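request.setUserPrincipal(_notChecked);
        return true;
    }

    /* ------------------------------------------------------------ */
    /**
     * Check the security constraints that apply to a request.
     * <p>
     * The constraints are first combined: the strongest data constraint wins,
     * unless some constraint carries no data constraint at all (then transport
     * is unrestricted); roles are unioned; a constraint that requires
     * authentication but names no roles forbids everything, while one that
     * does not require authentication disables the role check entirely.
     * The combined result is then enforced in order: forbidden (403), data
     * constraint (redirect to the integral/confidential port, or 403), and
     * finally authentication plus role membership.
     *
     * @param constraints   LazyList of {@link Constraint}s matching the path
     * @param authenticator the configured authenticator, may be null
     * @param realm         the configured realm, may be null
     * @param pathInContext the request path within this context
     * @param request       the request
     * @param response      the response
     * @return false if the request has failed a security constraint or the
     *         authenticator has already sent a response (challenge, redirect
     *         or error); true if the request may proceed
     * @exception IOException
     */
    private boolean check(Object constraints, Authenticator authenticator, UserRealm realm,
                          String pathInContext, Request request, Response response)
        throws IOException {
        // Combine data and auth constraints
        int dataConstraint = Constraint.DC_NONE;
        Object roles = null;
        boolean unauthenticated = false;
        boolean forbidden = false;

        for (int c = 0; c < LazyList.size(constraints); c++) {
            Constraint sc = (Constraint) LazyList.get(constraints, c);

            // Combine data constraints: keep the strongest, but once any
            // constraint has no data constraint at all the transport is
            // unrestricted (DC_UNSET) and every other data constraint is ignored.
            if (dataConstraint > Constraint.DC_UNSET && sc.hasDataConstraint()) {
                if (sc.getDataConstraint() > dataConstraint)
                    dataConstraint = sc.getDataConstraint();
            } else {
                dataConstraint = Constraint.DC_UNSET; // ignore all other data constraints
            }

            // Combine auth constraints.
            if (!unauthenticated && !forbidden) {
                if (sc.getAuthenticate()) {
                    if (sc.isAnyRole()) {
                        roles = Constraint.ANY_ROLE;
                    } else {
                        String[] scr = sc.getRoles();
                        if (scr == null || scr.length == 0) {
                            // Authentication required but no role may pass: deny all.
                            // NOTE: breaking here leaves the data constraints of any
                            // later constraints unmerged; this only matters for the
                            // form login/error-page exemption below, which lets a
                            // forbidden path continue to the data-constraint check.
                            forbidden = true;
                            break;
                        } else if (roles != Constraint.ANY_ROLE) {
                            // TODO - this looks inefficient!
                            for (int r = scr.length; r-- > 0;)
                                roles = LazyList.add(roles, scr[r]);
                        }
                    }
                } else {
                    unauthenticated = true;
                }
            }
        }

        // Does this forbid everything?
        // The form login and error pages are exempt so that they stay
        // reachable inside an otherwise forbidden URI tree.
        if (forbidden
            && (!(authenticator instanceof FormAuthenticator)
                || !((FormAuthenticator) authenticator).isLoginOrErrorPage(pathInContext))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Handle data constraint
        if (dataConstraint > Constraint.DC_NONE) {
            HttpConnection connection = HttpConnection.getCurrentConnection();
            Connector connector = connection.getConnector();

            switch (dataConstraint) {
                case Constraint.DC_INTEGRAL:
                    if (connector.isIntegral(request))
                        break;
                    // FIX: the redirect used to be gated on getConfidentialPort()
                    // while building the URL from getIntegralPort(), so a connector
                    // with only an integral port answered 403 and one with only a
                    // confidential port redirected to ":0". Gate on the port used.
                    redirectToPort(request, response,
                                   connector.getIntegralScheme(), connector.getIntegralPort());
                    return false;

                case Constraint.DC_CONFIDENTIAL:
                    if (connector.isConfidential(request))
                        break;
                    redirectToPort(request, response,
                                   connector.getConfidentialScheme(), connector.getConfidentialPort());
                    return false;

                default:
                    // Unknown data constraint: fail closed.
                    response.sendError(Response.SC_FORBIDDEN, null);
                    return false;
            }
        }

        // Does it fail a role check?
        if (!unauthenticated && roles != null) {
            if (realm == null) {
                Log.warn("Request " + request.getRequestURI() + " failed - no realm");
                response.sendError(Response.SC_INTERNAL_SERVER_ERROR, "No realm");
                return false;
            }

            Principal user = null;

            // Handle pre-authenticated request
            if (request.getAuthType() != null && request.getRemoteUser() != null) {
                // TODO - is this still needed???
                // NOTE(review): this trusts whatever already set the auth type and
                // remote user on the request, and asks the realm to authenticate
                // that name with no credentials. Confirm that nothing
                // client-controlled can populate those fields before this handler.
                user = request.getUserPrincipal();
                if (user == null)
                    user = realm.authenticate(request.getRemoteUser(), null, request);
                if (user == null && authenticator != null)
                    user = authenticator.authenticate(realm, pathInContext, request, response);
            } else if (authenticator != null) {
                // User authenticator.
                user = authenticator.authenticate(realm, pathInContext, request, response);
            } else {
                // don't know how authenticate
                Log.warn("Mis-configured Authenticator for " + request.getRequestURI());
                response.sendError(Response.SC_INTERNAL_SERVER_ERROR, "Configuration error");
            }

            // If we still did not get a user
            if (user == null)
                return false; // Auth challenge or redirection already sent
            else if (user == __NOBODY)
                return true; // The Nobody user indicates authentication in transit.

            if (roles != Constraint.ANY_ROLE) {
                boolean inRole = false;
                for (int r = LazyList.size(roles); r-- > 0;) {
                    if (realm.isUserInRole(user, (String) LazyList.get(roles, r))) {
                        inRole = true;
                        break;
                    }
                }

                if (!inRole) {
                    // Name is passed through printable() so log lines cannot be forged.
                    Log.warn("AUTH FAILURE: incorrect role for " + StringUtil.printable(user.getName()));
                    // A plain 403 (rather than a fresh BASIC challenge) is sent
                    // here for TCK compliance.
                    response.sendError(Response.SC_FORBIDDEN, "User not in required role");
                    return false; // role failed.
                }
            }
        } else {
            // No constraint required authentication: mark the request so
            // later code can tell "not checked" from "no user".
            request.setUserPrincipal(_notChecked);
        }

        return true;
    }

    /* ------------------------------------------------------------ */
    /**
     * Send a redirect to the same URI (including query string) on
     * {@code scheme://host:port}, or a 403 when the connector has no such
     * port configured ({@code port <= 0}).
     * <p>
     * NOTE(review): the host is taken from request.getServerName(), which
     * servlet containers commonly derive from the client-supplied Host
     * header, so the redirect target host may be attacker-influenced unless
     * the connector or virtual-host configuration constrains it - confirm.
     *
     * @param request  the request being redirected
     * @param response the response to write the redirect or error to
     * @param scheme   the target scheme, e.g. the connector's integral scheme
     * @param port     the target port; 0 or negative means not configured
     * @exception IOException
     */
    private void redirectToPort(Request request, Response response, String scheme, int port)
        throws IOException {
        if (port > 0) {
            String url = scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
            if (request.getQueryString() != null)
                url += "?" + request.getQueryString();
            response.setContentLength(0);
            response.sendRedirect(url);
        } else {
            response.sendError(Response.SC_FORBIDDEN, null);
        }
    }

    /** Sentinel principal meaning "no user"; its name is null. */
    public static Principal __NO_USER = new Principal() {
        public String getName() {
            return null;
        }

        public String toString() {
            return "No User";
        }
    };

    /**
     * Principal that check() sets on a request whose constraints did not
     * require authentication; its name is null. Deliberately a non-static
     * inner class so that getSecurityHandler() can return the owning handler.
     */
    public class NotChecked implements Principal {
        public String getName() {
            return null;
        }

        public String toString() {
            return "NOT CHECKED";
        }

        public SecurityHandler getSecurityHandler() {
            return SecurityHandler.this;
        }
    }

    /* ------------------------------------------------------------ */
    /**
     * Nobody user.
     * The Nobody UserPrincipal is used to indicate a partial state of
     * authentication. A request with a Nobody UserPrincipal will be allowed
     * past all authentication constraints - but will not be considered an
     * authenticated request. It can be used by Authenticators such as
     * FormAuthenticator to allow access to logon and error pages within an
     * authenticated URI tree. Note that check() returns true for this
     * principal before any role membership is tested.
     */
    public static Principal __NOBODY = new Principal() {
        public String getName() {
            return "Nobody";
        }

        public String toString() {
            return getName();
        }
    };
}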