Hi, In article <[EMAIL PROTECTED]>, Thu, 19 Feb 2004 15:50:00 +0900 (JST), Kazuhito SUGURI <[EMAIL PROTECTED]> wrote: suguri.kazuhito> I'll propose a modified FormAuthentication soon.
This is the one. I had modified FormAuthentication.java in cactus-src-1.5. Two sets of accessor has been added to the original: - void setExpectedPreAuthResponse(int) / int getExpectedPreAuthResponse() Set/get the expected HTTP response code for the request to the restricted resource without valid cookie. The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP). This is corresponding to the Step (2). - void setExpectedAuthResponse(int) / int getexpectedAuthResponse() Set/get the expected HTTP response code if the security_check is succeeded. The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP). This is corresponding to the Step (4). Ankur, would you try this? Regards, ---- Kazuhito SUGURI mailto:[EMAIL PROTECTED]
/* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 2001-2003 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Cactus" and "Apache Software * Foundation" must not be used to endorse or promote products * derived from this software without prior written permission. For * written permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * */ package org.apache.cactus.client.authentication; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; import org.apache.cactus.Cookie; import org.apache.cactus.WebRequest; import org.apache.cactus.client.connector.http.ConnectionHelper; import org.apache.cactus.client.connector.http.ConnectionHelperFactory; import org.apache.cactus.configuration.Configuration; import org.apache.cactus.configuration.WebConfiguration; import org.apache.cactus.util.ChainedRuntimeException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * Form-based authentication implementation. An instance of this class * can be reused across several tests as it caches the session cookie. * Thus the first time it is used to authenticate the user, it calls * the security URL (which is by default the context URL prepended by * "j_security_check"), caches the returned session cookie and adds the * cookie for the next request. The second time it is called, it simply * addes the session cookie for the next request. * * @author <a href="mailto:[EMAIL PROTECTED]">Jason Robertson</a> * @author <a href="mailto:[EMAIL PROTECTED]">Vincent Massol</a> * * @since 1.5 * * @version $Id: $ */ public class FormAuthentication extends AbstractAuthentication { /** * The logger. */ private static final Log LOGGER = LogFactory.getLog(FormAuthentication.class); /** * The expected HTTP response code for the request to a restricted * resource without authenticated principal. */ private int expectedPreAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP; /** * The expected HTTP response code when the authentication is succeeded. */ private int expectedAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP; /** * The URL to use when attempting to log in, if for whatever reason * the default URL is incorrect. */ private URL securityCheckURL = null; /** * We store the session cookie name because of case issues. We need * to be able to send exactly the same one as was sent back by the * server. */ private String sessionIdCookieName = null; /** * We store the session id cookie so that this instance can * be reused for another test. */ private String sessionId = null; /** * [EMAIL PROTECTED] WebRequest} object that will be used to connect to the * security URL. */ private WebRequest securityRequest = new WebRequest(); /** * @param theName user name of the Credential * @param thePassword user password of the Credential */ public FormAuthentication(String theName, String thePassword) { super(theName, thePassword); } /** * @see AbstractAuthentication#validateName(String) */ protected void validateName(String theName) { // Nothing to do here... } /** * @see AbstractAuthentication#validatePassword(String) */ protected void validatePassword(String thePassword) { // Nothing to do here... } /** * @see AbstractAuthentication#configure(WebRequest, Configuration) */ public void configure(WebRequest theRequest, Configuration theConfiguration) { // Only authenticate the first time this instance is used. if (this.sessionId == null) { authenticate(theRequest, theConfiguration); } // Sets the session id cookie for the next request. if (this.sessionId != null) { theRequest.addCookie(this.sessionIdCookieName, this.sessionId); } } /** * @return the [EMAIL PROTECTED] WebRequest} that will be used to connect to the * security URL. It can be used to add additional HTTP parameters such * as proprietary ones required by some containers. */ public WebRequest getSecurityRequest() { return this.securityRequest; } /** * This sets the URL to use when attempting to log in. This method is used * if for whatever reason the default URL is incorrect. * * @param theUrl A URL to use to attempt to login. */ public void setSecurityCheckURL(URL theUrl) { this.securityCheckURL = theUrl; } /** * This returns the URL to use when attempting to log in. By default, it's * the context URL defined in the Cactus configuration with * "/j_security_check" appended. * * @param theConfiguration the Cactus configuration * @return the URL that is being used to attempt to login. */ public URL getSecurityCheckURL(Configuration theConfiguration) { if (this.securityCheckURL == null) { // Configure default String stringUrl = ((WebConfiguration) theConfiguration).getContextURL() + "/j_security_check"; try { this.securityCheckURL = new URL(stringUrl); } catch (MalformedURLException e) { throw new ChainedRuntimeException( "Unable to create default Security Check URL [" + stringUrl + "]"); } } LOGGER.debug("Using security check URL [" + this.securityCheckURL + "]"); return securityCheckURL; } /** * Get the expected HTTP response code for the request to a restricted * resource without authenticated principal. */ public int getExpectedPreAuthResponse(){ return this.expectedPreAuthResponse; } /** * Set the expected HTTP response code for the request to a restricted * resource without authenticated principal. * The default is HttpURLConnection.HTTP_MOVED_TEMP. */ public void setExpectedPreAuthResponse(int expected){ this.expectedPreAuthResponse = expected; } /** * Get the expected HTTP response code when the authentication is succeeded. */ public int getExpectedAuthResponse(){ return this.expectedAuthResponse; } /** * Set the expected HTTP response code when the authentication is succeeded. * The default is HttpURLConnection.HTTP_MOVED_TEMP. */ public void setExpectedAuthResponse(int expected){ this.expectedAuthResponse = expected; } private void checkResponseCodeEquals(int expected, int actual) throws Exception { if(actual!=expected){ throw new Exception("Received a [" + actual + "] response code" + " and was expecting a [" + expected + "]"); } } private Cookie getCookie(HttpURLConnection connection, String target){ // Check (possible multiple) cookies for a target. int i = 1; String key = connection.getHeaderFieldKey(i); while (key != null){ if (key.equalsIgnoreCase("set-cookie")){ // Cookie is in the form: // "NAME=VALUE; expires=DATE; path=PATH; // domain=DOMAIN_NAME; secure" // The only thing we care about is finding a cookie with // the name "JSESSIONID" and caching the value. String cookiestr = connection.getHeaderField(i); String nameValue = cookiestr.substring(0, cookiestr.indexOf(";")); int equalsChar = nameValue.indexOf("="); String name = nameValue.substring(0, equalsChar); String value = nameValue.substring(equalsChar + 1); if (name.equalsIgnoreCase(target)){ return new Cookie(connection.getURL().getHost(), name, value); } } key = connection.getHeaderFieldKey(++i); } return null; } private Cookie getSecureSessionIdCookie(WebRequest theRequest, Configuration theConfiguration) { HttpURLConnection connection; String resource = null; try{ // Create a helper that will connect to a restricted resource. resource = ((WebConfiguration) theConfiguration).getRedirectorURL(theRequest); ConnectionHelper helper = ConnectionHelperFactory.getConnectionHelper(resource, theConfiguration); WebRequest request = new WebRequest((WebConfiguration) theConfiguration); // Make the connection using a default web request. connection = helper.connect(request, theConfiguration); checkResponseCodeEquals(getExpectedPreAuthResponse(), connection.getResponseCode()); }catch(Throwable e){ throw new ChainedRuntimeException("Failed to connect to the secured redirector: " + resource, e); } return getCookie(connection, "JSESSIONID"); } /** * Authenticate the principal by calling the security URL. * * @param theRequest the web request used to connect to the Redirector * @param theConfiguration the Cactus configuration */ public void authenticate(WebRequest theRequest, Configuration theConfiguration) { Cookie jsessionCookie = getSecureSessionIdCookie(theRequest, theConfiguration); sessionIdCookieName = jsessionCookie.getName(); sessionId = jsessionCookie.getValue(); try { // Create a helper that will connect to the security check URL. String url = getSecurityCheckURL(theConfiguration).toString(); ConnectionHelper helper = ConnectionHelperFactory.getConnectionHelper(url, (WebConfiguration) theConfiguration); // Configure a web request with the JSESSIONID cookie, // the username and the password. WebRequest request = getSecurityRequest(); request.setConfiguration(theConfiguration); request.addCookie(jsessionCookie); request.addParameter("j_username", getName(), WebRequest.POST_METHOD); request.addParameter("j_password", getPassword(), WebRequest.POST_METHOD); // Make the connection using the configured web request. HttpURLConnection connection = helper.connect(request, theConfiguration); checkResponseCodeEquals(getExpectedAuthResponse(), connection.getResponseCode()); }catch(Throwable e){ throw new ChainedRuntimeException("Failed to authenticate the principal", e); } } }
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]