abstractauthenticator.java
来自「RESIN 3.2 最新源码」· Java 代码 · 共 796 行 · 第 1/2 页
// Tail of a digest-verification method whose signature and opening lines
// precede this excerpt; its statements are reproduced unchanged.
      byte []serverDigest = digest.digest();

      // NOTE(review): a length check followed by a byte loop that returns at
      // the first mismatch is not a constant-time comparison.
      // MessageDigest.isEqual(clientDigest, serverDigest) is the usual
      // replacement; confirm how clientDigest is produced in the part of the
      // method that is not visible here before changing it.
      if (clientDigest.length != serverDigest.length)
        return null;

      for (int i = 0; i < clientDigest.length; i++) {
        if (serverDigest[i] != clientDigest[i])
          return null;
      }

      return new BasicPrincipal(user);
    } catch (Exception e) {
      throw new ServletException(e);
    }
  }

  /**
   * Feeds the lowercase hexadecimal text of {@code bytes} into
   * {@code digest}: two ASCII characters per input byte, high nibble first.
   *
   * @param digest the digest being updated
   * @param bytes the raw bytes whose hex form is hashed
   */
  private void digestUpdateHex(MessageDigest digest, byte []bytes)
  {
    for (byte value : bytes) {
      // The mask discards the sign extension introduced by promoting the
      // byte to int.
      int high = (value >> 4) & 0xf;
      int low = value & 0xf;

      // Character.forDigit yields '0'-'9' and 'a'-'f' for radix 16.
      digest.update((byte) Character.forDigit(high, 16));
      digest.update((byte) Character.forDigit(low, 16));
    }
  }

  /**
   * Decodes lowercase hexadecimal text into bytes.
   *
   * <p>Only '0'-'9' and 'a'-'f' are recognised. Any other character,
   * including 'A'-'F', contributes a zero nibble instead of being rejected,
   * so malformed input is decoded rather than refused. For an odd-length
   * string the unpaired final character is ignored and the last byte of the
   * result stays zero.
   *
   * @param digest the hex text, may be null
   * @return the decoded bytes, or null when {@code digest} is null
   */
  protected byte []stringToDigest(String digest)
  {
    if (digest == null)
      return null;

    int textLength = digest.length();
    byte []decoded = new byte[(textLength + 1) / 2];

    // One iteration per complete pair of characters.
    for (int pair = 0; pair < textLength / 2; pair++) {
      int highChar = digest.charAt(2 * pair);
      int lowChar = digest.charAt(2 * pair + 1);

      int highNibble;
      if (highChar >= '0' && highChar <= '9')
        highNibble = highChar - '0';
      else if (highChar >= 'a' && highChar <= 'f')
        highNibble = highChar - 'a' + 10;
      else
        highNibble = 0;

      int lowNibble;
      if (lowChar >= '0' && lowChar <= '9')
        lowNibble = lowChar - '0';
      else if (lowChar >= 'a' && lowChar <= 'f')
        lowNibble = lowChar - 'a' + 10;
      else
        lowNibble = 0;

      decoded[pair] = (byte) (highNibble * 16 + lowNibble);
    }

    return decoded;
  }

  /**
   * Returns the digest secret for Digest authentication.
*/
  protected byte []getDigestSecret(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ServletContext application,
                                   String username, String realm,
                                   String algorithm)
    throws ServletException
  {
    String password = getDigestPassword(request, response, application,
                                        username, realm);

    // No stored credential for this user/realm: no secret can be produced.
    if (password == null) {
      return null;
    }

    // With a password-digest helper configured, the stored value is decoded
    // by that helper instead of being hashed here.
    // presumably the stored value is already hex digest text - verify against
    // the helper's stringToDigest.
    if (_passwordDigest != null) {
      return _passwordDigest.stringToDigest(password);
    }

    try {
      // NOTE(review): algorithm is passed straight to getInstance. If it can
      // originate from the client's Authorization header, confirm it is
      // limited to the algorithms the server intends to accept.
      MessageDigest md = MessageDigest.getInstance(algorithm);

      // Hash input as built here: username ":" realm ":" password.
      byte []secretInput
        = (username + ":" + realm + ":" + password).getBytes("UTF8");

      return md.digest(secretInput);
    } catch (Exception e) {
      throw new ServletException(e);
    }
  }

  /**
   * Returns the MD5 digest of the UTF-8 bytes of {@code value}.
   *
   * <p>The algorithm is fixed to MD5, presumably because HTTP Digest
   * authentication requires it; it should not be reused as a
   * password-storage or general integrity hash.
   *
   * @param value the text to hash
   * @return the 16-byte MD5 digest
   * @throws ServletException wrapping any failure while hashing
   */
  protected byte []digest(String value)
    throws ServletException
  {
    try {
      MessageDigest md5 = MessageDigest.getInstance("MD5");

      return md5.digest(value.getBytes("UTF8"));
    } catch (Exception e) {
      throw new ServletException(e);
    }
  }

  /**
   * Hook for authenticators that keep a stored password (or digest text)
   * rather than computing the digest secret themselves.
   *
   * <p>This base implementation returns null, which makes
   * {@code getDigestSecret} return null as well.
   *
   * @return the stored password for {@code username} in {@code realm},
   *         or null when none is available
   */
  protected String getDigestPassword(HttpServletRequest request,
                                     HttpServletResponse response,
                                     ServletContext application,
                                     String username, String realm)
    throws ServletException
  {
    return null;
  }

  /**
   * Grab the user from the request, assuming the user has
   * already logged in.  In other words, overriding methods could
   * use cookies or the session to find the logged in principal, but
   * shouldn't try to log the user in with form parameters.
   *
   * @param request the servlet request.
   *
   * @return a Principal representing the user or null if none has logged in.
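*/
  public Principal getUserPrincipal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    ServletContext application)
    throws ServletException
  {
    SessionImpl session = (SessionImpl) request.getSession(false);

    // Fast path: the existing session already carries a principal.
    Principal user = null;
    if (session != null)
      user = session.getUser();

    if (user != null)
      return user;

    // Second chance: the principal cache, keyed by the live session id when
    // there is one, otherwise by the session id the client asked for.
    // NOTE(review): getRequestedSessionId() is client-supplied. Using it as a
    // cache key means a principal can be stored under, and later served for,
    // an id the server did not issue. Confirm that ids are validated or
    // regenerated at login elsewhere (session-fixation hardening).
    PrincipalEntry entry = null;

    if (_principalCache != null) {
      if (session != null)
        entry = _principalCache.get(session.getId());
      else if (request.getRequestedSessionId() != null)
        entry = _principalCache.get(request.getRequestedSessionId());
    }

    if (entry != null) {
      user = entry.getPrincipal();

      // A cache hit without a session creates one so the principal can be
      // attached to it.
      if (session == null)
        session = (SessionImpl) request.getSession(true);

      session.setUser(user);
      entry.addSession(session);

      return user;
    }

    // Last resort: the subclass hook (null in this base class).
    user = getUserPrincipalImpl(request, application);

    if (user == null)
      return null;

    if (session != null) {
      session.setUser(user);

      // The cache is optional. The lookup above already tolerates a null
      // cache, so the store must too; previously this path dereferenced
      // _principalCache unconditionally and threw NullPointerException
      // when no cache was configured.
      if (_principalCache != null) {
        entry = new PrincipalEntry(user);
        entry.addSession(session);

        _principalCache.put(session.getId(), entry);
      }
    }
    else if (_principalCache != null
             && request.getRequestedSessionId() != null) {
      // No session exists yet: remember the principal under the requested
      // id, with no session attached to the entry.
      entry = new PrincipalEntry(user);

      _principalCache.put(request.getRequestedSessionId(), entry);
    }

    return user;
  }

  /**
   * Gets the user from a persistent cookie, using authenticateCookie
   * to actually look the cookie up.
   *
   * <p>This base implementation finds no user and returns null.
   *
   * @param request the servlet request
   * @param application the servlet context
   * @return the principal found for the request, or null
   */
  protected Principal getUserPrincipalImpl(HttpServletRequest request,
                                           ServletContext application)
    throws ServletException
  {
    return null;
  }

  /**
   * Returns true if the user plays the named role.
   *
   * <p>This base implementation grants no roles: it always returns false.
   *
   * @param request the servlet request
   * @param user the user to test
   * @param role the role to test
   * @return false in this base implementation
   */
  public boolean isUserInRole(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application,
                              Principal user, String role)
    throws ServletException
  {
    return false;
  }

  /**
   * Logs the user out from the session.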
*
   * @param application the application
   * @param timeoutSession the session timing out, null if not a timeout logout
   * @param sessionId the id of the session to log out; nothing is done
   *        when it is null
   * @param user the logged in user
   */
  public void logout(ServletContext application,
                     HttpSession timeoutSession,
                     String sessionId,
                     Principal user)
    throws ServletException
  {
    if (log.isLoggable(Level.FINE))
      log.fine(this + " logout " + user);

    if (sessionId == null)
      return;

    if (_principalCache != null) {
      if (timeoutSession != null) {
        // Timeout of a single session: the cache entry is dropped only once
        // its last tracked session is gone.
        PrincipalEntry timedOut = _principalCache.get(sessionId);

        if (timedOut != null && timedOut.logout(timeoutSession))
          _principalCache.remove(sessionId);
      }
      else {
        // Explicit logout: drop the entry and log out every session that
        // shares it.
        PrincipalEntry removed = _principalCache.remove(sessionId);

        if (removed != null)
          removed.logout();
      }
    }

    SessionManager manager = ((Application) application).getSessionManager();

    if (manager == null)
      return;

    try {
      SessionImpl session = manager.getSession(sessionId,
                                               Alarm.getCurrentTime(),
                                               false, true);

      if (session != null) {
        session.finish();
        session.logout();
      }
    } catch (Exception e) {
      // NOTE(review): a failure to tear the session down is recorded only at
      // FINE, so a logout that did not complete may go unnoticed in
      // production logs.
      log.log(Level.FINE, e.toString(), e);
    }
  }

  /**
   * Logs out the session named by the request's requested session id.
   *
   * @param request the servlet request
   * @deprecated
   */
  public void logout(HttpServletRequest request,
                     HttpServletResponse response,
                     ServletContext application,
                     Principal user)
    throws ServletException
  {
    String requestedId = request.getRequestedSessionId();

    logout(application, null, requestedId, user);
  }

  /**
   * Logs the user out from the session.
*
   * @param application the application
   * @param sessionId the id of the session to log out
   * @param user the logged in user
   * @deprecated
   */
  public void logout(ServletContext application,
                     String sessionId,
                     Principal user)
    throws ServletException
  {
    logout(application, null, sessionId, user);
  }

  /**
   * Cache entry tying one principal to the sessions that share it.
   *
   * <p>Sessions are held through soft references, so an entry may find a
   * reference already cleared. NOTE(review): no synchronization is visible
   * in this class; confirm callers serialize access to an entry.
   */
  static class PrincipalEntry {
    private final Principal _principal;
    private ArrayList<SoftReference<SessionImpl>> _sessions;

    PrincipalEntry(Principal principal)
    {
      _principal = principal;
    }

    Principal getPrincipal()
    {
      return _principal;
    }

    /**
     * Tracks another session that uses this principal.
     */
    void addSession(SessionImpl session)
    {
      // The list is created on first use.
      if (_sessions == null)
        _sessions = new ArrayList<SoftReference<SessionImpl>>();

      SoftReference<SessionImpl> ref = new SoftReference<SessionImpl>(session);

      _sessions.add(ref);
    }

    /**
     * Logout only the given session, returning true if it's the
     * last session to logout.
     */
    boolean logout(HttpSession timeoutSession)
    {
      ArrayList<SoftReference<SessionImpl>> tracked = _sessions;

      if (tracked == null)
        return true;

      boolean noneLeft = true;

      // Walk backwards so remove(i) never shifts an entry still to be visited.
      for (int i = tracked.size() - 1; i >= 0; i--) {
        SessionImpl session = tracked.get(i).get();

        try {
          if (session == timeoutSession) {
            tracked.remove(i);
            session.logout();
          }
          else if (session == null) {
            // The reference was cleared; drop the stale slot.
            tracked.remove(i);
          }
          else {
            noneLeft = false;
          }
        } catch (Exception e) {
          log.log(Level.WARNING, e.toString(), e);
        }
      }

      return noneLeft;
    }

    /**
     * Logs out and invalidates every session still reachable from this entry.
     *
     * <p>A session whose reference has been cleared is skipped.
     * NOTE(review): confirm such a session is invalidated by other means.
     */
    void logout()
    {
      ArrayList<SoftReference<SessionImpl>> tracked = _sessions;
      // Detach the list first so the entry no longer tracks any session.
      _sessions = null;

      if (tracked == null)
        return;

      for (int i = 0; i < tracked.size(); i++) {
        SessionImpl session = tracked.get(i).get();

        try {
          if (session == null)
            continue;

          session.logout();
          session.invalidateLogout(); // #599, server/12i3
        } catch (Exception e) {
          log.log(Level.WARNING, e.toString(), e);
        }
      }
    }
  }

  /**
   * Sets the serialization handle
   */
  public void setSerializationHandle(Object handle)
  {
    _serializationHandle = handle;
  }

  /**
   * Serialize to the handle: the handle is written in place of this
   * authenticator.
   */
  public Object writeReplace()
  {
    return _serializationHandle;
  }

  /**
   * Returns the simple class name followed by the password digest algorithm
   * and realm in brackets.
   */
  public String toString()
  {
    String simpleName = getClass().getSimpleName();

    return simpleName
           + "[" + _passwordDigestAlgorithm
           + "," + _passwordDigestRealm
           + "]";
  }
}