📄 accessinterceptor.java
if( roles!=null)
for( int j=0; j< roles.length; j++ )
sb.append( roles[j]).append(" ");
log( sb.toString());
}
// roles will be checked by a different interceptor
if( roles!= null && roles.length > 0)
req.setRequiredRoles( roles );
if( transport != null &&
! "NONE".equals( transport )) {
req.setNote( reqTransportNote, transport );
// check INTEGRAL or CONFIDENTIAL
if( "INTEGRAL".equalsIgnoreCase( transport ) ||
"CONFIDENTIAL".equalsIgnoreCase( transport )) {
if( debug>0) log( "Transport " + transport + " " + req.isSecure());
if( ! req.isSecure() ) {
return 403;
}
}
}
}
}
return 0;
}
/** Tell whether the given request path and HTTP method match the pattern
 *  and method list of a container.
 */
boolean match( Container ct, String path, String method ) {
    // Read the pattern first so a missing path fails before any method check.
    final String pattern = ct.getPath();
    final int patternLen = pattern.length();

    // Method filter: a null or empty method list means "any method".
    final String[] allowed = ct.getMethods();
    if( allowed != null && allowed.length > 0 ) {
        int idx = 0;
        while( idx < allowed.length
               && ! method.equalsIgnoreCase( allowed[idx] ) ) {
            idx++;
        }
        if( idx == allowed.length ) {
            return false; // none of the listed methods matched
        }
    }

    // NOTE(review): every comparison below is case-sensitive and is made on
    // the path exactly as passed in. Presumably the caller has already
    // decoded and normalized it; confirm, because a path that differs from
    // the pattern only in case or in non-normalized segments will not be
    // matched by the constraint.
    switch( ct.getMapType() ) {
    case Container.PREFIX_MAP: {
        // Pattern presumably ends in "/*"; 'stem' is its length without
        // those two characters.
        final int stem = patternLen - 2;
        if( path.length() < stem ) {
            return false;
        }
        // When the path is longer than the stem, the '/' that follows the
        // stem is compared as well.
        final int compareLen = ( path.length() > stem ) ? stem + 1 : stem;
        return path.startsWith( pattern.substring( 0, compareLen ) );
    }
    case Container.EXTENSION_MAP: {
        // Drop the first pattern character (presumably '*') and compare the
        // rest with the extension that URLUtil reports for the path.
        final String wanted = pattern.substring( 1 );
        return wanted.equals( URLUtil.getExtension( path ) );
    }
    case Container.PATH_MAP:
        // Exact match only.
        return path.equals( pattern );
    }
    // Any other map type never matches.
    return false;
}
// -------------------- Implementation methods --------------------
}
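/** Holder for the constraint containers registered through addContainer().
 *  Only the first 'patterns' slots of 'securityPatterns' are in use.
 */
class SecurityConstraints {
    // Backing array; may be replaced by a larger one in addContainer(), so
    // readers should always go through this field and the 'patterns' count.
    Container []securityPatterns;
    // Number of valid entries at the front of securityPatterns.
    int patterns=0;

    // Initial capacity of the backing array. The array grows on demand,
    // so this is no longer a hard limit.
    static final int MAX_CONSTRAINTS=30;

    public SecurityConstraints() {
        securityPatterns=new Container[MAX_CONSTRAINTS];
    }

    /** Append a container, growing the backing array when it is full.
     *
     *  Previously the entry after the last free slot raised
     *  ArrayIndexOutOfBoundsException. Whether callers handled that is not
     *  visible here; if they did not, a constraint could end up
     *  unregistered, so the array is now enlarged instead.
     *
     *  @param ct container to register; stored as given
     */
    // It's called in a single thread anyway
    public synchronized void addContainer(Container ct) {
        if( patterns >= securityPatterns.length ) {
            int newCapacity =
                Math.max( MAX_CONSTRAINTS, securityPatterns.length * 2 );
            Container[] grown = new Container[ newCapacity ];
            System.arraycopy( securityPatterns, 0, grown, 0, patterns );
            securityPatterns = grown;
        }
        securityPatterns[ patterns ]= ct;
        patterns++;
    }
}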
/** Internal handler that answers a request with an HTTP Basic challenge. */
class BasicAuthHandler extends ServletWrapper {
    BasicAuthHandler() {
        initialized=true;
        internal=true;
        name="tomcat.basicAuthHandler";
    }

    /** Set status 401 and a WWW-Authenticate header naming the realm of the
     *  request's context, or "default" when the context has no realm name.
     */
    public void doService(Request req, Response res)
        throws Exception
    {
        final String configured = req.getContext().getRealmName();
        final String realmName = ( configured == null ) ? "default" : configured;

        // NOTE(review): the realm name is placed inside the quoted string
        // unescaped. Presumably it comes from deployment configuration;
        // confirm it can never contain a double quote or a line break.
        final String challenge = "Basic realm=\"" + realmName + "\"";

        res.setStatus( 401 );
        res.setHeader( "WWW-Authenticate", challenge );
    }
}
/** 403 - Forbidden.
This handler will report that the page can't be accessed without
SSL.
*/
class SSLRequiredHandler extends ServletWrapper {
    SSLRequiredHandler() {
        initialized=true;
        internal=true;
        name="tomcat.sslRequiredHandler";
    }

    /** Send the client to the https:// form of the requested URL when the
     *  context manager reports a secure port (> 0); otherwise answer 403
     *  with a short HTML body.
     */
    public void doService(Request req, Response res)
        throws Exception
    {
        final int securePort =
            req.getContext().getContextManager().getSecurePort();

        if( securePort > 0 ) {
            // Rebuild the same URL (same context page, etc) on the secure port.
            // NOTE(review): req.getServerName() presumably reflects the host
            // name the client sent with the request - confirm. If so, the
            // host part of this redirect is client-influenced and a
            // configured server name would be the safer source.
            StringBuffer target = new StringBuffer( "https://" );
            target.append( req.getServerName() );
            target.append( ":" ).append( securePort );
            target.append( req.getRequestURI() );
            final String query = req.getQueryString();
            if( query != null ) {
                target.append( "?" ).append( query );
            }
            // The status handler reads the redirect target from this attribute.
            req.setAttribute( "javax.servlet.error.message",
                              target.toString() );
            contextM.handleStatus( req, res, 302 ); // redirect
            return;
        }

        // 403 - this page requires SSL and we don't know any way to get there
        res.setStatus( 403 );
        final String html = "<h1>SSL required to access this page</H1>";
        // Character count equals byte count here because the body is ASCII.
        res.setContentLength( html.length() );
        if( res.isUsingStream() ) {
            ServletOutputStream stream = res.getOutputStream();
            stream.print( html );
            stream.flush();
        } else {
            PrintWriter writer = res.getWriter();
            writer.print( html );
            writer.flush();
        }
    }
}
/** 401 - access denied. Will check if we have an authenticated user
or not.
XXX If we have user/pass, but still no permission - display
error page.
*/
class FormAuthHandler extends ServletWrapper {
    FormAuthHandler() {
        initialized=true;
        internal=true;
        name="tomcat.formAuthHandler";
    }

    /** Handle a 401 under form login: remember the requested location in
     *  the session, then redirect to the form error page when the session
     *  already holds a j_username (credentials were rejected), or to the
     *  form login page otherwise.
     */
    public void doService(Request req, Response res)
        throws Exception
    {
        Context ctx=req.getContext();

        // Probe for an existing session; the result is not used, because a
        // session is created below regardless.
        req.getSession( false );

        final String loginPage = ctx.getFormLoginPage();
        final String errorPage = ctx.getFormErrorPage();
        // assert errorPage!=null ( AccessInterceptor will check
        // that and enable form login only if everything is ok

        final HttpSession session = req.getSession( true );
        final String username = (String)session.getAttribute( "j_username" );

        // Requested URI plus query string. FormSecurityCheckHandler in this
        // file later uses the stored value as a redirect target.
        final String uri = req.getRequestURI();
        final String originalLocation = ( req.getQueryString() != null )
            ? uri + "?" + req.getQueryString()
            : uri;
        session.setAttribute( "tomcat.auth.originalLocation",
                              originalLocation );

        if( debug>0) log( "Username = " + username);

        final String redirectTo;
        if( username != null ) {
            // 401 with existing j_username - that means wrong credentials.
            // Drop them so the next attempt starts fresh.
            session.removeAttribute( "j_username");
            session.removeAttribute( "j_password");
            redirectTo = errorPage;
        } else {
            if( debug > 0 )
                log("Redirect1: " + loginPage + " originalUri=" + req.getRequestURI());
            redirectTo = loginPage;
        }

        // The status handler reads the redirect target from this attribute.
        req.setAttribute( "javax.servlet.error.message", redirectTo );
        contextM.handleStatus( req, res, 302 ); // redirect
    }
}
/**
j_security_check handler
This is called after the user POST the form login page.
*/
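class FormSecurityCheckHandler extends ServletWrapper {
    FormSecurityCheckHandler() {
        initialized=true;
        internal=true;
        name="tomcat.formSecurityCheck";
    }

    /** Store the posted j_username and j_password in the existing session
     *  and redirect to the location saved under
     *  "tomcat.auth.originalLocation".
     *
     *  The credentials are not validated here. If they are wrong, the
     *  normal 401 handler deals with it and shows the error page.
     *  A request that arrives without a session is redirected to the form
     *  error page.
     *
     *  NOTE(review): the plaintext password stays in the session.
     *  FormAuthHandler in this file removes it after a failed attempt;
     *  nothing visible here removes it after a successful one. The session
     *  that existed before login is also reused as is. Confirm both are
     *  acceptable for the deployment.
     */
    public void doService(Request req, Response res)
        throws Exception
    {
        String username=req.getParameter( "j_username" );
        String password=req.getParameter( "j_password" );

        Context ctx=req.getContext();
        String errorPage=ctx.getFormErrorPage();
        // assert errorPage!=null ( AccessInterceptor will check
        // that and enable form login only if everything is ok

        // Never write the password itself to the log; only record whether
        // one was supplied.
        if( debug > 0 )
            log( " user/pass= " + username + " "
                 + ( password == null ? "<none>" : "<hidden>" ) );

        HttpSession session=req.getSession( false );
        if( session == null ) {
            ctx.log("From login without a session ");
            req.setAttribute("javax.servlet.error.message",
                             errorPage );
            contextM.handleStatus( req, res, 302 ); // redirect
            return;
        }

        session.setAttribute( "j_username", username );
        session.setAttribute( "j_password", password );

        // May be null when no protected page was requested before the form
        // was posted; the value is passed on unchanged.
        String origLocation=(String)session.
            getAttribute( "tomcat.auth.originalLocation");

        if( debug > 0)
            log("Redirect2: " + origLocation);

        // The status handler reads the redirect target from this attribute.
        req.setAttribute("javax.servlet.error.message",
                         origLocation );
        contextM.handleStatus( req, res, 302 ); // redirect
    }
}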