This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.auth.form-1.0.2 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-form.git
commit dc0a50e664a949edeac28cb6532e763a7d786368
Author: Felix Meschberger <[email protected]>
AuthorDate: Mon Sep 13 10:08:52 2010 +0000

SLING-1752 Unify resource attribute/parameter setting and default value handling

git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form@996477 13f79535-47bb-0310-9956-ffa450edef68
---
 pom.xml | 2 +-
 .../auth/form/impl/FormAuthenticationHandler.java | 83 ++++++++++++++++------
 2 files changed, 64 insertions(+), 21 deletions(-)

diff --git a/pom.xml b/pom.xml
index 0e529a5..34ae84d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,7 +98,7 @@
 <dependency>
 <groupId>org.apache.sling</groupId>
 <artifactId>org.apache.sling.auth.core</artifactId>
- <version>1.0.0</version>
+ <version>1.0.3-SNAPSHOT</version>
 <scope>provided</scope>
 </dependency>
 <dependency>
diff --git a/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java b/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
index 7835e0a..0557d6f 100644
--- a/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
+++ b/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
@@ -330,13 +330,26 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler { if (authData != null) { if (tokenStore.isValid(authData)) { info = createAuthInfo(authData); + } else if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) { + // signal to AJAX the request is forbidden + try { + response.sendError( + HttpServletResponse.SC_REQUEST_TIMEOUT, + "Session Timeout, please login"); + response.flushBuffer(); + } catch (IOException ioe) { + // TODO: log !! + } + return AuthenticationInfo.DOING_AUTH; } else { if (this.loginAfterExpire) { - // signal the requestCredentials method a previous login failure - request.setAttribute(PAR_J_REASON, FormReason.TIMEOUT); - info = AuthenticationInfo.FAIL_AUTH; + // signal the requestCredentials method a previous login + // failure + request.setAttribute(PAR_J_REASON, FormReason.TIMEOUT); + info = AuthenticationInfo.FAIL_AUTH; } - // clear the cookie, its invalid and we should get rid of it so that the invalid cookie + // clear the cookie, its invalid and we should get rid of it + // so that the invalid cookie // isn't present on the authN operation. authStorage.clear(request, response); } @@ -379,11 +392,8 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler { return true; } - String resource = getLoginResource(request, null); - if (resource == null) { - resource = request.getContextPath() + request.getPathInfo(); - request.setAttribute(Authenticator.LOGIN_RESOURCE, resource); - } + final String resource = setLoginResourceAttribute(request, + request.getRequestURI()); if (includeLoginForm && (resourceResolverFactory != null)) { ResourceResolver resourceResolver = null; 
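Review bot: In the new `else if` branch for `XMLHttpRequest` the invalid token cookie is never cleared — `authStorage.clear(request, response)` is only reached in the final `else` — so the browser keeps resending the stale cookie and every subsequent AJAX call ends in the same 408 until the cookie is removed by other means. Moving `authStorage.clear(request, response);` in front of `return AuthenticationInfo.DOING_AUTH;` keeps the two branches consistent. The `catch (IOException ioe)` holding only `// TODO: log !!` swallows the failure; it should at least be recorded through whatever logger this class uses (the logger field, if any, is outside the hunk). Separately, `SC_REQUEST_TIMEOUT` (408) is defined for a client that took too long to send its request, while the comment speaks of the request being "forbidden", so `HttpServletResponse.SC_FORBIDDEN` or `SC_UNAUTHORIZED` would match the stated intent unless the AJAX client code specifically expects 408. The enclosing method begins and ends outside the hunk.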
@@ -651,9 +661,7 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
 // authentication, otherwise the request may be processed
 // as a POST request to the j_security_check page (unless
 // the j_validate parameter is set)
- if (getLoginResource(request, null) == null) {
- request.setAttribute(Authenticator.LOGIN_RESOURCE, "/");
- }
+ setLoginResourceAttribute(request, request.getContextPath());
 }
 }
 
@@ -896,6 +904,15 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
 * {@link CookieAuthData} in an HTTP Cookie.
 */
 private static class CookieStorage implements AuthenticationStorage {
+
+ /**
+ * The Set-Cookie header used to manage the login cookie.
+ *
+ * @see CookieStorage#setCookie(HttpServletRequest, HttpServletResponse,
+ * String, String, int, String)
+ */
+ private static final String HEADER_SET_COOKIE = "Set-Cookie";
+
 private final String cookieName;
 private final String domainCookieName;
 private final String defaultCookieDomain;
@@ -917,8 +934,11 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler {
 
 // reverse the base64 encoding
 try {
- return new String(Base64.decodeBase64(value),
- "UTF-8");
+ String result = new String(
+ Base64.decodeBase64(value), "UTF-8");
+ if (result.length() > 0) {
+ return result;
+ }
 } catch (UnsupportedEncodingException e1) {
 throw new RuntimeException(e1);
 }
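Review bot: `request.getContextPath()` is the empty string for an application deployed at the root context, whereas the removed code defaulted the login resource to `"/"`; unless `setLoginResourceAttribute` (defined outside this file) maps an empty value to a non-empty default, the `Authenticator.LOGIN_RESOURCE` attribute can now end up as `""`. Either pass `request.getContextPath() + "/"` here or confirm the helper's empty-string handling and say so in the comment above. The enclosing method starts and ends outside the hunk.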
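Review bot: The new `result.length() > 0` check only catches a decode that produced nothing; commons-codec `Base64.decodeBase64` is lenient and ignores characters outside its alphabet, so a tampered or truncated cookie value still decodes to arbitrary bytes that are returned as the token string. That is acceptable only because the caller's `tokenStore.isValid` has to reject such values, and a comment making that dependency explicit would help, e.g. `// decoded value is untrusted input; tokenStore.isValid() must verify it`. What happens after the length check fails (presumably a `null` return) is outside the hunk and should be confirmed.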
@@ -988,14 +1008,37 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler { ? "/" : ctxPath; - Cookie cookie = new Cookie(name, value); + /* + * The Servlet Spec 2.5 does not allow us to set the commonly used + * HttpOnly attribute on cookies (Servlet API 3.0 does) so we create + * the Set-Cookie header manually. See + * http://www.owasp.org/index.php/HttpOnly for information on what + * the HttpOnly attribute is used for. + */ + + final StringBuilder header = new StringBuilder(); + + // default setup with name, value, cookie path and HttpOnly + header.append(name).append('=').append(value); + header.append(";Path=").append(cookiePath); + header.append(";HttpOnly"); // don't allow JS access + + // set the cookie domain if so configured if (domain != null) { - cookie.setDomain(domain); + header.append(";Domain=").append(domain); + } + + // Only set the Max-Age attribute to remove the cookie + if (age == 0) { + header.append(";Max-Age=").append(age); } - cookie.setMaxAge(age); - cookie.setPath(cookiePath); - cookie.setSecure(request.isSecure()); - response.addCookie(cookie); + + // ensure the cookie is secured if this is an https request + if (request.isSecure()) { + header.append(";Secure"); + } + + response.addHeader(HEADER_SET_COOKIE, header.toString()); } } -- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
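Review bot: `Max-Age` is now written only when `age == 0`, whereas the removed `cookie.setMaxAge(age)` applied every age, so a caller passing a positive age silently gets a session cookie instead of a persistent one; if that is intended the comment should say so, otherwise the condition should be `if (age >= 0)`. For the removal case, Internet Explorer of that era ignores `Max-Age`, so the deletion header should additionally carry `;Expires=Thu, 01-Jan-1970 00:00:00 GMT` to be reliable. Building the header by hand also loses the checks the `Cookie` constructor performed on `name` and the container's quoting of the value, so `name` and `domain`, which come from configuration, should be rejected if they contain `;`, `,`, whitespace or CR/LF before being appended (a misconfigured value would otherwise corrupt or split the header); `value` is base64 per the decoding code in this class and is safe as-is. `request.isSecure()` is false behind a TLS-terminating proxy, so `Secure` is omitted in that common deployment — unchanged from `cookie.setSecure`, but worth a configuration override now that the header is explicit. The enclosing `setCookie` method starts outside the hunk.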
