Author: fmeschbe
Date: Mon Aug 16 11:31:52 2010
New Revision: 985879
URL: http://svn.apache.org/viewvc?rev=985879&view=rev
Log:
SLING-1656 Unconditionally send back a 401/UNAUTHORIZED response from the
requestCredentials method if no other authentication handler was willing to
request credentials. Same for the extractCredentials method: The built-in HTTP
Basic handler is only called if no other credentials handler was willing to
handle the request. So the handler will first try to extract the authentication
header and, if it is missing, request credentials provided the sling:authRequestLogin
parameter is set to any value.
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java?rev=985879&r1=985878&r2=985879&view=diff
==============================================================================
---
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
(original)
+++
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
Mon Aug 16 11:31:52 2010
@@ -127,7 +127,11 @@ public class HttpBasicAuthenticationHand
}
/**
- * Sends back the form to log into the system.
+ * Called by the SlingAuthenticator.login method in case no other
+ * authentication handler was willing to request credentials from the
+ * client. In this case this HTTP Basic authentication handler will
+ * send back a {...@link #sendUnauthorized(HttpServletResponse) 401
response}
+ * to request HTTP Basic authentication from the client.
*
* @param request The request object
* @param response The response object to which to send the request
@@ -135,12 +139,7 @@ public class HttpBasicAuthenticationHand
*/
public boolean requestCredentials(HttpServletRequest request,
HttpServletResponse response) {
-
- if (isLoginRequested(request, true)) {
- return sendUnauthorized(response);
- }
-
- return false;
+ return sendUnauthorized(response);
}
/**
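Review bot: After this hunk `request` is no longer read anywhere in requestCredentials (the body is just `return sendUnauthorized(response);`), yet the surrounding Javadoc still documents it as a plain input; mark it as unused so nobody assumes the handler still honours per-request hints, e.g. `@param request The request object (not consulted; a Basic challenge is always sent)`. Because the method now challenges every caller with HTTP Basic regardless of what the client asked for, the Javadoc would also benefit from a caveat that Basic credentials travel base64-encoded in the clear and the handler should only be exposed over TLS; whether sendUnauthorized sets a realm or checks the connection is outside this hunk. The return value is whatever sendUnauthorized reports, so if it can return false (for instance when the response is already committed) the caller falls through as though no handler requested credentials.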
@@ -161,17 +160,20 @@ public class HttpBasicAuthenticationHand
}
/**
- * Returns true if the {...@link #REQUEST_LOGIN_PARAMETER} parameter is
set to
- * the value <code>Basic</code> thus requesting plain basic authentication.
+ * Returns true if the {...@link #REQUEST_LOGIN_PARAMETER} parameter is
set.
+ * <p>
+ * This method always returns <code>true</code> if the parameter is set
+ * regardless of its value because the client indicated it wanted to login
+ * but no authentication handler was willing to actually handle this
+ * request. So as a last fallback this handler request HTTP Basic
+ * Credentials.
+ *
+ * @return <code>true</code> if the
+ * {...@link AuthenticationHandler#REQUEST_LOGIN_PARAMETER} is set
to
+ * any value.
*/
- private boolean isLoginRequested(HttpServletRequest request,
- boolean optionalLoginParameter) {
- final String reqLogin = request.getParameter(REQUEST_LOGIN_PARAMETER);
- if (reqLogin == null) {
- return optionalLoginParameter;
- }
- return "1".equals(reqLogin)
- || HttpServletRequest.BASIC_AUTH.equals(reqLogin);
+ private boolean isLoginRequested(HttpServletRequest request) {
+ return request.getParameter(REQUEST_LOGIN_PARAMETER) != null;
}
/**
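Review bot: The new Javadoc on isLoginRequested has a grammatical slip, `this handler request HTTP Basic Credentials` should read `this handler requests HTTP Basic credentials`, and its summary links `#REQUEST_LOGIN_PARAMETER` while the `@return` links `AuthenticationHandler#REQUEST_LOGIN_PARAMETER`; pick one form. More importantly the contract change deserves an explicit sentence: the removed code only fired for the values `1` and `Basic`, whereas `getParameter(...) != null` now also fires for an empty value (`?sling:authRequestLogin=`) and for values addressed to other handlers, so a client that asked for a different, unconfigured login mechanism ends up with a Basic challenge. Suggested addition to the Javadoc: `Note that the parameter value is ignored, so a request naming another, unconfigured login mechanism (or carrying an empty value) will also receive a Basic challenge.`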
@@ -197,7 +199,7 @@ public class HttpBasicAuthenticationHand
// presume 401/UNAUTHORIZED has not been sent
boolean authenticationForced = false;
- if (isLoginRequested(request, false)) {
+ if (isLoginRequested(request)) {
authenticationForced = sendUnauthorized(response);