incubator-sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From enor...@apache.org
Subject svn commit: r1201346 - in /sling/trunk: bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/ bundles/auth/form/ bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/ bundles/auth/openid/ bundles/auth/openid/src/main/java/org/apach...
Date Sat, 12 Nov 2011 22:22:51 GMT
Author: enorman
Date: Sat Nov 12 22:22:51 2011
New Revision: 1201346

URL: http://svn.apache.org/viewvc?rev=1201346&view=rev
Log:
SLING-2165 Form based login failure should stay on the same login page to show the login error

Added:
    sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java
Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
    sling/trunk/bundles/auth/form/pom.xml
    sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
    sling/trunk/bundles/auth/openid/pom.xml
    sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java
    sling/trunk/bundles/auth/selector/pom.xml
    sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java
    sling/trunk/launchpad/builder/src/main/bundles/list.xml

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
(original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationHandler.java
Sat Nov 12 22:22:51 2011
@@ -20,6 +20,8 @@ package org.apache.sling.auth.core.spi;
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -420,4 +422,29 @@ public abstract class AbstractAuthentica
             // TODO: log.error("Failed to send 403/Forbidden response", ioe);
         }
     }
+    
+	/**
+	 * Check if the request is for this authentication handler.
+	 * 
+	 * @param request the current request
+	 * @return true if the referer matches this handler, or false otherwise
+	 */
+	public static boolean checkReferer(HttpServletRequest request, String loginForm) {
+		//SLING-2165: if a Referer header is supplied check if it matches the login path for this
handler
+        String referer = request.getHeader("Referer");
+        if (referer != null) {
+        	String expectedPath = String.format("%s%s", request.getContextPath(), loginForm);
+        	try {
+            	URL uri = new URL(referer);
+            	if (!expectedPath.equals(uri.getPath())) {
+            		//not for this selector, so let the next one handle it.
+            		return false;
+            	}
+        	} catch (MalformedURLException e) {
+        		LoggerFactory.getLogger(AbstractAuthenticationHandler.class)
+        			.debug("Failed to parse the referer value for the login form " + loginForm, e);
+        	}
+        }
+        return true;
+	}    
 }

Modified: sling/trunk/bundles/auth/form/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/form/pom.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/form/pom.xml (original)
+++ sling/trunk/bundles/auth/form/pom.xml Sat Nov 12 22:22:51 2011
@@ -98,7 +98,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.auth.core</artifactId>
-            <version>1.0.4</version>
+            <version>1.0.7-SNAPSHOT</version>
             <scope>provided</scope>
         </dependency>
         <dependency>

Modified: sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
(original)
+++ sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
Sat Nov 12 22:22:51 2011
@@ -353,6 +353,12 @@ public class FormAuthenticationHandler e
             return false;
         }
 
+        //check the referer to see if the request is for this handler
+        if (!checkReferer(request, loginForm)) {
+        	//not for this handler, so return
+        	return false;
+        }
+        
         final String resource = setLoginResourceAttribute(request,
             request.getRequestURI());
 

Modified: sling/trunk/bundles/auth/openid/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/openid/pom.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/openid/pom.xml (original)
+++ sling/trunk/bundles/auth/openid/pom.xml Sat Nov 12 22:22:51 2011
@@ -107,7 +107,7 @@
 		<dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.auth.core</artifactId>
-            <version>1.0.4</version>
+            <version>1.0.7-SNAPSHOT</version>
             <scope>provided</scope>
         </dependency>
 		<dependency>

Modified: sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java
(original)
+++ sling/trunk/bundles/auth/openid/src/main/java/org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.java
Sat Nov 12 22:22:51 2011
@@ -395,6 +395,13 @@ public class OpenIDAuthenticationHandler
             return false;
         }
 
+        //check the referer to see if the request is for this handler
+        if (!checkReferer(request, loginForm)) {
+        	//not for this handler, so return
+        	return false;
+        }
+        
+
         // requestAuthentication is only called after a failedauthentication
         // so it makes sense to remove any existing login
         final RelyingParty relyingParty = getRelyingParty(request);

Modified: sling/trunk/bundles/auth/selector/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/selector/pom.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/selector/pom.xml (original)
+++ sling/trunk/bundles/auth/selector/pom.xml Sat Nov 12 22:22:51 2011
@@ -100,7 +100,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.auth.core</artifactId>
-            <version>1.0.4</version>
+            <version>1.0.7-SNAPSHOT</version>
             <scope>provided</scope>
         </dependency>
         <dependency>

Modified: sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java
(original)
+++ sling/trunk/bundles/auth/selector/src/main/java/org/apache/sling/auth/selector/SelectorAuthenticationHandler.java
Sat Nov 12 22:22:51 2011
@@ -87,6 +87,12 @@ public class SelectorAuthenticationHandl
     public boolean requestCredentials(HttpServletRequest request,
             HttpServletResponse response) {
 
+        //check the referer to see if the request is for this handler
+        if (!checkReferer(request, loginForm)) {
+        	//not for this handler, so return
+        	return false;
+        }
+    	
         HashMap<String, String> params = new HashMap<String, String>();
         params.put(Authenticator.LOGIN_RESOURCE,
             getLoginResource(request, null));

Modified: sling/trunk/launchpad/builder/src/main/bundles/list.xml
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/builder/src/main/bundles/list.xml?rev=1201346&r1=1201345&r2=1201346&view=diff
==============================================================================
--- sling/trunk/launchpad/builder/src/main/bundles/list.xml (original)
+++ sling/trunk/launchpad/builder/src/main/bundles/list.xml Sat Nov 12 22:22:51 2011
@@ -71,7 +71,7 @@
         <bundle>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.auth.core</artifactId>
-            <version>1.0.6</version>
+            <version>1.0.7-SNAPSHOT</version>
         </bundle>
         <bundle>
             <groupId>org.apache.sling</groupId>
@@ -81,7 +81,7 @@
         <bundle>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.auth.openid</artifactId>
-            <version>1.0.2</version>
+            <version>1.0.3-SNAPSHOT</version>
         </bundle>
         <bundle>
             <groupId>org.apache.sling</groupId>
@@ -91,7 +91,7 @@
         <bundle>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.auth.selector</artifactId>
-            <version>1.0.4</version>
+            <version>1.0.5-SNAPSHOT</version>
         </bundle>
         <bundle>
             <groupId>org.apache.sling</groupId>

Added: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java?rev=1201346&view=auto
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java
(added)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/login/RedirectOnLoginErrorTest.java
Sat Nov 12 22:22:51 2011
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.launchpad.webapp.integrationtest.login;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.httpclient.Header;
+import org.apache.commons.httpclient.HttpMethod;
+import org.apache.commons.httpclient.NameValuePair;
+import org.apache.commons.httpclient.methods.PostMethod;
+import org.apache.sling.commons.testing.integration.HttpTestBase;
+
+/** Test SLING-2165 Verify that redirect to the referring login form after login error works
*/
+public class RedirectOnLoginErrorTest extends HttpTestBase {
+
+	/** Execute a POST request and check status
+     * @return the HttpMethod executed
+     * @throws IOException */
+    private HttpMethod assertPostStatus(String url, int expectedStatusCode, List<NameValuePair>
postParams, 
+    					String assertMessage, String referer) throws IOException {
+        final PostMethod post = new PostMethod(url);
+        post.setFollowRedirects(false);
+        post.setDoAuthentication(false);
+
+        //set the referer to indicate where we came from
+        post.setRequestHeader("Referer", referer);
+        
+        //set Accept header to trick sling into treating the request as from a browser
+        post.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+
+        if(postParams!=null) {
+            final NameValuePair [] nvp = {};
+            post.setRequestBody(postParams.toArray(nvp));
+        }
+
+        if(postParams!=null) {
+            final NameValuePair [] nvp = {};
+            post.setRequestBody(postParams.toArray(nvp));
+        }
+
+        final int status = httpClient.executeMethod(post);
+        if(assertMessage == null) {
+            assertEquals(expectedStatusCode, status);
+        } else {
+            assertEquals(assertMessage, expectedStatusCode, status);
+        }
+        return post;
+    }
+	
+    /**
+     * Test SLING-2165.  Login Error should redirect back to the referrer
+     * login page.
+     * 
+     * @throws Exception
+     */
+    public void testRedirectToSelectorLoginFormAfterLoginError() throws Exception {
+    	//login failure
+        List<NameValuePair> params = new ArrayList<NameValuePair>();
+        params.add(new NameValuePair("j_username", "___bogus___"));
+        params.add(new NameValuePair("j_password", "not_a_real_user"));
+        final String loginPageUrl = String.format("%s/system/sling/selector/login", HTTP_BASE_URL);
+		PostMethod post = (PostMethod)assertPostStatus(HTTP_BASE_URL + "/j_security_check", 
+        		HttpServletResponse.SC_MOVED_TEMPORARILY, 
+        		params, 
+        		null,
+        		loginPageUrl);
+        
+        final Header locationHeader = post.getResponseHeader("Location");
+        String location = locationHeader.getValue();
+        int queryStrStart = location.indexOf('?');
+        if (queryStrStart != -1) {
+        	location = location.substring(0, queryStrStart);
+        }
+        assertEquals("Expected to remain on the selector/login page", loginPageUrl, location);
+    }
+
+    /**
+     * Test SLING-2165.  Login Error should redirect back to the referrer
+     * login page.
+     * 
+     * @throws Exception
+     */
+    public void testRedirectToOpenIDLoginFormAfterLoginError() throws Exception {
+    	//login failure
+        List<NameValuePair> params = new ArrayList<NameValuePair>();
+        params.add(new NameValuePair("openid_identifier", "___bogus___"));
+        final String loginPageUrl = String.format("%s/system/sling/openid/login", HTTP_BASE_URL);
+		PostMethod post = (PostMethod)assertPostStatus(HTTP_BASE_URL + "/j_security_check", 
+        		HttpServletResponse.SC_MOVED_TEMPORARILY, 
+        		params, 
+        		null,
+        		loginPageUrl);
+        
+        final Header locationHeader = post.getResponseHeader("Location");
+        String location = locationHeader.getValue();
+        int queryStrStart = location.indexOf('?');
+        if (queryStrStart != -1) {
+        	location = location.substring(0, queryStrStart);
+        }
+        assertEquals("Expected to remain on the openid/login page", loginPageUrl, location);
+    }
+
+    /**
+     * Test SLING-2165.  Login Error should redirect back to the referrer
+     * login page.
+     * 
+     * @throws Exception
+     */
+    public void testRedirectToLoginFormAfterLoginError() throws Exception {
+    	//login failure
+        List<NameValuePair> params = new ArrayList<NameValuePair>();
+        params.add(new NameValuePair("j_username", "___bogus___"));
+        params.add(new NameValuePair("j_password", "not_a_real_user"));
+        final String loginPageUrl = String.format("%s/system/sling/form/login", HTTP_BASE_URL);
+		PostMethod post = (PostMethod)assertPostStatus(HTTP_BASE_URL + "/j_security_check", 
+        		HttpServletResponse.SC_MOVED_TEMPORARILY, 
+        		params, 
+        		null,
+        		loginPageUrl);
+        
+        final Header locationHeader = post.getResponseHeader("Location");
+        String location = locationHeader.getValue();
+        int queryStrStart = location.indexOf('?');
+        if (queryStrStart != -1) {
+        	location = location.substring(0, queryStrStart);
+        }
+        assertEquals("Expected to remain on the form/login page", loginPageUrl, location);
+    }
+}



Mime
View raw message