Re: JASPIC Implementation pointers

2015-07-03 Thread Fjodor Vershinin
2015-07-03 15:31 GMT+03:00 Mark Thomas ma...@apache.org:

 On 03/07/2015 07:37, Fjodor Vershinin wrote:
  Hi!
  Unfortunately, commit rearrangement requires some more effort from me, so I
  haven't finished it yesterday.
  I need some more time to fix checkstyle errors and so on.

 OK.

I have prepared a patchset in the
https://github.com/fjodorver/tomcat/commits/feature/form_auth branch; some
commits are squashed. However, I think it's reasonable to save the refactoring
commits in order to have the possibility of tracing code changes and discussing
them.


  We can change the way users have to configure it. For example, we could
  say they have to use programmatic configuration via the standard JASPIC
  interfaces if they want to use non-default settings.
 
 
  I see your point. The best option in my opinion is to pass these options
  through LoginConfig/Context in ContextConfig.
  We can figure out how to set these options in a programmatic way and then
  refresh the context provider in order to reinitialize authentication
  modules.

 Why do you say reinitialize? I'd expect a new instance of the module to
 be created when the web application starts and that instance to be used
 until it stops (requiring a stop/start to update config happens a lot in
 Tomcat - not that much configuration is configurable dynamically).

Here is the thing: currently we initialize our embedded provider on
application startup, if the application has login-config in web.xml.
So, we need to invent some mechanism to detect whether a person wants to use a
custom provider or the embedded one.
I have an idea that login-config is for the embedded provider only, so, in
case users want to use their custom provider and do not want to use the
embedded one, they should avoid using login-config in the application config.
Another option is to unregister Tomcat's default provider and register a custom
one.

Thanks,
Fjodor


svn commit: r1689026 - in /tomcat/trunk/test/org/apache/catalina/authenticator: ResponseDescriptor.java TestJaspicBasicAuthenticator.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 14:47:12 2015
New Revision: 1689026

URL: http://svn.apache.org/r1689026
Log:
Implemented integration test for JASPIC BASIC authentication
Patch by fjodorver

Added:
tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java 
  (with props)

tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java
   (with props)

Added: 
tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java?rev=1689026&view=auto
==
--- tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java 
(added)
+++ tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java 
Fri Jul  3 14:47:12 2015
@@ -0,0 +1,59 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the License); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an AS IS BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.catalina.authenticator;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * This class incorporates test response data
+ */
+class ResponseDescriptor {
+private MapString, ListString headers;
+private String body;
+private int responseCode;
+
+
+public MapString, ListString getHeaders() {
+return headers;
+}
+
+
+public void setHeaders(MapString, ListString headers) {
+this.headers = headers;
+}
+
+
+public String getBody() {
+return body;
+}
+
+
+public void setBody(String body) {
+this.body = body;
+}
+
+
+public int getResponseCode() {
+return responseCode;
+}
+
+
+public void setResponseCode(int responseCode) {
+this.responseCode = responseCode;
+}
+}
\ No newline at end of file
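
Review bot: The new file ends without a trailing newline (the "\ No newline at end of file" marker after the closing brace of ResponseDescriptor), which sits oddly with the svn:eol-style = native property set on it; add the final newline. The class is also a bare mutable holder whose headers, body and responseCode are filled in through setters, so a test can read a half-populated descriptor. Since it only carries test response data, consider final fields set through a constructor and dropping the setters.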

Propchange: 
tomcat/trunk/test/org/apache/catalina/authenticator/ResponseDescriptor.java
--
svn:eol-style = native

Added: 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java?rev=1689026&view=auto
==
--- 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java
 (added)
+++ 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicBasicAuthenticator.java
 Fri Jul  3 14:47:12 2015
@@ -0,0 +1,211 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the License); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an AS IS BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.catalina.authenticator;
+
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.message.config.AuthConfigFactory;
+
+import org.hamcrest.CoreMatchers;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
+
+import org.junit.Test;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.authenticator.jaspic.JaspicAuthenticator;
+import 
org.apache.catalina.authenticator.jaspic.provider.TomcatAuthConfigProvider;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.startup.TesterMapRealm;
+import org.apache.catalina.startup.TesterServlet;
+import 

svn commit: r1689034 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 14:59:01 2015
New Revision: 1689034

URL: http://svn.apache.org/r1689034
Log:
Fix NPE on empty realm name 
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java?rev=1689034&r1=1689033&r2=1689034&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
 Fri Jul  3 14:59:01 2015
@@ -66,7 +66,7 @@ public abstract class TomcatAuthModule i
 
 
 public String getRealmName() {
-return Optional.of(realmName).orElse(DEFAULT_REALM_NAME);
+return Optional.ofNullable(realmName).orElse(DEFAULT_REALM_NAME);
 }
 
 
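
Review bot: In getRealmName(), Optional.ofNullable(realmName) removes the NullPointerException for a null realmName, but the log message speaks of an empty realm name, and an empty string still passes through orElse() unchanged, so DEFAULT_REALM_NAME is not used in that case. If an empty value should also fall back to the default, test for it explicitly (a filter on the Optional or a plain null-or-empty check); a conditional expression would also avoid allocating an Optional on every call.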



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: JASPIC Implementation pointers

2015-07-03 Thread Fjodor Vershinin
I am working on polishing FORM authentication module code. I will continue
with that this evening.
JASPIC modules configuration looks more like architectural stuff, so we
need to make some decisions how to proceed forward. I think it can be a task
for next week together with the SPNEGO authentication module.

Thanks,
Fjodor

2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:


 Another option would be to define a jaspic element for server.xml /
 context.xml that is nested in a Context and if present takes precedence
 for JASPIC config. For that to work modules would have to:
 - have zero arg constructors
 - be fully configurable via setters
 - use simple types for their property setters

 How feasible is that?


 I think it sounds even better, however I would like to allow security
 configuration only on the provider basis.
 Provider can be initialized with settings HashMap, which can be passed
 directly to modules on initialization.
 And then, modules can set own settings using provided information.

 --
 Thanks,
 Fjodor




-- 
Thanks,
Fjodor


Re: JASPIC Implementation pointers

2015-07-03 Thread Mark Thomas
On 03/07/2015 07:37, Fjodor Vershinin wrote:
 Hi!
 Unfortunately, commit rearrangement requires some more effort from me, so I
 haven't finished it yesterday.
 I need some more time to fix checkstyle errors and so on.

OK.

 We can change the way users have to configure it. For example, we could
 say they have to use programmatic configuration via the standard JASPIC
 interfaces if they want to use non-default settings.
 
 
 I see your point. The best option in my opinion is to pass these options
 through LoginConfig/Context in ContextConfig.
 We can figure out how to set these options in a programmatic way and then
 refresh the context provider in order to reinitialize authentication
 modules.

Why do you say reinitialize? I'd expect a new instance of the module to
be created when the web application starts and that instance to be used
until it stops (requiring a stop/start to update config happens a lot in
Tomcat - not that much configuration is configurable dynamically).

Mark





Re: svn commit: r1688911 - /tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java

2015-07-03 Thread Konstantin Kolinko
2015-07-03 0:07 GMT+03:00  ma...@apache.org:
 Author: markt
 Date: Thu Jul  2 21:07:18 2015
 New Revision: 1688911

 URL: http://svn.apache.org/r1688911
 Log: (empty)

Log message =?
This looks like a followup to http://svn.apache.org/r1688909

Removing ka = null; line has no effect, as ka variable is not used
below. OK with it.

Removing socket = null; line has an effect on
catch(OutOfMemoryError) clause. An unlikely use case, though.

If we keep the socket = null; line , it can be moved into the close() method.
Note that it will be this.socket = null; there, as socket argument
of the close() method shadows socket field of the class.

 -if (socket.getPoller().cancelledKey(key, SocketStatus.ERROR, 
 false) != null) {
 +if (socket.getPoller().cancelledKey(key, socketStatus, 
 false) != null) {

OK.
The above was a copy-paste fix from extracting common code into a
method in r1688909.
The error was that the socketStatus argument was not used.

Best regards,
Konstantin Kolinko

 Modified:
 tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java

 Modified: 
 tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
 URL: 
 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1688911&r1=1688910&r2=1688911&view=diff
 ==
 --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java 
 (original)
 +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu 
 Jul  2 21:07:18 2015
 @@ -1756,20 +1756,17 @@ public class NioEndpoint extends Abstrac
  // Close socket and pool
  try {
  close(ka, socket, key, SocketStatus.ERROR);
 -socket = null;
 -ka = null;
  } catch ( Exception x ) {
  log.error(,x);
  }
  }
  } else if (handshake == -1 ) {
  close(ka, socket, key, SocketStatus.DISCONNECT);
 -ka = null;
  } else {
  ka.getPoller().add(socket, handshake);
  }
 -}catch(CancelledKeyException cx) {
 -socket.getPoller().cancelledKey(key,null,false);
 +} catch (CancelledKeyException cx) {
 +socket.getPoller().cancelledKey(key, null, false);
  } catch (OutOfMemoryError oom) {
  try {
  oomParachuteData = null;
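
Review bot: Dropping `socket = null;` after `close(ka, socket, key, SocketStatus.ERROR)` changes behaviour, not only style: the local still refers to the closed socket when the later handlers run, and the `CancelledKeyException` handler in this same hunk dereferences it through `socket.getPoller()`. The commit log is empty and the hunk also carries whitespace-only edits to that catch block, so the behavioural part is easy to miss. A log message stating why the assignments were removed, or a separate commit for the formatting, would make this reviewable.
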
 @@ -1809,7 +1806,7 @@ public class NioEndpoint extends Abstrac
  if (ka != null) {
  ka.setComet(false);
  }
 -if (socket.getPoller().cancelledKey(key, SocketStatus.ERROR, 
 false) != null) {
 +if (socket.getPoller().cancelledKey(key, socketStatus, 
 false) != null) {
  // SocketWrapper (attachment) was removed from the
  // key - recycle both. This can only happen once
  // per attempted closure so it is used to determine
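
Review bot: The condition now forwards the caller's `socketStatus` to `cancelledKey(...)` instead of the hard-coded `SocketStatus.ERROR`, so the `SocketStatus.DISCONNECT` passed by the `handshake == -1` branch earlier in this patch now reaches the poller. Nothing in the patch exercises that path; a test that closes a connection with DISCONNECT and checks that the wrapper is still recycled once would guard against the copy-paste error coming back.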






Re: JASPIC Implementation pointers

2015-07-03 Thread Mark Thomas
On 03/07/2015 15:42, Fjodor Vershinin wrote:
 I am working on polishing FORM authentication module code. I will continue
 with that this evening.

OK. I'm commenting on commits as I apply them. Some of them have
suggestions for further improvements. These improvements don't need to
be implemented now (if you have time then great). As a minimum there
needs to be a TODO comment added to the right place(s) in the code so
you can come back to them later.


 JASPIC modules configuration looks more like architectural stuff, so we
 need to make some decisions how to proceed forward.

What decisions? If you can define these before the weekend that gives
folks a few days to think about it before you need answers.

 I think it can be task
 for next week together SPNEGO authentication module.

SPNEGO is likely to be tricky since setting up a test environment needs
server machines and some Windows Server licenses. I have a set of VMs I
use for testing SPNEGO. It probably makes sense if you port it and I
test it.

Mark

 
 Thanks,
 Fjodor
 
 2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:
 

 Another option would be to define a jaspic element for server.xml /
 context.xml that is nested in a Context and if present takes precedence
 for JASPIC config. For that to work modules would have to:
 - have zero arg constructors
 - be fully configurable via setters
 - use simple types for their property setters

 How feasible is that?


 I think it sounds even better, however I would like to allow security
 configuration only on the provider basis.
 Provider can be initialized with settings HashMap, which can be passed
 directly to modules on initialization.
 And then, modules can set own settings using provided information.

 --
 Thanks,
 Fjodor

 
 
 





Early Access builds for JDK 8u60 b21 and JDK 9 b70 are available on java.net

2015-07-03 Thread Rory O'Donnell


Hi Mark/Mladen,

Early Access build for JDK 8u60 b21 http://jdk8.java.net/download.html 
is available on java.net, summary of changes are listed here. 
http://www.java.net/download/jdk8u60/changes/jdk8u60-b21.html
As we enter the later phases of development for JDK 8u60, please log any 
show stoppers as soon as possible.


Early Access build for JDK 9 b70 https://jdk9.java.net/download/ is 
available on java.net, summary of  changes are listed here 
http://www.java.net/download/jdk9/changes/jdk9-b70.html.


The JDK 9 schedule of record is available on the JDK 9 Project page: 
http://openjdk.java.net/projects/jdk9


At https://wiki.openjdk.java.net/display/Adoption/JDK+9+Outreach you can 
find a (preliminary) list of other
changes that might affect your project's code in JDK 9, and other things 
to consider when testing with JDK 9.
I'd be curious to know if there is anything on that list you'd consider 
to have an effect on your project.


Please keep in mind that as JEPs and other changes are integrated into 
(or out of) JDK 9, the list will change over time.

Rgds, Rory

--
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA , Dublin, Ireland



Re: JASPIC Implementation pointers

2015-07-03 Thread Mark Thomas
On 03/07/2015 13:56, Fjodor Vershinin wrote:
 2015-07-03 15:31 GMT+03:00 Mark Thomas ma...@apache.org:
 
 On 03/07/2015 07:37, Fjodor Vershinin wrote:
 Hi!
 Unfortunately, commit rearrangement requires some more effort from me,
 so I
 haven't finished it yesterday.
 I need some more time to fix checkstyle errors and so on.

 OK.
 
 I have prepared patchset in
 https://github.com/fjodorver/tomcat/commits/feature/form_auth branch, some
 commits are squashed. However I think it's reasonable to save refactoring
 commits in order to have possibility for tracing code changes and discuss
 about them.

OK. I'll hopefully start reviewing and merging those this afternoon.

 We can change the way users have to configure it. For example, we could
 say they have to use programmatic configuration via the standard JASPIC
 interfaces if they want to use non-default settings.


 I see your point. The best option in my opinion is to pass these options
 through LoginConfig/Context in ContextConfig.
 We can figure out how to set these options in a programmatic way and then
 refresh the context provider in order to reinitialize authentication
 modules.

 Why do you say reinitialize? I'd expect a new instance of the module to
 be created when the web application starts and that instance to be used
 until it stops (requiring a stop/start to update config happens a lot in
 Tomcat - not that much configuration is configurable dynamically).
 
 Here is the thing: currently we initialize our embedded provider on
 application startup, if application has login-config in web.xml.

Not quite.

If the user has defined an authenticator Valve in context.xml or
server.xml then that is used and any login-config in web.xml is ignored.

 So, we need to invent some mechanism to detect, if person wants to use
 custom provider or embedded one.

Or, as currently, simply define an order of preference.

 I have an idea, that login-config is for embedded provider only, so, in
 case users want to use their custom provider, and do not want to use
 embedded one, they should avoid using login-config in application config.
 Another option is unregister Tomcat's default provider, and register custom
 one.

Another option would be to define a jaspic element for server.xml /
context.xml that is nested in a Context and if present takes precedence
for JASPIC config. For that to work modules would have to:
- have zero arg constructors
- be fully configurable via setters
- use simple types for their property setters

How feasible is that?

Mark





Re: JASPIC Implementation pointers

2015-07-03 Thread Fjodor Vershinin


 Another option would be to define a jaspic element for server.xml /
 context.xml that is nested in a Context and if present takes precedence
 for JASPIC config. For that to work modules would have to:
 - have zero arg constructors
 - be fully configurable via setters
 - use simple types for their property setters

 How feasible is that?


I think it sounds even better, however I would like to allow security
configuration only on the provider basis.
Provider can be initialized with settings HashMap, which can be passed
directly to modules on initialization.
And then, modules can set own settings using provided information.

-- 
Thanks,
Fjodor


svn commit: r1689060 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 18:58:24 2015
New Revision: 1689060

URL: http://svn.apache.org/r1689060
Log:
Port FORM auth to JASPIC
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689060&r1=1689059&r2=1689060&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 18:58:24 2015
@@ -16,20 +16,47 @@
  */
 package org.apache.catalina.authenticator.jaspic.provider.modules;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.Principal;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.Locale;
 import java.util.Map;
 
 import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.message.AuthException;
 import javax.security.auth.message.AuthStatus;
 import javax.security.auth.message.MessageInfo;
 import javax.security.auth.message.MessagePolicy;
+import javax.security.auth.message.callback.CallerPrincipalCallback;
+import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.callback.PasswordValidationCallback;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.catalina.Context;
+import org.apache.catalina.Manager;
+import org.apache.catalina.Realm;
+import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.Constants;
+import org.apache.catalina.authenticator.SavedRequest;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.coyote.ActionCode;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.buf.CharChunk;
+import org.apache.tomcat.util.buf.MessageBytes;
+import org.apache.tomcat.util.descriptor.web.LoginConfig;
+import org.apache.tomcat.util.http.MimeHeaders;
 
 /**
  * This class implements JASPIC FORM-based authentication.
@@ -61,8 +88,219 @@ public class FormAuthModule extends Tomc
 if (!isMandatory(messageInfo)) {
 return AuthStatus.SUCCESS;
 }
-return AuthStatus.FAILURE;
+try {
 
+Request request = (Request) messageInfo.getRequestMessage();
+HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
+// References to objects we will need later
+Session session = null;
+Principal principal = null;
+
+// Have we authenticated this user before but have caching 
disabled?
+if (!isCache()) {
+session = request.getSessionInternal(true);
+if (log.isDebugEnabled()) {
+log.debug(Checking for reauthenticate in session  + 
session);
+}
+String username = (String) 
session.getNote(Constants.SESS_USERNAME_NOTE);
+String password = (String) 
session.getNote(Constants.SESS_PASSWORD_NOTE);
+if ((username != null)  (password != null)) {
+if (log.isDebugEnabled()) {
+log.debug(Reauthenticating username ' + username + 
');
+}
+PasswordValidationCallback passwordCallback = new 
PasswordValidationCallback(
+clientSubject, username, password.toCharArray());
+handler.handle(new Callback[] { passwordCallback });
+
+if (!passwordCallback.getResult()) {
+forwardToErrorPage(request, response, 
context.getLoginConfig());
+}
+principal = getPrincipal(passwordCallback);
+if (principal != null) {
+session.setNote(Constants.FORM_PRINCIPAL_NOTE, 
principal);
+if (!matchRequest(request)) {
+CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(
+clientSubject, principal);
+GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(
+
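
Review bot: In the re-authentication branch of validateRequest(), a failed password check calls forwardToErrorPage(request, response, context.getLoginConfig()) and then falls through to `principal = getPrincipal(passwordCallback)` with no return, so processing continues on a response that has already been forwarded. Return a failure AuthStatus straight after the forward. The same branch reads the stored password from the Constants.SESS_PASSWORD_NOTE session note and passes password.toCharArray() to PasswordValidationCallback; the visible lines never clear that array, so call passwordCallback.clearPassword() once handler.handle(...) has returned.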

svn commit: r1689058 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider: ./ modules/

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 18:54:29 2015
New Revision: 1689058

URL: http://svn.apache.org/r1689058
Log:
Make the Context available to the auth modules.
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java?rev=1689058&r1=1689057&r2=1689058&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
 Fri Jul  3 18:54:29 2015
@@ -26,6 +26,7 @@ import javax.security.auth.message.Messa
 import javax.security.auth.message.config.ServerAuthConfig;
 import javax.security.auth.message.config.ServerAuthContext;
 
+import org.apache.catalina.Context;
 import org.apache.catalina.Realm;
 import 
org.apache.catalina.authenticator.jaspic.provider.modules.BasicAuthModule;
 import 
org.apache.catalina.authenticator.jaspic.provider.modules.DigestAuthModule;
@@ -41,17 +42,20 @@ public class TomcatAuthConfig implements
 private String appContext;
 private CallbackHandler handler;
 private TomcatServerAuthContext tomcatServerAuthContext;
-private Realm realm;
+
+private Context context;
 private LoginConfig loginConfig;
+private Realm realm;
 
 
 public TomcatAuthConfig(String layer, String appContext, CallbackHandler 
callbackHandler,
-Realm realm, LoginConfig loginConfig) {
+Context context) {
 this.messageLayer = layer;
 this.appContext = appContext;
 this.handler = callbackHandler;
-this.realm = realm;
-this.loginConfig = loginConfig;
+this.context = context;
+this.realm = context.getRealm();
+this.loginConfig = context.getLoginConfig();
 }
 
 
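
Review bot: The new constructor dereferences `context` at once (`context.getRealm()`, `context.getLoginConfig()`) with no null check, so a null Context now fails with a NullPointerException inside the constructor; validate the argument or document that it must be non-null. Keeping `realm` and `loginConfig` as copies next to `context` also gives the class two sources for the same data: if the Context's realm or login config is replaced later these fields go stale, so either read them from `context` on use or drop the fields.
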
@@ -108,13 +112,13 @@ public class TomcatAuthConfig implements
 String authMethod = getAuthMethod();
 switch (authMethod) {
 case BASIC: {
-return new BasicAuthModule();
+return new BasicAuthModule(context);
 }
 case DIGEST: {
-return new DigestAuthModule(realm);
+return new DigestAuthModule(context);
 }
 case FORM: {
-return new FormAuthModule();
+return new FormAuthModule(context);
 }
 default: {
 throw new AuthException(
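
Review bot: Every case of the switch now hands the whole `Context` to the module, including `DigestAuthModule`, which previously received only the `Realm`. That widens what each authentication module can reach to everything the Context exposes. If a module needs just the realm or the login config, passing those keeps its dependencies narrow; otherwise the constructors' Javadoc should say which parts of the Context they use.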

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java?rev=1689058&r1=1689057&r2=1689058&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfigProvider.java
 Fri Jul  3 18:54:29 2015
@@ -26,24 +26,20 @@ import javax.security.auth.message.confi
 import javax.security.auth.message.config.ServerAuthConfig;
 
 import org.apache.catalina.Context;
-import org.apache.catalina.Realm;
-import org.apache.tomcat.util.descriptor.web.LoginConfig;
 
 /**
- * Tomcat's context based JASPIC authentication provider. It returns 
authentication
- * modules depending on context login-config setup.
+ * Tomcat's context based JASPIC authentication provider. It returns
+ * authentication modules depending on context login-config setup.
  */
 public class TomcatAuthConfigProvider implements AuthConfigProvider {
 
 private MapString, String providerProperties;
 private ServerAuthConfig serverAuthConfig;
-private Realm realm;
-private LoginConfig loginConfig;
+private Context context;
 
 
 public TomcatAuthConfigProvider(Context context) {
-this.realm = context.getRealm();
-this.loginConfig = context.getLoginConfig();
+this.context = context;
 }
 
 
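
Review bot: The `context` field is assigned once in the TomcatAuthConfigProvider constructor and not reassigned in the visible lines, so declare it `final`, and reject a null argument there rather than letting it surface later when the config is built. The Javadoc re-wrap in the same hunk is unrelated to the change and would be easier to review as its own commit.
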
@@ -66,7 +62,7 @@ public class TomcatAuthConfigProvider im
 public synchronized ServerAuthConfig getServerAuthConfig(String layer, 
String appContext,
 

svn commit: r1689056 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider: TomcatAuthConfig.java modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 18:49:45 2015
New Revision: 1689056

URL: http://svn.apache.org/r1689056
Log:
Added dummy FORM auth module
Patch by fjodorver

Added:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
   (with props)
Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java?rev=1689056&r1=1689055&r2=1689056&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/TomcatAuthConfig.java
 Fri Jul  3 18:49:45 2015
@@ -29,6 +29,7 @@ import javax.security.auth.message.confi
 import org.apache.catalina.Realm;
 import 
org.apache.catalina.authenticator.jaspic.provider.modules.BasicAuthModule;
 import 
org.apache.catalina.authenticator.jaspic.provider.modules.DigestAuthModule;
+import 
org.apache.catalina.authenticator.jaspic.provider.modules.FormAuthModule;
 import 
org.apache.catalina.authenticator.jaspic.provider.modules.TomcatAuthModule;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.res.StringManager;
@@ -112,6 +113,9 @@ public class TomcatAuthConfig implements
 case DIGEST: {
 return new DigestAuthModule(realm);
 }
+case FORM: {
+return new FormAuthModule();
+}
 default: {
 throw new AuthException(
 sm.getString(authenticator.jaspic.unknownAuthType, 
authMethod));

Added: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689056&view=auto
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (added)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 18:49:45 2015
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the License); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an AS IS BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.authenticator.jaspic.provider.modules;
+
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.security.auth.message.MessagePolicy;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+
+/**
+ * This class implements JASPIC FORM-based authentication.
+ */
+public class FormAuthModule extends TomcatAuthModule {
+private static final Log log = LogFactory.getLog(FormAuthModule.class);
+
+private Class?[] supportedMessageTypes = new Class[] { 
HttpServletRequest.class,
+HttpServletResponse.class };
+
+private String landingPage;
+
+
+public FormAuthModule() {
+}
+
+
+public FormAuthModule(String landingPage) {
+this.landingPage = landingPage;
+}
+
+
+@SuppressWarnings(rawtypes)
+@Override
+public void initializeModule(MessagePolicy requestPolicy, MessagePolicy 
responsePolicy,
+CallbackHandler handler, Map options) throws AuthException {
+}
+
+
+@Override
+public AuthStatus validateRequest(MessageInfo messageInfo, Subject 
clientSubject,
+Subject serviceSubject) throws AuthException {
+if (!isMandatory(messageInfo)) {
+return AuthStatus.SUCCESS;
+}
+return AuthStatus.FAILURE;
+
+}
+
+
+@Override
+public AuthStatus secureResponse(MessageInfo messageInfo, Subject 
serviceSubject)
+  
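Review bot: `validateRequest` returns `AuthStatus.FAILURE` for every request where authentication is mandatory, without forwarding to a login page or writing anything to the response, so with this revision FORM fails every protected request. Failing closed is the right default for a placeholder, but it should carry a TODO and a debug log line so the behaviour is not mistaken for a finished module. `initializeModule` has an empty body and discards `handler` and `options`; store the `CallbackHandler` if the module is going to need it. `supportedMessageTypes` can be `private static final`, and `log` and `landingPage` are not read anywhere in the visible part of the file.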

svn commit: r1689062 - /tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:04:23 2015
New Revision: 1689062

URL: http://svn.apache.org/r1689062
Log:
Port FORM auth unit test for JASPIC
Patch by fjodorver

Added:

tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java
   (with props)

Added: 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java?rev=1689062&view=auto
==
--- 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java
 (added)
+++ 
tomcat/trunk/test/org/apache/catalina/authenticator/TestJaspicFormAuthenticator.java
 Fri Jul  3 19:04:23 2015
@@ -0,0 +1,769 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the License); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an AS IS BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.catalina.authenticator;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+import java.util.StringTokenizer;
+
+import javax.security.auth.message.config.AuthConfigFactory;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.junit.Ignore;
+import org.junit.Test;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.authenticator.jaspic.JaspicAuthenticator;
+import 
org.apache.catalina.authenticator.jaspic.provider.TomcatAuthConfigProvider;
+import org.apache.catalina.startup.SimpleHttpClient;
+import org.apache.catalina.startup.TesterMapRealm;
+import org.apache.catalina.startup.TesterServlet;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.descriptor.web.LoginConfig;
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.websocket.server.WsContextListener;
+
+/*
+ * Test FORM authentication for sessions that do and do not use cookies.
+ *
+ * 1. A client that can accept and respond to a Set-Cookie for JSESSIONID
+ *will be able to maintain its authenticated session, no matter whether
+ *the session ID is changed once, many times, or not at all.
+ *
+ * 2. A client that cannot accept cookies will only be able to maintain a
+ *persistent session IF the server sends the correct (current) jsessionid
+ *as a path parameter appended to ALL urls within its response. That is
+ *achievable with servlets, jsps, jstl (all of which which can ask for an
+ *encoded url to be inserted into the dynamic web page). It cannot work
+ *with static html.
+ *note: this test class uses the Tomcat sample jsps, which conform.
+ *
+ * 3. Therefore, any webapp that MIGHT need to authenticate a client that
+ *does not accept cookies MUST generate EVERY protected resource url
+ *dynamically (so that it will include the current session ID).
+ *
+ * 4. Any webapp that cannot satisfy case 3 MUST turn off
+ *changeSessionIdOnAuthentication for its Context and thus degrade the
+ *session fixation protection for ALL of its clients.
+ *note from MarkT: Not sure I agree with this. If the URLs aren't
+ *  being encoded, then the session is going to break regardless of
+ *  whether or not the session ID changes.
+ *
+ * Unlike a proper browser, this unit test class does a quite lot of
+ * screen-scraping and cheating of headers and urls (not very elegant,
+ * but it makes no claims to generality).
+ *
+ */
+public class TestJaspicFormAuthenticator extends TomcatBaseTest {
+
+// these should really be singletons to be type-safe,
+// we are in a unit test and don't need to paranoid.
+protected static final boolean USE_100_CONTINUE = true;
+protected static final boolean NO_100_CONTINUE = !USE_100_CONTINUE;
+
+protected static final boolean CLIENT_USE_COOKIES = true;
+protected static final boolean CLIENT_NO_COOKIES = !CLIENT_USE_COOKIES;
+
+
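Review bot: item 4 of the class comment tells webapps to turn off `changeSessionIdOnAuthentication`, which degrades session fixation protection for all clients, and the "note from MarkT" directly under it disputes that advice. Copied into a new test class, the disagreement is carried forward unresolved; settle it or reword item 4 so the comment does not read as a recommendation to disable the protection. The comment above `USE_100_CONTINUE` says the flags "should really be singletons to be type-safe"; an enum would do that. Small wording slips in the comments: "which which", "does a quite lot of", "don't need to paranoid".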

[Bug 58095] Empty script tag results in generated jsp having a self-closing script tag, which is invalid and results in rendering issues

2015-07-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58095

--- Comment #3 from Christopher Schultz ch...@christopherschultz.net ---
I'm not sure this is a Tomcat issue, but I'm not sure exactly how Tomcat does
its XML parsing, etc. I know that I've seen this problem with other
XML-oriented HTML-handling software as well.

A specific case in point: Apache Cocoon will take a <script></script> pair in
an XSLT and generate <script/> in the output. We have to use the same tricks
like <script><xsl:comment>boo!</xsl:comment></script> in order to prevent the
XML serializer from coalescing the tags together.

The problem is likely to be that the XML serializer doesn't realize that there
are certain HTML tags that cannot be self-closing (and script is the only one
I know of off-hand). As far as XML is concerned, <script></script> (with no
child elements) is equivalent to <script/>, so this behavior is completely
acceptable. But since this is really HTML, those rules sometimes don't apply.

Have you tried using application/xhtml+xml as your content type? If you do
that, the browser might use an XML parser instead of an HTML parser, *and* you
are likely to get the benefit of avoiding a quirks rendering mode and
instead using a standards-compliant parser *and* renderer.


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1689063 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:07:30 2015
New Revision: 1689063

URL: http://svn.apache.org/r1689063
Log:
Remove unnecessary code
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689063&r1=1689062&r2=1689063&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:07:30 2015
@@ -54,7 +54,6 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.buf.ByteChunk;
-import org.apache.tomcat.util.buf.CharChunk;
 import org.apache.tomcat.util.buf.MessageBytes;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.http.MimeHeaders;
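Review bot: the `MessageBytes` import stays as a context line in this hunk, but the next hunk removes `MessageBytes uriMB = MessageBytes.newInstance();`, the only use of the class visible in this diff. If nothing else in the file refers to `MessageBytes`, drop that import in the same commit so the unused-import check stays clean.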
@@ -179,9 +178,6 @@ public class FormAuthModule extends Tomc
 }
 
 // Acquire references to objects we will need to evaluate
-MessageBytes uriMB = MessageBytes.newInstance();
-CharChunk uriCC = uriMB.getCharChunk();
-uriCC.setLimit(-1);
 String contextPath = request.getContextPath();
 String requestURI = request.getDecodedRequestURI();
 






svn commit: r1689064 - /tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:07:52 2015
New Revision: 1689064

URL: http://svn.apache.org/r1689064
Log:
Remove unnecessary code
Thanks to fjodorver

Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1689064&r1=1689063&r2=1689064&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java 
Fri Jul  3 19:07:52 2015
@@ -38,7 +38,6 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.buf.ByteChunk;
-import org.apache.tomcat.util.buf.CharChunk;
 import org.apache.tomcat.util.buf.MessageBytes;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.http.MimeHeaders;
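Review bot: this removal is the same one made in r1689063 for `FormAuthModule`, and the context lines around it are identical in both files, which shows the module is a near copy of `FormAuthenticator`. A comment in one of the two classes pointing at the other would help make sure later fixes to the FORM login flow are applied to both. As in r1689063, check whether the retained `MessageBytes` import still has a user once `uriMB` is gone.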
@@ -208,9 +207,6 @@ public class FormAuthenticator
 }
 
 // Acquire references to objects we will need to evaluate
-MessageBytes uriMB = MessageBytes.newInstance();
-CharChunk uriCC = uriMB.getCharChunk();
-uriCC.setLimit(-1);
 String contextPath = request.getContextPath();
 String requestURI = request.getDecodedRequestURI();
 






JASPIC Implementation pointers

2015-07-03 Thread Fjodor Vershinin
 On 03/07/2015 15:42, Fjodor Vershinin wrote:
  I am working on polishing FORM authentication module code. I will continue
  with that this evening.

 OK. I'm commenting on commits as I apply them. Some of them have
 suggestions for further improvements. These improvements don't need to
 be implemented now (if you have time then great). As a minimum there
 needs to be a TODO comment added to the right place(s) in the code so
 you can come back to them later.


Ok, thank you.


  JASPIC modules configuration looks more like architectural stuff, so we
  need to make some decisions how to proceed forward.

 What decisions? If you can define these before the weekend that gives
 folks a few days to think about it before you need answers.

For example, the way we handle module configurations. What do you think
about my proposal to use Provider based config?


  I think it can be a task
  for next week together with the SPNEGO authentication module.

 SPNEGO is likely to be tricky since setting up a test environment needs
 server machines and some Windows Server licenses. I have a set of VMs I
 use for testing SPNEGO. It probably makes sense if you port it and I
 test it.


Let's do it that way.


 
  Thanks,
  Fjodor
 
  2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:
 
 
  Another option would be to define a jaspic element for server.xml /
  context.xml that is nested in a Context and if present takes precedence
  for JASPIC config. For that to work modules would have to:
  - have zero arg constructors
  - be fully configurable via setters
  - use simple types for their property setters
 
  How feasible is that?
 
 
  I think it sounds even better, however I would like to allow security
  configuration only on the provider basis.
  Provider can be initialized with settings HashMap, which can be passed
  directly to modules on initialization.
  And then, modules can set own settings using provided information.
 
  --
  Thanks,
  Fjodor
 
 
 
 





-- 
Thanks,
Fjodor


svn commit: r1689061 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:00:51 2015
New Revision: 1689061

URL: http://svn.apache.org/r1689061
Log:
Validation extracted to separate method, in order to make exception handling 
easier
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689061&r1=1689060&r2=1689061&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:00:51 2015
@@ -27,6 +27,7 @@ import java.util.Map;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.message.AuthException;
 import javax.security.auth.message.AuthStatus;
 import javax.security.auth.message.MessageInfo;
@@ -89,213 +90,217 @@ public class FormAuthModule extends Tomc
 return AuthStatus.SUCCESS;
 }
 try {
+return validate(messageInfo, clientSubject);
+} catch (Exception e) {
+throw new AuthException(e.getMessage());
+}
+}
 
-Request request = (Request) messageInfo.getRequestMessage();
-HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
-// References to objects we will need later
-Session session = null;
-Principal principal = null;
-
-// Have we authenticated this user before but have caching 
disabled?
-if (!isCache()) {
-session = request.getSessionInternal(true);
-if (log.isDebugEnabled()) {
-log.debug(Checking for reauthenticate in session  + 
session);
-}
-String username = (String) 
session.getNote(Constants.SESS_USERNAME_NOTE);
-String password = (String) 
session.getNote(Constants.SESS_PASSWORD_NOTE);
-if ((username != null)  (password != null)) {
-if (log.isDebugEnabled()) {
-log.debug(Reauthenticating username ' + username + 
');
-}
-PasswordValidationCallback passwordCallback = new 
PasswordValidationCallback(
-clientSubject, username, password.toCharArray());
-handler.handle(new Callback[] { passwordCallback });
 
-if (!passwordCallback.getResult()) {
-forwardToErrorPage(request, response, 
context.getLoginConfig());
-}
-principal = getPrincipal(passwordCallback);
-if (principal != null) {
-session.setNote(Constants.FORM_PRINCIPAL_NOTE, 
principal);
-if (!matchRequest(request)) {
-CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(
-clientSubject, principal);
-GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(
-clientSubject, 
context.getRealm().getRoles(principal));
-handler.handle(new Callback[] { principalCallback, 
groupCallback });
-return AuthStatus.SUCCESS;
-}
-}
-if (log.isDebugEnabled()) {
-log.debug(Reauthentication failed, proceed normally);
-}
-}
+private AuthStatus validate(MessageInfo messageInfo, Subject 
clientSubject) throws IOException,
+UnsupportedCallbackException {
+Request request = (Request) messageInfo.getRequestMessage();
+HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
+// References to objects we will need later
+Session session = null;
+Principal principal = null;
+
+// Have we authenticated this user before but have caching disabled?
+if (!isCache()) {
+session = request.getSessionInternal(true);
+if (log.isDebugEnabled()) {
+log.debug(Checking for reauthenticate in session  + session);
 }
-
-// Is this the re-submit of the original request URI after
-// successful
-// authentication? If so, forward the *original* request instead.
-if 
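Review bot: in the new `validateRequest` body, `catch (Exception e) { throw new AuthException(e.getMessage()); }` catches every exception type, keeps only the message (which may be null) and drops the cause and the stack trace. `validate` declares only `IOException` and `UnsupportedCallbackException`, so catch those two, log the exception, and attach it with `initCause` before throwing. That way a programming error surfaces as itself rather than as an authentication failure with no trace.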

svn commit: r1689067 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:15:06 2015
New Revision: 1689067

URL: http://svn.apache.org/r1689067
Log:
Added realm and login-config fields to FormAuthModule
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689067&r1=1689066&r2=1689067&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:15:06 2015
@@ -69,9 +69,14 @@ public class FormAuthModule extends Tomc
 
 private String landingPage;
 
+private Realm realm;
+private LoginConfig loginConfig;
+
 
 public FormAuthModule(Context context) {
 super(context);
+this.realm = context.getRealm();
+this.loginConfig = context.getLoginConfig();
 }
 
 
@@ -121,7 +126,7 @@ public class FormAuthModule extends Tomc
 handler.handle(new Callback[] { passwordCallback });
 
 if (!passwordCallback.getResult()) {
-forwardToErrorPage(request, response, 
context.getLoginConfig());
+forwardToErrorPage(request, response);
 }
 principal = getPrincipal(passwordCallback);
 if (principal != null) {
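Review bot: in the `!passwordCallback.getResult()` branch, `forwardToErrorPage(request, response);` is not followed by a return, so after forwarding to the error page execution continues into `getPrincipal(passwordCallback)` and the code below it. Add `return AuthStatus.FAILURE;` after the forward, as the `principal == null` branch further down in this diff already does.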
@@ -153,7 +158,7 @@ public class FormAuthModule extends Tomc
 CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(clientSubject,
 principal);
 GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(clientSubject,
-context.getRealm().getRoles(principal));
+realm.getRoles(principal));
 handler.handle(new Callback[] { principalCallback, groupCallback 
});
 
 // If we're caching principals we no longer needgetPrincipal the
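Review bot: the context comment "we no longer needgetPrincipal the" has a method name pasted into the middle of the sentence, which looks like the leftover of an automated rename. Restore the original wording while this block is being touched.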
@@ -185,7 +190,6 @@ public class FormAuthModule extends Tomc
 boolean loginAction = requestURI.startsWith(contextPath)
  requestURI.endsWith(Constants.FORM_ACTION);
 
-LoginConfig config = context.getLoginConfig();
 
 // No -- Save this request and redirect to the form login page
 if (!loginAction) {
@@ -201,7 +205,7 @@ public class FormAuthModule extends Tomc
 sm.getString(authenticator.requestBodyTooBig));
 return AuthStatus.FAILURE;
 }
-forwardToLoginPage(request, response, config);
+forwardToLoginPage(request, response);
 return AuthStatus.SEND_CONTINUE;
 }
 
@@ -221,7 +225,7 @@ public class FormAuthModule extends Tomc
 }
 principal = realm.authenticate(username, password);
 if (principal == null) {
-forwardToErrorPage(request, response, config);
+forwardToErrorPage(request, response);
 return AuthStatus.FAILURE;
 }
 
@@ -335,21 +339,18 @@ public class FormAuthModule extends Tomc
  *
  * @param request Request we are processing
  * @param response Response we are populating
- * @param config Login configuration describing how authentication should 
be
- *performed
  * @throws IOException If the forward to the login page fails and the call
  * to {@link HttpServletResponse#sendError(int, String)} throws
  * an {@link IOException}
  */
-protected void forwardToLoginPage(Request request, HttpServletResponse 
response,
-LoginConfig config) throws IOException {
+protected void forwardToLoginPage(Request request, HttpServletResponse 
response) throws IOException {
 
 if (log.isDebugEnabled()) {
 log.debug(sm.getString(formAuthenticator.forwardLogin, 
request.getRequestURI(),
-request.getMethod(), config.getLoginPage(), 
context.getName()));
+request.getMethod(), loginConfig.getLoginPage(), 
context.getName()));
 }
 
-String loginPage = config.getLoginPage();
+String loginPage = loginConfig.getLoginPage();
 if (loginPage == null || loginPage.length() == 0) {
 String msg = sm.getString(formAuthenticator.noLoginPage, 
context.getName());
 log.warn(msg);
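Review bot: `forwardToLoginPage` now reads `loginConfig.getLoginPage()` from the field set in the constructor, and the debug statement dereferences that field before the `loginPage == null` check. If `context.getLoginConfig()` returned null when the module was built, this method throws a NullPointerException instead of producing the `noLoginPage` warning. Check `loginConfig` for null in the constructor or at the top of this method. The `realm` and `loginConfig` fields added in the first hunk can also be `final`.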
@@ -398,17 +399,15 @@ public class FormAuthModule extends Tomc
  * Called to forward to the error page
  *
  * @param request Request we are processing
- * @param response Response we are populating
- * @param config Login configuration describing how authentication should 
be
- *performed
- * 

svn commit: r1689068 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:19:00 2015
New Revision: 1689068

URL: http://svn.apache.org/r1689068
Log:
Extracted principal callbacks handling
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689068&r1=1689067&r2=1689068&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:19:00 2015
@@ -132,11 +132,7 @@ public class FormAuthModule extends Tomc
 if (principal != null) {
 session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
 if (!matchRequest(request)) {
-CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(
-clientSubject, principal);
-GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(
-clientSubject, 
context.getRealm().getRoles(principal));
-handler.handle(new Callback[] { principalCallback, 
groupCallback });
+handlePrincipalCallbacks(clientSubject, principal);
 return AuthStatus.SUCCESS;
 }
 }
@@ -155,11 +151,7 @@ public class FormAuthModule extends Tomc
 log.debug(Restore request from session ' + 
session.getIdInternal() + ');
 }
 principal = (Principal) 
session.getNote(Constants.FORM_PRINCIPAL_NOTE);
-CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(clientSubject,
-principal);
-GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(clientSubject,
-realm.getRoles(principal));
-handler.handle(new Callback[] { principalCallback, groupCallback 
});
+handlePrincipalCallbacks(clientSubject, principal);
 
 // If we're caching principals we no longer needgetPrincipal the
 // username
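Review bot: `principal` is read from the session note `Constants.FORM_PRINCIPAL_NOTE` and handed straight to `handlePrincipalCallbacks` with no null check. If the note is absent, the helper calls `getRoles(null)` and builds a `CallerPrincipalCallback` with a null principal. Treat a missing note as not authenticated and fall through to the normal login flow.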
@@ -190,7 +182,6 @@ public class FormAuthModule extends Tomc
 boolean loginAction = requestURI.startsWith(contextPath)
  requestURI.endsWith(Constants.FORM_ACTION);
 
-
 // No -- Save this request and redirect to the form login page
 if (!loginAction) {
 session = request.getSessionInternal(true);
@@ -304,6 +295,16 @@ public class FormAuthModule extends Tomc
 }
 
 
+private void handlePrincipalCallbacks(Subject clientSubject, Principal 
principal)
+throws IOException, UnsupportedCallbackException {
+CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(clientSubject,
+principal);
+GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(clientSubject, context
+.getRealm().getRoles(principal));
+handler.handle(new Callback[] { principalCallback, groupCallback });
+}
+
+
 private boolean isCache() {
 return true;
 }
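Review bot: the new `handlePrincipalCallbacks` calls `context.getRealm().getRoles(principal)`, although r1689067 added a `realm` field and one of the two call sites replaced in this commit was already using `realm.getRoles(principal)`. Use the field in the helper so the module resolves roles from the same realm instance it authenticates against.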
@@ -343,7 +344,8 @@ public class FormAuthModule extends Tomc
  * to {@link HttpServletResponse#sendError(int, String)} throws
  * an {@link IOException}
  */
-protected void forwardToLoginPage(Request request, HttpServletResponse 
response) throws IOException {
+protected void forwardToLoginPage(Request request, HttpServletResponse 
response)
+throws IOException {
 
 if (log.isDebugEnabled()) {
 log.debug(sm.getString(formAuthenticator.forwardLogin, 
request.getRequestURI(),






svn commit: r1689069 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:20:20 2015
New Revision: 1689069

URL: http://svn.apache.org/r1689069
Log:
Extracted expired session handling
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689069&r1=1689068&r2=1689069&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:20:20 2015
@@ -204,11 +204,12 @@ public class FormAuthModule extends Tomc
 // credentials
 // and redirect to the error page if they are not correct
 request.getResponse().sendAcknowledgement();
-Realm realm = context.getRealm();
+
 // TODO fix character encoding
 // if (characterEncoding != null) {
 // request.setCharacterEncoding(characterEncoding);
 // }
+
 String username = request.getParameter(Constants.FORM_USERNAME);
 String password = request.getParameter(Constants.FORM_PASSWORD);
 if (log.isDebugEnabled()) {
@@ -228,25 +229,7 @@ public class FormAuthModule extends Tomc
 session = request.getSessionInternal(false);
 }
 if (session == null) {
-// if (containerLog.isDebugEnabled()) {
-// containerLog.debug
-// (User took so long to log on the session expired);
-// }
-if (landingPage == null) {
-response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
-sm.getString(authenticator.sessionExpired));
-} else {
-// Make the authenticator think the user originally
-// requested
-// the landing page
-String uri = request.getContextPath() + landingPage;
-SavedRequest saved = new SavedRequest();
-saved.setMethod(GET);
-saved.setRequestURI(uri);
-saved.setDecodedRequestURI(uri);
-
request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, saved);
-response.sendRedirect(response.encodeRedirectURL(uri));
-}
+handleSessionExpired(request, response);
 return AuthStatus.FAILURE;
 }
 
@@ -295,6 +278,25 @@ public class FormAuthModule extends Tomc
 }
 
 
+private void handleSessionExpired(Request request, HttpServletResponse 
response)
+throws IOException {
+if (landingPage == null) {
+response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
+sm.getString(authenticator.sessionExpired));
+return;
+}
+// Make the authenticator think the user originally
+// requested
+// the landing page
+String uri = request.getContextPath() + landingPage;
+SavedRequest saved = new SavedRequest();
+saved.setMethod(GET);
+saved.setRequestURI(uri);
+saved.setDecodedRequestURI(uri);
+request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, 
saved);
+}
+
+
 private void handlePrincipalCallbacks(Subject clientSubject, Principal 
principal)
 throws IOException, UnsupportedCallbackException {
 CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(clientSubject,
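Review bot: the extracted `handleSessionExpired` is not equivalent to the block it replaces. The removed code ended with `response.sendRedirect(response.encodeRedirectURL(uri));`, and the new method stops after the `setNote(...)` call. With a landing page configured, the caller now returns `AuthStatus.FAILURE` without a redirect or an error having been written to the response. Restore the redirect, or state in the log message why it was dropped, since the message describes this commit as an extraction only.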






svn commit: r1689073 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:49:08 2015
New Revision: 1689073

URL: http://svn.apache.org/r1689073
Log:
Extracted is login action request check
Removed password validation callback, because we can use Realm directly
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689073&r1=1689072&r2=1689073&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:49:08 2015
@@ -107,7 +107,7 @@ public class FormAuthModule extends Tomc
 HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
 
 // Have we authenticated this user before but have caching disabled?
-if (!isCache()) {
+if (!isCache()) { //TODO Ask is it required? May be principal must be 
always cached
 Session session = request.getSessionInternal(true);
 if (log.isDebugEnabled()) {
 log.debug(Checking for reauthenticate in session  + session);
@@ -118,21 +118,18 @@ public class FormAuthModule extends Tomc
 if (log.isDebugEnabled()) {
 log.debug(Reauthenticating username ' + username + ');
 }
-PasswordValidationCallback passwordCallback = new 
PasswordValidationCallback(
-clientSubject, username, password.toCharArray());
-handler.handle(new Callback[] { passwordCallback });
-
-if (!passwordCallback.getResult()) {
+Principal principal = realm.authenticate(username, password);
+if (principal == null) {
 forwardToErrorPage(request, response);
+return AuthStatus.FAILURE;
 }
-Principal principal = getPrincipal(passwordCallback);
-if (principal != null) {
-session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
-if (!isMatchingSavedRequest(request)) {
-handlePrincipalCallbacks(clientSubject, principal);
-return AuthStatus.SUCCESS;
-}
+
+session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
+if (!isMatchingSavedRequest(request)) {
+handlePrincipalCallbacks(clientSubject, principal);
+return AuthStatus.SUCCESS;
 }
+
 if (log.isDebugEnabled()) {
 log.debug(Reauthentication failed, proceed normally);
 }
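Review bot: after this rewrite the debug message "Reauthentication failed, proceed normally" is reached only when `realm.authenticate` succeeded and `isMatchingSavedRequest(request)` is true, because the failure case now returns `AuthStatus.FAILURE` earlier. Reword or move the message so the log does not report a failure that did not happen. Calling `realm.authenticate(username, password)` directly also bypasses the `CallbackHandler` handed to the module, so a handler other than Tomcat's never sees the password validation; record that coupling in a comment next to the call.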
@@ -146,14 +143,7 @@ public class FormAuthModule extends Tomc
 return submitSavedRequest(clientSubject, request, response);
 }
 
-String contextPath = request.getContextPath();
-String requestURI = request.getDecodedRequestURI();
-
-// Is this the action request from the login page?
-boolean loginAction = requestURI.startsWith(contextPath)
- requestURI.endsWith(Constants.FORM_ACTION);
-
-if (!loginAction) {
+if (!isLoginActionRequest(request)) {
 return handleNoLoginAction(request, response);
 }
 
@@ -597,10 +587,11 @@ public class FormAuthModule extends Tomc
 SavedRequest saved = new SavedRequest();
 Cookie cookies[] = request.getCookies();
 if (cookies != null) {
-for (int i = 0; i  cookies.length; i++) {
-saved.addCookie(cookies[i]);
+for (Cookie cookie : cookies) {
+saved.addCookie(cookie);
 }
 }
+
 EnumerationString names = request.getHeaderNames();
 while (names.hasMoreElements()) {
 String name = names.nextElement();
@@ -666,4 +657,12 @@ public class FormAuthModule extends Tomc
 return (sb.toString());
 
 }
+
+
+private boolean isLoginActionRequest(Request request) {
+String contextPath = request.getContextPath();
+String requestURI = request.getDecodedRequestURI();
+return requestURI.startsWith(contextPath)  
requestURI.endsWith(Constants.FORM_ACTION);
+}
+
 }
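
Review bot: isLoginActionRequest, added at the end of the class, decides which requests have their parameters read as credentials, yet it has no Javadoc and accepts any URI under the context path that ends with Constants.FORM_ACTION. Add a short comment stating that the startsWith/endsWith pair is the intended match, so a later edit does not widen it by accident, and cover it with a test for a URI that merely contains the action string in the middle.
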



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1689077 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:58:28 2015
New Revision: 1689077

URL: http://svn.apache.org/r1689077
Log:
Enabled character encoding
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689077&r1=1689076&r2=1689077&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:58:28 2015
@@ -68,6 +68,7 @@ public class FormAuthModule extends Tomc
 HttpServletResponse.class };
 
 private String landingPage;
+private String characterEncoding;
 
 private Realm realm;
 private LoginConfig loginConfig;
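
Review bot: characterEncoding is added as a private field with no initialiser and nothing in this commit assigns it, so the if (characterEncoding != null) block enabled in the next hunk cannot run yet. Add the setter (or read the value from the module options) in the same change, or leave a TODO on the field saying where the value will come from.
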
@@ -222,10 +223,9 @@ public class FormAuthModule extends Tomc
 
 request.getResponse().sendAcknowledgement();
 
-// TODO fix character encoding
-// if (characterEncoding != null) {
-// request.setCharacterEncoding(characterEncoding);
-// }
+if (characterEncoding != null) {
+request.setCharacterEncoding(characterEncoding);
+}
 
 String username = request.getParameter(Constants.FORM_USERNAME);
 String password = request.getParameter(Constants.FORM_PASSWORD);
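
Review bot: an unsupported encoding name in characterEncoding would only surface at request.setCharacterEncoding(characterEncoding), that is, on every login attempt rather than at start-up. Validate the name once where it is configured. The call is correctly placed ahead of the two getParameter reads; a comment saying it has to stay there would protect it from a later reordering.
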






svn commit: r1689078 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules: BasicAuthModule.java DigestAuthModule.java FormAuthModule.java TomcatAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 20:00:56 2015
New Revision: 1689078

URL: http://svn.apache.org/r1689078
Log:
JASPIC callback management moved to parent class
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java?rev=1689078&r1=1689077&r2=1689078&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/BasicAuthModule.java
 Fri Jul  3 20:00:56 2015
@@ -29,8 +29,6 @@ import javax.security.auth.message.AuthE
 import javax.security.auth.message.AuthStatus;
 import javax.security.auth.message.MessageInfo;
 import javax.security.auth.message.MessagePolicy;
-import javax.security.auth.message.callback.CallerPrincipalCallback;
-import javax.security.auth.message.callback.GroupPrincipalCallback;
 import javax.security.auth.message.callback.PasswordValidationCallback;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -91,14 +89,7 @@ public class BasicAuthModule extends Tom
 if (!passwordCallback.getResult()) {
 sendUnauthorizedError(response, realmName);
 }
-
-GenericPrincipal principal = getPrincipal(passwordCallback);
-
-CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(clientSubject,
-principal);
-GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(clientSubject,
-principal.getRoles());
-handler.handle(new Callback[] { principalCallback, groupCallback 
});
+handlePrincipalCallbacks(clientSubject, 
getPrincipal(passwordCallback));
 return AuthStatus.SUCCESS;
 
 } catch (Exception e) {
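
Review bot: in the context lines just above the change, the if (!passwordCallback.getResult()) branch calls sendUnauthorizedError(response, realmName) and has no return, so unless that helper throws, a failed password check continues into handlePrincipalCallbacks(...) and return AuthStatus.SUCCESS. Return the failure status from that branch before collapsing the callback code into one line, and add a test that sends a wrong password and asserts the request is not treated as authenticated.
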

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java?rev=1689078&r1=1689077&r2=1689078&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/DigestAuthModule.java
 Fri Jul  3 20:00:56 2015
@@ -25,15 +25,12 @@ import java.util.LinkedHashMap;
 import java.util.Map;
 
 import javax.security.auth.Subject;
-import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.message.AuthException;
 import javax.security.auth.message.AuthStatus;
 import javax.security.auth.message.MessageInfo;
 import javax.security.auth.message.MessagePolicy;
-import javax.security.auth.message.callback.CallerPrincipalCallback;
-import javax.security.auth.message.callback.GroupPrincipalCallback;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -259,11 +256,7 @@ public class DigestAuthModule extends To
 }
 
 try {
-CallerPrincipalCallback principalCallback = new 
CallerPrincipalCallback(clientSubject,
-principal);
-String[] roles = realm.getRoles(principal);
-GroupPrincipalCallback groupCallback = new 
GroupPrincipalCallback(clientSubject, roles);
-handler.handle(new Callback[] { principalCallback, groupCallback 
});
+handlePrincipalCallbacks(clientSubject, principal);
 } catch (IOException | UnsupportedCallbackException e) {
 throw new AuthException(e.getMessage());
 }
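
Review bot: the removed lines took the group list from realm.getRoles(principal), while the BasicAuthModule code replaced in the same commit used principal.getRoles() on a GenericPrincipal; handlePrincipalCallbacks(clientSubject, principal) now has to yield the same groups for both callers. Its body is not part of this mail, so confirm it copes with a Principal that is not a GenericPrincipal and add a test that asserts the roles after a DIGEST login. The catch block below also rebuilds the AuthException from e.getMessage() alone, which drops the cause.
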

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689078&r1=1689077&r2=1689078&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 

Re: JASPIC Implementation pointers

2015-07-03 Thread Mark Thomas
On 03/07/2015 18:55, Fjodor Vershinin wrote:
 On 03/07/2015 15:42, Fjodor Vershinin wrote:
 I am working on polishing FORM authentication module code. I will
 continue
 with that this evening.

 OK. I'm commenting on commits as I apply them. Some of them have
 suggestions for further improvements. These improvements don't need to
 be implemented now (if you have time then great). As a minimum there
 needs to be a TODO comment added to the right place(s) in the code so
 you can come back to them later.
 
 
 Ok, thank you.
 
 
 JASPIC modules configuration looks more like architectural stuff, so we
 need to make some decisions how to proceed forward.

 What decisions? If you can define these before the weekend that gives
 folks a few days to think about it before you need answers.

 For example the way how we handle module configurations. What do you think
 about my proposal to use Provider based config?

I'll start a new thread for that. One topic per thread is easier for
other people to follow.

Mark


 
 
 I think it can be task
 for next week together SPNEGO authentication module.

 SPNEGO is likely to be tricky since setting up a test environment needs
 server machines and some Windows Server licenses. I have a set of VMs I
 use for testing SPNEGO. It probably makes sense if you port it and I
 test it.
 
 
 Let's do that way.
 
 

 Thanks,
 Fjodor

 2015-07-03 17:16 GMT+03:00 Fjodor Vershinin fjo...@vershinin.net:


 Another option would be to define a jaspic element for server.xml /
 context.xml that is nested in a Context and if present takes precedence
 for JASPIC config. For that to work modules would have to:
 - have zero arg constructors
 - be fully configurable via setters
 - use simple types for their property setters

 How feasible is that?


 I think it sounds even better, however I would like to allow security
 configuration only on the provider basis.
 Provider can be initialized with settings HashMap, which can be passed
 directly to modules on initialization.
 And then, modules can set own settings using provided information.

 --
 Thanks,
 Fjodor








 





svn commit: r1689071 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:23:18 2015
New Revision: 1689071

URL: http://svn.apache.org/r1689071
Log:
Extracted login and non-login actions
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689071&r1=1689070&r2=1689071&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:23:18 2015
@@ -182,27 +182,54 @@ public class FormAuthModule extends Tomc
 boolean loginAction = requestURI.startsWith(contextPath)
  requestURI.endsWith(Constants.FORM_ACTION);
 
-// No -- Save this request and redirect to the form login page
 if (!loginAction) {
-session = request.getSessionInternal(true);
-if (log.isDebugEnabled()) {
-log.debug(Save request in session ' + 
session.getIdInternal() + ');
-}
-try {
-saveRequest(request, session);
-} catch (IOException ioe) {
-log.debug(Request body too big to save during 
authentication);
-response.sendError(HttpServletResponse.SC_FORBIDDEN,
-sm.getString(authenticator.requestBodyTooBig));
-return AuthStatus.FAILURE;
-}
-forwardToLoginPage(request, response);
-return AuthStatus.SEND_CONTINUE;
-}
-
-// Yes -- Acknowledge the request, validate the specified
-// credentials
-// and redirect to the error page if they are not correct
+return handleNoLoginAction(request, response);
+}
+
+return handleLoginAction(request, response);
+}
+
+
+/**
+ * Save this request and redirect to the form login page
+ *
+ * @param request
+ * @param response
+ * @return
+ * @throws IOException
+ */
+private AuthStatus handleNoLoginAction(Request request, 
HttpServletResponse response)
+throws IOException {
+Session session = request.getSessionInternal(true);
+if (log.isDebugEnabled()) {
+log.debug(Save request in session ' + session.getIdInternal() + 
');
+}
+try {
+saveRequest(request, session);
+} catch (IOException ioe) {
+log.debug(Request body too big to save during authentication);
+response.sendError(HttpServletResponse.SC_FORBIDDEN,
+sm.getString(authenticator.requestBodyTooBig));
+return AuthStatus.FAILURE;
+}
+
+forwardToLoginPage(request, response);
+return AuthStatus.SEND_CONTINUE;
+}
+
+
+/**
+ * Acknowledge the request, validate the specified and redirect to the 
error
+ * page if they are not correct
+ *
+ * @param request
+ * @param response
+ * @return
+ * @throws IOException
+ */
+private AuthStatus handleLoginAction(Request request, HttpServletResponse 
response)
+throws IOException {
+
 request.getResponse().sendAcknowledgement();
 
 // TODO fix character encoding
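
Review bot: the Javadoc on handleLoginAction lost a word in the move: "validate the specified and redirect" should read "validate the specified credentials", as the removed inline comment did. Both new Javadoc blocks also carry empty @param, @return and @throws tags; fill them in (which AuthStatus values come back, and when) or drop the tags.
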
@@ -215,7 +242,7 @@ public class FormAuthModule extends Tomc
 if (log.isDebugEnabled()) {
 log.debug(Authenticating username ' + username + ');
 }
-principal = realm.authenticate(username, password);
+Principal principal = realm.authenticate(username, password);
 if (principal == null) {
 forwardToErrorPage(request, response);
 return AuthStatus.FAILURE;
@@ -225,9 +252,7 @@ public class FormAuthModule extends Tomc
 log.debug(Authentication of ' + username + ' was successful);
 }
 
-if (session == null) {
-session = request.getSessionInternal(false);
-}
+Session session = request.getSessionInternal(false);
 if (session == null) {
 handleSessionExpired(request, response);
 return AuthStatus.FAILURE;






svn commit: r1689080 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 20:03:51 2015
New Revision: 1689080

URL: http://svn.apache.org/r1689080
Log:
Change session id on authentication field added
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689080&r1=1689079&r2=1689080&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 20:03:51 2015
@@ -70,6 +70,8 @@ public class FormAuthModule extends Tomc
 private Realm realm;
 private LoginConfig loginConfig;
 
+private boolean changeSessionIdOnAuthenication = true;
+
 
 public FormAuthModule(Context context) {
 super(context);
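
Review bot: the new field is spelled changeSessionIdOnAuthenication (missing a "t"), while the getter in the next hunk is getChangeSessionIdOnAuthentication. Fix the spelling now, before the name leaks into a setter or an options key. Defaulting to true is the right choice for a session fixation defence; nothing in this diff assigns the field, so replace the removed FIXME with a TODO that says where the setting will come from.
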
@@ -392,7 +394,7 @@ public class FormAuthModule extends Tomc
 
 
 private boolean getChangeSessionIdOnAuthentication() {
-return true;// FIXME
+return changeSessionIdOnAuthenication ;
 }
 
 






svn commit: r1689070 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:21:17 2015
New Revision: 1689070

URL: http://svn.apache.org/r1689070
Log:
Meaningful name for variable
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689070&r1=1689069&r2=1689070&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:21:17 2015
@@ -242,11 +242,11 @@ public class FormAuthModule extends Tomc
 
 // Redirect the user to the original request URI (which will cause
 // the original request to be restored)
-requestURI = savedRequestURL(session);
+String savedRequestUrl = savedRequestURL(session);
 if (log.isDebugEnabled()) {
-log.debug(Redirecting to original ' + requestURI + ');
+log.debug(Redirecting to original ' + savedRequestUrl + ');
 }
-if (requestURI == null) {
+if (savedRequestUrl == null) {
 if (landingPage == null) {
 response.sendError(HttpServletResponse.SC_BAD_REQUEST,
 sm.getString(authenticator.formlogin));
@@ -267,7 +267,7 @@ public class FormAuthModule extends Tomc
 // to
 // use.
 Response internalResponse = request.getResponse();
-String location = response.encodeRedirectURL(requestURI);
+String location = response.encodeRedirectURL(savedRequestUrl);
 if (HTTP/1.1.equals(request.getProtocol())) {
 internalResponse.sendRedirect(location, 
HttpServletResponse.SC_SEE_OTHER);
 } else {






svn commit: r1689072 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:32:52 2015
New Revision: 1689072

URL: http://svn.apache.org/r1689072
Log:
extracted sending saved request
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689072&r1=1689071&r2=1689072&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:32:52 2015
@@ -105,13 +105,10 @@ public class FormAuthModule extends Tomc
 UnsupportedCallbackException {
 Request request = (Request) messageInfo.getRequestMessage();
 HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
-// References to objects we will need later
-Session session = null;
-Principal principal = null;
 
 // Have we authenticated this user before but have caching disabled?
 if (!isCache()) {
-session = request.getSessionInternal(true);
+Session session = request.getSessionInternal(true);
 if (log.isDebugEnabled()) {
 log.debug(Checking for reauthenticate in session  + session);
 }
@@ -128,10 +125,10 @@ public class FormAuthModule extends Tomc
 if (!passwordCallback.getResult()) {
 forwardToErrorPage(request, response);
 }
-principal = getPrincipal(passwordCallback);
+Principal principal = getPrincipal(passwordCallback);
 if (principal != null) {
 session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
-if (!matchRequest(request)) {
+if (!isMatchingSavedRequest(request)) {
 handlePrincipalCallbacks(clientSubject, principal);
 return AuthStatus.SUCCESS;
 }
@@ -145,36 +142,10 @@ public class FormAuthModule extends Tomc
 // Is this the re-submit of the original request URI after
 // successful
 // authentication? If so, forward the *original* request instead.
-if (matchRequest(request)) {
-session = request.getSessionInternal(true);
-if (log.isDebugEnabled()) {
-log.debug(Restore request from session ' + 
session.getIdInternal() + ');
-}
-principal = (Principal) 
session.getNote(Constants.FORM_PRINCIPAL_NOTE);
-handlePrincipalCallbacks(clientSubject, principal);
-
-// If we're caching principals we no longer needgetPrincipal the
-// username
-// and password in the session, so remove them
-if (isCache()) {
-session.removeNote(Constants.SESS_USERNAME_NOTE);
-session.removeNote(Constants.SESS_PASSWORD_NOTE);
-}
-if (restoreRequest(request, session)) {
-if (log.isDebugEnabled()) {
-log.debug(Proceed to restored request);
-}
-return AuthStatus.SUCCESS;
-} else {
-if (log.isDebugEnabled()) {
-log.debug(Restore of original request failed);
-}
-response.sendError(HttpServletResponse.SC_BAD_REQUEST);
-return AuthStatus.FAILURE;
-}
+if (isMatchingSavedRequest(request)) {
+return submitSavedRequest(clientSubject, request, response);
 }
 
-// Acquire references to objects we will need to evaluate
 String contextPath = request.getContextPath();
 String requestURI = request.getDecodedRequestURI();
 
@@ -190,6 +161,37 @@ public class FormAuthModule extends Tomc
 }
 
 
+private AuthStatus submitSavedRequest(Subject clientSubject, Request 
request,
+HttpServletResponse response) throws IOException, 
UnsupportedCallbackException {
+Session session = request.getSessionInternal(true);
+if (log.isDebugEnabled()) {
+log.debug(Restore request from session ' + 
session.getIdInternal() + ');
+}
+Principal principal = (Principal) 
session.getNote(Constants.FORM_PRINCIPAL_NOTE);
+handlePrincipalCallbacks(clientSubject, principal);
+
+// If we're caching principals we no longer need getPrincipal the
+// username
+// and password in the session, so remove them
+if (isCache()) {
+session.removeNote(Constants.SESS_USERNAME_NOTE);
+
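
Review bot: submitSavedRequest casts the FORM_PRINCIPAL_NOTE value and passes it straight to handlePrincipalCallbacks with no null check, after a getSessionInternal(true) that may have just created the session. That is safe only if isMatchingSavedRequest guarantees the note is present; state that precondition in a Javadoc comment on the new method or check for null and return AuthStatus.FAILURE. The moved comment also still carries a stray "getPrincipal" in "we no longer need getPrincipal the username", which should be removed.
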

svn commit: r1689082 - /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 20:08:18 2015
New Revision: 1689082

URL: http://svn.apache.org/r1689082
Log:
Extracted saved authentication handling to separate method 
Patch by fjodorver

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689082&r1=1689081&r2=1689082&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 20:08:18 2015
@@ -106,32 +106,8 @@ public class FormAuthModule extends Tomc
 Request request = (Request) messageInfo.getRequestMessage();
 HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
 
-// Have we authenticated this user before but have caching disabled?
-if (!cachePrincipalsInSession) {
-Session session = request.getSessionInternal(true);
-if (log.isDebugEnabled()) {
-log.debug(Checking for reauthenticate in session  + session);
-}
-String username = (String) 
session.getNote(Constants.SESS_USERNAME_NOTE);
-String password = (String) 
session.getNote(Constants.SESS_PASSWORD_NOTE);
-if ((username != null)  (password != null)) {
-if (log.isDebugEnabled()) {
-log.debug(Reauthenticating username ' + username + ');
-}
-Principal principal = realm.authenticate(username, password);
-if (principal == null) {
-forwardToErrorPage(request, response);
-return AuthStatus.FAILURE;
-}
-
-session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
-if (isMatchingSavedRequest(request)) {
-return submitSavedRequest(clientSubject, request, 
response);
-}
-
-handlePrincipalCallbacks(clientSubject, principal);
-return AuthStatus.SUCCESS;
-}
+if (!cachePrincipalsInSession  isUserAuthenicatedBefore(request)) {
+return handleSavedCredentials(clientSubject, request, response);
 }
 
 // Is this the re-submit of the original request URI after
@@ -149,6 +125,43 @@ public class FormAuthModule extends Tomc
 }
 
 
+private AuthStatus handleSavedCredentials(Subject clientSubject, Request 
request,
+HttpServletResponse response) throws IOException, 
UnsupportedCallbackException {
+Session session = request.getSessionInternal(true);
+if (log.isDebugEnabled()) {
+log.debug(Checking for reauthenticate in session  + session);
+}
+
+String username = (String) 
session.getNote(Constants.SESS_USERNAME_NOTE);
+String password = (String) 
session.getNote(Constants.SESS_PASSWORD_NOTE);
+if (log.isDebugEnabled()) {
+log.debug(Reauthenticating username ' + username + ');
+}
+
+Principal principal = realm.authenticate(username, password);
+if (principal == null) {
+forwardToErrorPage(request, response);
+return AuthStatus.FAILURE;
+}
+
+session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
+if (isMatchingSavedRequest(request)) {
+return submitSavedRequest(clientSubject, request, response);
+}
+
+handlePrincipalCallbacks(clientSubject, principal);
+return AuthStatus.SUCCESS;
+}
+
+
+private boolean isUserAuthenicatedBefore(Request request) {
+Session session = request.getSessionInternal(true);
+String username = (String) 
session.getNote(Constants.SESS_USERNAME_NOTE);
+String password = (String) 
session.getNote(Constants.SESS_PASSWORD_NOTE);
+return username != null  password != null;
+}
+
+
 private AuthStatus submitSavedRequest(Subject clientSubject, Request 
request,
 HttpServletResponse response) throws IOException, 
UnsupportedCallbackException {
 Session session = request.getSessionInternal(true);
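
Review bot: isUserAuthenicatedBefore calls request.getSessionInternal(true), so with cachePrincipalsInSession disabled every request that reaches the check gets a session created just to find that no credentials are stored. Use getSessionInternal(false) and return false when there is no session. The method name is missing a "t" ("Authenticated"), and handleSavedCredentials reads the same two session notes again without the null test the old inline code had; pass the values in, or document that it may only be called after the check.
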






JASPIC configuration

2015-07-03 Thread Mark Thomas
On 03/07/2015 18:55, Fjodor Vershinin wrote:

 For example the way how we handle module configurations. What do
 you think about my proposal to use Provider based config?

OK. We need the configuration settings in the ServerAuthModule
implementations. It is pretty clear from the API that those settings are
meant to be passed via the options Map in initialize().

initialize() is called from the constructor of TomcatServerAuthContext.
The options Map is an argument to that constructor. Question 1: why pass in
the module and all the other parameters to the constructor when you
could configure the module before calling the constructor and just pass
in the configured module?

That constructor is called from TomcatAuthConfig.getAuthContext() which
passes in a properties Map. It looks as if the intention is that that
properties map contains the configuration settings for the module(s). It
would be reasonable to create a new Map, add those properties, add any
internal properties (like the Realm name) and pass the newly created Map
to the module. That has the added bonus (hopefully - it depends exactly
on the properties) of isolating the module from any later changes the
caller may make.

TomcatAuthConfig.getAuthContext() is called from
JaspicAuthenticator.authenticate(). A quick aside here. How many of the
calls in that method might change their return values between different
requests? Any that will not would be better placed in start() for better
performance.

Getting back to configuration, the JaspicAuthenticator has the
authProperties Map. If this Map were populated with the necessary
configuration settings, we can now see a path to getting this to the
ServerAuthModule where they are required.

server.xml is processed by the Digester. Understanding how that works
can take a little while. The short version is it uses introspection to
set properties on objects and we can use this to set configuration
settings on the JaspicAuthenticator - in exactly the same way as we
currently do for the BasicAuthenticator, DigestAuthenticator etc. This
has the added bonus that as long as we keep the attribute names the
same, users can migrate their settings to use JASPIC simply by changing
the name of the Authenticator class they specify in server.xml /
context.xml.

For this to work, we need to be able to put all the configuration
settings for JaspicAuthenticator in the authProperties Map. Luckily we
don't need to define every possible setting - the Digester supports
generic methods. If you add setProperty(String, String) and
getProperty(String) methods to the JaspicAuthenticator then the Digester
will do the rest.

With all the information above you should have what you need to get
settings from a JaspicAuthenticator in server.xml / context.xml all the
way to the ServerAuthModule. If you need any help - particularly around
the digester or configuring the authenticator in server.xml /
context.xml just ask.


Finally, feel free to ignore all of the above and go a different route
but be prepared to justify why you think the different route is better.


HTH and have a good weekend,

Mark

P.S. Congratulations on passing your mid-term.
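
The configuration path described in the message above (generic setProperty/getProperty on the authenticator, a fresh Map with internal properties added, options handed to the module in initialize()), as an added sketch that is not code from this thread or from Tomcat. The class names, the option keys and the internal realm key are assumptions, and the module here takes only the options Map rather than the full JASPIC initialize() signature.

```java
import java.nio.charset.Charset;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Added illustration: every class, key and value below is hypothetical, not Tomcat code.
public class JaspicOptionsFlowExample {

    static final String REALM_NAME_KEY = "example.internal.realmName"; // assumed internal key

    /** Stand-in for the authenticator configured from server.xml / context.xml. */
    static class ExampleAuthenticator {
        private final Map<String, String> authProperties = new HashMap<>();

        // Generic accessors: one pair covers every attribute, known or not.
        public void setProperty(String name, String value) {
            authProperties.put(name, value);
        }

        public String getProperty(String name) {
            return authProperties.get(name);
        }

        /** Copy the user settings, add internal ones, and freeze the result. */
        Map<String, String> buildModuleOptions(String realmName) {
            Map<String, String> options = new HashMap<>(authProperties);
            // Added last so a user-supplied attribute cannot override it.
            options.put(REALM_NAME_KEY, realmName);
            return Collections.unmodifiableMap(options);
        }
    }

    /** Stand-in for a form login module that reads its settings in initialize(). */
    static class ExampleFormModule {
        private boolean changeSessionIdOnAuthentication = true; // safe default
        private boolean cachePrincipalsInSession = true;
        private String characterEncoding; // null means "leave the request alone"
        private String realmName;

        void initialize(Map<String, String> options) {
            changeSessionIdOnAuthentication =
                    strictBoolean(options, "changeSessionIdOnAuthentication", true);
            cachePrincipalsInSession = strictBoolean(options, "cachePrincipalsInSession", true);
            realmName = options.get(REALM_NAME_KEY);

            String encoding = options.get("characterEncoding");
            // Reject a bad charset name at start-up instead of on the first login request.
            if (encoding != null && !Charset.isSupported(encoding)) {
                throw new IllegalArgumentException("Unsupported characterEncoding: " + encoding);
            }
            characterEncoding = encoding;
        }

        String describe() {
            return "realm=" + realmName
                    + " changeSessionId=" + changeSessionIdOnAuthentication
                    + " cachePrincipals=" + cachePrincipalsInSession
                    + " encoding=" + characterEncoding;
        }
    }

    /** Accept only "true" or "false"; a typo must not silently switch a protection off. */
    static boolean strictBoolean(Map<String, String> options, String key, boolean defaultValue) {
        String value = options.get(key);
        if (value == null) {
            return defaultValue;
        }
        if ("true".equalsIgnoreCase(value)) {
            return true;
        }
        if ("false".equalsIgnoreCase(value)) {
            return false;
        }
        throw new IllegalArgumentException("Invalid boolean for " + key + ": " + value);
    }

    public static void main(String[] args) {
        ExampleAuthenticator authenticator = new ExampleAuthenticator();
        // What introspection would do for attributes found on the configuration element.
        authenticator.setProperty("characterEncoding", "UTF-8");
        authenticator.setProperty("cachePrincipalsInSession", "false");
        authenticator.setProperty(REALM_NAME_KEY, "spoofed"); // attempt to set an internal key

        ExampleFormModule module = new ExampleFormModule();
        module.initialize(authenticator.buildModuleOptions("ExampleRealm"));

        // A later change on the caller's side does not reach the initialised module.
        authenticator.setProperty("changeSessionIdOnAuthentication", "false");
        System.out.println(module.describe());

        // A mistyped value is rejected rather than read as false.
        authenticator.setProperty("changeSessionIdOnAuthentication", "flase");
        try {
            new ExampleFormModule().initialize(authenticator.buildModuleOptions("ExampleRealm"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The strict boolean parsing is a choice made for this sketch: Boolean.parseBoolean would read a mistyped value as false and quietly disable the session id change.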




svn commit: r1689075 - in /tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules: FormAuthModule.java TomcatAuthModule.java

2015-07-03 Thread markt
Author: markt
Date: Fri Jul  3 19:57:38 2015
New Revision: 1689075

URL: http://svn.apache.org/r1689075
Log:
 Principal cache settings moved into parent class 

Modified:

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java

tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java?rev=1689075&r1=1689074&r2=1689075&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/FormAuthModule.java
 Fri Jul  3 19:57:38 2015
@@ -107,7 +107,7 @@ public class FormAuthModule extends Tomc
 HttpServletResponse response = (HttpServletResponse) 
messageInfo.getResponseMessage();
 
 // Have we authenticated this user before but have caching disabled?
-if (!isCache()) { //TODO Ask is it required? May be principal must be 
always cached
+if (!cachePrincipalsInSession) {
 Session session = request.getSessionInternal(true);
 if (log.isDebugEnabled()) {
 log.debug(Checking for reauthenticate in session  + session);
@@ -125,14 +125,12 @@ public class FormAuthModule extends Tomc
 }
 
 session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
-if (!isMatchingSavedRequest(request)) {
-handlePrincipalCallbacks(clientSubject, principal);
-return AuthStatus.SUCCESS;
+if (isMatchingSavedRequest(request)) {
+return submitSavedRequest(clientSubject, request, 
response);
 }
 
-if (log.isDebugEnabled()) {
-log.debug(Reauthentication failed, proceed normally);
-}
+handlePrincipalCallbacks(clientSubject, principal);
+return AuthStatus.SUCCESS;
 }
 }
 
@@ -163,7 +161,7 @@ public class FormAuthModule extends Tomc
 // If we're caching principals we no longer need getPrincipal the
 // username
 // and password in the session, so remove them
-if (isCache()) {
+if (cachePrincipalsInSession) {
 session.removeNote(Constants.SESS_USERNAME_NOTE);
 session.removeNote(Constants.SESS_PASSWORD_NOTE);
 }
@@ -324,11 +322,6 @@ public class FormAuthModule extends Tomc
 }
 
 
-private boolean isCache() {
-return true;
-}
-
-
 @Override
 public AuthStatus secureResponse(MessageInfo messageInfo, Subject 
serviceSubject)
 throws AuthException {

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java?rev=1689075&r1=1689074&r2=1689075&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
 (original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/jaspic/provider/modules/TomcatAuthModule.java
 Fri Jul  3 19:57:38 2015
@@ -51,6 +51,8 @@ public abstract class TomcatAuthModule i
 
 protected Context context;
 
+protected boolean cachePrincipalsInSession = true;
+
 
 public TomcatAuthModule(Context context) {
 this.context = context;
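
Review bot: cachePrincipalsInSession is introduced as a protected, non-final field with no Javadoc, so any subclass can flip it and nothing records what false means. The FormAuthModule hunk in this same commit removes SESS_USERNAME_NOTE and SESS_PASSWORD_NOTE only when the flag is true, which means that with false the username and password stay in the session for reauthentication. Make the field private with an accessor and document that consequence next to the declaration.
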






Re: JASPIC Implementation pointers

2015-07-03 Thread Fjodor Vershinin
Hi!
Unfortunately, commit rearrangement requires some more effort from me, so I
haven't finished it yesterday.
I need some more time to fix checkstyle errors and so on.

We can change the way users have to configure it. For example, we could
 say they have to use programmatic configuration via the standard JASPIC
 interfaces if they want to use non-default settings.


I see your point. The best option in my opinion is to pass these options
through LoginConfig/Context in ContextConfig.
We can figure out how to set these options in a programmatic way and then
refresh the context provider in order to reinitialize authentication
modules.

Thanks,
Fjodor