java/org/apache/catalina/authenticator/NonLoginAuthenticator.java - tomcat - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.catalina.authenticator;

 import java.io.IOException;

 import jakarta.servlet.http.HttpServletResponse;

 import org.apache.catalina.connector.Request;

 /**
  * An <b>Authenticator</b> and <b>Valve</b> implementation that checks only security constraints not involving user
  * authentication.
  */
 public final class NonLoginAuthenticator extends AuthenticatorBase {


     // --------------------------------------------------------- Public Methods


     /**
      * <p>
      * Authenticate the user making this request, based on the fact that no <code>login-config</code> has been defined
      * for the container.
      * </p>
      * <p>
      * This implementation means "login the user even though there is no self-contained way to establish a security
      * Principal for that user".
      * </p>
      * <p>
      * This method is called by the AuthenticatorBase super class to establish a Principal for the user BEFORE the
      * container security constraints are examined, i.e. it is not yet known whether the user will eventually be
      * permitted to access the requested resource. Therefore, it is necessary to always return <code>true</code> to
      * indicate the user has not failed authentication.
      * </p>
      * <p>
      * There are two cases:
      * </p>
      * <ul>
      * <li>without SingleSignon: a Session instance does not yet exist and there is no <code>auth-method</code> to
      * authenticate the user, so leave Request's Principal as null. Note: AuthenticatorBase will later examine the
      * security constraints to determine whether the resource is accessible by a user without a security Principal and
      * Role (i.e. unauthenticated).</li>
      * <li>with SingleSignon: if the user has already authenticated via another container (using its own login
      * configuration), then associate this Session with the SSOEntry so it inherits the already-established security
      * Principal and associated Roles. Note: This particular session will become a full member of the SingleSignOnEntry
      * Session collection and so will potentially keep the SSOE "alive", even if all the other properly authenticated
      * Sessions expire first... until it expires too.</li>
      * </ul>
      *
      * @param request  Request we are processing
      * @param response Response we are creating
      *
      * @return boolean to indicate whether the user is authenticated
      *
      * @exception IOException if an input/output error occurs
      */
     @Override
     protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {

         // Don't try and use SSO to authenticate since there is no auth
         // configured for this web application
         if (checkForCachedAuthentication(request, response, true)) {
             // Save the inherited Principal in this session so it can remain
             // authenticated until it expires.
             if (cache) {
                 request.getSessionInternal(true).setPrincipal(request.getPrincipal());
             }
             return true;
         }

         // No Principal means the user is not already authenticated
         // and so will not be assigned any roles. It is safe
         // to say the user is now authenticated because access to
         // protected resources will only be allowed with a matching role.
         // i.e. SC_FORBIDDEN (403 status) will be generated later.
         if (containerLog.isTraceEnabled()) {
             containerLog.trace("User authenticated without any roles");
         }
         return true;
     }


     @Override
     protected String getAuthMethod() {
         return "NONE";
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.catalina.authenticator;

	import java.io.IOException;

	import jakarta.servlet.http.HttpServletResponse;

	import org.apache.catalina.connector.Request;

	/**
	* An <b>Authenticator</b> and <b>Valve</b> implementation that checks only security constraints not involving user
	* authentication.
	*/
	public final class NonLoginAuthenticator extends AuthenticatorBase {


	// --------------------------------------------------------- Public Methods


	/**
	* <p>
	* Authenticate the user making this request, based on the fact that no <code>login-config</code> has been defined
	* for the container.
	* </p>
	* <p>
	* This implementation means "login the user even though there is no self-contained way to establish a security
	* Principal for that user".
	* </p>
	* <p>
	* This method is called by the AuthenticatorBase super class to establish a Principal for the user BEFORE the
	* container security constraints are examined, i.e. it is not yet known whether the user will eventually be
	* permitted to access the requested resource. Therefore, it is necessary to always return <code>true</code> to
	* indicate the user has not failed authentication.
	* </p>
	* <p>
	* There are two cases:
	* </p>
	* <ul>
	* <li>without SingleSignon: a Session instance does not yet exist and there is no <code>auth-method</code> to
	* authenticate the user, so leave Request's Principal as null. Note: AuthenticatorBase will later examine the
	* security constraints to determine whether the resource is accessible by a user without a security Principal and
	* Role (i.e. unauthenticated).</li>
	* <li>with SingleSignon: if the user has already authenticated via another container (using its own login
	* configuration), then associate this Session with the SSOEntry so it inherits the already-established security
	* Principal and associated Roles. Note: This particular session will become a full member of the SingleSignOnEntry
	* Session collection and so will potentially keep the SSOE "alive", even if all the other properly authenticated
	* Sessions expire first... until it expires too.</li>
	* </ul>
	*
	* @param request Request we are processing
	* @param response Response we are creating
	*
	* @return boolean to indicate whether the user is authenticated
	*
	* @exception IOException if an input/output error occurs
	*/
	@Override
	protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {

	// Don't try and use SSO to authenticate since there is no auth
	// configured for this web application
	if (checkForCachedAuthentication(request, response, true)) {
	// Save the inherited Principal in this session so it can remain
	// authenticated until it expires.
	if (cache) {
	request.getSessionInternal(true).setPrincipal(request.getPrincipal());
	}
	return true;
	}

	// No Principal means the user is not already authenticated
	// and so will not be assigned any roles. It is safe
	// to say the user is now authenticated because access to
	// protected resources will only be allowed with a matching role.
	// i.e. SC_FORBIDDEN (403 status) will be generated later.
	if (containerLog.isTraceEnabled()) {
	containerLog.trace("User authenticated without any roles");
	}
	return true;
	}


	@Override
	protected String getAuthMethod() {
	return "NONE";
	}
	}