java/org/apache/catalina/authenticator/NonLoginAuthenticator.java - tomcat80 - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.catalina.authenticator;

 import java.io.IOException;

 import javax.servlet.http.HttpServletResponse;

 import org.apache.catalina.connector.Request;

 /**
  * An <b>Authenticator</b> and <b>Valve</b> implementation that checks
  * only security constraints not involving user authentication.
  *
  * @author Craig R. McClanahan
  */
 public final class NonLoginAuthenticator extends AuthenticatorBase {


     // --------------------------------------------------------- Public Methods


     /**
      * <p>Authenticate the user making this request, based on the fact that no
      * <code>login-config</code> has been defined for the container.</p>
      *
      * <p>This implementation means "login the user even though there is no
      * self-contained way to establish a security Principal for that user".</p>
      *
      * <p>This method is called by the AuthenticatorBase super class to
      * establish a Principal for the user BEFORE the container security
      * constraints are examined, i.e. it is not yet known whether the user
      * will eventually be permitted to access the requested resource.
      * Therefore, it is necessary to always return <code>true</code> to
      * indicate the user has not failed authentication.</p>
      *
      * <p>There are two cases:</p>
      * <ul>
      * <li>without SingleSignon: a Session instance does not yet exist
      *     and there is no <code>auth-method</code> to authenticate the
      *     user, so leave Request's Principal as null.
      *     Note: AuthenticatorBase will later examine the security constraints
      *           to determine whether the resource is accessible by a user
      *           without a security Principal and Role (i.e. unauthenticated).
      * </li>
      * <li>with SingleSignon: if the user has already authenticated via
      *     another container (using its own login configuration), then
      *     associate this Session with the SSOEntry so it inherits the
      *     already-established security Principal and associated Roles.
      *     Note: This particular session will become a full member of the
      *           SingleSignOnEntry Session collection and so will potentially
      *           keep the SSOE "alive", even if all the other properly
      *           authenticated Sessions expire first... until it expires too.
      * </li>
      * </ul>
      *
      * @param request  Request we are processing
      * @param response Response we are creating
      * @return boolean to indicate whether the user is authenticated
      * @exception IOException if an input/output error occurs
      */
     @Override
     public boolean authenticate(Request request, HttpServletResponse response)
         throws IOException {

         // Don't try and use SSO to authenticate since there is no auth
         // configured for this web application
         if (checkForCachedAuthentication(request, response, true)) {
             // save the inherited Principal in this session so it can remain
             // authenticated until it expires
             if (cache) {
                 request.getSessionInternal(true).setPrincipal(request.getUserPrincipal());
             }
             return true;
         }

         // No Principal means the user is not already authenticated
         // and so will not be assigned any roles. It is safe to
         // to say the user is now authenticated because access to
         // protected resources will only be allowed with a matching role.
         // i.e. SC_FORBIDDEN (403 status) will be generated later.
         if (containerLog.isDebugEnabled())
             containerLog.debug("User authenticated without any roles");
         return true;
     }


     /**
      * Return the authentication method, which is vendor-specific and
      * not defined by HttpServletRequest.
      */
     @Override
     protected String getAuthMethod() {
         return "NONE";
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.catalina.authenticator;

	import java.io.IOException;

	import javax.servlet.http.HttpServletResponse;

	import org.apache.catalina.connector.Request;

	/**
	* An <b>Authenticator</b> and <b>Valve</b> implementation that checks
	* only security constraints not involving user authentication.
	*
	* @author Craig R. McClanahan
	*/
	public final class NonLoginAuthenticator extends AuthenticatorBase {


	// --------------------------------------------------------- Public Methods


	/**
	* <p>Authenticate the user making this request, based on the fact that no
	* <code>login-config</code> has been defined for the container.</p>
	*
	* <p>This implementation means "login the user even though there is no
	* self-contained way to establish a security Principal for that user".</p>
	*
	* <p>This method is called by the AuthenticatorBase super class to
	* establish a Principal for the user BEFORE the container security
	* constraints are examined, i.e. it is not yet known whether the user
	* will eventually be permitted to access the requested resource.
	* Therefore, it is necessary to always return <code>true</code> to
	* indicate the user has not failed authentication.</p>
	*
	* <p>There are two cases:</p>
	* <ul>
	* <li>without SingleSignon: a Session instance does not yet exist
	* and there is no <code>auth-method</code> to authenticate the
	* user, so leave Request's Principal as null.
	* Note: AuthenticatorBase will later examine the security constraints
	* to determine whether the resource is accessible by a user
	* without a security Principal and Role (i.e. unauthenticated).
	* </li>
	* <li>with SingleSignon: if the user has already authenticated via
	* another container (using its own login configuration), then
	* associate this Session with the SSOEntry so it inherits the
	* already-established security Principal and associated Roles.
	* Note: This particular session will become a full member of the
	* SingleSignOnEntry Session collection and so will potentially
	* keep the SSOE "alive", even if all the other properly
	* authenticated Sessions expire first... until it expires too.
	* </li>
	* </ul>
	*
	* @param request Request we are processing
	* @param response Response we are creating
	* @return boolean to indicate whether the user is authenticated
	* @exception IOException if an input/output error occurs
	*/
	@Override
	public boolean authenticate(Request request, HttpServletResponse response)
	throws IOException {

	// Don't try and use SSO to authenticate since there is no auth
	// configured for this web application
	if (checkForCachedAuthentication(request, response, true)) {
	// save the inherited Principal in this session so it can remain
	// authenticated until it expires
	if (cache) {
	request.getSessionInternal(true).setPrincipal(request.getUserPrincipal());
	}
	return true;
	}

	// No Principal means the user is not already authenticated
	// and so will not be assigned any roles. It is safe to
	// to say the user is now authenticated because access to
	// protected resources will only be allowed with a matching role.
	// i.e. SC_FORBIDDEN (403 status) will be generated later.
	if (containerLog.isDebugEnabled())
	containerLog.debug("User authenticated without any roles");
	return true;
	}


	/**
	* Return the authentication method, which is vendor-specific and
	* not defined by HttpServletRequest.
	*/
	@Override
	protected String getAuthMethod() {
	return "NONE";
	}
	}