
2	C:\Merge Test Files\8.5.23\java\org\apache\catalina\authenticator	AuthenticatorBase.java	Thu Sep 28 11:32:16 2017 UTC
3	C:\Merge Test Files\9.0.1\java\org\apache\catalina\authenticator	AuthenticatorBase.java	Wed Sep 27 18:33:40 2017 UTC
Note: Merge considers the second file to be the common ancestor of the others.

9.2 Comparison summary

Description	Between Files 1 and 2		Between Files 2 and 3		Relative to Common Ancestor
Description	Text Blocks	Lines	Text Blocks	Lines	Text Blocks	Lines
Unchanged	111	1516	11	2422
Changed	65	489	5	23	63	453
Inserted	20	247	1	1	25	26
Removed	25	26	4	24	16	171
Note: An automatic merge would leave 5 conflict(s).

9.3 Comparison options

Whitespace	Consecutive whitespace is treated as a single space
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

9.4 Active regular expressions

No regular expressions were active.

9.5 Comparison detail

1	/*	1	/*	1	/*
2	* License d to the A pache Soft ware Found ation (ASF ) under on e or more	2	* License d to the A pache Soft ware Found ation (ASF ) under on e or more	2	* License d to the A pache Soft ware Found ation (ASF ) under on e or more
3	* contrib utor licen se agreeme nts. See the NOTICE file dist ributed wi th	3	* contrib utor licen se agreeme nts. See the NOTICE file dist ributed wi th	3	* contrib utor licen se agreeme nts. See the NOTICE file dist ributed wi th
4	* this wo rk for add itional in formation regarding copyright ownership.	4	* this wo rk for add itional in formation regarding copyright ownership.	4	* this wo rk for add itional in formation regarding copyright ownership.
5	* The ASF licenses this file to You und er the Apa che Licens e, Version 2.0	5	* The ASF licenses this file to You und er the Apa che Licens e, Version 2.0	5	* The ASF licenses this file to You und er the Apa che Licens e, Version 2.0
6	* (the "L icense"); you may no t use this file exce pt in comp liance wit h	6	* (the "L icense"); you may no t use this file exce pt in comp liance wit h	6	* (the "L icense"); you may no t use this file exce pt in comp liance wit h
7	* the Lic ense. You may obtai n a copy o f the Lice nse at	7	* the Lic ense. You may obtai n a copy o f the Lice nse at	7	* the Lic ense. You may obtai n a copy o f the Lice nse at
8	*	8	*	8	*
9	* ht tp://www.a pache.org/ licenses/L ICENSE-2.0	9	* ht tp://www.a pache.org/ licenses/L ICENSE-2.0	9	* ht tp://www.a pache.org/ licenses/L ICENSE-2.0
10	*	10	*	10	*
11	* Unless required b y applicab le law or agreed to in writing , software	11	* Unless required b y applicab le law or agreed to in writing , software	11	* Unless required b y applicab le law or agreed to in writing , software
12	* distrib uted under the Licen se is dist ributed on an "AS IS " BASIS,	12	* distrib uted under the Licen se is dist ributed on an "AS IS " BASIS,	12	* distrib uted under the Licen se is dist ributed on an "AS IS " BASIS,
13	* WITHOUT WARRANTIE S OR CONDI TIONS OF A NY KIND, e ither expr ess or imp lied.	13	* WITHOUT WARRANTIE S OR CONDI TIONS OF A NY KIND, e ither expr ess or imp lied.	13	* WITHOUT WARRANTIE S OR CONDI TIONS OF A NY KIND, e ither expr ess or imp lied.
14	* See the License f or the spe cific lang uage gover ning permi ssions and	14	* See the License f or the spe cific lang uage gover ning permi ssions and	14	* See the License f or the spe cific lang uage gover ning permi ssions and
15	* limitat ions under the Licen se.	15	* limitat ions under the Licen se.	15	* limitat ions under the Licen se.
16	*/	16	*/	16	*/
17	package or g.apache.c atalina.au thenticato r;	17	package or g.apache.c atalina.au thenticato r;	17	package or g.apache.c atalina.au thenticato r;
18		18		18
19	import jav a.io.IOExc eption;	19	import jav a.io.IOExc eption;	19	import jav a.io.IOExc eption;
20	import jav a.security .Principal ;	20	import jav a.security .Principal ;	20	import jav a.security .Principal ;
21	import jav a.security .cert.X509 Certificat e;	21	import jav a.security .cert.X509 Certificat e;	21	import jav a.security .cert.X509 Certificat e;
22	import jav a.text.Sim pleDateFor mat;	22	import jav a.text.Sim pleDateFor mat;	22	import jav a.text.Sim pleDateFor mat;
23	import jav a.util.Dat e;	23	import jav a.util.Dat e;	23	import jav a.util.Dat e;
24	import jav a.util.Loc ale;	24	import jav a.util.Loc ale;	24	import jav a.util.Loc ale;
		25	import jav a.util.Map ;	25	import jav a.util.Map ;
				26	import jav a.util.Opt ional;
		26	import jav a.util.Set ;	27	import jav a.util.Set ;
25		27		28
		28	import jav ax.securit y.auth.Sub ject;	29	import jav ax.securit y.auth.Sub ject;
		29	import jav ax.securit y.auth.cal lback.Call backHandle r;
		30	import jav ax.securit y.auth.mes sage.AuthE xception;	30	import jav ax.securit y.auth.mes sage.AuthE xception;
		31	import jav ax.securit y.auth.mes sage.AuthS tatus;	31	import jav ax.securit y.auth.mes sage.AuthS tatus;
		32	import jav ax.securit y.auth.mes sage.Messa geInfo;	32	import jav ax.securit y.auth.mes sage.Messa geInfo;
		33	import jav ax.securit y.auth.mes sage.confi g.AuthConf igFactory;	33	import jav ax.securit y.auth.mes sage.confi g.AuthConf igFactory;
		34	import jav ax.securit y.auth.mes sage.confi g.AuthConf igProvider ;	34	import jav ax.securit y.auth.mes sage.confi g.AuthConf igProvider ;
		35	import jav ax.securit y.auth.mes sage.confi g.ClientAu thConfig;
		36	import jav ax.securit y.auth.mes sage.confi g.Registra tionListen er;	35	import jav ax.securit y.auth.mes sage.confi g.Registra tionListen er;
		37	import jav ax.securit y.auth.mes sage.confi g.ServerAu thConfig;	36	import jav ax.securit y.auth.mes sage.confi g.ServerAu thConfig;
		38	import jav ax.securit y.auth.mes sage.confi g.ServerAu thContext;	37	import jav ax.securit y.auth.mes sage.confi g.ServerAu thContext;
		39	import jav ax.servlet .ServletCo ntext;	38	import jav ax.servlet .ServletCo ntext;
26	import jav ax.servlet .ServletEx ception;	40	import jav ax.servlet .ServletEx ception;	39	import jav ax.servlet .ServletEx ception;
27	import jav ax.servlet .http.Cook ie;	41	import jav ax.servlet .http.Cook ie;	40	import jav ax.servlet .http.Cook ie;
28	import jav ax.servlet .http.Http ServletReq uest;	42	import jav ax.servlet .http.Http ServletReq uest;	41	import jav ax.servlet .http.Http ServletReq uest;
29	import jav ax.servlet .http.Http ServletRes ponse;	43	import jav ax.servlet .http.Http ServletRes ponse;	42	import jav ax.servlet .http.Http ServletRes ponse;
30		44		43
31	import org .apache.ca talina.Aut henticator ;	45	import org .apache.ca talina.Aut henticator ;	44	import org .apache.ca talina.Aut henticator ;
32	import org .apache.ca talina.Con tainer;	46	import org .apache.ca talina.Con tainer;	45	import org .apache.ca talina.Con tainer;
33	import org .apache.ca talina.Con text;	47	import org .apache.ca talina.Con text;	46	import org .apache.ca talina.Con text;
34	import org .apache.ca talina.Glo bals;	48	import org .apache.ca talina.Glo bals;	47	import org .apache.ca talina.Glo bals;
35	import org .apache.ca talina.Lif ecycleExce ption;	49	import org .apache.ca talina.Lif ecycleExce ption;	48	import org .apache.ca talina.Lif ecycleExce ption;
36	import org .apache.ca talina.Man ager;	50	import org .apache.ca talina.Man ager;	49	import org .apache.ca talina.Man ager;
37	import org .apache.ca talina.Rea lm;	51	import org .apache.ca talina.Rea lm;	50	import org .apache.ca talina.Rea lm;
38	import org .apache.ca talina.Ses sion;	52	import org .apache.ca talina.Ses sion;	51	import org .apache.ca talina.Ses sion;
39	import org .apache.ca talina.Tom catPrincip al;	53	import org .apache.ca talina.Tom catPrincip al;	52	import org .apache.ca talina.Tom catPrincip al;
40	import org .apache.ca talina.Val ve;	54	import org .apache.ca talina.Val ve;	53	import org .apache.ca talina.Val ve;
41	import org .apache.ca talina.Wra pper;	55	import org .apache.ca talina.Wra pper;	54	import org .apache.ca talina.Wra pper;
		56	import org .apache.ca talina.aut henticator .jaspic.Ca llbackHand lerImpl;	55	import org .apache.ca talina.aut henticator .jaspic.Ca llbackHand lerImpl;
		57	import org .apache.ca talina.aut henticator .jaspic.Me ssageInfoI mpl;	56	import org .apache.ca talina.aut henticator .jaspic.Me ssageInfoI mpl;
42	import org .apache.ca talina.con nector.Req uest;	58	import org .apache.ca talina.con nector.Req uest;	57	import org .apache.ca talina.con nector.Req uest;
43	import org .apache.ca talina.con nector.Res ponse;	59	import org .apache.ca talina.con nector.Res ponse;	58	import org .apache.ca talina.con nector.Res ponse;
44	import org .apache.ca talina.rea lm.Generic Principal;	60	import org .apache.ca talina.rea lm.Generic Principal;	59	import org .apache.ca talina.rea lm.Generic Principal;
45	import org .apache.ca talina.uti l.SessionI dGenerator Base;	61	import org .apache.ca talina.uti l.SessionI dGenerator Base;	60	import org .apache.ca talina.uti l.SessionI dGenerator Base;
46	import org .apache.ca talina.uti l.Standard SessionIdG enerator;	62	import org .apache.ca talina.uti l.Standard SessionIdG enerator;	61	import org .apache.ca talina.uti l.Standard SessionIdG enerator;
47	import org .apache.ca talina.val ves.ValveB ase;	63	import org .apache.ca talina.val ves.ValveB ase;	62	import org .apache.ca talina.val ves.ValveB ase;
48	import org .apache.co yote.Actio nCode;	64	import org .apache.co yote.Actio nCode;	63	import org .apache.co yote.Actio nCode;
49	import org .apache.ju li.logging .Log;	65	import org .apache.ju li.logging .Log;	64	import org .apache.ju li.logging .Log;
50	import org .apache.ju li.logging .LogFactor y;	66	import org .apache.ju li.logging .LogFactor y;	65	import org .apache.ju li.logging .LogFactor y;
51	import org .apache.to mcat.util. ExceptionU tils;	67	import org .apache.to mcat.util. ExceptionU tils;	66	import org .apache.to mcat.util. ExceptionU tils;
52	import org .apache.to mcat.util. descriptor .web.Login Config;	68	import org .apache.to mcat.util. descriptor .web.Login Config;	67	import org .apache.to mcat.util. descriptor .web.Login Config;
53	import org .apache.to mcat.util. descriptor .web.Secur ityConstra int;	69	import org .apache.to mcat.util. descriptor .web.Secur ityConstra int;	68	import org .apache.to mcat.util. descriptor .web.Secur ityConstra int;
54	import org .apache.to mcat.util. http.FastH ttpDateFor mat;	70	import org .apache.to mcat.util. http.FastH ttpDateFor mat;	69	import org .apache.to mcat.util. http.FastH ttpDateFor mat;
55	import org .apache.to mcat.util. res.String Manager;	71	import org .apache.to mcat.util. res.String Manager;	70	import org .apache.to mcat.util. res.String Manager;
56		72		71
57
58	/**	73	/**	72	/**
59	* Basic i mplementat ion of the <b>Valve< /b> interf ace that e nforces th e	74	* Basic i mplementat ion of the <b>Valve< /b> interf ace that e nforces th e	73	* Basic i mplementat ion of the <b>Valve< /b> interf ace that e nforces th e
60	* <code>& lt;securit y-constrai nt></co de> elemen ts in the web applic ation	75	* <code>& lt;securit y-constrai nt></co de> elemen ts in the web applic ation	74	* <code>& lt;securit y-constrai nt></co de> elemen ts in the web applic ation
61	* deploym ent descri ptor. This funct ionality i s implemen ted as a V alve	76	* deploym ent descri ptor. This functiona lity is im plemented as a Valve so that	75	* deploym ent descri ptor. This functiona lity is im plemented as a Valve so that
62	* so that it can be omitted in environme nts that d o not requ ire these	77	* it can be omitted in environme nts that d o not requ ire these features.	76	* it can be omitted in enviro nments tha t do not r equire the se feature s.
63	* features. Individual implement ations of each suppo rted authe ntication	78	* Individual implement ations of each suppo rted authe ntication method ca n	77	* Individ ual implem entations of each su pported au thenticati on method can
64	* method can subclass t his base c lass as re quired.	79	* subclass t his base c lass as re quired.	78	* subclas s this bas e class as required.
65	* <p>	80	* <p>	79	* <p>
66	* <b>USAG E CONSTRAI NT</b>: When this class is u tilized, t he Context to	81	* <b>USAG E CONSTRAI NT</b>: Wh en this cl ass is uti lized, the Context t o which it	80	* <b>USAG E CONSTRAI NT</b>: Wh en this cl ass is uti lized, the Context t o which it
67	* which it is attache d (or a pa rent Conta iner in a hierarchy) must have an	82	* is attache d (or a pa rent Conta iner in a hierarchy) must have an associate d	81	* is atta ched (or a parent Co ntainer in a hierarc hy) must h ave an ass ociated
68	* associated Realm that can be us ed for aut henticatin g users an d enumerat ing	83	* Realm that can be us ed for aut henticatin g users an d enumerat ing the roles to	82	* Realm t hat can be used for authentica ting users and enume rating the roles to
69	* the roles to which they have been assigned.	84	* which they have been assigned.	83	* which t hey have b een assign ed.
70	* <p>	85	* <p>	84	* <p>
71	* <b>USAG E CONSTRAI NT</b>: T his Valve is only us eful when processing HTTP	86	* <b>USAG E CONSTRAI NT</b>: Th is Valve i s only use ful when p rocessing HTTP	85	* <b>USAG E CONSTRAI NT</b>: Th is Valve i s only use ful when p rocessing HTTP
72	* request s. Reques ts of any other type will simp ly be pass ed through .	87	* request s. Request s of any o ther type will simpl y be passe d through.	86	* request s. Request s of any o ther type will simpl y be passe d through.
73	*	88	*	87	*
74	* @author Craig R. McClanahan	89	* @author Craig R. McClanahan	88	* @author Craig R. McClanahan
75	*/	90	*/	89	*/
76	public abs tract clas s Authenti catorBase extends Va lveBase	91	public abs tract clas s Authenti catorBase extends Va lveBase	90	public abs tract clas s Authenti catorBase extends Va lveBase
77	implements Authentic ator {	92	implements Authentic ator , Registra tionListen er {	91	im plements A uthenticat or, Regist rationList ener {
78		93		92
79	privat e static f inal Log l og = LogFa ctory.getL og(Authent icatorBase .class);	94	privat e static f inal Log l og = LogFa ctory.getL og(Authent icatorBase .class);	93	privat e static f inal Log l og = LogFa ctory.getL og(Authent icatorBase .class);
80		95		94
		96	/**	95	/**
		97	* "Ex pires" hea der always set to Da te(1), so generate o nce only	96	* "Ex pires" hea der always set to Da te(1), so generate o nce only
		98	*/	97	*/
		99	privat e static f inal Strin g DATE_ONE =	98	privat e static f inal Strin g DATE_ONE =
		100	(new Sim pleDateFor mat(FastHt tpDateForm at.RFC1123 _DATE, Loc ale.US)).f ormat(new Date(1));	99	(new Sim pleDateFor mat(FastHt tpDateForm at.RFC1123 _DATE, Loc ale.US)).f ormat(new Date(1));
81		101		100
82	//---- ---------- ---------- ---------- ---------- ---------- Construct or	102	privat e static f inal AuthC onfigProvi der NO_PRO VIDER_AVAI LABLE = ne w NoOpAuth ConfigProv ider();
83	public Authentic atorBase() {
84	su per(true);
85	}
86
87	// --- ---------- ---------- ---------- ---------- ---------- Instance Variables
88		103
		104	/**	101	/**
		105	* The string ma nager for this packa ge.	102	* The string ma nager for this packa ge.
		106	*/	103	*/
		107	protec ted static final Str ingManager sm = Stri ngManager. getManager (Authentic atorBase.c lass);	104	protec ted static final Str ingManager sm = Stri ngManager. getManager (Authentic atorBase.c lass);
89		108		105
90	/**	109	/**	106	/**
91	* Aut henticatio n header	110	* Aut henticatio n header	107	* Aut henticatio n header
92	*/	111	*/	108	*/
93	protec ted static final Str ing AUTH_H EADER_NAME = "WWW-Au thenticate ";	112	protec ted static final Str ing AUTH_H EADER_NAME = "WWW-Au thenticate ";	109	protec ted static final Str ing AUTH_H EADER_NAME = "WWW-Au thenticate ";
94		113		110
95	/**	114	/**	111	/**
96	* Def ault authe ntication realm name .	115	* Def ault authe ntication realm name .	112	* Def ault authe ntication realm name .
97	*/	116	*/	113	*/
98	protec ted static final Str ing REALM_ NAME = "Au thenticati on require d";	117	protec ted static final Str ing REALM_ NAME = "Au thenticati on require d";	114	protec ted static final Str ing REALM_ NAME = "Au thenticati on require d";
99		118		115
		119	protec ted static String ge tRealmName (Context c ontext) {	116	protec ted static String ge tRealmName (Context c ontext) {
		120	if (context == null) {	117	if (context == null) {
		121	// Very unlikely	118	// Very unlikely
		122	return R EALM_NAME;	119	return R EALM_NAME;
		123	}	120	}
		124		121
		125	Lo ginConfig config = c ontext.get LoginConfi g();	122	Lo ginConfig config = c ontext.get LoginConfi g();
		126	if (config = = null) {	123	if (config = = null) {
		127	return R EALM_NAME;	124	return R EALM_NAME;
		128	}	125	}
		129		126
		130	St ring resul t = config .getRealmN ame();	127	St ring resul t = config .getRealmN ame();
		131	if (result = = null) {	128	if (result = = null) {
		132	return R EALM_NAME;	129	return R EALM_NAME;
		133	}	130	}
		134		131
		135	re turn resul t;	132	re turn resul t;
		136	}	133	}
		137		134
		138	// --- ---------- ---------- ---------- ---------- ---------- - Construc tor	135	// --- ---------- ---------- ---------- ---------- ---------- - Construc tor
		139		136
		140	public Authentic atorBase() {	137	public Authentic atorBase() {
		141	su per(true);	138	su per(true);
		142	}	139	}
		143		140
		144	// --- ---------- ---------- ---------- ---------- ---------- Instance Variables	141	// --- ---------- ---------- ---------- ---------- ---------- Instance Variables
		145		142
100	/**	146	/**	143	/**
101	* Sho uld a sess ion always be used o nce a user is authen ticated? T his may	147	* Sho uld a sess ion always be used o nce a user is authen ticated? T his may	144	* Sho uld a sess ion always be used o nce a user is authen ticated? T his may
102	* off er some pe rformance benefits s ince the s ession can then be u sed to	148	* off er some pe rformance benefits s ince the s ession can then be u sed to	145	* off er some pe rformance benefits s ince the s ession can then be u sed to
103	* cac he the aut henticated Principal , hence re moving the need to	149	* cac he the aut henticated Principal , hence re moving the need to	146	* cac he the aut henticated Principal , hence re moving the need to
104	* aut henticate the user v ia the Rea lm on ever y request. This may be of help	150	* aut henticate the user v ia the Rea lm on ever y request. This may be of help	147	* aut henticate the user v ia the Rea lm on ever y request. This may be of help
105	* for combinati ons such a s BASIC au thenticati on used wi th the JND IRealm or	151	* for combinati ons such a s BASIC au thenticati on used wi th the JND IRealm or	148	* for combinati ons such a s BASIC au thenticati on used wi th the JND IRealm or
106	* Dat aSourceRea lms. Howev er there w ill also b e the perf ormance co st of	152	* Dat aSourceRea lms. Howev er there w ill also b e the perf ormance co st of	149	* Dat aSourceRea lms. Howev er there w ill also b e the perf ormance co st of
107	* cre ating and GC'ing the session. By default , a sessio n will not be	153	* cre ating and GC'ing the session. By default , a sessio n will not be	150	* cre ating and GC'ing the session. By default , a sessio n will not be
108	* cre ated.	154	* cre ated.	151	* cre ated.
109	*/	155	*/	152	*/
110	protec ted boolea n alwaysUs eSession = false;	156	protec ted boolea n alwaysUs eSession = false;	153	protec ted boolea n alwaysUs eSession = false;
111		157		154
112
113	/**	158	/**	155	/**
114	* Should w e cache au thenticate d Principa ls if the request is part of	159	* Should w e cache au thenticate d Principa ls if the request is part of an	156	* Sho uld we cac he authent icated Pri ncipals if the reque st is part of an
115	* an HTTP sessi on?	160	* HTTP sessi on?	157	* HTT P session?
116	*/	161	*/	158	*/
117	protec ted boolea n cache = true;	162	protec ted boolea n cache = true;	159	protec ted boolea n cache = true;
118		163		160
119
120	/**	164	/**	161	/**
121	* Sho uld the se ssion ID, if any, be changed u pon a succ essful	165	* Sho uld the se ssion ID, if any, be changed u pon a succ essful	162	* Sho uld the se ssion ID, if any, be changed u pon a succ essful
122	* aut henticatio n to preve nt a sessi on fixatio n attack?	166	* aut henticatio n to preve nt a sessi on fixatio n attack?	163	* aut henticatio n to preve nt a sessi on fixatio n attack?
123	*/	167	*/	164	*/
124	protec ted boolea n changeSe ssionIdOnA uthenticat ion = true ;	168	protec ted boolea n changeSe ssionIdOnA uthenticat ion = true ;	165	protec ted boolea n changeSe ssionIdOnA uthenticat ion = true ;
125		169		166
126	/**	170	/**	167	/**
127	* The Context t o which th is Valve i s attached .	171	* The Context t o which th is Valve i s attached .	168	* The Context t o which th is Valve i s attached .
128	*/	172	*/	169	*/
129	protec ted Contex t context = null;	173	protec ted Contex t context = null;	170	protec ted Contex t context = null;
130		174		171
131
132	/**	175	/**	172	/**
133	* Flag to determine if we disa ble proxy caching, o r leave th e issue	176	* Flag to determine if we disa ble proxy caching, o r leave th e issue up to	173	* Fla g to deter mine if we disable p roxy cachi ng, or lea ve the iss ue up to
134	* up to the webapp developer .	177	* the webapp developer .	174	* the webapp de veloper.
135	*/	178	*/	175	*/
136	protec ted boolea n disableP roxyCachin g = true;	179	protec ted boolea n disableP roxyCachin g = true;	176	protec ted boolea n disableP roxyCachin g = true;
137		180		177
138	/**	181	/**	178	/**
139	* Fla g to deter mine if we disable p roxy cachi ng with he aders inco mpatible	182	* Fla g to deter mine if we disable p roxy cachi ng with he aders inco mpatible	179	* Fla g to deter mine if we disable p roxy cachi ng with he aders inco mpatible
140	* wit h IE.	183	* wit h IE.	180	* wit h IE.
141	*/	184	*/	181	*/
142	protec ted boolea n securePa gesWithPra gma = fals e;	185	protec ted boolea n securePa gesWithPra gma = fals e;	182	protec ted boolea n securePa gesWithPra gma = fals e;
143		186		183
144	/**	187	/**	184	/**
145	* The Java clas s name of the secure random nu mber gener ator class to be	188	* The Java clas s name of the secure random nu mber gener ator class to be	185	* The Java clas s name of the secure random nu mber gener ator class to be
146	* use d when gen erating SS O session identifier s. The ran dom number generator	189	* use d when gen erating SS O session identifier s. The ran dom number generator	186	* use d when gen erating SS O session identifier s. The ran dom number generator
147	* cla ss must be self-seed ing and ha ve a zero- argument c onstructor . If not	190	* cla ss must be self-seed ing and ha ve a zero- argument c onstructor . If not	187	* cla ss must be self-seed ing and ha ve a zero- argument c onstructor . If not
148	* spe cified, an instance of {@link java.secur ity.Secure Random} wi ll be	191	* spe cified, an instance of {@link java.secur ity.Secure Random} wi ll be	188	* spe cified, an instance of {@link java.secur ity.Secure Random} wi ll be
149	* gen erated.	192	* gen erated.	189	* gen erated.
150	*/	193	*/	190	*/
151	protec ted String secureRan domClass = null;	194	protec ted String secureRan domClass = null;	191	protec ted String secureRan domClass = null;
152		195		192
153	/**	196	/**	193	/**
154	* The name of t he algorit hm to use to create instances of	197	* The name of t he algorit hm to use to create instances of	194	* The name of t he algorit hm to use to create instances of
155	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate S SO session	198	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate S SO session	195	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate S SO session
156	* IDs . If no al gorithm is specified , SHA1PRNG is used. To use the platform	199	* IDs . If no al gorithm is specified , SHA1PRNG is used. To use the platform	196	* IDs . If no al gorithm is specified , SHA1PRNG is used. To use the platform
157	* def ault (whic h may be S HA1PRNG), specify th e empty st ring. If a n invalid	200	* def ault (whic h may be S HA1PRNG), specify th e empty st ring. If a n invalid	197	* def ault (whic h may be S HA1PRNG), specify th e empty st ring. If a n invalid
158	* alg orithm and /or provid er is spec ified the SecureRand om instanc es will be	201	* alg orithm and /or provid er is spec ified the SecureRand om instanc es will be	198	* alg orithm and /or provid er is spec ified the SecureRand om instanc es will be
159	* cre ated using the defau lts. If th at fails, the Secure Random ins tances	202	* cre ated using the defau lts. If th at fails, the Secure Random ins tances	199	* cre ated using the defau lts. If th at fails, the Secure Random ins tances
160	* wil l be creat ed using p latform de faults.	203	* wil l be creat ed using p latform de faults.	200	* wil l be creat ed using p latform de faults.
161	*/	204	*/	201	*/
162	protec ted String secureRan domAlgorit hm = "SHA1 PRNG";	205	protec ted String secureRan domAlgorit hm = "SHA1 PRNG";	202	protec ted String secureRan domAlgorit hm = "SHA1 PRNG";
163		206		203
164	/**	207	/**	204	/**
165	* The name of t he provide r to use t o create i nstances o f	208	* The name of t he provide r to use t o create i nstances o f	205	* The name of t he provide r to use t o create i nstances o f
166	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate s ession SSO	209	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate s ession SSO	206	* {@l ink java.s ecurity.Se cureRandom } which ar e used to generate s ession SSO
167	* IDs . If no al gorithm is specified the of SH A1PRNG def ault is us ed. If an	210	* IDs . If no al gorithm is specified the of SH A1PRNG def ault is us ed. If an	207	* IDs . If no al gorithm is specified the of SH A1PRNG def ault is us ed. If an
168	* inv alid algor ithm and/o r provider is specif ied the Se cureRandom instances	211	* inv alid algor ithm and/o r provider is specif ied the Se cureRandom instances	208	* inv alid algor ithm and/o r provider is specif ied the Se cureRandom instances
169	* wil l be creat ed using t he default s. If that fails, th e SecureRa ndom	212	* wil l be creat ed using t he default s. If that fails, th e SecureRa ndom	209	* wil l be creat ed using t he default s. If that fails, th e SecureRa ndom
170	* ins tances wil l be creat ed using p latform de faults.	213	* ins tances wil l be creat ed using p latform de faults.	210	* ins tances wil l be creat ed using p latform de faults.
171	*/	214	*/	211	*/
172	protec ted String secureRan domProvide r = null;	215	protec ted String secureRan domProvide r = null;	212	protec ted String secureRan domProvide r = null;
173		216		213
174	protec ted Sessio nIdGenerat orBase ses sionIdGene rator = nu ll;	217	protec ted Sessio nIdGenerat orBase ses sionIdGene rator = nu ll;	214	protec ted Sessio nIdGenerat orBase ses sionIdGene rator = nu ll;
175		218		215
176	/**	219	/**	216	/**
177	* The string ma nager for this packa ge.	220	* The Sing leSignOn i mplementat ion in our request p rocessing chain, if there	217	* The SingleSig nOn implem entation i n our requ est proces sing chain , if there
178	*/	221	* i s one.	218	* is one.
179	protec ted static final Str ingManager sm =
180	St ringManage r.getManag er(Constan ts.Package );
181
182
183	/**
184	* The Sing leSignOn i mplementat ion in our request p rocessing chain,
185	* i f there i s one.
186	*/	222	*/	219	*/
187	protec ted Single SignOn sso = null;	223	protec ted Single SignOn sso = null;	220	protec ted Single SignOn sso = null;
188		224		221
189		225	privat e volatile String ja spicAppCon textID = n ull;	222	privat e volatile String ja spicAppCon textID = n ull;
190	/**	226	private vo latile AuthConfig Provider jaspicPro vider = nu ll;	223	private vo latile Optional< AuthConfig Provider > jaspicPro vider = nu ll;
191	* "Ex pires" hea der always set to Da te(1), so generate o nce only
192	*/
193	privat e static f inal Strin g DATE_ONE =
194	(n ew SimpleD ateFormat( FastHttpDa teFormat.R FC1123_DAT E,
195	Locale.US) ).format(n ew Date(1) );
196
197
198	protec ted static String ge tRealmName (Context c ontext) {
199	if (context == null) {
200	// Very unlikely
201	return R EALM_NAME;
202	}
203
204	Lo ginConfig config = c ontext.get LoginConfi g();
205	if (config = = null) {
206	return R EALM_NAME;
207	}
208
209	St ring resul t = config .getRealmN ame();
210	if (result = = null) {
211	return R EALM_NAME;
212	}
213
214	re turn resul t;
215	}
216		227		224
217		228		225
218	// --- ---------- ---------- ---------- ---------- ---------- -------- P roperties	229	// --- ---------- ---------- ---------- ---------- ---------- -------- P roperties	226	// --- ---------- ---------- ---------- ---------- ---------- -------- P roperties
219		230		227
220
221	public boolean g etAlwaysUs eSession() {	231	public boolean g etAlwaysUs eSession() {	228	public boolean g etAlwaysUs eSession() {
222	re turn alway sUseSessio n;	232	re turn alway sUseSessio n;	229	re turn alway sUseSessio n;
223	}	233	}	230	}
224		234		231
225
226	public void setA lwaysUseSe ssion(bool ean always UseSession ) {	235	public void setA lwaysUseSe ssion(bool ean always UseSession ) {	232	public void setA lwaysUseSe ssion(bool ean always UseSession ) {
227	th is.alwaysU seSession = alwaysUs eSession;	236	th is.alwaysU seSession = alwaysUs eSession;	233	th is.alwaysU seSession = alwaysUs eSession;
228	}	237	}	234	}
229		238		235
230
231	/**	239	/**	236	/**
232	* Ret urn the ca che authen ticated Pr incipals f lag.	240	* Ret urn the ca che authen ticated Pr incipals f lag.	237	* Ret urn the ca che authen ticated Pr incipals f lag.
		241	*	238	*
		242	* @re turn <code >true</cod e> if auth enticated Principals will be c ached,	239	* @re turn <code >true</cod e> if auth enticated Principals will be c ached,
		243	* other wise <code >false</co de>	240	* other wise <code >false</co de>
233	*/	244	*/	241	*/
234	public boolean g etCache() {	245	public boolean g etCache() {	242	public boolean g etCache() {
235		246	return this.cache ;	243	re turn this. cache;
236	return ( this.cache ) ;
237
238	}	247	}	244	}
239		248		245
240
241	/**	249	/**	246	/**
242	* Set the cache authentic ated Princ ipals flag .	250	* Set the cache authentic ated Princ ipals flag .	247	* Set the cache authentic ated Princ ipals flag .
243	*	251	*	248	*
244	* @param c ache The new c ache flag	252	* @param c ache	249	* @pa ram cache
		253	* Th e new cach e flag	250	* Th e new cach e flag
245	*/	254	*/	251	*/
246	public void setC ache(boole an cache) {	255	public void setC ache(boole an cache) {	252	public void setC ache(boole an cache) {
247
248	th is.cache = cache;	256	th is.cache = cache;	253	th is.cache = cache;
249
250	}	257	}	254	}
251		258		255
252
253	/**	259	/**	256	/**
254	* Ret urn the Co ntainer to which thi s Valve is attached.	260	* Ret urn the Co ntainer to which thi s Valve is attached.	257	* Ret urn the Co ntainer to which thi s Valve is attached.
255	*/	261	*/	258	*/
256	@Overr ide	262	@Overr ide	259	@Overr ide
257	public Container getContai ner() {	263	public Container getContai ner() {	260	public Container getContai ner() {
258		264	return this.conte xt ;	261	re turn this. context;
259	return ( this.conte xt ) ;
260
261	}	265	}	262	}
262		266		263
263
264	/**	267	/**	264	/**
265	* Set the Conta iner to wh ich this V alve is at tached.	268	* Set the Conta iner to wh ich this V alve is at tached.	265	* Set the Conta iner to wh ich this V alve is at tached.
266	*	269	*	266	*
267	* @param con tainer The contai ner to whi ch we are attached	270	* @pa ram contai ner	267	* @pa ram contai ner
		271	* The contai ner to whi ch we are attached	268	* Th e containe r to which we are at tached
268	*/	272	*/	269	*/
269	@Overr ide	273	@Overr ide	270	@Overr ide
270	public void setC ontainer(C ontainer c ontainer) {	274	public void setC ontainer(C ontainer c ontainer) {	271	public void setC ontainer(C ontainer c ontainer) {
271		275		272
272	if (containe r != null && !(conta iner insta nceof Cont ext)) {	276	if (containe r != null && !(conta iner insta nceof Cont ext)) {	273	if (containe r != null && !(conta iner insta nceof Cont ext)) {
273	throw new IllegalArg umentExcep tion	277	throw new IllegalArg umentExcep tion (sm.getStr ing("authe nticator.n otContext" ));	274	throw ne w IllegalA rgumentExc eption(sm. getString( "authentic ator.notCo ntext"));
274	(sm. getString( "authentic ator.notCo ntext"));
275	}	278	}	275	}
276		279		276
277	su per.setCon tainer(con tainer);	280	su per.setCon tainer(con tainer);	277	su per.setCon tainer(con tainer);
278	th is.context = (Contex t) contain er;	281	th is.context = (Contex t) contain er;	278	th is.context = (Contex t) contain er;
279		282		279
280	}	283	}	280	}
281		284		281
282
283	/**	285	/**	282	/**
284	* Ret urn the fl ag that st ates if we add heade rs to disa ble cachin g by	286	* Ret urn the fl ag that st ates if we add heade rs to disa ble cachin g by	283	* Ret urn the fl ag that st ates if we add heade rs to disa ble cachin g by
285	* pro xies.	287	* pro xies.	284	* pro xies.
		288	*	285	*
		289	* @re turn <code >true</cod e> if the headers wi ll be adde d, otherwi se	286	* @re turn <code >true</cod e> if the headers wi ll be adde d, otherwi se
		290	* <code >false</co de>	287	* <code >false</co de>
286	*/	291	*/	288	*/
287	public boolean g etDisableP roxyCachin g() {	292	public boolean g etDisableP roxyCachin g() {	289	public boolean g etDisableP roxyCachin g() {
288	re turn disab leProxyCac hing;	293	re turn disab leProxyCac hing;	290	re turn disab leProxyCac hing;
289	}	294	}	291	}
290		295		292
291	/**	296	/**	293	/**
292	* Set the value of the fl ag that st ates if we add heade rs to disa ble	297	* Set the value of the fl ag that st ates if we add heade rs to disa ble	294	* Set the value of the fl ag that st ates if we add heade rs to disa ble
293	* cac hing by pr oxies.	298	* cac hing by pr oxies.	295	* cac hing by pr oxies.
294	* @param noc ache <code>true </code> if we add he aders to d isable pro xy	299	*	296	*
295	* caching, <code>fals e</code> i f we leave the heade rs alone.	300	* @pa ram nocach e	297	* @pa ram nocach e
		301	* <code>true </code> if we add he aders to d isable pro xy caching,	298	* <c ode>true</ code> if w e add head ers to dis able proxy caching,
		302	* <code>fals e</code> i f we leave the heade rs alone.	299	* <c ode>false< /code> if we leave t he headers alone.
296	*/	303	*/	300	*/
297	public void setD isableProx yCaching(b oolean noc ache) {	304	public void setD isableProx yCaching(b oolean noc ache) {	301	public void setD isableProx yCaching(b oolean noc ache) {
298	di sableProxy Caching = nocache;	305	di sableProxy Caching = nocache;	302	di sableProxy Caching = nocache;
299	}	306	}	303	}
300		307		304
301	/**	308	/**	305	/**
302	* Ret urn the fl ag that st ates, if p roxy cachi ng is disa bled, what headers	309	* Ret urn the fl ag that st ates, if p roxy cachi ng is disa bled, what headers	306	* Ret urn the fl ag that st ates, if p roxy cachi ng is disa bled, what headers
303	* we add to dis able the c aching.	310	* we add to dis able the c aching.	307	* we add to dis able the c aching.
		311	*	308	*
		312	* @re turn <code >true</cod e> if a Pr agma heade r should b e used, ot herwise	309	* @re turn <code >true</cod e> if a Pr agma heade r should b e used, ot herwise
		313	* <code >false</co de>	310	* <code >false</co de>
304	*/	314	*/	311	*/
305	public boolean g etSecurePa gesWithPra gma() {	315	public boolean g etSecurePa gesWithPra gma() {	312	public boolean g etSecurePa gesWithPra gma() {
306	re turn secur ePagesWith Pragma;	316	re turn secur ePagesWith Pragma;	313	re turn secur ePagesWith Pragma;
307	}	317	}	314	}
308		318		315
309	/**	319	/**	316	/**
310	* Set the value of the fl ag that st ates what headers we add to di sable	320	* Set the value of the fl ag that st ates what headers we add to di sable	317	* Set the value of the fl ag that st ates what headers we add to di sable
311	* pro xy caching .	321	* pro xy caching .	318	* pro xy caching .
312	* @param sec urePagesWi thPragma <code>true </code> if we add he aders whic h	322	*	319	*
313	* are incomp atible with downl oading off ice docume nts in IE under SSL but	323	* @pa ram secure PagesWithP ragma	320	* @pa ram secure PagesWithP ragma
314	* which fix a cach ing proble m in Mozil la.	324	* <code>true </code> if we add he aders whic h are incom patible	321	* <c ode>true</ code> if w e add head ers which are incomp atible
		325	* with downl oading off ice docume nts in IE under SSL but which	322	* wi th downloa ding offic e document s in IE un der SSL bu t which
		326	* fix a cach ing proble m in Mozil la.	323	* fi x a cachin g problem in Mozilla .
315	*/	327	*/	324	*/
316	public void setS ecurePages WithPragma (boolean s ecurePages WithPragma ) {	328	public void setS ecurePages WithPragma (boolean s ecurePages WithPragma ) {	325	public void setS ecurePages WithPragma (boolean s ecurePages WithPragma ) {
317	th is.secureP agesWithPr agma = sec urePagesWi thPragma;	329	th is.secureP agesWithPr agma = sec urePagesWi thPragma;	326	th is.secureP agesWithPr agma = sec urePagesWi thPragma;
318	}	330	}	327	}
319		331		328
320	/**	332	/**	329	/**
321	* Ret urn the fl ag that st ates if we should ch ange the s ession ID of an	333	* Ret urn the fl ag that st ates if we should ch ange the s ession ID of an	330	* Ret urn the fl ag that st ates if we should ch ange the s ession ID of an
322	* exi sting sess ion upon s uccessful authentica tion.	334	* exi sting sess ion upon s uccessful authentica tion.	331	* exi sting sess ion upon s uccessful authentica tion.
323	*	335	*	332	*
324	* @re turn <code >true</cod e> to chan ge session ID upon s uccessful	336	* @re turn <code >true</cod e> to chan ge session ID upon s uccessful	333	* @re turn <code >true</cod e> to chan ge session ID upon s uccessful
325	* authe ntication, <code>fal se</code> to do not perform th e change.	337	* authe ntication, <code>fal se</code> to do not perform th e change.	334	* authe ntication, <code>fal se</code> to do not perform th e change.
326	*/	338	*/	335	*/
327	public boolean g etChangeSe ssionIdOnA uthenticat ion() {	339	public boolean g etChangeSe ssionIdOnA uthenticat ion() {	336	public boolean g etChangeSe ssionIdOnA uthenticat ion() {
328	re turn chang eSessionId OnAuthenti cation;	340	re turn chang eSessionId OnAuthenti cation;	337	re turn chang eSessionId OnAuthenti cation;
329	}	341	}	338	}
330		342		339
331	/**	343	/**	340	/**
332	* Set the value of the fl ag that st ates if we should ch ange the s ession ID	344	* Set the value of the fl ag that st ates if we should ch ange the s ession ID	341	* Set the value of the fl ag that st ates if we should ch ange the s ession ID
333	* of an existin g session upon succe ssful auth entication .	345	* of an existin g session upon succe ssful auth entication .	342	* of an existin g session upon succe ssful auth entication .
334	*	346	*	343	*
335	* @param c hangeSessi onIdOnAuth entication	347	* @param c hangeSessi onIdOnAuth entication <code>tru e</code> t o change	344	* @pa ram change SessionIdO nAuthentic ation <cod e>true</co de> to cha nge
336	* <c ode>true</ code> to c hange sess ion ID upo n successf ul	348	* session ID upon succ essful authentica tion, <cod e>false</c ode>	345	* se ssion ID u pon succes sful authe ntication, <code>fal se</code>
337	* authentica tion, <cod e>false</c ode> to do not perform t he	349	* to do not pe rform the change.	346	* to do not pe rform the change.
338	* ch ange.
339	*/	350	*/	347	*/
340	public voi d setChang eSessionId OnAuthenti cation(	351	public voi d setChang eSessionId OnAuthenti cation( boolean ch angeSessio nIdOnAuthe ntication) {	348	public void setC hangeSessi onIdOnAuth entication (boolean c hangeSessi onIdOnAuth entication ) {
341	boolean changeSess ionIdOnAut henticatio n) {
342	th is.changeS essionIdOn Authentica tion = cha ngeSession IdOnAuthen tication;	352	th is.changeS essionIdOn Authentica tion = cha ngeSession IdOnAuthen tication;	349	th is.changeS essionIdOn Authentica tion = cha ngeSession IdOnAuthen tication;
343	}	353	}	350	}
344		354		351
345	/**	355	/**	352	/**
346	* Ret urn the se cure rando m number g enerator c lass name.	356	* Ret urn the se cure rando m number g enerator c lass name.	353	* Ret urn the se cure rando m number g enerator c lass name.
		357	*	354	*
		358	* @re turn The f ully quali fied name of the Sec ureRandom implementa tion to	355	* @re turn The f ully quali fied name of the Sec ureRandom implementa tion to
		359	* use	356	* use
347	*/	360	*/	357	*/
348	public String ge tSecureRan domClass() {	361	public String ge tSecureRan domClass() {	358	public String ge tSecureRan domClass() {
349		362	return this.secur eRandomCla ss ;	359	re turn this. secureRand omClass;
350	return ( this.secur eRandomCla ss ) ;
351
352	}	363	}	360	}
353		364		361
354
355	/**	365	/**	362	/**
356	* Set the secur e random n umber gene rator clas s name.	366	* Set the secur e random n umber gene rator clas s name.	363	* Set the secur e random n umber gene rator clas s name.
357	*	367	*	364	*
358	* @param s ecureRando mClass The new s ecure rand om number generator class	368	* @param s ecureRando mClass	365	* @pa ram secure RandomClas s
359	* name	369	* Th e new secu re random number gen erator cla ss name	366	* Th e new secu re random number gen erator cla ss name
360	*/	370	*/	367	*/
361	public void setS ecureRando mClass(Str ing secure RandomClas s) {	371	public void setS ecureRando mClass(Str ing secure RandomClas s) {	368	public void setS ecureRando mClass(Str ing secure RandomClas s) {
362	th is.secureR andomClass = secureR andomClass ;	372	th is.secureR andomClass = secureR andomClass ;	369	th is.secureR andomClass = secureR andomClass ;
363	}	373	}	370	}
364		374		371
365
366	/**	375	/**	372	/**
367	* Ret urn the se cure rando m number g enerator a lgorithm n ame.	376	* Ret urn the se cure rando m number g enerator a lgorithm n ame.	373	* Ret urn the se cure rando m number g enerator a lgorithm n ame.
		377	*	374	*
		378	* @re turn The n ame of the SecureRan dom algori thm used	375	* @re turn The n ame of the SecureRan dom algori thm used
368	*/	379	*/	376	*/
369	public String ge tSecureRan domAlgorit hm() {	380	public String ge tSecureRan domAlgorit hm() {	377	public String ge tSecureRan domAlgorit hm() {
370	re turn secur eRandomAlg orithm;	381	re turn secur eRandomAlg orithm;	378	re turn secur eRandomAlg orithm;
371	}	382	}	379	}
372		383		380
373
374	/**	384	/**	381	/**
375	* Set the secur e random n umber gene rator algo rithm name .	385	* Set the secur e random n umber gene rator algo rithm name .	382	* Set the secur e random n umber gene rator algo rithm name .
376	*	386	*	383	*
377	* @param s ecureRando mAlgorithm The new s ecure rand om number generator	387	* @param s ecureRando mAlgorithm	384	* @pa ram secure RandomAlgo rithm
378	* algorithm name	388	* The new se cure rando m number g enerator algorithm name	385	* Th e new secu re random number gen erator alg orithm nam e
379	*/	389	*/	386	*/
380	public void setS ecureRando mAlgorithm (String se cureRandom Algorithm) {	390	public void setS ecureRando mAlgorithm (String se cureRandom Algorithm) {	387	public void setS ecureRando mAlgorithm (String se cureRandom Algorithm) {
381	th is.secureR andomAlgor ithm = sec ureRandomA lgorithm;	391	th is.secureR andomAlgor ithm = sec ureRandomA lgorithm;	388	th is.secureR andomAlgor ithm = sec ureRandomA lgorithm;
382	}	392	}	389	}
383		393		390
384
385	/**	394	/**	391	/**
386	* Ret urn the se cure rando m number g enerator p rovider na me.	395	* Ret urn the se cure rando m number g enerator p rovider na me.	392	* Ret urn the se cure rando m number g enerator p rovider na me.
		396	*	393	*
		397	* @re turn The n ame of the SecureRan dom provid er	394	* @re turn The n ame of the SecureRan dom provid er
387	*/	398	*/	395	*/
388	public String ge tSecureRan domProvide r() {	399	public String ge tSecureRan domProvide r() {	396	public String ge tSecureRan domProvide r() {
389	re turn secur eRandomPro vider;	400	re turn secur eRandomPro vider;	397	re turn secur eRandomPro vider;
390	}	401	}	398	}
391		402		399
392
393	/**	403	/**	400	/**
394	* Set the secur e random n umber gene rator prov ider name.	404	* Set the secur e random n umber gene rator prov ider name.	401	* Set the secur e random n umber gene rator prov ider name.
395	*	405	*	402	*
396	* @param s ecureRando mProvider The new s ecure rand om number generator	406	* @param s ecureRando mProvider	403	* @pa ram secure RandomProv ider
397	* provider n ame	407	* The new se cure rando m number g enerator provider n ame	404	* Th e new secu re random number gen erator pro vider name
398	*/	408	*/	405	*/
399	public void setS ecureRando mProvider( String sec ureRandomP rovider) {	409	public void setS ecureRando mProvider( String sec ureRandomP rovider) {	406	public void setS ecureRando mProvider( String sec ureRandomP rovider) {
400	th is.secureR andomProvi der = secu reRandomPr ovider;	410	th is.secureR andomProvi der = secu reRandomPr ovider;	407	th is.secureR andomProvi der = secu reRandomPr ovider;
401	}	411	}	408	}
402		412		409
403
404
405	// --- ---------- ---------- ---------- ---------- ---------- ---- Publi c Methods	413	// --- ---------- ---------- ---------- ---------- ---------- ---- Publi c Methods	410	// --- ---------- ---------- ---------- ---------- ---------- ---- Publi c Methods
406		414		411
407
408	/**	415	/**	412	/**
409	* Enf orce the s ecurity re strictions in the we b applicat ion deploy ment	416	* Enf orce the s ecurity re strictions in the we b applicat ion deploy ment	413	* Enf orce the s ecurity re strictions in the we b applicat ion deploy ment
410	* des criptor of our assoc iated Cont ext.	417	* des criptor of our assoc iated Cont ext.	414	* des criptor of our assoc iated Cont ext.
411	*	418	*	415	*
412	* @param r equest Request t o be proce ssed	419	* @param r equest	416	* @pa ram reques t
413	* @param res ponse Response t o be proce ssed	420	* Re quest to b e processe d	417	* Re quest to b e processe d
		421	* @pa ram respon se	418	* @pa ram respon se
		422	* Response t o be proce ssed	419	* Re sponse to be process ed
414	*	423	*	420	*
415	* @excepti on IOExcep tion if an inp ut/output error occu rs	424	* @excepti on IOExcep tion	421	* @ex ception IO Exception
416	* @exception ServletEx ception if thrown by a proce ssing elem ent	425	* if an in put/output error occ urs	422	* if an in put/output error occ urs
		426	* @ex ception Se rvletExcep tion	423	* @ex ception Se rvletExcep tion
		427	* if thrown by a proce ssing elem ent	424	* if throw n by a pro cessing el ement
417	*/	428	*/	425	*/
418	@Overr ide	429	@Overr ide	426	@Overr ide
419	public voi d invoke(R equest req uest, Resp onse respo nse)	430	public voi d invoke(R equest req uest, Resp onse respo nse) throws IO Exception, ServletEx ception {	427	public void invo ke(Request request, Response r esponse) t hrows IOEx ception, S ervletExce ption {
420	th rows IOExc eption, Se rvletExcep tion {
421		431		428
422	if (log.isDe bugEnabled ()) {	432	if (log.isDe bugEnabled ()) {	429	if (log.isDe bugEnabled ()) {
423	log.debug( "Security checking r equest " +	433	log.debug( "Security checking r equest " + request.g etMethod() + " " +	430	log.debu g("Securit y checking request " + request .getMethod () + " " +
424	request.ge t Method() + " " + req uest.get RequestURI ());	434	request.ge t RequestURI ());	431	request.ge tRequestUR I());
425	}	435	}	432	}
426		436		433
427	// Have we g ot a cache d authenti cated Prin cipal to r ecord?	437	// Have we g ot a cache d authenti cated Prin cipal to r ecord?	434	// Have we g ot a cache d authenti cated Prin cipal to r ecord?
428	if (cache) {	438	if (cache) {	435	if (cache) {
429	Principa l principa l = reques t.getUserP rincipal() ;	439	Principa l principa l = reques t.getUserP rincipal() ;	436	Principa l principa l = reques t.getUserP rincipal() ;
430	if (prin cipal == n ull) {	440	if (prin cipal == n ull) {	437	if (prin cipal == n ull) {
431	Sess ion sessio n = reques t.getSessi onInternal (false);	441	Sess ion sessio n = reques t.getSessi onInternal (false);	438	Sess ion sessio n = reques t.getSessi onInternal (false);
432	if ( session != null) {	442	if ( session != null) {	439	if ( session != null) {
433	principal = session. getPrincip al();	443	principal = session. getPrincip al();	440	principal = session. getPrincip al();
434	if (princi pal != nul l) {	444	if (princi pal != nul l) {	441	if (princi pal != nul l) {
435	if (lo g.isDebugE nabled()) {	445	if (lo g.isDebugE nabled()) {	442	if (lo g.isDebugE nabled()) {
436	log.debug( "We have c ached auth type " +	446	log.debug( "We have c ached auth type " + session.g etAuthType () +	443	lo g.debug("W e have cac hed auth t ype " + se ssion.getA uthType() +
437	session. getAuthTyp e() +	447	" for prin cipal " + principal );	444	" fo r principa l " + prin cipal);
438	" for prin cipal " +
439	session. getPrincip al());
440	}	448	}	445	}
441	reques t.setAuthT ype(sessio n.getAuthT ype());	449	reques t.setAuthT ype(sessio n.getAuthT ype());	446	reques t.setAuthT ype(sessio n.getAuthT ype());
442	reques t.setUserP rincipal(p rincipal);	450	reques t.setUserP rincipal(p rincipal);	447	reques t.setUserP rincipal(p rincipal);
443	}	451	}	448	}
444	}	452	}	449	}
445	}	453	}	450	}
446	}	454	}	451	}
447		455		452
448	// Special h andling fo r form-bas ed logins to deal wi th the cas e	456	bo olean auth Required = isContinu ationRequi red(reques t);	453	bo olean auth Required = isContinu ationRequi red(reques t);
449	// where the login for m (and the refore the "j_securi ty_check" URI
450	// to which it submits ) might be outside t he secured area
451	St ring conte xtPath = t his.contex t.getPath( );
452	St ring decod edRequestU RI = reque st.getDeco dedRequest URI();
453	if (decodedR equestURI. startsWith (contextPa th) &&
454	deco dedRequest URI.endsWi th(Constan ts.FORM_AC TION)) {
455	if (!aut henticate( request, r esponse)) {
456	if ( log.isDebu gEnabled() ) {
457	log.debug( " Failed a uthenticat e() test ? ?" + decod edRequestU RI );
458	}
459	retu rn;
460	}
461	}
462
463	// Special h andling fo r form-bas ed logins to deal wi th the cas e where
464	// a resourc e is prote cted for s ome HTTP m ethods but not prote cted for
465	// GET which is used a fter authe ntication when redir ecting to the
466	// protected resource.
467	// TODO: Thi s is simil ar to the FormAuthen ticator.ma tchRequest () logic
468	// Is there a wa y to remov e the dupl ication?
469	Se ssion sess ion = requ est.getSes sionIntern al(false);
470	if (session != null) {
471	SavedReq uest saved Request =
472	(SavedRequ est) sessi on.getNote (Constants .FORM_REQU EST_NOTE);
473	if (save dRequest ! = null &&
474	decodedReq uestURI.eq uals(saved Request.ge tDecodedRe questURI() ) &&
475	!authentic ate(reques t, respons e)) {
476	if ( log.isDebu gEnabled() ) {
477	log.debug( " Failed a uthenticat e() test") ;
478	}
479	/*
480	* A SSERT: Aut henticator already s et the app ropriate
481	* H TTP status code, so we do not have to do anything
482	* s pecial
483	*/
484	retu rn;
485	}
486	}
487		457		454
488	// The Servl et may spe cify secur ity constr aints thro ugh annota tions.	458	// The Servl et may spe cify secur ity constr aints thro ugh annota tions.	455	// The Servl et may spe cify secur ity constr aints thro ugh annota tions.
489	// Ensure th at they ha ve been pr ocessed be fore const raints are checked	459	// Ensure th at they ha ve been pr ocessed be fore const raints are checked	456	// Ensure th at they ha ve been pr ocessed be fore const raints are checked
490	Wrapper wr apper = re quest.get MappingDat a().w rapper ;	460	Wrapper wr apper = re quest.get W rapper () ;	457	Wr apper wrap per = requ est.getWra pper();
491	if (wrapper != null) {	461	if (wrapper != null) {	458	if (wrapper != null) {
492	wrapper. servletSec urityAnnot ationScan( );	462	wrapper. servletSec urityAnnot ationScan( );	459	wrapper. servletSec urityAnnot ationScan( );
493	}	463	}	460	}
494		464		461
495	Re alm realm = this.con text.getRe alm();	465	Re alm realm = this.con text.getRe alm();	462	Re alm realm = this.con text.getRe alm();
496	// Is this r equest URI subject t o a securi ty constra int?	466	// Is this r equest URI subject t o a securi ty constra int?	463	// Is this r equest URI subject t o a securi ty constra int?
497	SecurityCo nstraint [] constra ints	467	SecurityCo nstraint [] constra ints = realm.f indSecurit yConstrain ts(request , this.con text);	464	Se curityCons traint[] c onstraints = realm.f indSecurit yConstrain ts(request , this.con text);
498	= realm. findSecuri tyConstrai nts(reques t, this.co ntext);	468		465
		469	Au thConfigPr ovider jas picProvide r = getJas picProvide r();	466	Au thConfigPr ovider jas picProvide r = getJas picProvide r();
		470	if (jaspicPr ovider != null) {	467	if (jaspicPr ovider != null) {
		471	authRequ ired = tru e;	468	authRequ ired = tru e;
		472	}	469	}
499		473		470
500	if (constr aints == n ull && !co ntext.getP reemptiveA uthenticat ion() ) {	474	if (constr aints == n ull && !co ntext.getP reemptiveA uthenticat ion() && !authR equired ) {	471	if (constrai nts == nul l && !cont ext.getPre emptiveAut henticatio n() && !au thRequired ) {
501	if (log. isDebugEna bled()) {	475	if (log. isDebugEna bled()) {	472	if (log. isDebugEna bled()) {
502	log. debug(" No t subject to any con straint");	476	log. debug(" No t subject to any con straint");	473	log. debug(" No t subject to any con straint");
503	}	477	}	474	}
504	getNext( ).invoke(r equest, re sponse);	478	getNext( ).invoke(r equest, re sponse);	475	getNext( ).invoke(r equest, re sponse);
505	return;	479	return;	476	return;
506	}	480	}	477	}
507		481		478
508	// Make sure that cons trained re sources ar e not cach ed by web proxies	482	// Make sure that cons trained re sources ar e not cach ed by web proxies	479	// Make sure that cons trained re sources ar e not cach ed by web proxies
509	// or browse rs as cach ing can pr ovide a se curity hol e	483	// or browse rs as cach ing can pr ovide a se curity hol e	480	// or browse rs as cach ing can pr ovide a se curity hol e
510	if (constrai nts != nul l && disab leProxyCac hing &&	484	if (constrai nts != nul l && disab leProxyCac hing &&	481	if (constrai nts != nul l && disab leProxyCac hing &&
511	!"POST". equalsIgno reCase(req uest.getMe thod())) {	485	!"PO ST".equals IgnoreCase (request.g etMethod() )) {	482	!"PO ST".equals IgnoreCase (request.g etMethod() )) {
512	if (secu rePagesWit hPragma) {	486	if (secu rePagesWit hPragma) {	483	if (secu rePagesWit hPragma) {
513	// N ote: These can cause problems with downl oading fil es with IE	487	// N ote: These can cause problems with downl oading fil es with IE	484	// N ote: These can cause problems with downl oading fil es with IE
514	resp onse.setHe ader("Prag ma", "No-c ache");	488	resp onse.setHe ader("Prag ma", "No-c ache");	485	resp onse.setHe ader("Prag ma", "No-c ache");
515	resp onse.setHe ader("Cach e-Control" , "no-cach e");	489	resp onse.setHe ader("Cach e-Control" , "no-cach e");	486	resp onse.setHe ader("Cach e-Control" , "no-cach e");
516	} else {	490	} else {	487	} else {
517	resp onse.setHe ader("Cach e-Control" , "private ");	491	resp onse.setHe ader("Cach e-Control" , "private ");	488	resp onse.setHe ader("Cach e-Control" , "private ");
518	}	492	}	489	}
519	response .setHeader ("Expires" , DATE_ONE );	493	response .setHeader ("Expires" , DATE_ONE );	490	response .setHeader ("Expires" , DATE_ONE );
520	}	494	}	491	}
521		495		492
522	in t i;
523	if (constrai nts != nul l) {	496	if (constrai nts != nul l) {	493	if (constrai nts != nul l) {
524	// Enfor ce any use r data con straint fo r this sec urity cons traint	497	// Enfor ce any use r data con straint fo r this sec urity cons traint	494	// Enfor ce any use r data con straint fo r this sec urity cons traint
525	if (log. isDebugEna bled()) {	498	if (log. isDebugEna bled()) {	495	if (log. isDebugEna bled()) {
526	log. debug(" Ca lling hasU serDataPer mission()" );	499	log. debug(" Ca lling hasU serDataPer mission()" );	496	log. debug(" Ca lling hasU serDataPer mission()" );
527	}	500	}	497	}
528	if (!realm .hasUserDa taPermissi on(request , response ,	501	if (!realm .hasUserDa taPermissi on(request , response , constrain ts)) {	498	if (!rea lm.hasUser DataPermis sion(reque st, respon se, constr aints)) {
529	const raints)) {
530	if ( log.isDebu gEnabled() ) {	502	if ( log.isDebu gEnabled() ) {	499	if ( log.isDebu gEnabled() ) {
531	log.debug( " Failed h asUserData Permission () test");	503	log.debug( " Failed h asUserData Permission () test");	500	log.debug( " Failed h asUserData Permission () test");
532	}	504	}	501	}
533	/*	505	/*	502	/*
534	* ASSERT: Authentica tor alread y set the appropriat e	506	* ASSERT: Authentica tor alread y set the appropriat e HTTP stat us	503	* A SSERT: Aut henticator already s et the app ropriate H TTP status
535	* HTTP statu s code, so w e do not h ave to do anything s pecial	507	* code, so w e do not h ave to do anything s pecial	504	* c ode, so we do not ha ve to do a nything sp ecial
536	*/	508	*/	505	*/
537	retu rn;	509	retu rn;	506	retu rn;
538	}	510	}	507	}
539	}	511	}	508	}
540		512		509
541	// Since aut henticate modifies t he respons e on failu re,	513	// Since aut henticate modifies t he respons e on failu re,	510	// Since aut henticate modifies t he respons e on failu re,
542	// we have t o check fo r allow-fr om-all fir st.	514	// we have t o check fo r allow-fr om-all fir st.	511	// we have t o check fo r allow-fr om-all fir st.
543	boolean a uth Requi r e d ;	515	boolean h a sA uth Const r aint = fal s e ;	512	bo olean hasA uthConstra int = fals e;
544	if (constr aints = = null) {	516	if (constr aints ! = null) {	513	if (constrai nts != nul l) {
545	authRequ ired = fal se;	517	h a sA uth Const r aint = true;	514	hasAuthC onstraint = true;
546	} else {	518	for (i nt i = 0; i < con straints.l ength && h a sA uth Const r aint ; i++) {	515	for (int i = 0; i < constrai nts.length && hasAut hConstrain t; i++) {
547	a uth Requi r ed = true;	519	if (!constrai nts[i].get AuthConstr aint()) {	516	if ( !constrain ts[i].getA uthConstra int()) {
548	for (i = 0; i < con straints.l ength && a uth Requi r ed ; i++) {	520	h a sA uth Const r aint = false;	517	hasAuthCon straint = false;
549	if (!constrai nts[i].get AuthConstr aint()) {	521	} else if (!constrai nts[i].get AllRoles() &&	518	} el se if (!co nstraints[ i].getAllR oles() &&
550	a uth Requi r ed = false;
551	break;
552	} else if (!constrai nts[i].get AllRoles() &&
553	!const raints[i]. getAuthent icatedUser s()) {	522	!const raints[i]. getAuthent icatedUser s()) {	519	!const raints[i]. getAuthent icatedUser s()) {
554	String [] roles = constrain ts[i].find AuthRoles( );	523	String [] roles = constrain ts[i].find AuthRoles( );	520	String[] r oles = con straints[i ].findAuth Roles();
555	if (roles == null \|\| ro les.length == 0) {	524	if (roles == null \|\| ro les.length == 0) {	521	if (roles == null \|\| roles.len gth == 0) {
556	a uth Requi r ed = false;	525	h a sA uth Const r aint = false;	522	hasAut hConstrain t = false;
557	break;	526	}	523	}
558	}	527	}	524	}
559	}	528	}	525	}
560	}	529	}	526	}
		530		527
		531	if (!authReq uired && h asAuthCons traint) {	528	if (!authReq uired && h asAuthCons traint) {
		532	authRequ ired = tru e;	529	authRequ ired = tru e;
561	}	533	}	530	}
562		534		531
563	if (!authReq uired && c ontext.get Preemptive Authentica tion()) {	535	if (!authReq uired && c ontext.get Preemptive Authentica tion()) {	532	if (!authReq uired && c ontext.get Preemptive Authentica tion()) {
564	authRequ ired =	536	authRequ ired =	533	authRequ ired =
565	request.ge tCoyoteReq uest().get MimeHeader s().getVal ue(	537	request.ge tCoyoteReq uest().get MimeHeader s().getVal ue( "authoriza tion") != null;	534	request.ge tCoyoteReq uest().get MimeHeader s().getVal ue("author ization") != null;
566	"autho rization") != null;
567	}	538	}	535	}
568		539		536
569	if (!authR equired && context.g etPreempti veAuthenti cation() &&	540	if (!authR equired && context.g etPreempti veAuthenti cation()	537	if (!authReq uired && c ontext.get Preemptive Authentica tion()
570	HttpServle tRequest.C LIENT_CERT _AUTH.equa ls(getAuth Method())) {	541	&& HttpServle tRequest.C LIENT_CERT _AUTH.equa ls(getAuth Method())) {	538	&& H ttpServlet Request.CL IENT_CERT_ AUTH.equal s(getAuthM ethod())) {
571	X509Cert ificate[] certs = ge tRequestCe rtificates (request);	542	X509Cert ificate[] certs = ge tRequestCe rtificates (request);	539	X509Cert ificate[] certs = ge tRequestCe rtificates (request);
572	authRequ ired = cer ts != null && certs. length > 0 ;	543	authRequ ired = cer ts != null && certs. length > 0 ;	540	authRequ ired = cer ts != null && certs. length > 0 ;
573	}	544	}	541	}
574		545		542
575	if (authRequi red) {	546	Ja spicState jaspicStat e = null;	543	Ja spicState jaspicStat e = null;
		547		544
		548	if (authRequi red) {	545	if (authRequ ired) {
576	if (log. isDebugEna bled()) {	549	if (log. isDebugEna bled()) {	546	if (log. isDebugEna bled()) {
577	log. debug(" Ca lling auth enticate() ");	550	log. debug(" Ca lling auth enticate() ");	547	log. debug(" Ca lling auth enticate() ");
578	}	551	}	548	}
579	if ( !authentic ate (request, response )) {	552		549
		553	if (jasp icProvider != null) {	550	if (jasp icProvider != null) {
		554	jasp icState = getJaspicS tate(jaspi cProvider, request, response, hasAuthCon straint);	551	jasp icState = getJaspicS tate(jaspi cProvider, request, response, hasAuthCon straint);
		555	if ( jaspicStat e == null) {	552	if ( jaspicStat e == null) {
		556	return;	553	return;
		557	}	554	}
		558	}	555	}
		559		556
		560	if (jasp icProvider == null & & !doAuthe nticate(re quest, res ponse) \|\|	557	if (jasp icProvider == null & & !doAuthe nticate(re quest, res ponse) \|\|
		561	jaspicProv ider != nu ll &&	558	jaspicProv ider != nu ll &&
		562	!authentic ate Jaspic (request, response , jaspicSt ate, false )) {	559	!a uthenticat eJaspic(re quest, res ponse, jas picState, false)) {
580	if ( log.isDebu gEnabled() ) {	563	if ( log.isDebu gEnabled() ) {	560	if ( log.isDebu gEnabled() ) {
581	log.debug( " Failed a uthenticat e() test") ;	564	log.debug( " Failed a uthenticat e() test") ;	561	log.debug( " Failed a uthenticat e() test") ;
582	}	565	}	562	}
583	/*	566	/*	563	/*
584	* ASSERT: Authentica tor alread y set the appropriat e	567	* ASSERT: Authentica tor alread y set the appropriat e HTTP stat us	564	* A SSERT: Aut henticator already s et the app ropriate H TTP status
585	* HTTP statu s code, so w e do not h ave to do anything	568	* code, so w e do not h ave to do anything special	565	* c ode, so we do not ha ve to do a nything sp ecial
586	* s pecial
587	*/	569	*/	566	*/
588	retu rn;	570	retu rn;	567	retu rn;
589	}	571	}	568	}
590		572		569
591	}	573	}	570	}
592		574		571
593	if (constrai nts != nul l) {	575	if (constrai nts != nul l) {	572	if (constrai nts != nul l) {
594	if (log. isDebugEna bled()) {	576	if (log. isDebugEna bled()) {	573	if (log. isDebugEna bled()) {
595	log. debug(" Ca lling acce ssControl( )");	577	log. debug(" Ca lling acce ssControl( )");	574	log. debug(" Ca lling acce ssControl( )");
596	}	578	}	575	}
597	if (!realm .hasResour cePermissi on(request , response ,	579	if (!realm .hasResour cePermissi on(request , response , constrain ts, this.c ontext)) {	576	if (!rea lm.hasReso urcePermis sion(reque st, respon se, constr aints, thi s.context) ) {
598	const raints,
599	this. context)) {
600	if ( log.isDebu gEnabled() ) {	580	if ( log.isDebu gEnabled() ) {	577	if ( log.isDebu gEnabled() ) {
601	log.debug( " Failed a ccessContr ol() test" );	581	log.debug( " Failed a ccessContr ol() test" );	578	log.debug( " Failed a ccessContr ol() test" );
602	}	582	}	579	}
603	/*	583	/*	580	/*
604	* ASSERT: AccessCont rol method has alrea dy set the	584	* ASSERT: AccessCont rol method has alrea dy set the appropria te	581	* A SSERT: Acc essControl method ha s already set the ap propriate
605	* appropriat e HTTP statu s code, so we do not have to d o	585	* HTTP statu s code, so we do not have to d o anything special	582	* H TTP status code, so we do not have to do anything special
606	* a nything sp ecial
607	*/	586	*/	583	*/
608	retu rn;	587	retu rn;	584	retu rn;
609	}	588	}	585	}
610	}	589	}	586	}
611		590		587
612	// Any and a ll specifi ed constra ints have been satis fied	591	// Any and a ll specifi ed constra ints have been satis fied	588	// Any and a ll specifi ed constra ints have been satis fied
613	if (log.isDe bugEnabled ()) {	592	if (log.isDe bugEnabled ()) {	589	if (log.isDe bugEnabled ()) {
614	log.debu g(" Succes sfully pas sed all se curity con straints") ;	593	log.debu g(" Succes sfully pas sed all se curity con straints") ;	590	log.debu g(" Succes sfully pas sed all se curity con straints") ;
615	}	594	}	591	}
616	ge tNext().in voke(reque st, respon se);	595	ge tNext().in voke(reque st, respon se);	592	ge tNext().in voke(reque st, respon se);
617		596		593
		597	if (jaspicPr ovider != null) {	594	if (jaspicPr ovider != null) {
		598	secureRe sponseJspi c(request, response, jaspicSta te);	595	secureRe sponseJspi c(request, response, jaspicSta te);
		599	}	596	}
		600	}	597	}
		601		598
		602		599
		603	@Overr ide	600	@Overr ide
		604	public boolean a uthenticat e(Request request, H ttpServlet Response h ttpRespons e)	601	public boolean a uthenticat e(Request request, H ttpServlet Response h ttpRespons e)
		605	throws I OException {	602	throws I OException {
		606		603
		607	Au thConfigPr ovider jas picProvide r = getJas picProvide r();	604	Au thConfigPr ovider jas picProvide r = getJas picProvide r();
		608		605
		609	if (jaspicPr ovider == null) {	606	if (jaspicPr ovider == null) {
		610	return d oAuthentic ate(reques t, httpRes ponse);	607	return d oAuthentic ate(reques t, httpRes ponse);
		611	} else {	608	} else {
		612	Response response = request. getRespons e();	609	Response response = request. getRespons e();
		613	JaspicSt ate jaspic State = ge tJaspicSta te(jaspicP rovider, r equest, re sponse, tr ue);	610	JaspicSt ate jaspic State = ge tJaspicSta te(jaspicP rovider, r equest, re sponse, tr ue);
		614	if (jasp icState == null) {	611	if (jasp icState == null) {
		615	retu rn false;	612	retu rn false;
		616	}	613	}
		617		614
		618	boolean result = a uthenticat eJaspic(re quest, res ponse, jas picState, true);	615	boolean result = a uthenticat eJaspic(re quest, res ponse, jas picState, true);
		619		616
		620	secureRe sponseJspi c(request, response, jaspicSta te);	617	secureRe sponseJspi c(request, response, jaspicSta te);
		621		618
		622	return r esult;	619	return r esult;
		623	}	620	}
		624	}	621	}
		625		622
		626		623
		627	privat e void sec ureRespons eJspic(Req uest reque st, Respon se respons e, JaspicS tate state ) {	624	privat e void sec ureRespons eJspic(Req uest reque st, Respon se respons e, JaspicS tate state ) {
		628	tr y {	625	tr y {
		629	state.se rverAuthCo ntext.secu reResponse (state.mes sageInfo, null);	626	state.se rverAuthCo ntext.secu reResponse (state.mes sageInfo, null);
		630	request. setRequest ((HttpServ letRequest ) state.me ssageInfo. getRequest Message()) ;	627	request. setRequest ((HttpServ letRequest ) state.me ssageInfo. getRequest Message()) ;
		631	response .setRespon se((HttpSe rvletRespo nse) state .messageIn fo.getResp onseMessag e());	628	response .setRespon se((HttpSe rvletRespo nse) state .messageIn fo.getResp onseMessag e());
		632	} catch (Aut hException e) {	629	} catch (Aut hException e) {
		633	log.warn (sm.getStr ing("authe nticator.j aspicSecur eResponseF ail"), e);	630	log.warn (sm.getStr ing("authe nticator.j aspicSecur eResponseF ail"), e);
		634	}	631	}
		635	}	632	}
		636		633
		637		634
		638	privat e JaspicSt ate getJas picState(A uthConfigP rovider ja spicProvid er, Reques t request,	635	privat e JaspicSt ate getJas picState(A uthConfigP rovider ja spicProvid er, Reques t request,
		639	Response response, boolean a uthMandato ry) throws IOExcepti on {	636	Response response, boolean a uthMandato ry) throws IOExcepti on {
		640	Ja spicState jaspicStat e = new Ja spicState( );	637	Ja spicState jaspicStat e = new Ja spicState( );
		641		638
		642	ja spicState. messageInf o =	639	ja spicState. messageInf o =
		643	new MessageInf oImpl(requ est.getReq uest(), re sponse.get Response() , authMand atory);	640	new MessageInf oImpl(requ est.getReq uest(), re sponse.get Response() , authMand atory);
		644		641
		645	tr y {	642	tr y {
		646	ServerAu thConfig s erverAuthC onfig = ja spicProvid er.getServ erAuthConf ig(	643	ServerAu thConfig s erverAuthC onfig = ja spicProvid er.getServ erAuthConf ig(
		647	"HttpServl et", jaspi cAppContex tID, Callb ackHandler Impl.getIn stance());	644	"HttpServl et", jaspi cAppContex tID, Callb ackHandler Impl.getIn stance());
		648	String a uthContext ID = serve rAuthConfi g.getAuthC ontextID(j aspicState .messageIn fo);	645	String a uthContext ID = serve rAuthConfi g.getAuthC ontextID(j aspicState .messageIn fo);
		649	jaspicSt ate.server AuthContex t = server AuthConfig .getAuthCo ntext(auth ContextID, null, nul l);	646	jaspicSt ate.server AuthContex t = server AuthConfig .getAuthCo ntext(auth ContextID, null, nul l);
		650	} catch (Aut hException e) {	647	} catch (Aut hException e) {
		651	log.warn (sm.getStr ing("authe nticator.j aspicServe rAuthConte xtFail"), e);	648	log.warn (sm.getStr ing("authe nticator.j aspicServe rAuthConte xtFail"), e);
		652	response .sendError (HttpServl etResponse .SC_INTERN AL_SERVER_ ERROR);	649	response .sendError (HttpServl etResponse .SC_INTERN AL_SERVER_ ERROR);
		653	return n ull;	650	return n ull;
		654	}	651	}
		655		652
		656	re turn jaspi cState;	653	re turn jaspi cState;
618	}	657	}	654	}
619		658		655
620		659		656
621	// --- ---------- ---------- ---------- ---------- ---------- - Protecte d Methods	660	// --- ---------- ---------- ---------- ---------- ---------- - Protecte d Methods	657	// --- ---------- ---------- ---------- ---------- ---------- - Protecte d Methods
622		661		658
623	/**	662	/**	659	/**
		663	* Pro vided for sub-classe s to imple ment their specific authentica tion	660	* Pro vided for sub-classe s to imple ment their specific authentica tion
		664	* mec hanism.	661	* mec hanism.
		665	*	662	*
		666	* @pa ram reques t The requ est that t riggered t he authent ication	663	* @pa ram reques t The requ est that t riggered t he authent ication
		667	* @pa ram respon se The res ponse asso ciated wit h the requ est	664	* @pa ram respon se The res ponse asso ciated wit h the requ est
		668	*	665	*
		669	* @re turn {@cod e true} if the the u ser was au thenticate d, otherwi se {@code	666	* @re turn {@cod e true} if the the u ser was au thenticate d, otherwi se {@code
		670	* false }, in whic h case an authentica tion chall enge will have been	667	* false }, in whic h case an authentica tion chall enge will have been
		671	* writt en to the response	668	* writt en to the response
		672	*	669	*
		673	* @th rows IOExc eption If an I/O pro blem occur red during the authe ntication	670	* @th rows IOExc eption If an I/O pro blem occur red during the authe ntication
		674	* pro cess	671	* pro cess
		675	*/	672	*/
		676	protec ted abstra ct boolean doAuthent icate(Requ est reques t, HttpSer vletRespon se respons e)	673	protec ted abstra ct boolean doAuthent icate(Requ est reques t, HttpSer vletRespon se respons e)
		677	throws I OException ;	674	throws I OException ;
		678		675
		679		676
		680	/**	677	/**
		681	* Doe s this aut henticator require t hat {@link #authenti cate(Reque st,	678	* Doe s this aut henticator require t hat {@link #authenti cate(Reque st,
		682	* Htt pServletRe sponse)} i s called t o continue an authen tication p rocess	679	* Htt pServletRe sponse)} i s called t o continue an authen tication p rocess
		683	* tha t started in a previ ous reques t?	680	* tha t started in a previ ous reques t?
		684	*	681	*
		685	* @pa ram reques t The requ est curren tly being processed	682	* @pa ram reques t The requ est curren tly being processed
		686	*	683	*
		687	* @re turn {@cod e true} if authentic ate() must be called , otherwis e	684	* @re turn {@cod e true} if authentic ate() must be called , otherwis e
		688	* {@cod e false}	685	* {@cod e false}
		689	*/	686	*/
		690	protec ted boolea n isContin uationRequ ired(Reque st request ) {	687	protec ted boolea n isContin uationRequ ired(Reque st request ) {
		691	re turn false ;	688	re turn false ;
		692	}	689	}
		693		690
		694		691
		695	/**	692	/**
624	* Loo k for the X509 certi ficate cha in in the Request un der the ke y	696	* Loo k for the X509 certi ficate cha in in the Request un der the ke y	693	* Loo k for the X509 certi ficate cha in in the Request un der the ke y
625	* <co de>javax.s ervlet.req uest.X509C ertificate </code>. I f not foun d, trigger	697	* <co de>javax.s ervlet.req uest.X509C ertificate </code>. I f not foun d, trigger	694	* <co de>javax.s ervlet.req uest.X509C ertificate </code>. I f not foun d, trigger
626	* ext racting th e certific ate chain from the C oyote requ est.	698	* ext racting th e certific ate chain from the C oyote requ est.	695	* ext racting th e certific ate chain from the C oyote requ est.
627	*	699	*	696	*
628	* @param r equest Request to be proces sed	700	* @param r equest	697	* @pa ram reques t
		701	* Re quest to b e processe d	698	* Re quest to b e processe d
629	*	702	*	699	*
630	* @return The X509 c ertificate chain if found, <co de>null</c ode>	703	* @return The X509 c ertificate chain if found, <co de>null</c ode> otherwise .	700	* @re turn The X 509 certif icate chai n if found , <code>nu ll</code> otherwise.
631	* otherw ise.
632	*/	704	*/	701	*/
633	protec ted X509Ce rtificate[ ] getReque stCertific ates(final Request r equest)	705	protec ted X509Ce rtificate[ ] getReque stCertific ates(final Request r equest)	702	protec ted X509Ce rtificate[ ] getReque stCertific ates(final Request r equest)
634	throws I llegalStat eException {	706	throws I llegalStat eException {	703	throws I llegalStat eException {
635		707		704
636	X5 09Certific ate certs[ ] =	708	X5 09Certific ate certs[ ] =	705	X5 09Certific ate certs[ ] =
637	(X50 9Certifica te[]) requ est.getAtt ribute(Glo bals.CERTI FICATES_AT TR);	709	(X50 9Certifica te[]) requ est.getAtt ribute(Glo bals.CERTI FICATES_AT TR);	706	(X50 9Certifica te[]) requ est.getAtt ribute(Glo bals.CERTI FICATES_AT TR);
638		710		707
639	if ((certs = = null) \|\| (certs.le ngth < 1)) {	711	if ((certs = = null) \|\| (certs.le ngth < 1)) {	708	if ((certs = = null) \|\| (certs.le ngth < 1)) {
640	try {	712	try {	709	try {
641	requ est.getCoy oteRequest ().action( ActionCode .REQ_SSL_C ERTIFICATE , null);	713	requ est.getCoy oteRequest ().action( ActionCode .REQ_SSL_C ERTIFICATE , null);	710	requ est.getCoy oteRequest ().action( ActionCode .REQ_SSL_C ERTIFICATE , null);
642	cert s = (X509C ertificate []) reques t.getAttri bute(Globa ls.CERTIFI CATES_ATTR );	714	cert s = (X509C ertificate []) reques t.getAttri bute(Globa ls.CERTIFI CATES_ATTR );	711	cert s = (X509C ertificate []) reques t.getAttri bute(Globa ls.CERTIFI CATES_ATTR );
643	} catch (IllegalSt ateExcepti on ise) {	715	} catch (IllegalSt ateExcepti on ise) {	712	} catch (IllegalSt ateExcepti on ise) {
644	// R equest bod y was too large for save buffe r	716	// R equest bod y was too large for save buffe r	713	// R equest bod y was too large for save buffe r
645	// R eturn null which wil l trigger an auth fa ilure	717	// R eturn null which wil l trigger an auth fa ilure	714	// R eturn null which wil l trigger an auth fa ilure
646	}	718	}	715	}
647	}	719	}	716	}
648		720		717
649	re turn certs ;	721	re turn certs ;	718	re turn certs ;
650	}	722	}	719	}
651		723		720
652
653	/**	724	/**	721	/**
654	* Associat e the spec ified sing le sign on identifie r with the	725	* Associat e the spec ified sing le sign on identifie r with the specified	722	* Ass ociate the specified single si gn on iden tifier wit h the spec ified
655	* specified Session.	726	* Session.	723	* Ses sion.
656	*	727	*	724	*
657	* @param s soId Single si gn on iden tifier	728	* @param s soId	725	* @pa ram ssoId
658	* @param ses sion Session to be associ ated	729	* Si ngle sign on identif ier	726	* Si ngle sign on identif ier
		730	* @pa ram sessio n	727	* @pa ram sessio n
		731	* Session to be associ ated	728	* Se ssion to b e associat ed
659	*/	732	*/	729	*/
660	protec ted void a ssociate(S tring ssoI d, Session session) {	733	protec ted void a ssociate(S tring ssoI d, Session session) {	730	protec ted void a ssociate(S tring ssoI d, Session session) {
661		734		731
662	if (sso == n ull) {	735	if (sso == n ull) {	732	if (sso == n ull) {
663	return;	736	return;	733	return;
664	}	737	}	734	}
665	ss o.associat e(ssoId, s ession);	738	ss o.associat e(ssoId, s ession);	735	ss o.associat e(ssoId, s ession);
666		739		736
667	}	740	}	737	}
668		741		738
669		742		739
670	/**	743	privat e boolean authentica teJaspic(R equest req uest, Resp onse respo nse, Jaspi cState sta te,	740	privat e boolean authentica teJaspic(R equest req uest, Resp onse respo nse, Jaspi cState sta te,
671	* Aut henticate the user m aking this request, based on t he login	744	boolean requirePri ncipal) {	741	boolean requirePri ncipal) {
672	* con figuration of the {@ link Conte xt} with w hich this Authentica tor is	745		742
673	* ass ociated. Return <co de>true</c ode> if an y specifie d constrai nt has	746	bo olean cach edAuth = c heckForCac hedAuthent ication(re quest, res ponse, fal se);	743	bo olean cach edAuth = c heckForCac hedAuthent ication(re quest, res ponse, fal se);
674	* bee n satisfie d, or <cod e>false</c ode> if we have crea ted a resp onse	747	Su bject clie nt = new S ubject();	744	Su bject clie nt = new S ubject();
675	* cha llenge alr eady.	748	Au thStatus a uthStatus;	745	Au thStatus a uthStatus;
676	*	749	tr y {	746	tr y {
677	* @pa ram reques t Request we are pro cessing	750	authStat us = state .serverAut hContext.v alidateReq uest(state .messageIn fo, client , null);	747	authStat us = state .serverAut hContext.v alidateReq uest(state .messageIn fo, client , null);
678	* @pa ram respon se Respons e we are p opulating	751	} catch (Aut hException e) {	748	} catch (Aut hException e) {
679	*	752	log.debu g(sm.getSt ring("auth enticator. loginFail" ), e);	749	log.debu g(sm.getSt ring("auth enticator. loginFail" ), e);
680	* @ex ception IO Exception if an inpu t/output e rror occur s	753	return f alse;	750	return f alse;
681	*/	754	}	751	}
682	@Overr ide	755		752
683	public abstract boolean au thenticate (Request r equest,	756	re quest.setR equest((Ht tpServletR equest) st ate.messag eInfo.getR equestMess age());	753	re quest.setR equest((Ht tpServletR equest) st ate.messag eInfo.getR equestMess age());
684	HttpServ letRespons e response ) throws I OException ;	757	re sponse.set Response(( HttpServle tResponse) state.mes sageInfo.g etResponse Message()) ;	754	re sponse.set Response(( HttpServle tResponse) state.mes sageInfo.g etResponse Message()) ;
		758		755
		759	if (authStat us == Auth Status.SUC CESS) {	756	if (authStat us == Auth Status.SUC CESS) {
		760	GenericP rincipal p rincipal = getPrinci pal(client );	757	GenericP rincipal p rincipal = getPrinci pal(client );
		761	if (log. isDebugEna bled()) {	758	if (log. isDebugEna bled()) {
		762	log. debug("Aut henticated user: " + principal );	759	log. debug("Aut henticated user: " + principal );
		763	}	760	}
		764	if (prin cipal == n ull) {	761	if (prin cipal == n ull) {
		765	requ est.setUse rPrincipal (null);	762	requ est.setUse rPrincipal (null);
		766	requ est.setAut hType(null );	763	requ est.setAut hType(null );
		767	if ( requirePri ncipal) {	764	if ( requirePri ncipal) {
		768	return fal se;	765	return fal se;
		769	}	766	}
		770	} else i f (cachedA uth == fal se \|\|	767	} else i f (cachedA uth == fal se \|\|
		771	!principal .getUserPr incipal(). equals(req uest.getUs erPrincipa l())) {	768	!principal .getUserPr incipal(). equals(req uest.getUs erPrincipa l())) {
		772	// S kip regist ration if authentica tion crede ntials wer e	769	// S kip regist ration if authentica tion crede ntials wer e
		773	// c ached and the Princi pal did no t change.	770	// c ached and the Princi pal did no t change.
		774	requ est.setNot e(Constant s.REQ_JASP IC_SUBJECT _NOTE, cli ent);	771	requ est.setNot e(Constant s.REQ_JASP IC_SUBJECT _NOTE, cli ent);
		775	@Sup pressWarni ngs("rawty pes")// JA SPIC API u ses raw ty pes	772	@Sup pressWarni ngs("rawty pes")// JA SPIC API u ses raw ty pes
		776	Map map = stat e.messageI nfo.getMap ();	773	Map map = stat e.messageI nfo.getMap ();
		777	if ( map != nul l && map.c ontainsKey ("javax.se rvlet.http .registerS ession")) {	774	if ( map != nul l && map.c ontainsKey ("javax.se rvlet.http .registerS ession")) {
		778	register(r equest, re sponse, pr incipal, " JASPIC", n ull, null, true, tru e);	775	register(r equest, re sponse, pr incipal, " JASPIC", n ull, null, true, tru e);
		779	} el se {	776	} el se {
		780	register(r equest, re sponse, pr incipal, " JASPIC", n ull, null) ;	777	register(r equest, re sponse, pr incipal, " JASPIC", n ull, null) ;
		781	}	778	}
		782	}	779	}
		783	return t rue;	780	return t rue;
		784	}	781	}
		785	re turn false ;	782	re turn false ;
		786	}	783	}
		787		784
		788		785
		789	privat e GenericP rincipal g etPrincipa l(Subject subject) {	786	privat e GenericP rincipal g etPrincipa l(Subject subject) {
		790	if (subject == null) {	787	if (subject == null) {
		791	return n ull;	788	return n ull;
		792	}	789	}
		793		790
		794	Se t<GenericP rincipal> principals = subject .getPrivat eCredentia ls(Generic Principal. class);	791	Se t<GenericP rincipal> principals = subject .getPrivat eCredentia ls(Generic Principal. class);
		795	if (principa ls.isEmpty ()) {	792	if (principa ls.isEmpty ()) {
		796	return n ull;	793	return n ull;
		797	}	794	}
		798		795
		799	re turn princ ipals.iter ator().nex t();	796	re turn princ ipals.iter ator().nex t();
		800	}	797	}
685		801		798
686		802		799
687	/**	803	/**	800	/**
688	* Che ck to see if the use r has alre ady been a uthenticat ed earlier in the	804	* Che ck to see if the use r has alre ady been a uthenticat ed earlier in the	801	* Che ck to see if the use r has alre ady been a uthenticat ed earlier in the
689	* pro cessing ch ain or if there is e nough info rmation av ailable to	805	* pro cessing ch ain or if there is e nough info rmation av ailable to	802	* pro cessing ch ain or if there is e nough info rmation av ailable to
690	* aut henticate the user w ithout req uiring fur ther user interactio n.	806	* aut henticate the user w ithout req uiring fur ther user interactio n.	803	* aut henticate the user w ithout req uiring fur ther user interactio n.
691	*	807	*	804	*
692	* @param r equest The curre nt request	808	* @param r equest	805	* @pa ram reques t
693	* @param res ponse The curren t re spons e	809	* The curren t re qu e st	806	* Th e current request
694	* @param use SSO Should inf ormation a vailable f rom SSO be used to a ttempt	810	* @pa ram respon se	807	* @pa ram respon se
695	* to authentica te the cur rent user?	811	* Th e current response	808	* Th e current response
		812	* @pa ram useSSO	809	* @pa ram useSSO
		813	* Should inf ormation a vailable f rom SSO be used to a ttempt to	810	* Sh ould infor mation ava ilable fro m SSO be u sed to att empt to
		814	* authentica te the cur rent user?	811	* au thenticate the curre nt user?
696	*	815	*	812	*
697	* @re turn <code >true</cod e> if the user was a uthenticat ed via the cache,	816	* @re turn <code >true</cod e> if the user was a uthenticat ed via the cache,	813	* @re turn <code >true</cod e> if the user was a uthenticat ed via the cache,
698	* other wise <code >false</co de>	817	* other wise <code >false</co de>	814	* other wise <code >false</co de>
699	*/	818	*/	815	*/
700	protected boolean ch eckForCach edAuthenti cation(Req uest reque st,	819	protected boolean ch eckForCach edAuthenti cation(Req uest reque st, HttpServl etResponse response, boolean u seSSO) {	816	protec ted boolea n checkFor CachedAuth entication (Request r equest, Ht tpServletR esponse re sponse, bo olean useS SO) {
701	HttpServ letRespons e response , boolean useSSO) {
702		820		817
703	// Has the u ser alread y been aut henticated ?	821	// Has the u ser alread y been aut henticated ?	818	// Has the u ser alread y been aut henticated ?
704	Pr incipal pr incipal = request.ge tUserPrinc ipal();	822	Pr incipal pr incipal = request.ge tUserPrinc ipal();	819	Pr incipal pr incipal = request.ge tUserPrinc ipal();
705	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);	823	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);	820	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);
706	if (principa l != null) {	824	if (principa l != null) {	821	if (principa l != null) {
707	if (log. isDebugEna bled()) {	825	if (log. isDebugEna bled()) {	822	if (log. isDebugEna bled()) {
708	log. debug(sm.g etString(" authentica tor.check. found", pr incipal.ge tName()));	826	log. debug(sm.g etString(" authentica tor.check. found", pr incipal.ge tName()));	823	log. debug(sm.g etString(" authentica tor.check. found", pr incipal.ge tName()));
709	}	827	}	824	}
710	// Assoc iate the s ession wit h any exis ting SSO s ession. Ev en if	828	// Assoc iate the s ession wit h any exis ting SSO s ession. Ev en if	825	// Assoc iate the s ession wit h any exis ting SSO s ession. Ev en if
711	// useSS O is false , this wil l ensure c oordinated session	829	// useSS O is false , this wil l ensure c oordinated session	826	// useSS O is false , this wil l ensure c oordinated session
712	// inval idation at log out.	830	// inval idation at log out.	827	// inval idation at log out.
713	if (ssoI d != null) {	831	if (ssoI d != null) {	828	if (ssoI d != null) {
714	asso ciate(ssoI d, request .getSessio nInternal( true));	832	asso ciate(ssoI d, request .getSessio nInternal( true));	829	asso ciate(ssoI d, request .getSessio nInternal( true));
715	}	833	}	830	}
716	return t rue;	834	return t rue;	831	return t rue;
717	}	835	}	832	}
718		836		833
719	// Is there an SSO ses sion again st which w e can try to reauthe nticate?	837	// Is there an SSO ses sion again st which w e can try to reauthe nticate?	834	// Is there an SSO ses sion again st which w e can try to reauthe nticate?
720	if (useSSO & & ssoId != null) {	838	if (useSSO & & ssoId != null) {	835	if (useSSO & & ssoId != null) {
721	if (log. isDebugEna bled()) {	839	if (log. isDebugEna bled()) {	836	if (log. isDebugEna bled()) {
722	log. debug(sm.g etString(" authentica tor.check. sso", ssoI d));	840	log. debug(sm.g etString(" authentica tor.check. sso", ssoI d));	837	log. debug(sm.g etString(" authentica tor.check. sso", ssoI d));
723	}	841	}	838	}
724	/ * Try to r eauthentic ate using data cache d by SSO. If this fa ils,	842	/*	839	/*
725	either the original SSO logon was of DIG EST or SSL (which	843	* Try to r eauthentic ate using data cache d by SSO. If this fa ils,	840	* Try t o reauthen ticate usi ng data ca ched by SS O. If this fails,
726	we can't rea uthenticat e ourselve s because there is n o	844	* either the original SSO logon was of DIG EST or SSL (which we	841	* eithe r the orig inal SSO l ogon was o f DIGEST o r SSL (whi ch we
727	cached username and passwo rd), or th e realm de nied	845	* can't rea uthenticat e ourselve s because there is n o cached	842	* can't reauthent icate ours elves beca use there is no cach ed
728	the user's reauthent ication fo r some rea son.	846	* username and passwo rd), or th e realm de nied the user' s	843	* usern ame and pa ssword), o r the real m denied t he user's
729	In either case we ha ve to prompt th e user for a logon */	847	* reauthent ication fo r some rea son. In either case we h ave to	844	* reaut henticatio n for some reason. I n either c ase we hav e to
		848	* prompt th e user for a logon	845	* promp t the user for a log on
		849	*/	846	*/
730	if (reau thenticate FromSSO(ss oId, reque st)) {	850	if (reau thenticate FromSSO(ss oId, reque st)) {	847	if (reau thenticate FromSSO(ss oId, reque st)) {
731	retu rn true;	851	retu rn true;	848	retu rn true;
732	}	852	}	849	}
733	}	853	}	850	}
734		854		851
735	// Has the C onnector p rovided a pre-authen ticated Pr incipal th at now	855	// Has the C onnector p rovided a pre-authen ticated Pr incipal th at now	852	// Has the C onnector p rovided a pre-authen ticated Pr incipal th at now
736	// needs to be authori zed?	856	// needs to be authori zed?	853	// needs to be authori zed?
737	if (request. getCoyoteR equest().g etRemoteUs erNeedsAut horization ()) {	857	if (request. getCoyoteR equest().g etRemoteUs erNeedsAut horization ()) {	854	if (request. getCoyoteR equest().g etRemoteUs erNeedsAut horization ()) {
738	String u sername = request.ge tCoyoteReq uest().get RemoteUser ().toStrin g();	858	String u sername = request.ge tCoyoteReq uest().get RemoteUser ().toStrin g();	855	String u sername = request.ge tCoyoteReq uest().get RemoteUser ().toStrin g();
739	if (user name != nu ll) {	859	if (user name != nu ll) {	856	if (user name != nu ll) {
740	if ( log.isDebu gEnabled() ) {	860	if ( log.isDebu gEnabled() ) {	857	if ( log.isDebu gEnabled() ) {
741	log.debug( sm.getStri ng("authen ticator.ch eck.author ize", user name));	861	log.debug( sm.getStri ng("authen ticator.ch eck.author ize", user name));	858	log.debug( sm.getStri ng("authen ticator.ch eck.author ize", user name));
742	}	862	}	859	}
743	Prin cipal auth orized = c ontext.get Realm().au thenticate (username) ;	863	Prin cipal auth orized = c ontext.get Realm().au thenticate (username) ;	860	Prin cipal auth orized = c ontext.get Realm().au thenticate (username) ;
744	if ( authorized == null) {	864	if ( authorized == null) {	861	if ( authorized == null) {
745	// Realm d oesn't rec ognise use r. Create a user wit h no roles	865	// Realm d oesn't rec ognise use r. Create a user wit h no roles	862	// Realm d oesn't rec ognise use r. Create a user wit h no roles
746	// from th e authenti cated user name	866	// from th e authenti cated user name	863	// from th e authenti cated user name
747	if (log.is DebugEnabl ed()) {	867	if (log.is DebugEnabl ed()) {	864	if (log.is DebugEnabl ed()) {
748	log.de bug(sm.get String("au thenticato r.check.au thorizeFai l", userna me));	868	log.de bug(sm.get String("au thenticato r.check.au thorizeFai l", userna me));	865	log.de bug(sm.get String("au thenticato r.check.au thorizeFai l", userna me));
749	}	869	}	866	}
750	authorized = new Gen ericPrinci pal(userna me, null, null);	870	authorized = new Gen ericPrinci pal(userna me, null, null);	867	authorized = new Gen ericPrinci pal(userna me, null, null);
751	}	871	}	868	}
752	Stri ng authTyp e = reques t.getAuthT ype();	872	Stri ng authTyp e = reques t.getAuthT ype();	869	Stri ng authTyp e = reques t.getAuthT ype();
753	if ( authType = = null \|\| authType.l ength() == 0) {	873	if ( authType = = null \|\| authType.l ength() == 0) {	870	if ( authType = = null \|\| authType.l ength() == 0) {
754	authType = getAuthMe thod();	874	authType = getAuthMe thod();	871	authType = getAuthMe thod();
755	}	875	}	872	}
756	regi ster(reque st, respon se, author ized, auth Type, user name, null );	876	regi ster(reque st, respon se, author ized, auth Type, user name, null );	873	regi ster(reque st, respon se, author ized, auth Type, user name, null );
757	retu rn true;	877	retu rn true;	874	retu rn true;
758	}	878	}	875	}
759	}	879	}	876	}
760	re turn false ;	880	re turn false ;	877	re turn false ;
761	}	881	}	878	}
762		882		879
763
764	/**	883	/**	880	/**
765	* Attempts reauthent ication to the <code >Realm</co de> using	884	* Attempts reauthent ication to the <code >Realm</co de> using the crede ntials	881	* Att empts reau thenticati on to the <code>Real m</code> u sing the c redentials
766	* the creden tials included i n argument <code>ent ry</code>.	885	* included i n argument <code>ent ry</code>.	882	* inc luded in a rgument <c ode>entry< /code>.
767	*	886	*	883	*
768	* @param sso Id identifier of Single SignOn ses sion with which the	887	* @pa ram ssoId	884	* @pa ram ssoId
769	* caller is associated	888	* identifier of Single SignOn ses sion with which the caller is	885	* id entifier o f SingleSi gnOn sessi on with wh ich the ca ller is
770	* @param req uest the reques t that nee ds to be a uthenticat ed	889	* associated	886	* as sociated
		890	* @pa ram reques t	887	* @pa ram reques t
		891	* the reques t that nee ds to be a uthenticat ed	888	* th e request that needs to be aut henticated
		892	* @re turn <code >true</cod e> if the reauthenti cation fro m SSL occu rred	889	* @re turn <code >true</cod e> if the reauthenti cation fro m SSL occu rred
771	*/	893	*/	890	*/
772	protec ted boolea n reauthen ticateFrom SSO(String ssoId, Re quest requ est) {	894	protec ted boolea n reauthen ticateFrom SSO(String ssoId, Re quest requ est) {	891	protec ted boolea n reauthen ticateFrom SSO(String ssoId, Re quest requ est) {
773		895		892
774	if (sso == n ull \|\| sso Id == null ) {	896	if (sso == n ull \|\| sso Id == null ) {	893	if (sso == n ull \|\| sso Id == null ) {
775	return f alse;	897	return f alse;	894	return f alse;
776	}	898	}	895	}
777		899		896
778	bo olean reau thenticate d = false;	900	bo olean reau thenticate d = false;	897	bo olean reau thenticate d = false;
779		901		898
780	Co ntainer pa rent = get Container( );	902	Co ntainer pa rent = get Container( );	899	Co ntainer pa rent = get Container( );
781	if (parent ! = null) {	903	if (parent ! = null) {	900	if (parent ! = null) {
782	Realm re alm = pare nt.getReal m();	904	Realm re alm = pare nt.getReal m();	901	Realm re alm = pare nt.getReal m();
783	if (real m != null) {	905	if (real m != null) {	902	if (real m != null) {
784	reau thenticate d = sso.re authentica te(ssoId, realm, req uest);	906	reau thenticate d = sso.re authentica te(ssoId, realm, req uest);	903	reau thenticate d = sso.re authentica te(ssoId, realm, req uest);
785	}	907	}	904	}
786	}	908	}	905	}
787		909		906
788	if (reauthen ticated) {	910	if (reauthen ticated) {	907	if (reauthen ticated) {
789	associat e(ssoId, r equest.get SessionInt ernal(true ));	911	associat e(ssoId, r equest.get SessionInt ernal(true ));	908	associat e(ssoId, r equest.get SessionInt ernal(true ));
790		912		909
791	if (log. isDebugEna bled()) {	913	if (log. isDebugEna bled()) {	910	if (log. isDebugEna bled()) {
792	log. debug(" Re authentica ted cached principal '" +	914	log. debug(" Re authentica ted cached principal '" +	911	log. debug(" Re authentica ted cached principal '" +
793	requ est.getUse rPrincipal ().getName () +	915	reques t.getUserP rincipal() .getName() +	912	reques t.getUserP rincipal() .getName() +
794	"' w ith auth t ype '" + request.ge tAuthType( ) + "'");	916	"' wit h auth typ e '" + req uest.getAu thType() + "'");	913	"' wit h auth typ e '" + req uest.getAu thType() + "'");
795	}	917	}	914	}
796	}	918	}	915	}
797		919		916
798	re turn reaut henticated ;	920	re turn reaut henticated ;	917	re turn reaut henticated ;
799	}	921	}	918	}
800		922		919
801
802	/**	923	/**	920	/**
803	* Reg ister an a uthenticat ed Princip al and aut henticatio n type in our	924	* Reg ister an a uthenticat ed Princip al and aut henticatio n type in our	921	* Reg ister an a uthenticat ed Princip al and aut henticatio n type in our
804	* req uest, in t he current session ( if there i s one), an d with our	925	* req uest, in t he current session ( if there i s one), an d with our	922	* req uest, in t he current session ( if there i s one), an d with our
805	* SingleSi gnOn valve , if there is one. Set the ap propriate cookie	926	* SingleSi gnOn valve , if there is one. S et the app ropriate c ookie to be	923	* Sin gleSignOn valve, if there is o ne. Set th e appropri ate cookie to be
806	* to be returned.	927	* returned.	924	* ret urned.
807	*	928	*	925	*
808	* @param req uest The servle t request we are pro cessing	929	* @pa ram reques t	926	* @pa ram reques t
809	* @param res ponse The servle t response we are ge nerating	930	* The servle t request we are pro cessing	927	* Th e servlet request we are proce ssing
810	* @param pri ncipal The authen ticated Pr incipal to be regist ered	931	* @pa ram respon se	928	* @pa ram respon se
811	* @param aut hType The authen tication t ype to be registered	932	* The servle t response we are ge nerating	929	* Th e servlet response w e are gene rating
812	* @param use rname Username u sed to aut henticate (if any)	933	* @pa ram princi pal	930	* @pa ram princi pal
813	* @param pas sword Password u sed to aut henticate (if any)	934	* The authen ticated Pr incipal to be regist ered	931	* Th e authenti cated Prin cipal to b e register ed
		935	* @pa ram authTy pe	932	* @pa ram authTy pe
		936	* The authen tication t ype to be registered	933	* Th e authenti cation typ e to be re gistered
		937	* @pa ram userna me	934	* @pa ram userna me
		938	* Username u sed to aut henticate (if any)	935	* Us ername use d to authe nticate (i f any)
		939	* @pa ram passwo rd	936	* @pa ram passwo rd
		940	* Password u sed to aut henticate (if any)	937	* Pa ssword use d to authe nticate (i f any)
814	*/	941	*/	938	*/
815	public voi d register (Request r equest, Ht tpServletR esponse re sponse,	942	public voi d register (Request r equest, Ht tpServletR esponse re sponse, Principal principal ,	939	public void regi ster(Reque st request , HttpServ letRespons e response , Principa l principa l,
816	Pr incipal pr incipal, S tring auth Type,	943	String a uthType, S tring user name, Stri ng passwor d) {	940	String a uthType, S tring user name, Stri ng passwor d) {
817	String username, String pas sword ) {	944	re gister(req uest, resp onse, prin cipal, aut hType, use rname, pas sword, alw aysUseSess ion, cache );	941	re gister(req uest, resp onse, prin cipal, aut hType, use rname, pas sword, alw aysUseSess ion, cache );
		945	}	942	}
		946		943
		947		944
		948	privat e void reg ister(Requ est reques t, HttpSer vletRespon se respons e, Princip al princip al,	945	privat e void reg ister(Requ est reques t, HttpSer vletRespon se respons e, Princip al princip al,
		949	String authType, String username, String pas sword , boolean al waysUseSes sion,	946	String a uthType, S tring user name, Stri ng passwor d, boolean alwaysUse Session,
		950	boolean cache) {	947	boolean cache) {
818		951		948
819	if (log.isDe bugEnabled ()) {	952	if (log.isDe bugEnabled ()) {	949	if (log.isDe bugEnabled ()) {
820	String n ame = (pri ncipal == null) ? "n one" : pri ncipal.get Name();	953	String n ame = (pri ncipal == null) ? "n one" : pri ncipal.get Name();	950	String n ame = (pri ncipal == null) ? "n one" : pri ncipal.get Name();
821	log.debug( "Authentic ated '" + name + "' with type '" + authT ype +	954	log.debug( "Authentic ated '" + name + "' with type '" + authT ype + "'");	951	log.debu g("Authent icated '" + name + " ' with typ e '" + aut hType + "' ");
822	"'");
823	}	955	}	952	}
824		956		953
825	// Cache the authentic ation info rmation in our reque st	957	// Cache the authentic ation info rmation in our reque st	954	// Cache the authentic ation info rmation in our reque st
826	re quest.setA uthType(au thType);	958	re quest.setA uthType(au thType);	955	re quest.setA uthType(au thType);
827	re quest.setU serPrincip al(princip al);	959	re quest.setU serPrincip al(princip al);	956	re quest.setU serPrincip al(princip al);
828		960		957
829	Se ssion sess ion = requ est.getSes sionIntern al(false);	961	Se ssion sess ion = requ est.getSes sionIntern al(false);	958	Se ssion sess ion = requ est.getSes sionIntern al(false);
830		962		959
831	if (session != null) {	963	if (session != null) {	960	if (session != null) {
832	// If th e principa l is null then this is a logou t. No need to change	964	// If th e principa l is null then this is a logou t. No need to change	961	// If th e principa l is null then this is a logou t. No need to change
833	// the s ession ID. See BZ 59 043.	965	// the s ession ID. See BZ 59 043.	962	// the s ession ID. See BZ 59 043.
834	if (chan geSessionI dOnAuthent ication && principal != null) {	966	if (chan geSessionI dOnAuthent ication && principal != null) {	963	if (chan geSessionI dOnAuthent ication && principal != null) {
835	Stri ng oldId = null;	967	Stri ng oldId = null;	964	Stri ng oldId = null;
836	if ( log.isDebu gEnabled() ) {	968	if ( log.isDebu gEnabled() ) {	965	if ( log.isDebu gEnabled() ) {
837	oldId = se ssion.getI d();	969	oldId = se ssion.getI d();	966	oldId = se ssion.getI d();
838	}	970	}	967	}
839	Mana ger manage r = reques t.getConte xt().getMa nager();	971	Mana ger manage r = reques t.getConte xt().getMa nager();	968	Mana ger manage r = reques t.getConte xt().getMa nager();
840	mana ger.change SessionId( session);	972	mana ger.change SessionId( session);	969	mana ger.change SessionId( session);
841	requ est.change SessionId( session.ge tId());	973	requ est.change SessionId( session.ge tId());	970	requ est.change SessionId( session.ge tId());
842	if ( log.isDebu gEnabled() ) {	974	if ( log.isDebu gEnabled() ) {	971	if ( log.isDebu gEnabled() ) {
843	log.debug( sm.getStri ng("authen ticator.ch angeSessio nId",	975	log.debug( sm.getStri ng("authen ticator.ch angeSessio nId",	972	log.debug( sm.getStri ng("authen ticator.ch angeSessio nId",
844	ol dId, sessi on.getId() ));	976	ol dId, sessi on.getId() ));	973	ol dId, sessi on.getId() ));
845	}	977	}	974	}
846	}	978	}	975	}
847	} else if (a lwaysUseSe ssion) {	979	} else if (a lwaysUseSe ssion) {	976	} else if (a lwaysUseSe ssion) {
848	session = request. getSession Internal(t rue);	980	session = request. getSession Internal(t rue);	977	session = request. getSession Internal(t rue);
849	}	981	}	978	}
850		982		979
851	// Cache the authentic ation info rmation in our sessi on, if any	983	// Cache the authentic ation info rmation in our sessi on, if any	980	// Cache the authentic ation info rmation in our sessi on, if any
852	if (cache) {	984	if (cache) {	981	if (cache) {
853	if (sess ion != nul l) {	985	if (sess ion != nul l) {	982	if (sess ion != nul l) {
854	sess ion.setAut hType(auth Type);	986	sess ion.setAut hType(auth Type);	983	sess ion.setAut hType(auth Type);
855	sess ion.setPri ncipal(pri ncipal);	987	sess ion.setPri ncipal(pri ncipal);	984	sess ion.setPri ncipal(pri ncipal);
856	if ( username ! = null) {	988	if ( username ! = null) {	985	if ( username ! = null) {
857	session.se tNote(Cons tants.SESS _USERNAME_ NOTE, user name);	989	session.se tNote(Cons tants.SESS _USERNAME_ NOTE, user name);	986	session.se tNote(Cons tants.SESS _USERNAME_ NOTE, user name);
858	} el se {	990	} el se {	987	} el se {
859	session.re moveNote(C onstants.S ESS_USERNA ME_NOTE);	991	session.re moveNote(C onstants.S ESS_USERNA ME_NOTE);	988	session.re moveNote(C onstants.S ESS_USERNA ME_NOTE);
860	}	992	}	989	}
861	if ( password ! = null) {	993	if ( password ! = null) {	990	if ( password ! = null) {
862	session.se tNote(Cons tants.SESS _PASSWORD_ NOTE, pass word);	994	session.se tNote(Cons tants.SESS _PASSWORD_ NOTE, pass word);	991	session.se tNote(Cons tants.SESS _PASSWORD_ NOTE, pass word);
863	} el se {	995	} el se {	992	} el se {
864	session.re moveNote(C onstants.S ESS_PASSWO RD_NOTE);	996	session.re moveNote(C onstants.S ESS_PASSWO RD_NOTE);	993	session.re moveNote(C onstants.S ESS_PASSWO RD_NOTE);
865	}	997	}	994	}
866	}	998	}	995	}
867	}	999	}	996	}
868		1000		997
869	// Construct a cookie to be retu rned to th e client	1001	// Construct a cookie to be retu rned to th e client	998	// Construct a cookie to be retu rned to th e client
870	if (sso == n ull) {	1002	if (sso == n ull) {	999	if (sso == n ull) {
871	return;	1003	return;	1000	return;
872	}	1004	}	1001	}
873		1005		1002
874	// Only crea te a new S SO entry i f the SSO did not al ready set a note	1006	// Only crea te a new S SO entry i f the SSO did not al ready set a note	1003	// Only crea te a new S SO entry i f the SSO did not al ready set a note
875	// for an ex isting ent ry (as it would do w ith subseq uent reque sts	1007	// for an ex isting ent ry (as it would do w ith subseq uent reque sts	1004	// for an ex isting ent ry (as it would do w ith subseq uent reque sts
876	// for DIGES T and SSL authentica ted contex ts)	1008	// for DIGES T and SSL authentica ted contex ts)	1005	// for DIGES T and SSL authentica ted contex ts)
877	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);	1009	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);	1006	St ring ssoId = (String ) request. getNote(Co nstants.RE Q_SSOID_NO TE);
878	if (ssoId == null) {	1010	if (ssoId == null) {	1007	if (ssoId == null) {
879	// Const ruct a coo kie to be returned t o the clie nt	1011	// Const ruct a coo kie to be returned t o the clie nt	1008	// Const ruct a coo kie to be returned t o the clie nt
880	ssoId = sessionIdG enerator.g enerateSes sionId();	1012	ssoId = sessionIdG enerator.g enerateSes sionId();	1009	ssoId = sessionIdG enerator.g enerateSes sionId();
881	Cookie c ookie = ne w Cookie(C onstants.S INGLE_SIGN _ON_COOKIE , ssoId);	1013	Cookie c ookie = ne w Cookie(C onstants.S INGLE_SIGN _ON_COOKIE , ssoId);	1010	Cookie c ookie = ne w Cookie(C onstants.S INGLE_SIGN _ON_COOKIE , ssoId);
882	cookie.s etMaxAge(- 1);	1014	cookie.s etMaxAge(- 1);	1011	cookie.s etMaxAge(- 1);
883	cookie.s etPath("/" );	1015	cookie.s etPath("/" );	1012	cookie.s etPath("/" );
884		1016		1013
885	// Bugzi lla 41217	1017	// Bugzi lla 41217	1014	// Bugzi lla 41217
886	cookie.s etSecure(r equest.isS ecure());	1018	cookie.s etSecure(r equest.isS ecure());	1015	cookie.s etSecure(r equest.isS ecure());
887		1019		1016
888	// Bugzi lla 34724	1020	// Bugzi lla 34724	1017	// Bugzi lla 34724
889	String s soDomain = sso.getCo okieDomain ();	1021	String s soDomain = sso.getCo okieDomain ();	1018	String s soDomain = sso.getCo okieDomain ();
890	if (ssoDomain != null) {	1022	if (ssoDomain != null) {	1019	if (ssoD omain != n ull) {
891	cook ie.setDoma in(ssoDoma in);	1023	cook ie.setDoma in(ssoDoma in);	1020	cook ie.setDoma in(ssoDoma in);
892	}	1024	}	1021	}
893		1025		1022
894	// Configu re httpOnl y on SSO c ookie usin g same rul es as sess ion cookies	1026	// Configu re httpOnl y on SSO c ookie usin g same rul es as sess ion	1023	// Confi gure httpO nly on SSO cookie us ing same r ules as se ssion
895	if (reques t.getServl etContext( ).getSessi onCookieCo nfig().isH ttpOnly() \|\|	1027	// cooki es	1024	// cooki es
896	request.ge tContext() .getUseHtt pOnly()) {	1028	if (reques t.getServl etContext( ).getSessi onCookieCo nfig().isH ttpOnly()	1025	if (requ est.getSer vletContex t().getSes sionCookie Config().i sHttpOnly( )
		1029	\|\| request.ge tContext() .getUseHtt pOnly()) {	1026	\|\| request .getContex t().getUse HttpOnly() ) {
897	cook ie.setHttp Only(true) ;	1030	cook ie.setHttp Only(true) ;	1027	cook ie.setHttp Only(true) ;
898	}	1031	}	1028	}
899		1032		1029
900	response .addCookie (cookie);	1033	response .addCookie (cookie);	1030	response .addCookie (cookie);
901		1034		1031
902	// Regis ter this p rincipal w ith our SS O valve	1035	// Regis ter this p rincipal w ith our SS O valve	1032	// Regis ter this p rincipal w ith our SS O valve
903	sso.regi ster(ssoId , principa l, authTyp e, usernam e, passwor d);	1036	sso.regi ster(ssoId , principa l, authTyp e, usernam e, passwor d);	1033	sso.regi ster(ssoId , principa l, authTyp e, usernam e, passwor d);
904	request. setNote(Co nstants.RE Q_SSOID_NO TE, ssoId) ;	1037	request. setNote(Co nstants.RE Q_SSOID_NO TE, ssoId) ;	1034	request. setNote(Co nstants.RE Q_SSOID_NO TE, ssoId) ;
905		1038		1035
906	} else {	1039	} else {	1036	} else {
907	if (prin cipal == n ull) {	1040	if (prin cipal == n ull) {	1037	if (prin cipal == n ull) {
908	// R egistering a program matic logo ut	1041	// R egistering a program matic logo ut	1038	// R egistering a program matic logo ut
909	sso. deregister (ssoId);	1042	sso. deregister (ssoId);	1039	sso. deregister (ssoId);
910	requ est.remove Note(Const ants.REQ_S SOID_NOTE) ;	1043	requ est.remove Note(Const ants.REQ_S SOID_NOTE) ;	1040	requ est.remove Note(Const ants.REQ_S SOID_NOTE) ;
911	retu rn;	1044	retu rn;	1041	retu rn;
912	} else {	1045	} else {	1042	} else {
913	// U pdate the SSO sessio n with the latest au thenticati on data	1046	// U pdate the SSO sessio n with the latest au thenticati on data	1043	// U pdate the SSO sessio n with the latest au thenticati on data
914	sso. update(sso Id, princi pal, authT ype, usern ame, passw ord);	1047	sso. update(sso Id, princi pal, authT ype, usern ame, passw ord);	1044	sso. update(sso Id, princi pal, authT ype, usern ame, passw ord);
915	}	1048	}	1045	}
916	}	1049	}	1046	}
917		1050		1047
918	// Fix for B ug 10040	1051	// Fix for B ug 10040	1048	// Fix for B ug 10040
919	// Always as sociate a session wi th a new S SO reqistr ation.	1052	// Always as sociate a session wi th a new S SO reqistr ation.	1049	// Always as sociate a session wi th a new S SO reqistr ation.
920	// SSO entri es are onl y removed from the S SO registr y map when	1053	// SSO entri es are onl y removed from the S SO registr y map when	1050	// SSO entri es are onl y removed from the S SO registr y map when
921	// associate d sessions are destr oyed; if a new SSO e ntry is cr eated	1054	// associate d sessions are destr oyed; if a new SSO e ntry is cr eated	1051	// associate d sessions are destr oyed; if a new SSO e ntry is cr eated
922	// above for this requ est and th e user nev er revisit s the cont ext, the	1055	// above for this requ est and th e user nev er revisit s the cont ext, the	1052	// above for this requ est and th e user nev er revisit s the cont ext, the
923	// SSO entry will neve r be clear ed if we d on't assoc iate the s ession	1056	// SSO entry will neve r be clear ed if we d on't assoc iate the s ession	1053	// SSO entry will neve r be clear ed if we d on't assoc iate the s ession
924	if (session == null) {	1057	if (session == null) {	1054	if (session == null) {
925	session = request. getSession Internal(t rue);	1058	session = request. getSession Internal(t rue);	1055	session = request. getSession Internal(t rue);
926	}	1059	}	1056	}
927	ss o.associat e(ssoId, s ession);	1060	ss o.associat e(ssoId, s ession);	1057	ss o.associat e(ssoId, s ession);
928		1061		1058
929	}	1062	}	1059	}
930		1063		1060
931	@Overr ide	1064	@Overr ide	1061	@Overr ide
932	public voi d login(St ring usern ame, Strin g password , Request request)	1065	public voi d login(St ring usern ame, Strin g password , Request request) throws Se rvletExcep tion {	1062	public void logi n(String u sername, S tring pass word, Requ est reques t) throws ServletExc eption {
933	throws S ervletExce ption {
934	Pr incipal pr incipal = doLogin(re quest, use rname, pas sword);	1066	Pr incipal pr incipal = doLogin(re quest, use rname, pas sword);	1063	Pr incipal pr incipal = doLogin(re quest, use rname, pas sword);
935	register(r equest, re quest.getR esponse(), principal ,	1067	register(r equest, re quest.getR esponse(), principal , getAuthMe thod(), us ername, pa ssword);	1064	re gister(req uest, requ est.getRes ponse(), p rincipal, getAuthMet hod(), use rname, pas sword);
936	getAuthMet hod(), use rname, pas sword);
937	}	1068	}	1065	}
938		1069		1066
939	protec ted abstra ct String getAuthMet hod();	1070	protec ted abstra ct String getAuthMet hod();	1067	protec ted abstra ct String getAuthMet hod();
940		1071		1068
941	/**	1072	/**	1069	/**
942	* Pro cess the l ogin reque st.	1073	* Pro cess the l ogin reque st.	1070	* Pro cess the l ogin reque st.
943	*	1074	*	1071	*
944	* @param r equest Associated request	1075	* @param r equest	1072	* @pa ram reques t
945	* @param usern a me The u s e r	1076	* As sociated r equest	1073	* As sociated r equest
946	* @param pas sword The passwo rd	1077	* @pa ram userna me	1074	* @pa ram userna me
		1078	* Th e user	1075	* Th e user
		1079	* @param p a s swo r d	1076	* @pa ram passwo rd
		1080	* The passwo rd	1077	* Th e password
947	* @re turn The au thenticate d Principa l	1081	* @re turn The a uthenticat ed Princip al	1078	* @re turn The a uthenticat ed Princip al
948	* @th rows Servl etExceptio n	1082	* @th rows Servl etExceptio n	1079	* @th rows Servl etExceptio n
		1083	* N o principa l was auth enticated with the s pecified c redentials	1080	* N o principa l was auth enticated with the s pecified c redentials
949	*/	1084	*/	1081	*/
950	protected Principal doLogin(Re quest requ est, Strin g username ,	1085	protected Principal doLogin(Re quest requ est, Strin g username , String pa ssword)	1082	protec ted Princi pal doLogi n(Request request, S tring user name, Stri ng passwor d)
951	String pas sword) throws Ser vletExcept ion {	1086	throws Ser vletExcept ion {	1083	throws S ervletExce ption {
952	Pr incipal p = context. getRealm() .authentic ate(userna me, passwo rd);	1087	Pr incipal p = context. getRealm() .authentic ate(userna me, passwo rd);	1084	Pr incipal p = context. getRealm() .authentic ate(userna me, passwo rd);
953	if (p == nul l) {	1088	if (p == nul l) {	1085	if (p == nul l) {
954	throw ne w ServletE xception(s m.getStrin g("authent icator.log inFail"));	1089	throw ne w ServletE xception(s m.getStrin g("authent icator.log inFail"));	1086	throw ne w ServletE xception(s m.getStrin g("authent icator.log inFail"));
955	}	1090	}	1087	}
956	re turn p;	1091	re turn p;	1088	re turn p;
957	}	1092	}	1089	}
958		1093		1090
959	@Overr ide	1094	@Overr ide	1091	@Overr ide
960	public void logo ut(Request request) {	1095	public void logo ut(Request request) {	1092	public void logo ut(Request request) {
		1096	Au thConfigPr ovider pro vider = ge tJaspicPro vider();	1093	Au thConfigPr ovider pro vider = ge tJaspicPro vider();
		1097	if (provider != null) {	1094	if (provider != null) {
		1098	MessageI nfo messag eInfo = ne w MessageI nfoImpl(re quest, req uest.getRe sponse(), true);	1095	MessageI nfo messag eInfo = ne w MessageI nfoImpl(re quest, req uest.getRe sponse(), true);
		1099	Subject client = ( Subject) r equest.get Note(Const ants.REQ_J ASPIC_SUBJ ECT_NOTE);	1096	Subject client = ( Subject) r equest.get Note(Const ants.REQ_J ASPIC_SUBJ ECT_NOTE);
		1100	if (clie nt == null ) {	1097	if (clie nt == null ) {
		1101	retu rn;	1098	retu rn;
		1102	}	1099	}
		1103		1100
		1104	ServerAu thContext serverAuth Context;	1101	ServerAu thContext serverAuth Context;
		1105	try {	1102	try {
		1106	Serv erAuthConf ig serverA uthConfig = provider .getServer AuthConfig ("HttpServ let",	1103	Serv erAuthConf ig serverA uthConfig = provider .getServer AuthConfig ("HttpServ let",
		1107	jaspic AppContext ID, Callba ckHandlerI mpl.getIns tance());	1104	jaspic AppContext ID, Callba ckHandlerI mpl.getIns tance());
		1108	Stri ng authCon textID = s erverAuthC onfig.getA uthContext ID(message Info);	1105	Stri ng authCon textID = s erverAuthC onfig.getA uthContext ID(message Info);
		1109	serv erAuthCont ext = serv erAuthConf ig.getAuth Context(au thContextI D, null, n ull);	1106	serv erAuthCont ext = serv erAuthConf ig.getAuth Context(au thContextI D, null, n ull);
		1110	serv erAuthCont ext.cleanS ubject(mes sageInfo, client);	1107	serv erAuthCont ext.cleanS ubject(mes sageInfo, client);
		1111	} catch (AuthExcep tion e) {	1108	} catch (AuthExcep tion e) {
		1112	log. debug(sm.g etString(" authentica tor.jaspic CleanSubje ctFail"), e);	1109	log. debug(sm.g etString(" authentica tor.jaspic CleanSubje ctFail"), e);
		1113	}	1110	}
		1114	}	1111	}
		1115		1112
961	Pr incipal p = request. getPrincip al();	1116	Pr incipal p = request. getPrincip al();	1113	Pr incipal p = request. getPrincip al();
962	if (p instan ceof Tomca tPrincipal ) {	1117	if (p instan ceof Tomca tPrincipal ) {	1114	if (p instan ceof Tomca tPrincipal ) {
963	try {	1118	try {	1115	try {
964	((To mcatPrinci pal) p).lo gout();	1119	((To mcatPrinci pal) p).lo gout();	1116	((To mcatPrinci pal) p).lo gout();
965	} catch (Throwable t) {	1120	} catch (Throwable t) {	1117	} catch (Throwable t) {
966	Exce ptionUtils .handleThr owable(t);	1121	Exce ptionUtils .handleThr owable(t);	1118	Exce ptionUtils .handleThr owable(t);
967	log. debug(sm.g etString(" authentica tor.tomcat PrincipalL ogoutFail" ), t);	1122	log. debug(sm.g etString(" authentica tor.tomcat PrincipalL ogoutFail" ), t);	1119	log. debug(sm.g etString(" authentica tor.tomcat PrincipalL ogoutFail" ), t);
968	}	1123	}	1120	}
969	}	1124	}	1121	}
970		1125		1122
971	re gister(req uest, requ est.getRes ponse(), n ull, null, null, nul l);	1126	re gister(req uest, requ est.getRes ponse(), n ull, null, null, nul l);	1123	re gister(req uest, requ est.getRes ponse(), n ull, null, null, nul l);
972	}	1127	}	1124	}
973		1128		1125
		1129		1126
974	/**	1130	/**	1127	/**
975	* Start th is compone nt and imp lement the requireme nts	1131	* Start th is compone nt and imp lement the requireme nts of	1128	* Sta rt this co mponent an d implemen t the requ irements o f
976	* of {@link org .apache.ca talina.uti l.Lifecycl eBase#star tInternal( )}.	1132	* {@link org .apache.ca talina.uti l.Lifecycl eBase#star tInternal( )}.	1129	* {@l ink org.ap ache.catal ina.util.L ifecycleBa se#startIn ternal()}.
977	*	1133	*	1130	*
978	* @excepti on Lifecyc leExceptio n if this c omponent d etects a f atal error	1134	* @excepti on Lifecyc leExceptio n	1131	* @ex ception Li fecycleExc eption
979	* that preve nts this component from being used	1135	* if this component detects a fatal erro r that pre vents this	1132	* if this component detects a fatal erro r that pre vents this
		1136	* component from being used	1133	* componen t from bei ng used
980	*/	1137	*/	1134	*/
981	@Overr ide	1138	@Overr ide	1135	@Overr ide
982	protec ted synchr onized voi d startInt ernal() th rows Lifec ycleExcept ion {	1139	protec ted synchr onized voi d startInt ernal() th rows Lifec ycleExcept ion {	1136	protec ted synchr onized voi d startInt ernal() th rows Lifec ycleExcept ion {
		1140	Se rvletConte xt servlet Context = context.ge tServletCo ntext();	1137	Se rvletConte xt servlet Context = context.ge tServletCo ntext();
		1141	ja spicAppCon textID = s ervletCont ext.getVir tualServer Name() + " " +	1138	ja spicAppCon textID = s ervletCont ext.getVir tualServer Name() + " " +
		1142	serv letContext .getContex tPath();	1139	serv letContext .getContex tPath();
983		1143		1140
984	// Look up t he SingleS ignOn impl ementation in our re quest proc essing	1144	// Look up t he SingleS ignOn impl ementation in our re quest proc essing	1141	// Look up t he SingleS ignOn impl ementation in our re quest proc essing
985	// path, if there is o ne	1145	// path, if there is o ne	1142	// path, if there is o ne
986	Co ntainer pa rent = con text.getPa rent();	1146	Co ntainer pa rent = con text.getPa rent();	1143	Co ntainer pa rent = con text.getPa rent();
987	wh ile ((sso == null) & & (parent != null)) {	1147	wh ile ((sso == null) & & (parent != null)) {	1144	wh ile ((sso == null) & & (parent != null)) {
988	Valve va lves[] = p arent.getP ipeline(). getValves( );	1148	Valve va lves[] = p arent.getP ipeline(). getValves( );	1145	Valve va lves[] = p arent.getP ipeline(). getValves( );
989	for (int i = 0; i < valves.l ength; i++ ) {	1149	for (int i = 0; i < valves.l ength; i++ ) {	1146	for (int i = 0; i < valves.l ength; i++ ) {
990	if ( valves[i] instanceof SingleSig nOn) {	1150	if ( valves[i] instanceof SingleSig nOn) {	1147	if ( valves[i] instanceof SingleSig nOn) {
991	sso = (Sin gleSignOn) valves[i] ;	1151	sso = (Sin gleSignOn) valves[i] ;	1148	sso = (Sin gleSignOn) valves[i] ;
992	break;	1152	break;	1149	break;
993	}	1153	}	1150	}
994	}	1154	}	1151	}
995	if (sso == null) {	1155	if (sso == null) {	1152	if (sso == null) {
996	pare nt = paren t.getParen t();	1156	pare nt = paren t.getParen t();	1153	pare nt = paren t.getParen t();
997	}	1157	}	1154	}
998	}	1158	}	1155	}
999	if (log.isDe bugEnabled ()) {	1159	if (log.isDe bugEnabled ()) {	1156	if (log.isDe bugEnabled ()) {
1000	if (sso != null) {	1160	if (sso != null) {	1157	if (sso != null) {
1001	log. debug("Fou nd SingleS ignOn Valv e at " + s so);	1161	log. debug("Fou nd SingleS ignOn Valv e at " + s so);	1158	log. debug("Fou nd SingleS ignOn Valv e at " + s so);
1002	} else {	1162	} else {	1159	} else {
1003	log. debug("No SingleSign On Valve i s present" );	1163	log. debug("No SingleSign On Valve i s present" );	1160	log. debug("No SingleSign On Valve i s present" );
1004	}	1164	}	1161	}
1005	}	1165	}	1162	}
1006		1166		1163
1007	se ssionIdGen erator = n ew Standar dSessionId Generator( );	1167	se ssionIdGen erator = n ew Standar dSessionId Generator( );	1164	se ssionIdGen erator = n ew Standar dSessionId Generator( );
1008	se ssionIdGen erator.set SecureRand omAlgorith m(getSecur eRandomAlg orithm());	1168	se ssionIdGen erator.set SecureRand omAlgorith m(getSecur eRandomAlg orithm());	1165	se ssionIdGen erator.set SecureRand omAlgorith m(getSecur eRandomAlg orithm());
1009	se ssionIdGen erator.set SecureRand omClass(ge tSecureRan domClass() );	1169	se ssionIdGen erator.set SecureRand omClass(ge tSecureRan domClass() );	1166	se ssionIdGen erator.set SecureRand omClass(ge tSecureRan domClass() );
1010	se ssionIdGen erator.set SecureRand omProvider (getSecure RandomProv ider());	1170	se ssionIdGen erator.set SecureRand omProvider (getSecure RandomProv ider());	1167	se ssionIdGen erator.set SecureRand omProvider (getSecure RandomProv ider());
1011		1171		1168
1012	su per.startI nternal();	1172	su per.startI nternal();	1169	su per.startI nternal();
1013	}	1173	}	1170	}
1014		1174		1171
1015
1016	/**	1175	/**	1172	/**
1017	* Stop thi s componen t and impl ement the requiremen ts	1176	* Stop thi s componen t and impl ement the requiremen ts of	1173	* Sto p this com ponent and implement the requi rements of
1018	* of {@link org .apache.ca talina.uti l.Lifecycl eBase#stop Internal() }.	1177	* {@link org .apache.ca talina.uti l.Lifecycl eBase#stop Internal() }.	1174	* {@l ink org.ap ache.catal ina.util.L ifecycleBa se#stopInt ernal()}.
1019	*	1178	*	1175	*
1020	* @excepti on Lifecyc leExceptio n if this c omponent d etects a f atal error	1179	* @excepti on Lifecyc leExceptio n	1176	* @ex ception Li fecycleExc eption
1021	* that preve nts this component from being used	1180	* if this component detects a fatal erro r that pre vents this	1177	* if this component detects a fatal erro r that pre vents this
		1181	* component from being used	1178	* componen t from bei ng used
1022	*/	1182	*/	1179	*/
1023	@Overr ide	1183	@Overr ide	1180	@Overr ide
1024	protec ted synchr onized voi d stopInte rnal() thr ows Lifecy cleExcepti on {	1184	protec ted synchr onized voi d stopInte rnal() thr ows Lifecy cleExcepti on {	1181	protec ted synchr onized voi d stopInte rnal() thr ows Lifecy cleExcepti on {
1025		1185		1182
1026	su per.stopIn ternal();	1186	su per.stopIn ternal();	1183	su per.stopIn ternal();
1027		1187		1184
1028	ss o = null;	1188	ss o = null;	1185	ss o = null;
1029	}	1189	}	1186	}
		1190		1187
		1191		1188
		1192	privat e AuthConf igProvider getJaspic Provider() {	1189	privat e AuthConf igProvider getJaspic Provider() {
		1193	AuthConfig Provider provider = jaspicPr ovider;	1190	Optional< AuthConfig Provider > provider = jaspicPr ovider;
		1194	if (provider == null) {	1191	if (provider == null) {
		1195	provider = findJas picProvide r();	1192	provider = findJas picProvide r();
		1196	}	1193	}
		1197	if (provider == NO_PRO VIDER_AVAI LABLE) {	1194	return pro vider .orElse(nu ll) ;
		1198	return n ull;
		1199	}
		1200	return pro vider ;
		1201	}	1195	}
		1202		1196
		1203		1197
		1204	private AuthConfig Provider findJaspi cProvider( ) {	1198	private Optional< AuthConfig Provider > findJaspi cProvider( ) {
		1205	Au thConfigFa ctory fact ory = Auth ConfigFact ory.getFac tory();	1199	Au thConfigFa ctory fact ory = Auth ConfigFact ory.getFac tory();
		1206	AuthConfig Provider provider = null ;	1200	Optional< AuthConfig Provider > provider ;
		1207	if (factor y ! = null) {	1201	if (factor y = = null) {
		1208	provider = factory.ge tConfigPro vider("Htt pServlet", jaspicApp ContextID, this) ;	1202	provider = Optiona l.empty();
		1209	}	1203	} else {
		1210	if (provider == null) {	1204	provider = Optiona l.ofNullab le(
		1211	provider = NO_PROV IDER_AVAIL ABLE;	1205	factory.ge tConfigPro vider("Htt pServlet", jaspicApp ContextID, this) ) ;
		1212	}	1206	}
		1213	ja spicProvid er = provi der;	1207	ja spicProvid er = provi der;
		1214	re turn provi der;	1208	re turn provi der;
		1215	}	1209	}
		1216		1210
		1217		1211
		1218	@Overr ide	1212	@Overr ide
		1219	public void noti fy(String layer, Str ing appCon text) {	1213	public void noti fy(String layer, Str ing appCon text) {
		1220	fi ndJaspicPr ovider();	1214	fi ndJaspicPr ovider();
		1221	}	1215	}
		1222		1216
		1223		1217
		1224	privat e static c lass Jaspi cState {	1218	privat e static c lass Jaspi cState {
		1225	pu blic Messa geInfo mes sageInfo = null;	1219	pu blic Messa geInfo mes sageInfo = null;
		1226	pu blic Serve rAuthConte xt serverA uthContext = null;	1220	pu blic Serve rAuthConte xt serverA uthContext = null;
		1227	}	1221	}
		1228
		1229
		1230	privat e static c lass NoOpA uthConfigP rovider im plements A uthConfigP rovider {
		1231
		1232	@O verride
		1233	pu blic Clien tAuthConfi g getClien tAuthConfi g(String l ayer, Stri ng appCont ext, Callb ackHandler handler)
		1234	thro ws AuthExc eption {
		1235	return n ull;
		1236	}
		1237
		1238	@O verride
		1239	pu blic Serve rAuthConfi g getServe rAuthConfi g(String l ayer, Stri ng appCont ext, Callb ackHandler handler)
		1240	thro ws AuthExc eption {
		1241	return n ull;
		1242	}
		1243
		1244	@O verride
		1245	pu blic void refresh() {
		1246	}
		1247	}
1030	}	1248	}	1222	}