This is an automated email from the ASF dual-hosted git repository. radcortez pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 199b35223e1527377b52650557c75d2a135eb069 Author: Roberto Cortez <[email protected]> AuthorDate: Fri Dec 28 10:57:41 2018 +0000 TOMEE-2365 - Save original request on first form login step. --- .../security/cdi/LoginToContinueInterceptor.java | 17 +++--- .../security/http/LoginToContinueMechanism.java | 68 ++++++++++++++++++++++ 2 files changed, 78 insertions(+), 7 deletions(-) diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/LoginToContinueInterceptor.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/LoginToContinueInterceptor.java index d35be0a..1895689 100644 --- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/LoginToContinueInterceptor.java +++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/LoginToContinueInterceptor.java @@ -22,7 +22,6 @@ import javax.annotation.Priority; import javax.interceptor.AroundInvoke; import javax.interceptor.Interceptor; import javax.interceptor.InvocationContext; -import javax.security.enterprise.AuthenticationException; import javax.security.enterprise.AuthenticationStatus; import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext; import javax.security.enterprise.authentication.mechanism.http.LoginToContinue; @@ -31,6 +30,8 @@ import javax.servlet.http.HttpServletResponse; import java.util.Arrays; import static javax.interceptor.Interceptor.Priority.PLATFORM_BEFORE; +import static org.apache.tomee.security.http.LoginToContinueMechanism.isOriginalRequestInSession; +import static org.apache.tomee.security.http.LoginToContinueMechanism.saveRequest; @LoginToContinue @Interceptor 
@@ -51,7 +52,7 @@ public class LoginToContinueInterceptor { } private AuthenticationStatus validateRequest(final InvocationContext invocationContext) - throws AuthenticationException { + throws Exception { final HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2]; clearStaleState(httpMessageContext); @@ -74,11 +75,13 @@ public class LoginToContinueInterceptor { private AuthenticationStatus processContainerInitiatedAuthentication( final InvocationContext invocationContext, - final HttpMessageContext httpMessageContext) { + final HttpMessageContext httpMessageContext) + throws Exception { if (isOnInitialProtectedURL(httpMessageContext)) { - final LoginToContinue loginToContinue = getLoginToContinue(invocationContext); + saveRequest(httpMessageContext.getRequest()); + final LoginToContinue loginToContinue = getLoginToContinue(invocationContext); if (loginToContinue.useForwardToLogin()) { return httpMessageContext.forward(loginToContinue.loginPage()); } else { @@ -86,7 +89,7 @@ public class LoginToContinueInterceptor { } } - if (isOnOnLoginPostback(httpMessageContext)) { + if (isOnLoginPostback(httpMessageContext)) { return null; } @@ -98,10 +101,10 @@ public class LoginToContinueInterceptor { } private boolean isOnInitialProtectedURL(final HttpMessageContext httpMessageContext) { - return httpMessageContext.isProtected(); + return httpMessageContext.isProtected() && !isOriginalRequestInSession(httpMessageContext.getRequest()); } - private boolean isOnOnLoginPostback(final HttpMessageContext httpMessageContext) { + private boolean isOnLoginPostback(final HttpMessageContext httpMessageContext) { return false; } diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/LoginToContinueMechanism.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/LoginToContinueMechanism.java index fe5fccd..482bae6 100644 
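Review bot: Widening `validateRequest` from `throws AuthenticationException` to `throws Exception` replaces a specific checked contract with the raw type, and the `@@ -74,11 +75,13 @@` hunk makes the same widening on `processContainerInitiatedAuthentication`. The only new checked exception is the `IOException` thrown by `saveRequest`, so it would be more precise to keep the original clauses and translate at the call site: `try { saveRequest(httpMessageContext.getRequest()); } catch (final IOException e) { throw new AuthenticationException("Could not save the original request", e); }`, adding `import java.io.IOException;` and keeping the `AuthenticationException` import that the first hunk removes. Both methods continue outside their hunks, so any other statement that now relies on the wider clause is not visible here.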
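Review bot: Gating `isOnInitialProtectedURL` on `!isOriginalRequestInSession(...)` means that once a `SavedRequest` sits in the session, any further request to a protected URL made before login is neither saved nor forwarded to the login page; it falls through to `isOnLoginPostback`, which still returns `false`, and what happens after that is outside this hunk. Unless `clearStaleState` (called in the `@@ -51,7 +52,7 @@` hunk, body not shown) removes the attribute, a user who abandons the login page keeps the stale entry for the life of the session, and the first protected URL they touched, not the latest, is the one that would be replayed. A comment stating the intended lifecycle would make the choice explicit, e.g. `// A saved request means the login page was already presented; do not overwrite it with a later protected URL`; if the latest URL should win instead, drop the session check and let `saveRequest` overwrite the attribute.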
--- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/LoginToContinueMechanism.java
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/LoginToContinueMechanism.java
@@ -16,8 +16,76 @@ */ package org.apache.tomee.security.http; +import org.apache.catalina.authenticator.SavedRequest; +import org.apache.tomcat.util.buf.ByteChunk; + import javax.security.enterprise.authentication.mechanism.http.LoginToContinue; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.io.InputStream; +import java.util.Enumeration; +import java.util.Locale; public interface LoginToContinueMechanism { + int MAX_SAVE_POST_SIZE = 4 * 1024; + + String ORIGINAL_REQUEST = "org.apache.tomee.security.request.original"; + LoginToContinue getLoginToContinue(); + + static void saveRequest(final HttpServletRequest request) throws IOException { + SavedRequest saved = new SavedRequest(); + Cookie cookies[] = request.getCookies(); + if (cookies != null) { + for (int i = 0; i < cookies.length; i++) { + saved.addCookie(cookies[i]); + } + } + Enumeration<String> names = request.getHeaderNames(); + while (names.hasMoreElements()) { + String name = names.nextElement(); + Enumeration<String> values = request.getHeaders(name); + while (values.hasMoreElements()) { + String value = values.nextElement(); + saved.addHeader(name, value); + } + } + Enumeration<Locale> locales = request.getLocales(); + while (locales.hasMoreElements()) { + Locale locale = locales.nextElement(); + saved.addLocale(locale); + } + + int maxSavePostSize = MAX_SAVE_POST_SIZE; + if (maxSavePostSize != 0) { + ByteChunk body = new ByteChunk(); + body.setLimit(maxSavePostSize); + + byte[] buffer = new byte[4096]; + int bytesRead; + InputStream is = request.getInputStream(); + + while ( (bytesRead = is.read(buffer) ) >= 0) { + body.append(buffer, 0, bytesRead); + } + + // Only save the request body if there is something to save + if (body.getLength() > 0) { + saved.setContentType(request.getContentType()); + saved.setBody(body); + } + } + + saved.setMethod(request.getMethod()); + saved.setQueryString(request.getQueryString()); + 
saved.setRequestURI(request.getRequestURI()); + + // Stash the SavedRequest in our session for later use + request.getSession().setAttribute(ORIGINAL_REQUEST, saved); + } + + static boolean isOriginalRequestInSession(final HttpServletRequest request) { + return request.getSession().getAttribute(ORIGINAL_REQUEST) != null; + } }
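Review bot: `saveRequest` calls `body.setLimit(maxSavePostSize)` but never checks whether the body actually fit in the 4 KiB limit; what `ByteChunk.append` does once the limit is exceeded with no sink attached is not visible in this diff (in Tomcat it ends in an `IOException`), and because the interceptor side now declares `throws Exception`, an oversized POST to a protected URL would surface as an unhandled exception instead of a controlled response. Tracking the size in the read loop and reporting the overflow to the caller, as Tomcat's `FormAuthenticator.saveRequest` does with a `boolean` result, lets `LoginToContinueInterceptor` send an error status via `httpMessageContext.getResponse()` and skip the login forward, e.g. `if (!saveRequest(httpMessageContext.getRequest())) { ... }`. Minor style points in the same hunk: `Cookie cookies[]` is the C-style array declaration (`Cookie[] cookies`), and `MAX_SAVE_POST_SIZE` as an interface field becomes an implicitly public constant inherited by every implementor, which is worth a comment if that is intended.
```java
    static boolean saveRequest(final HttpServletRequest request) throws IOException {
        // … unchanged: cookies, headers, locales, ByteChunk and buffer set-up …
            while ((bytesRead = is.read(buffer)) >= 0) {
                // Refuse a body that would not fit instead of relying on ByteChunk's overflow behaviour
                if (body.getLength() + bytesRead > maxSavePostSize) {
                    return false;
                }
                body.append(buffer, 0, bytesRead);
            }
        // … unchanged: content type/body, method, query string, URI, session attribute …
        return true;
    }
```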
