All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.catalina.authenticator.NonLoginAuthenticator Maven / Gradle / Ivy

There is a newer version: 11.0.0-M26
Show newest version
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.catalina.authenticator;

import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;

/**
 * An Authenticator and Valve implementation that checks only security constraints not involving user
 * authentication.
 *
 * @author Craig R. McClanahan
 */
public final class NonLoginAuthenticator extends AuthenticatorBase {


    // --------------------------------------------------------- Public Methods


    /**
     * 

* Authenticate the user making this request, based on the fact that no login-config has been defined * for the container. *

*

* This implementation means "login the user even though there is no self-contained way to establish a security * Principal for that user". *

*

* This method is called by the AuthenticatorBase super class to establish a Principal for the user BEFORE the * container security constraints are examined, i.e. it is not yet known whether the user will eventually be * permitted to access the requested resource. Therefore, it is necessary to always return true to * indicate the user has not failed authentication. *

*

* There are two cases: *

*
    *
  • without SingleSignon: a Session instance does not yet exist and there is no auth-method to * authenticate the user, so leave Request's Principal as null. Note: AuthenticatorBase will later examine the * security constraints to determine whether the resource is accessible by a user without a security Principal and * Role (i.e. unauthenticated).
  • *
  • with SingleSignon: if the user has already authenticated via another container (using its own login * configuration), then associate this Session with the SSOEntry so it inherits the already-established security * Principal and associated Roles. Note: This particular session will become a full member of the SingleSignOnEntry * Session collection and so will potentially keep the SSOE "alive", even if all the other properly authenticated * Sessions expire first... until it expires too.
  • *
* * @param request Request we are processing * @param response Response we are creating * * @return boolean to indicate whether the user is authenticated * * @exception IOException if an input/output error occurs */ @Override protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException { // Don't try and use SSO to authenticate since there is no auth // configured for this web application if (checkForCachedAuthentication(request, response, true)) { // Save the inherited Principal in this session so it can remain // authenticated until it expires. if (cache) { request.getSessionInternal(true).setPrincipal(request.getPrincipal()); } return true; } // No Principal means the user is not already authenticated // and so will not be assigned any roles. It is safe to // to say the user is now authenticated because access to // protected resources will only be allowed with a matching role. // i.e. SC_FORBIDDEN (403 status) will be generated later. if (containerLog.isDebugEnabled()) { containerLog.debug("User authenticated without any roles"); } return true; } @Override protected String getAuthMethod() { return "NONE"; } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy