Hi,
In article <[EMAIL PROTECTED]>,
Thu, 19 Feb 2004 15:50:00 +0900 (JST),
Kazuhito SUGURI <[EMAIL PROTECTED]> wrote:
suguri.kazuhito> I'll propose a modified FormAuthentication soon.
This is the one.
I had modified FormAuthentication.java in cactus-src-1.5.
Two sets of accessor has been added to the original:
- void setExpectedPreAuthResponse(int) / int getExpectedPreAuthResponse()
Set/get the expected HTTP response code for the request
to the restricted resource without valid cookie.
The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP).
This is corresponding to the Step (2).
- void setExpectedAuthResponse(int) / int getexpectedAuthResponse()
Set/get the expected HTTP response code if the security_check
is succeeded.
The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP).
This is corresponding to the Step (4).
Ankur, would you try this?
Regards,
----
Kazuhito SUGURI
mailto:[EMAIL PROTECTED]
/*
* ====================================================================
*
* The Apache Software License, Version 1.1
*
* Copyright (c) 2001-2003 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution, if
* any, must include the following acknowlegement:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowlegement may appear in the software itself,
* if and wherever such third-party acknowlegements normally appear.
*
* 4. The names "The Jakarta Project", "Cactus" and "Apache Software
* Foundation" must not be used to endorse or promote products
* derived from this software without prior written permission. For
* written permission, please contact [EMAIL PROTECTED]
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.cactus.client.authentication;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import org.apache.cactus.Cookie;
import org.apache.cactus.WebRequest;
import org.apache.cactus.client.connector.http.ConnectionHelper;
import org.apache.cactus.client.connector.http.ConnectionHelperFactory;
import org.apache.cactus.configuration.Configuration;
import org.apache.cactus.configuration.WebConfiguration;
import org.apache.cactus.util.ChainedRuntimeException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Form-based authentication implementation. An instance of this class
* can be reused across several tests as it caches the session cookie.
* Thus the first time it is used to authenticate the user, it calls
* the security URL (which is by default the context URL prepended by
* "j_security_check"), caches the returned session cookie and adds the
* cookie for the next request. The second time it is called, it simply
* addes the session cookie for the next request.
*
* @author <a href="mailto:[EMAIL PROTECTED]">Jason Robertson</a>
* @author <a href="mailto:[EMAIL PROTECTED]">Vincent Massol</a>
*
* @since 1.5
*
* @version $Id: $
*/
public class FormAuthentication extends AbstractAuthentication
{
/**
* The logger.
*/
private static final Log LOGGER =
LogFactory.getLog(FormAuthentication.class);
/**
* The expected HTTP response code for the request to a restricted
* resource without authenticated principal.
*/
private int expectedPreAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP;
/**
* The expected HTTP response code when the authentication is succeeded.
*/
private int expectedAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP;
/**
* The URL to use when attempting to log in, if for whatever reason
* the default URL is incorrect.
*/
private URL securityCheckURL = null;
/**
* We store the session cookie name because of case issues. We need
* to be able to send exactly the same one as was sent back by the
* server. */
private String sessionIdCookieName = null;
/**
* We store the session id cookie so that this instance can
* be reused for another test. */
private String sessionId = null;
/**
* [EMAIL PROTECTED] WebRequest} object that will be used to connect to the
* security URL.
*/
private WebRequest securityRequest = new WebRequest();
/**
* @param theName user name of the Credential
* @param thePassword user password of the Credential
*/
public FormAuthentication(String theName, String thePassword)
{
super(theName, thePassword);
}
/**
* @see AbstractAuthentication#validateName(String)
*/
protected void validateName(String theName)
{
// Nothing to do here...
}
/**
* @see AbstractAuthentication#validatePassword(String)
*/
protected void validatePassword(String thePassword)
{
// Nothing to do here...
}
/**
* @see AbstractAuthentication#configure(WebRequest, Configuration)
*/
public void configure(WebRequest theRequest,
Configuration theConfiguration)
{
// Only authenticate the first time this instance is used.
if (this.sessionId == null)
{
authenticate(theRequest, theConfiguration);
}
// Sets the session id cookie for the next request.
if (this.sessionId != null)
{
theRequest.addCookie(this.sessionIdCookieName, this.sessionId);
}
}
/**
* @return the [EMAIL PROTECTED] WebRequest} that will be used to connect to the
* security URL. It can be used to add additional HTTP parameters such
* as proprietary ones required by some containers.
*/
public WebRequest getSecurityRequest()
{
return this.securityRequest;
}
/**
* This sets the URL to use when attempting to log in. This method is used
* if for whatever reason the default URL is incorrect.
*
* @param theUrl A URL to use to attempt to login.
*/
public void setSecurityCheckURL(URL theUrl)
{
this.securityCheckURL = theUrl;
}
/**
* This returns the URL to use when attempting to log in. By default, it's
* the context URL defined in the Cactus configuration with
* "/j_security_check" appended.
*
* @param theConfiguration the Cactus configuration
* @return the URL that is being used to attempt to login.
*/
public URL getSecurityCheckURL(Configuration theConfiguration)
{
if (this.securityCheckURL == null)
{
// Configure default
String stringUrl =
((WebConfiguration) theConfiguration).getContextURL()
+ "/j_security_check";
try
{
this.securityCheckURL = new URL(stringUrl);
}
catch (MalformedURLException e)
{
throw new ChainedRuntimeException(
"Unable to create default Security Check URL ["
+ stringUrl + "]");
}
}
LOGGER.debug("Using security check URL [" + this.securityCheckURL
+ "]");
return securityCheckURL;
}
/**
* Get the expected HTTP response code for the request to a restricted
* resource without authenticated principal.
*/
public int getExpectedPreAuthResponse(){
return this.expectedPreAuthResponse;
}
/**
* Set the expected HTTP response code for the request to a restricted
* resource without authenticated principal.
* The default is HttpURLConnection.HTTP_MOVED_TEMP.
*/
public void setExpectedPreAuthResponse(int expected){
this.expectedPreAuthResponse = expected;
}
/**
* Get the expected HTTP response code when the authentication is succeeded.
*/
public int getExpectedAuthResponse(){
return this.expectedAuthResponse;
}
/**
* Set the expected HTTP response code when the authentication is succeeded.
* The default is HttpURLConnection.HTTP_MOVED_TEMP.
*/
public void setExpectedAuthResponse(int expected){
this.expectedAuthResponse = expected;
}
private void checkResponseCodeEquals(int expected, int actual)
throws Exception
{
if(actual!=expected){
throw new Exception("Received a [" + actual + "] response code"
+ " and was expecting a [" + expected + "]");
}
}
private Cookie getCookie(HttpURLConnection connection, String target){
// Check (possible multiple) cookies for a target.
int i = 1;
String key = connection.getHeaderFieldKey(i);
while (key != null){
if (key.equalsIgnoreCase("set-cookie")){
// Cookie is in the form:
// "NAME=VALUE; expires=DATE; path=PATH;
// domain=DOMAIN_NAME; secure"
// The only thing we care about is finding a cookie with
// the name "JSESSIONID" and caching the value.
String cookiestr = connection.getHeaderField(i);
String nameValue = cookiestr.substring(0, cookiestr.indexOf(";"));
int equalsChar = nameValue.indexOf("=");
String name = nameValue.substring(0, equalsChar);
String value = nameValue.substring(equalsChar + 1);
if (name.equalsIgnoreCase(target)){
return new Cookie(connection.getURL().getHost(),
name, value);
}
}
key = connection.getHeaderFieldKey(++i);
}
return null;
}
private Cookie getSecureSessionIdCookie(WebRequest theRequest,
Configuration theConfiguration)
{
HttpURLConnection connection;
String resource = null;
try{
// Create a helper that will connect to a restricted resource.
resource = ((WebConfiguration)
theConfiguration).getRedirectorURL(theRequest);
ConnectionHelper helper =
ConnectionHelperFactory.getConnectionHelper(resource,
theConfiguration);
WebRequest request =
new WebRequest((WebConfiguration) theConfiguration);
// Make the connection using a default web request.
connection = helper.connect(request, theConfiguration);
checkResponseCodeEquals(getExpectedPreAuthResponse(),
connection.getResponseCode());
}catch(Throwable e){
throw new ChainedRuntimeException("Failed to connect to the secured
redirector: "
+ resource, e);
}
return getCookie(connection, "JSESSIONID");
}
/**
* Authenticate the principal by calling the security URL.
*
* @param theRequest the web request used to connect to the Redirector
* @param theConfiguration the Cactus configuration
*/
public void authenticate(WebRequest theRequest,
Configuration theConfiguration)
{
Cookie jsessionCookie = getSecureSessionIdCookie(theRequest,
theConfiguration);
sessionIdCookieName = jsessionCookie.getName();
sessionId = jsessionCookie.getValue();
try {
// Create a helper that will connect to the security check URL.
String url = getSecurityCheckURL(theConfiguration).toString();
ConnectionHelper helper =
ConnectionHelperFactory.getConnectionHelper(url,
(WebConfiguration)
theConfiguration);
// Configure a web request with the JSESSIONID cookie,
// the username and the password.
WebRequest request = getSecurityRequest();
request.setConfiguration(theConfiguration);
request.addCookie(jsessionCookie);
request.addParameter("j_username", getName(), WebRequest.POST_METHOD);
request.addParameter("j_password", getPassword(), WebRequest.POST_METHOD);
// Make the connection using the configured web request.
HttpURLConnection connection = helper.connect(request, theConfiguration);
checkResponseCodeEquals(getExpectedAuthResponse(),
connection.getResponseCode());
}catch(Throwable e){
throw new ChainedRuntimeException("Failed to authenticate the principal",
e);
}
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
