Attachment #11330 for bug #28286

View | Details | Raw Unified | Return to bug 28286
Collapse All | Expand All





        boolean reauthenticated = false;

        SingleSignOnEntry entry = sso.lookup(ssoId);
        if (entry != null && entry.getCanReauthenticate()) {
            Principal reauthPrincipal = null;
            Container parent = getContainer();
            if (parent != null) {
            Realm realm = parent.getRealm();
            if (realm != null) {
                reauthenticated = sso.reauthenticate(ssoId, realm, request);
                    reauthPrincipal =
                        realm.authenticate(username, entry.getPassword());
                }
            }

        if (reauthenticated) {
                associate(ssoId, getSession(request, true));
                request.setAuthType(entry.getAuthType());
                request.setUserPrincipal(reauthPrincipal);

                reauthenticated = true;
                if (log.isDebugEnabled()) {
                HttpServletRequest hreq = 
                        (HttpServletRequest) request.getRequest();
                    log.debug(" Reauthenticated cached principal '" +
                          hreq.getUserPrincipal().getName() +
                          "' with auth type '" +  hreq.getAuthType() + "'");
                              entry.getAuthType() + "'");
                }
            }
        }





import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Logger;
import org.apache.catalina.Realm;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.Session;



    /**
     * Attempts reauthentication to the given <code>Realm</code> using
     * the credentials associated with the single sign-on session
     * identified by argument <code>ssoId</code>.
     * <p>
     * If reauthentication is successful, the <code>Principal</code> and
     * authorization type associated with the SSO session will be bound
     * to the given <code>HttpRequest</code> object via calls to 
     * {@link HttpRequest#setAuthType HttpRequest.setAuthType()} and 
     * {@link HttpRequest#setUserPrincipal HttpRequest.setUserPrincipal()}
     * </p>
     *
     * @param ssoId     identifier of SingleSignOn session with which the
     *                  caller is associated
     * @param realm     Realm implementation against which the caller is to
     *                  be authenticated
     * @param request   the request that needs to be authenticated
     * 
     * @return  <code>true</code> if reauthentication was successful,
     *          <code>false</code> otherwise.
     */
    protected boolean reauthenticate(String ssoId, Realm realm,
                                  HttpRequest request) {

        if (ssoId == null || realm == null)
            return false;

        boolean reauthenticated = false;

        SingleSignOnEntry entry = lookup(ssoId);
        if (entry != null && entry.getCanReauthenticate()) {
            
            String username = entry.getUsername();
            if (username != null) {
                Principal reauthPrincipal =
                        realm.authenticate(username, entry.getPassword());                
                if (reauthPrincipal != null) {                    
                    reauthenticated = true;                    
                    // Bind the authorization credentials to the request
                    request.setAuthType(entry.getAuthType());
                    request.setUserPrincipal(reauthPrincipal);
                }
            }
        }

        return reauthenticated;
    }


    /**
     * Register the specified Principal as being associated with the specified
     * value for the single sign on identifier.
     *



    /**
     * Updates any <code>SingleSignOnEntry</code> found under key
     * <code>ssoId</code> with the given authentication data.
     * <p>
     * The purpose of this method is to allow an SSO entry that was
     * established without a username/password combination (i.e. established
     * following DIGEST or CLIENT-CERT authentication) to be updated with
     * a username and password if one becomes available through a subsequent
     * BASIC or FORM authentication.  The SSO entry will then be usable for
     * reauthentication.
     * <p>
     * <b>NOTE:</b> Only updates the SSO entry if a call to
     * <code>SingleSignOnEntry.getCanReauthenticate()</code> returns
     * <code>false</code>; otherwise, it is assumed that the SSO entry already
     * has sufficient information to allow reauthentication and that no update
     * is needed.
     *
     * @param ssoId     identifier of Single sign to be updated
     * @param principal the <code>Principal</code> returned by the latest
     *                  call to <code>Realm.authenticate</code>.
     * @param authType  the type of authenticator used (BASIC, CLIENT-CERT,
     *                  DIGEST or FORM)
     * @param username  the username (if any) used for the authentication
     * @param password  the password (if any) used for the authentication
     */
    protected void update(String ssoId, Principal principal, String authType,
                          String username, String password) {

        SingleSignOnEntry sso = lookup(ssoId);
        if (sso != null && !sso.getCanReauthenticate()) {
            if (debug >= 1)
                log("Update sso id " + ssoId + " to auth type " + authType);

            synchronized(sso) {
                sso.updateCredentials(principal, authType, username, password);
            }

        }
    }


    /**
     * Log a message on the Logger associated with our Container (if any).
     *
     * @param message Message to be logged


    }

    
    //----------------------------------------------  Package-Protected Methods



        }
    }


    /**
     * Updates any <code>SingleSignOnEntry</code> found under key
     * <code>ssoId</code> with the given authentication data.
     * <p>
     * The purpose of this method is to allow an SSO entry that was
     * established without a username/password combination (i.e. established
     * following DIGEST or CLIENT-CERT authentication) to be updated with
     * a username and password if one becomes available through a subsequent
     * BASIC or FORM authentication.  The SSO entry will then be usable for
     * reauthentication.
     * <p>
     * <b>NOTE:</b> Only updates the SSO entry if a call to
     * <code>SingleSignOnEntry.getCanReauthenticate()</code> returns
     * <code>false</code>; otherwise, it is assumed that the SSO entry already
     * has sufficient information to allow reauthentication and that no update
     * is needed.
     *
     * @param ssoId identifier of Single sign to be updated
     * @param principal the <code>Principal</code> returned by the latest
     *                  call to <code>Realm.authenticate</code>.
     * @param authType  the type of authenticator used (BASIC, CLIENT-CERT,
     *                  DIGEST or FORM)
     * @param username  the username (if any) used for the authentication
     * @param password  the password (if any) used for the authentication
     */
    void update(String ssoId, Principal principal, String authType,
                  String username, String password) {

        SingleSignOnEntry sso = lookup(ssoId);
        if (sso != null && !sso.getCanReauthenticate()) {
            if (debug >= 1)
                log("Update sso id " + ssoId + " to auth type " + authType);

            synchronized(sso) {
                sso.updateCredentials(principal, authType, username, password);
            }

        }
    }

}

Return to bug 28286

Lines 760-790 Link Here

(-)AuthenticatorBase.java (-16 / +8 lines)
760		760
761	boolean reauthenticated = false;	761	boolean reauthenticated = false;
762		762
763	SingleSignOnEntry entry = sso.lookup(ssoId);
764	if (entry != null && entry.getCanReauthenticate()) {
765	Principal reauthPrincipal = null;
766	Container parent = getContainer();	763	Container parent = getContainer();
767	if (parent != null) {	764	if (parent != null) {
768	Realm realm = getContainer().getRealm();	765	Realm realm = parent.getRealm();
769	String username = entry.getUsername();	766	if (realm != null) {
770	if (realm != null && username != null) {	767	reauthenticated = sso.reauthenticate(ssoId, realm, request);
771	reauthPrincipal =
772	realm.authenticate(username, entry.getPassword());
773	}	768	}
774	}	769	}
775		770
776	if (reauthPrincipal != null) {	771	if (reauthenticated) {
777	associate(ssoId, getSession(request, true));	772	associate(ssoId, getSession(request, true));
778	request.setAuthType(entry.getAuthType());
779	request.setUserPrincipal(reauthPrincipal);
780		773
781	reauthenticated = true;
782	if (log.isDebugEnabled()) {	774	if (log.isDebugEnabled()) {
		775	HttpServletRequest hreq =
		776	(HttpServletRequest) request.getRequest();
783	log.debug(" Reauthenticated cached principal '" +	777	log.debug(" Reauthenticated cached principal '" +
784	entry.getPrincipal().getName() +	778	hreq.getUserPrincipal().getName() +
785	"' with auth type '" +	779	"' with auth type '" + hreq.getAuthType() + "'");
786	entry.getAuthType() + "'");
787	}
788	}	780	}
789	}	781	}
790		782

Lines 33-38 Link Here

(-)SingleSignOn.java (-41 / +92 lines)
33	import org.apache.catalina.LifecycleException;	33	import org.apache.catalina.LifecycleException;
34	import org.apache.catalina.LifecycleListener;	34	import org.apache.catalina.LifecycleListener;
35	import org.apache.catalina.Logger;	35	import org.apache.catalina.Logger;
		36	import org.apache.catalina.Realm;
36	import org.apache.catalina.Request;	37	import org.apache.catalina.Request;
37	import org.apache.catalina.Response;	38	import org.apache.catalina.Response;
38	import org.apache.catalina.Session;	39	import org.apache.catalina.Session;
Lines 559-564 Link Here
559		560
560		561
561	/**	562	/**
		563	* Attempts reauthentication to the given <code>Realm</code> using
		564	* the credentials associated with the single sign-on session
		565	* identified by argument <code>ssoId</code>.
		566	* <p>
		567	* If reauthentication is successful, the <code>Principal</code> and
		568	* authorization type associated with the SSO session will be bound
		569	* to the given <code>HttpRequest</code> object via calls to
		570	* {@link HttpRequest#setAuthType HttpRequest.setAuthType()} and
		571	* {@link HttpRequest#setUserPrincipal HttpRequest.setUserPrincipal()}
		572	* </p>
		573	*
		574	* @param ssoId identifier of SingleSignOn session with which the
		575	* caller is associated
		576	* @param realm Realm implementation against which the caller is to
		577	* be authenticated
		578	* @param request the request that needs to be authenticated
		579	*
		580	* @return <code>true</code> if reauthentication was successful,
		581	* <code>false</code> otherwise.
		582	*/
		583	protected boolean reauthenticate(String ssoId, Realm realm,
		584	HttpRequest request) {
		585
		586	if (ssoId == null \|\| realm == null)
		587	return false;
		588
		589	boolean reauthenticated = false;
		590
		591	SingleSignOnEntry entry = lookup(ssoId);
		592	if (entry != null && entry.getCanReauthenticate()) {
		593
		594	String username = entry.getUsername();
		595	if (username != null) {
		596	Principal reauthPrincipal =
		597	realm.authenticate(username, entry.getPassword());
		598	if (reauthPrincipal != null) {
		599	reauthenticated = true;
		600	// Bind the authorization credentials to the request
		601	request.setAuthType(entry.getAuthType());
		602	request.setUserPrincipal(reauthPrincipal);
		603	}
		604	}
		605	}
		606
		607	return reauthenticated;
		608	}
		609
		610
		611	/**
562	* Register the specified Principal as being associated with the specified	612	* Register the specified Principal as being associated with the specified
563	* value for the single sign on identifier.	613	* value for the single sign on identifier.
564	*	614	*
Lines 585-590 Link Here
585		635
586		636
587	/**	637	/**
		638	* Updates any <code>SingleSignOnEntry</code> found under key
		639	* <code>ssoId</code> with the given authentication data.
		640	* <p>
		641	* The purpose of this method is to allow an SSO entry that was
		642	* established without a username/password combination (i.e. established
		643	* following DIGEST or CLIENT-CERT authentication) to be updated with
		644	* a username and password if one becomes available through a subsequent
		645	* BASIC or FORM authentication. The SSO entry will then be usable for
		646	* reauthentication.
		647	* <p>
		648	* <b>NOTE:</b> Only updates the SSO entry if a call to
		649	* <code>SingleSignOnEntry.getCanReauthenticate()</code> returns
		650	* <code>false</code>; otherwise, it is assumed that the SSO entry already
		651	* has sufficient information to allow reauthentication and that no update
		652	* is needed.
		653	*
		654	* @param ssoId identifier of Single sign to be updated
		655	* @param principal the <code>Principal</code> returned by the latest
		656	* call to <code>Realm.authenticate</code>.
		657	* @param authType the type of authenticator used (BASIC, CLIENT-CERT,
		658	* DIGEST or FORM)
		659	* @param username the username (if any) used for the authentication
		660	* @param password the password (if any) used for the authentication
		661	*/
		662	protected void update(String ssoId, Principal principal, String authType,
		663	String username, String password) {
		664
		665	SingleSignOnEntry sso = lookup(ssoId);
		666	if (sso != null && !sso.getCanReauthenticate()) {
		667	if (debug >= 1)
		668	log("Update sso id " + ssoId + " to auth type " + authType);
		669
		670	synchronized(sso) {
		671	sso.updateCredentials(principal, authType, username, password);
		672	}
		673
		674	}
		675	}
		676
		677
		678	/**
588	* Log a message on the Logger associated with our Container (if any).	679	* Log a message on the Logger associated with our Container (if any).
589	*	680	*
590	* @param message Message to be logged	681	* @param message Message to be logged
Lines 633-638 Link Here
633		724
634	}	725	}
635		726
		727
636	//---------------------------------------------- Package-Protected Methods	728	//---------------------------------------------- Package-Protected Methods
637		729
638		730
Lines 669-713 Link Here
669	}	761	}
670	}	762	}
671		763
672
673	/**
674	* Updates any <code>SingleSignOnEntry</code> found under key
675	* <code>ssoId</code> with the given authentication data.
676	* <p>
677	* The purpose of this method is to allow an SSO entry that was
678	* established without a username/password combination (i.e. established
679	* following DIGEST or CLIENT-CERT authentication) to be updated with
680	* a username and password if one becomes available through a subsequent
681	* BASIC or FORM authentication. The SSO entry will then be usable for
682	* reauthentication.
683	* <p>
684	* <b>NOTE:</b> Only updates the SSO entry if a call to
685	* <code>SingleSignOnEntry.getCanReauthenticate()</code> returns
686	* <code>false</code>; otherwise, it is assumed that the SSO entry already
687	* has sufficient information to allow reauthentication and that no update
688	* is needed.
689	*
690	* @param ssoId identifier of Single sign to be updated
691	* @param principal the <code>Principal</code> returned by the latest
692	* call to <code>Realm.authenticate</code>.
693	* @param authType the type of authenticator used (BASIC, CLIENT-CERT,
694	* DIGEST or FORM)
695	* @param username the username (if any) used for the authentication
696	* @param password the password (if any) used for the authentication
697	*/
698	void update(String ssoId, Principal principal, String authType,
699	String username, String password) {
700
701	SingleSignOnEntry sso = lookup(ssoId);
702	if (sso != null && !sso.getCanReauthenticate()) {
703	if (debug >= 1)
704	log("Update sso id " + ssoId + " to auth type " + authType);
705
706	synchronized(sso) {
707	sso.updateCredentials(principal, authType, username, password);
708	}
709
710	}
711	}
712
713	}	764	}