| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head><meta http-equiv="content-type" content="text/html; charset=UTF-8" /> |
| <title>BasicHttpAuthenticationFilter xref</title> |
| <link type="text/css" rel="stylesheet" href="../../../../../../stylesheet.css" /> |
| </head> |
| <body> |
| <div id="overview"><a href="../../../../../../../apidocs/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html">View Javadoc</a></div><pre> |
| <a class="jxr_linenumber" name="L1" href="#L1">1</a> <em class="jxr_comment">/*</em> |
| <a class="jxr_linenumber" name="L2" href="#L2">2</a> <em class="jxr_comment"> * Licensed to the Apache Software Foundation (ASF) under one</em> |
| <a class="jxr_linenumber" name="L3" href="#L3">3</a> <em class="jxr_comment"> * or more contributor license agreements. See the NOTICE file</em> |
| <a class="jxr_linenumber" name="L4" href="#L4">4</a> <em class="jxr_comment"> * distributed with this work for additional information</em> |
| <a class="jxr_linenumber" name="L5" href="#L5">5</a> <em class="jxr_comment"> * regarding copyright ownership. The ASF licenses this file</em> |
| <a class="jxr_linenumber" name="L6" href="#L6">6</a> <em class="jxr_comment"> * to you under the Apache License, Version 2.0 (the</em> |
| <a class="jxr_linenumber" name="L7" href="#L7">7</a> <em class="jxr_comment"> * "License"); you may not use this file except in compliance</em> |
| <a class="jxr_linenumber" name="L8" href="#L8">8</a> <em class="jxr_comment"> * with the License. You may obtain a copy of the License at</em> |
| <a class="jxr_linenumber" name="L9" href="#L9">9</a> <em class="jxr_comment"> *</em> |
| <a class="jxr_linenumber" name="L10" href="#L10">10</a> <em class="jxr_comment"> * <a href="http://www.apache.org/licenses/LICENSE-2.0" target="alexandria_uri">http://www.apache.org/licenses/LICENSE-2.0</a></em> |
| <a class="jxr_linenumber" name="L11" href="#L11">11</a> <em class="jxr_comment"> *</em> |
| <a class="jxr_linenumber" name="L12" href="#L12">12</a> <em class="jxr_comment"> * Unless required by applicable law or agreed to in writing,</em> |
| <a class="jxr_linenumber" name="L13" href="#L13">13</a> <em class="jxr_comment"> * software distributed under the License is distributed on an</em> |
| <a class="jxr_linenumber" name="L14" href="#L14">14</a> <em class="jxr_comment"> * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY</em> |
| <a class="jxr_linenumber" name="L15" href="#L15">15</a> <em class="jxr_comment"> * KIND, either express or implied. See the License for the</em> |
| <a class="jxr_linenumber" name="L16" href="#L16">16</a> <em class="jxr_comment"> * specific language governing permissions and limitations</em> |
| <a class="jxr_linenumber" name="L17" href="#L17">17</a> <em class="jxr_comment"> * under the License.</em> |
| <a class="jxr_linenumber" name="L18" href="#L18">18</a> <em class="jxr_comment"> */</em> |
| <a class="jxr_linenumber" name="L19" href="#L19">19</a> <strong class="jxr_keyword">package</strong> org.apache.shiro.web.filter.authc; |
| <a class="jxr_linenumber" name="L20" href="#L20">20</a> |
| <a class="jxr_linenumber" name="L21" href="#L21">21</a> <strong class="jxr_keyword">import</strong> org.apache.shiro.authc.AuthenticationToken; |
| <a class="jxr_linenumber" name="L22" href="#L22">22</a> <strong class="jxr_keyword">import</strong> org.apache.shiro.codec.Base64; |
| <a class="jxr_linenumber" name="L23" href="#L23">23</a> <strong class="jxr_keyword">import</strong> org.apache.shiro.web.util.WebUtils; |
| <a class="jxr_linenumber" name="L24" href="#L24">24</a> <strong class="jxr_keyword">import</strong> org.slf4j.Logger; |
| <a class="jxr_linenumber" name="L25" href="#L25">25</a> <strong class="jxr_keyword">import</strong> org.slf4j.LoggerFactory; |
| <a class="jxr_linenumber" name="L26" href="#L26">26</a> |
| <a class="jxr_linenumber" name="L27" href="#L27">27</a> <strong class="jxr_keyword">import</strong> javax.servlet.ServletRequest; |
| <a class="jxr_linenumber" name="L28" href="#L28">28</a> <strong class="jxr_keyword">import</strong> javax.servlet.ServletResponse; |
| <a class="jxr_linenumber" name="L29" href="#L29">29</a> <strong class="jxr_keyword">import</strong> javax.servlet.http.HttpServletRequest; |
| <a class="jxr_linenumber" name="L30" href="#L30">30</a> <strong class="jxr_keyword">import</strong> javax.servlet.http.HttpServletResponse; |
| <a class="jxr_linenumber" name="L31" href="#L31">31</a> <strong class="jxr_keyword">import</strong> java.util.HashSet; |
| <a class="jxr_linenumber" name="L32" href="#L32">32</a> <strong class="jxr_keyword">import</strong> java.util.Locale; |
| <a class="jxr_linenumber" name="L33" href="#L33">33</a> <strong class="jxr_keyword">import</strong> java.util.Set; |
| <a class="jxr_linenumber" name="L34" href="#L34">34</a> |
| <a class="jxr_linenumber" name="L35" href="#L35">35</a> |
| <a class="jxr_linenumber" name="L36" href="#L36">36</a> <em class="jxr_javadoccomment">/**</em> |
| <a class="jxr_linenumber" name="L37" href="#L37">37</a> <em class="jxr_javadoccomment"> * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the</em> |
| <a class="jxr_linenumber" name="L38" href="#L38">38</a> <em class="jxr_javadoccomment"> * request to continue, and if they're not, requires the user to login via the HTTP Basic protocol-specific challenge.</em> |
| <a class="jxr_linenumber" name="L39" href="#L39">39</a> <em class="jxr_javadoccomment"> * Upon successful login, they're allowed to continue on to the requested resource/url.</em> |
| <a class="jxr_linenumber" name="L40" href="#L40">40</a> <em class="jxr_javadoccomment"> * <p/></em> |
| <a class="jxr_linenumber" name="L41" href="#L41">41</a> <em class="jxr_javadoccomment"> * This implementation is a 'clean room' Java implementation of Basic HTTP Authentication specification per</em> |
| <a class="jxr_linenumber" name="L42" href="#L42">42</a> <em class="jxr_javadoccomment"> * <a href="ftp://ftp.isi.edu/in-notes/rfc2617.txt">RFC 2617</a>.</em> |
| <a class="jxr_linenumber" name="L43" href="#L43">43</a> <em class="jxr_javadoccomment"> * <p/></em> |
| <a class="jxr_linenumber" name="L44" href="#L44">44</a> <em class="jxr_javadoccomment"> * Basic authentication functions as follows:</em> |
| <a class="jxr_linenumber" name="L45" href="#L45">45</a> <em class="jxr_javadoccomment"> * <ol></em> |
| <a class="jxr_linenumber" name="L46" href="#L46">46</a> <em class="jxr_javadoccomment"> * <li>A request comes in for a resource that requires authentication.</li></em> |
| <a class="jxr_linenumber" name="L47" href="#L47">47</a> <em class="jxr_javadoccomment"> * <li>The server replies with a 401 response status, sets the <code>WWW-Authenticate</code> header, and the contents of a</em> |
| <a class="jxr_linenumber" name="L48" href="#L48">48</a> <em class="jxr_javadoccomment"> * page informing the user that the incoming resource requires authentication.</li></em> |
| <a class="jxr_linenumber" name="L49" href="#L49">49</a> <em class="jxr_javadoccomment"> * <li>Upon receiving this <code>WWW-Authenticate</code> challenge from the server, the client then takes a</em> |
| <a class="jxr_linenumber" name="L50" href="#L50">50</a> <em class="jxr_javadoccomment"> * username and a password and puts them in the following format:</em> |
| <a class="jxr_linenumber" name="L51" href="#L51">51</a> <em class="jxr_javadoccomment"> * <p><code>username:password</code></p></li></em> |
| <a class="jxr_linenumber" name="L52" href="#L52">52</a> <em class="jxr_javadoccomment"> * <li>This token is then base 64 encoded.</li></em> |
| <a class="jxr_linenumber" name="L53" href="#L53">53</a> <em class="jxr_javadoccomment"> * <li>The client then sends another request for the same resource with the following header:<br/></em> |
| <a class="jxr_linenumber" name="L54" href="#L54">54</a> <em class="jxr_javadoccomment"> * <p><code>Authorization: Basic <em>Base64_encoded_username_and_password</em></code></p></li></em> |
| <a class="jxr_linenumber" name="L55" href="#L55">55</a> <em class="jxr_javadoccomment"> * </ol></em> |
| <a class="jxr_linenumber" name="L56" href="#L56">56</a> <em class="jxr_javadoccomment"> * The {@link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse)} method will</em> |
| <a class="jxr_linenumber" name="L57" href="#L57">57</a> <em class="jxr_javadoccomment"> * only be called if the subject making the request is not</em> |
| <a class="jxr_linenumber" name="L58" href="#L58">58</a> <em class="jxr_javadoccomment"> * {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated}</em> |
| <a class="jxr_linenumber" name="L59" href="#L59">59</a> <em class="jxr_javadoccomment"> *</em> |
| <a class="jxr_linenumber" name="L60" href="#L60">60</a> <em class="jxr_javadoccomment"> * @see <a href="<a href="https://tools.ietf.org/html/rfc2617" target="alexandria_uri">https://tools.ietf.org/html/rfc2617</a>">RFC 2617</a></em> |
| <a class="jxr_linenumber" name="L61" href="#L61">61</a> <em class="jxr_javadoccomment"> * @see <a href="<a href="http://en.wikipedia.org/wiki/Basic_access_authentication" target="alexandria_uri">http://en.wikipedia.org/wiki/Basic_access_authentication</a>">Basic Access Authentication</a></em> |
| <a class="jxr_linenumber" name="L62" href="#L62">62</a> <em class="jxr_javadoccomment"> * @since 0.9</em> |
| <a class="jxr_linenumber" name="L63" href="#L63">63</a> <em class="jxr_javadoccomment"> */</em> |
| <a class="jxr_linenumber" name="L64" href="#L64">64</a> <strong class="jxr_keyword">public</strong> <strong class="jxr_keyword">class</strong> <a name="BasicHttpAuthenticationFilter" href="../../../../../../org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html#BasicHttpAuthenticationFilter">BasicHttpAuthenticationFilter</a> <strong class="jxr_keyword">extends</strong> <a name="HttpAuthenticationFilter" href="../../../../../../org/apache/shiro/web/filter/authc/HttpAuthenticationFilter.html#HttpAuthenticationFilter">HttpAuthenticationFilter</a> { |
| <a class="jxr_linenumber" name="L65" href="#L65">65</a> |
| <a class="jxr_linenumber" name="L66" href="#L66">66</a> <em class="jxr_javadoccomment">/**</em> |
| <a class="jxr_linenumber" name="L67" href="#L67">67</a> <em class="jxr_javadoccomment"> * This class's private logger.</em> |
| <a class="jxr_linenumber" name="L68" href="#L68">68</a> <em class="jxr_javadoccomment"> */</em> |
| <a class="jxr_linenumber" name="L69" href="#L69">69</a> <strong class="jxr_keyword">private</strong> <strong class="jxr_keyword">static</strong> <strong class="jxr_keyword">final</strong> Logger log = LoggerFactory.getLogger(BasicHttpAuthenticationFilter.<strong class="jxr_keyword">class</strong>); |
| <a class="jxr_linenumber" name="L70" href="#L70">70</a> |
| <a class="jxr_linenumber" name="L71" href="#L71">71</a> |
| <a class="jxr_linenumber" name="L72" href="#L72">72</a> <strong class="jxr_keyword">public</strong> <a name="BasicHttpAuthenticationFilter" href="../../../../../../org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html#BasicHttpAuthenticationFilter">BasicHttpAuthenticationFilter</a>() { |
| <a class="jxr_linenumber" name="L73" href="#L73">73</a> setAuthcScheme(HttpServletRequest.BASIC_AUTH); |
| <a class="jxr_linenumber" name="L74" href="#L74">74</a> setAuthzScheme(HttpServletRequest.BASIC_AUTH); |
| <a class="jxr_linenumber" name="L75" href="#L75">75</a> } |
| <a class="jxr_linenumber" name="L76" href="#L76">76</a> |
| <a class="jxr_linenumber" name="L77" href="#L77">77</a> <em class="jxr_javadoccomment">/**</em> |
| <a class="jxr_linenumber" name="L78" href="#L78">78</a> <em class="jxr_javadoccomment"> * Creates an AuthenticationToken for use during login attempt with the provided credentials in the http header.</em> |
| <a class="jxr_linenumber" name="L79" href="#L79">79</a> <em class="jxr_javadoccomment"> * <p/></em> |
| <a class="jxr_linenumber" name="L80" href="#L80">80</a> <em class="jxr_javadoccomment"> * This implementation:</em> |
| <a class="jxr_linenumber" name="L81" href="#L81">81</a> <em class="jxr_javadoccomment"> * <ol><li>acquires the username and password based on the request's</em> |
| <a class="jxr_linenumber" name="L82" href="#L82">82</a> <em class="jxr_javadoccomment"> * {@link #getAuthzHeader(javax.servlet.ServletRequest) authorization header} via the</em> |
| <a class="jxr_linenumber" name="L83" href="#L83">83</a> <em class="jxr_javadoccomment"> * {@link #getPrincipalsAndCredentials(String, javax.servlet.ServletRequest) getPrincipalsAndCredentials} method</li></em> |
| <a class="jxr_linenumber" name="L84" href="#L84">84</a> <em class="jxr_javadoccomment"> * <li>The return value of that method is converted to an <code>AuthenticationToken</code> via the</em> |
| <a class="jxr_linenumber" name="L85" href="#L85">85</a> <em class="jxr_javadoccomment"> * {@link #createToken(String, String, javax.servlet.ServletRequest, javax.servlet.ServletResponse) createToken} method</li></em> |
| <a class="jxr_linenumber" name="L86" href="#L86">86</a> <em class="jxr_javadoccomment"> * <li>The created <code>AuthenticationToken</code> is returned.</li></em> |
| <a class="jxr_linenumber" name="L87" href="#L87">87</a> <em class="jxr_javadoccomment"> * </ol></em> |
| <a class="jxr_linenumber" name="L88" href="#L88">88</a> <em class="jxr_javadoccomment"> *</em> |
| <a class="jxr_linenumber" name="L89" href="#L89">89</a> <em class="jxr_javadoccomment"> * @param request incoming ServletRequest</em> |
| <a class="jxr_linenumber" name="L90" href="#L90">90</a> <em class="jxr_javadoccomment"> * @param response outgoing ServletResponse</em> |
| <a class="jxr_linenumber" name="L91" href="#L91">91</a> <em class="jxr_javadoccomment"> * @return the AuthenticationToken used to execute the login attempt</em> |
| <a class="jxr_linenumber" name="L92" href="#L92">92</a> <em class="jxr_javadoccomment"> */</em> |
| <a class="jxr_linenumber" name="L93" href="#L93">93</a> <strong class="jxr_keyword">protected</strong> <a name="AuthenticationToken" href="../../../../../../org/apache/shiro/authc/AuthenticationToken.html#AuthenticationToken">AuthenticationToken</a> createToken(ServletRequest request, ServletResponse response) { |
| <a class="jxr_linenumber" name="L94" href="#L94">94</a> String authorizationHeader = getAuthzHeader(request); |
| <a class="jxr_linenumber" name="L95" href="#L95">95</a> <strong class="jxr_keyword">if</strong> (authorizationHeader == <strong class="jxr_keyword">null</strong> || authorizationHeader.length() == 0) { |
| <a class="jxr_linenumber" name="L96" href="#L96">96</a> <em class="jxr_comment">// Create an empty authentication token since there is no</em> |
| <a class="jxr_linenumber" name="L97" href="#L97">97</a> <em class="jxr_comment">// Authorization header.</em> |
| <a class="jxr_linenumber" name="L98" href="#L98">98</a> <strong class="jxr_keyword">return</strong> createToken(<span class="jxr_string">""</span>, <span class="jxr_string">""</span>, request, response); |
| <a class="jxr_linenumber" name="L99" href="#L99">99</a> } |
| <a class="jxr_linenumber" name="L100" href="#L100">100</a> |
| <a class="jxr_linenumber" name="L101" href="#L101">101</a> log.debug(<span class="jxr_string">"Attempting to execute login with auth header"</span>); |
| <a class="jxr_linenumber" name="L102" href="#L102">102</a> |
| <a class="jxr_linenumber" name="L103" href="#L103">103</a> String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request); |
| <a class="jxr_linenumber" name="L104" href="#L104">104</a> <strong class="jxr_keyword">if</strong> (prinCred == <strong class="jxr_keyword">null</strong> || prinCred.length < 2) { |
| <a class="jxr_linenumber" name="L105" href="#L105">105</a> <em class="jxr_comment">// Create an authentication token with an empty password,</em> |
| <a class="jxr_linenumber" name="L106" href="#L106">106</a> <em class="jxr_comment">// since one hasn't been provided in the request.</em> |
| <a class="jxr_linenumber" name="L107" href="#L107">107</a> String username = prinCred == <strong class="jxr_keyword">null</strong> || prinCred.length == 0 ? <span class="jxr_string">""</span> : prinCred[0]; |
| <a class="jxr_linenumber" name="L108" href="#L108">108</a> <strong class="jxr_keyword">return</strong> createToken(username, <span class="jxr_string">""</span>, request, response); |
| <a class="jxr_linenumber" name="L109" href="#L109">109</a> } |
| <a class="jxr_linenumber" name="L110" href="#L110">110</a> |
| <a class="jxr_linenumber" name="L111" href="#L111">111</a> String username = prinCred[0]; |
| <a class="jxr_linenumber" name="L112" href="#L112">112</a> String password = prinCred[1]; |
| <a class="jxr_linenumber" name="L113" href="#L113">113</a> |
| <a class="jxr_linenumber" name="L114" href="#L114">114</a> <strong class="jxr_keyword">return</strong> createToken(username, password, request, response); |
| <a class="jxr_linenumber" name="L115" href="#L115">115</a> } |
| <a class="jxr_linenumber" name="L116" href="#L116">116</a> |
| <a class="jxr_linenumber" name="L117" href="#L117">117</a> <em class="jxr_javadoccomment">/**</em> |
| <a class="jxr_linenumber" name="L118" href="#L118">118</a> <em class="jxr_javadoccomment"> * Returns the username and password pair based on the specified <code>encoded</code> String obtained from</em> |
| <a class="jxr_linenumber" name="L119" href="#L119">119</a> <em class="jxr_javadoccomment"> * the request's authorization header.</em> |
| <a class="jxr_linenumber" name="L120" href="#L120">120</a> <em class="jxr_javadoccomment"> * <p/></em> |
| <a class="jxr_linenumber" name="L121" href="#L121">121</a> <em class="jxr_javadoccomment"> * Per RFC 2617, the default implementation first Base64 decodes the string and then splits the resulting decoded</em> |
| <a class="jxr_linenumber" name="L122" href="#L122">122</a> <em class="jxr_javadoccomment"> * string into two based on the ":" character. That is:</em> |
| <a class="jxr_linenumber" name="L123" href="#L123">123</a> <em class="jxr_javadoccomment"> * <p/></em> |
| <a class="jxr_linenumber" name="L124" href="#L124">124</a> <em class="jxr_javadoccomment"> * <code>String decoded = Base64.decodeToString(encoded);<br/></em> |
| <a class="jxr_linenumber" name="L125" href="#L125">125</a> <em class="jxr_javadoccomment"> * return decoded.split(":");</code></em> |
| <a class="jxr_linenumber" name="L126" href="#L126">126</a> <em class="jxr_javadoccomment"> *</em> |
| <a class="jxr_linenumber" name="L127" href="#L127">127</a> <em class="jxr_javadoccomment"> * @param scheme the {@link #getAuthcScheme() authcScheme} found in the request</em> |
| <a class="jxr_linenumber" name="L128" href="#L128">128</a> <em class="jxr_javadoccomment"> * {@link #getAuthzHeader(javax.servlet.ServletRequest) authzHeader}. It is ignored by this implementation,</em> |
| <a class="jxr_linenumber" name="L129" href="#L129">129</a> <em class="jxr_javadoccomment"> * but available to overriding implementations should they find it useful.</em> |
| <a class="jxr_linenumber" name="L130" href="#L130">130</a> <em class="jxr_javadoccomment"> * @param encoded the Base64-encoded username:password value found after the scheme in the header</em> |
| <a class="jxr_linenumber" name="L131" href="#L131">131</a> <em class="jxr_javadoccomment"> * @return the username (index 0)/password (index 1) pair obtained from the encoded header data.</em> |
| <a class="jxr_linenumber" name="L132" href="#L132">132</a> <em class="jxr_javadoccomment"> */</em> |
| <a class="jxr_linenumber" name="L133" href="#L133">133</a> <strong class="jxr_keyword">protected</strong> String[] getPrincipalsAndCredentials(String scheme, String encoded) { |
| <a class="jxr_linenumber" name="L134" href="#L134">134</a> String decoded = Base64.decodeToString(encoded); |
| <a class="jxr_linenumber" name="L135" href="#L135">135</a> <strong class="jxr_keyword">return</strong> decoded.split(<span class="jxr_string">":"</span>, 2); |
| <a class="jxr_linenumber" name="L136" href="#L136">136</a> } |
| <a class="jxr_linenumber" name="L137" href="#L137">137</a> } |
| </pre> |
| <hr/> |
| <div id="footer">Copyright © 2004–2021 <a href="https://www.apache.org/">The Apache Software Foundation</a>. All rights reserved.</div> |
| </body> |
| </html> |
