jakarta-cactus-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ankur.ku...@axa.com.au
Subject Re: Form Authentication is not working in Weblogic Portal 7.0 SP4,need help
Date Thu, 19 Feb 2004 22:56:44 GMT
Hi Kazuhito,
I tried this modified FormAuthentication and it works when I run Weblogic 
Server with host name as "localhost". 
But if I use any other host name, it doesn't work, and reason being is 
domain name is set to "localhost" for other cookies, like cookies getting 
created from createHttpState() method of CookieUtil.
I think BaseWebRequest also needs modification where domain name is 
hard-coded.:
 public void addCookie(String theName, String theValue)
    {
        addCookie("localhost", theName, theValue);
    }

I will modify it and then try to run the code.
Thanks,
Ankur 


Please respond to "Cactus Users List" <cactus-user@jakarta.apache.org>
To:     cactus-user@jakarta.apache.org
cc: 

Subject:        Re: Form Authentication is not working in Weblogic Portal 7.0 SP4,need 
help

Hi,

In article <20040219.155000.71085584.suguri.kazuhito@lab.ntt.co.jp>,
Thu, 19 Feb 2004 15:50:00 +0900 (JST),
Kazuhito SUGURI <suguri.kazuhito@lab.ntt.co.jp> wrote: 
suguri.kazuhito> I'll propose a modified FormAuthentication soon.

This is the one.
I had modified FormAuthentication.java in cactus-src-1.5.

Two sets of accessor has been added to the original:
- void setExpectedPreAuthResponse(int) / int getExpectedPreAuthResponse()
                 Set/get the expected HTTP response code for the request
                 to the restricted resource without valid cookie.
                 The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP).
                 This is corresponding to the Step (2).
- void setExpectedAuthResponse(int) / int getexpectedAuthResponse()
                 Set/get the expected HTTP response code if the 
security_check
                 is succeeded.
                 The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP).
                 This is corresponding to the Step (4).


Ankur, would you try this?


Regards,
----
Kazuhito SUGURI
mailto:suguri.kazuhito@lab.ntt.co.jp


/*
 * ====================================================================
 *
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2001-2003 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution, if
 *    any, must include the following acknowlegement:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowlegement may appear in the software itself,
 *    if and wherever such third-party acknowlegements normally appear.
 *
 * 4. The names "The Jakarta Project", "Cactus" and "Apache Software
 *    Foundation" must not be used to endorse or promote products
 *    derived from this software without prior written permission. For
 *    written permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache"
 *    nor may "Apache" appear in their names without prior written
 *    permission of the Apache Group.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 */
package org.apache.cactus.client.authentication;

import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

import org.apache.cactus.Cookie;
import org.apache.cactus.WebRequest;
import org.apache.cactus.client.connector.http.ConnectionHelper;
import org.apache.cactus.client.connector.http.ConnectionHelperFactory;
import org.apache.cactus.configuration.Configuration;
import org.apache.cactus.configuration.WebConfiguration;
import org.apache.cactus.util.ChainedRuntimeException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Form-based authentication implementation. An instance of this class
 * can be reused across several tests as it caches the session cookie.
 * Thus the first time it is used to authenticate the user, it calls
 * the security URL (which is by default the context URL prepended by
 * "j_security_check"), caches the returned session cookie and adds the
 * cookie for the next request. The second time it is called, it simply
 * addes the session cookie for the next request.
 * 
 * @author <a href="mailto:Jason.Robertson@acs-inc.com">Jason Robertson</a>
 * @author <a href="mailto:vmassol@apache.org">Vincent Massol</a>
 *
 * @since 1.5
 *
 * @version $Id: $
 */
public class FormAuthentication extends AbstractAuthentication
{
    /**
     * The logger.
     */
    private static final Log LOGGER = 
        LogFactory.getLog(FormAuthentication.class);

    /**
     * The expected HTTP response code for the request to a restricted
     * resource without authenticated principal.
     */
    private int expectedPreAuthResponse = 
HttpURLConnection.HTTP_MOVED_TEMP;

    /**
     * The expected HTTP response code when the authentication is 
succeeded.
     */
    private int expectedAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP;

    /**
     * The URL to use when attempting to log in, if for whatever reason 
     * the default URL is incorrect.
     */
    private URL securityCheckURL = null;

    /**
     * We store the session cookie name because of case issues. We need
     * to be able to send exactly the same one as was sent back by the
     * server.     */
    private String sessionIdCookieName = null;

    /**
     * We store the session id cookie so that this instance can
     * be reused for another test.     */
    private String sessionId = null;

    /**
     * {@link WebRequest} object that will be used to connect to the
     * security URL. 
     */
    private WebRequest securityRequest = new WebRequest();
 
    /**
     * @param theName user name of the Credential
     * @param thePassword user password of the Credential
     */
    public FormAuthentication(String theName, String thePassword)
    {
        super(theName, thePassword);
    }
 
    /**
     * @see AbstractAuthentication#validateName(String)
     */
    protected void validateName(String theName)
    {
        // Nothing to do here...
    }
 
    /**
     * @see AbstractAuthentication#validatePassword(String)
     */
    protected void validatePassword(String thePassword)
    {
        // Nothing to do here...
    }

    /**
     * @see AbstractAuthentication#configure(WebRequest, Configuration)
     */
    public void configure(WebRequest theRequest,
        Configuration theConfiguration)
    {
        // Only authenticate the first time this instance is used.
        if (this.sessionId == null)
        {
           authenticate(theRequest, theConfiguration);
        }

        // Sets the session id cookie for the next request.
        if (this.sessionId != null)
        {
            theRequest.addCookie(this.sessionIdCookieName, 
this.sessionId);
        }
    }

    /**
     * @return the {@link WebRequest} that will be used to connect to the
     * security URL. It can be used to add additional HTTP parameters such
     * as proprietary ones required by some containers.
     */
    public WebRequest getSecurityRequest()
    {
        return this.securityRequest;
    }
 
    /**
     * This sets the URL to use when attempting to log in. This method is 
used
     * if for whatever reason the default URL is incorrect.
     *
     * @param theUrl A URL to use to attempt to login.
     */
    public void setSecurityCheckURL(URL theUrl)
    {
       this.securityCheckURL = theUrl;
    }
 
    /**
     * This returns the URL to use when attempting to log in. By default, 
it's
     * the context URL defined in the Cactus configuration with 
     * "/j_security_check" appended. 
     *
     * @param theConfiguration the Cactus configuration
     * @return the URL that is being used to attempt to login.
     */
    public URL getSecurityCheckURL(Configuration theConfiguration)
    {
        if (this.securityCheckURL == null)
        {
            // Configure default
            String stringUrl = 
                ((WebConfiguration) theConfiguration).getContextURL()
                + "/j_security_check";

            try
            {
                this.securityCheckURL = new URL(stringUrl);
            }
            catch (MalformedURLException e)
            {
                throw new ChainedRuntimeException(
                    "Unable to create default Security Check URL [" 
                    + stringUrl + "]");
            }
        }

        LOGGER.debug("Using security check URL [" + this.securityCheckURL
            + "]");

        return securityCheckURL;
    }


    /**
     * Get the expected HTTP response code for the request to a restricted
     * resource without authenticated principal.
     */
    public int getExpectedPreAuthResponse(){
                 return this.expectedPreAuthResponse;
    }

    /**
     * Set the expected HTTP response code for the request to a restricted
     * resource without authenticated principal.
     * The default is HttpURLConnection.HTTP_MOVED_TEMP.
     */
    public void setExpectedPreAuthResponse(int expected){
                 this.expectedPreAuthResponse = expected;
    }

    /**
     * Get the expected HTTP response code when the authentication is 
succeeded.
     */
    public int getExpectedAuthResponse(){
                 return this.expectedAuthResponse;
    }

    /**
     * Set the expected HTTP response code when the authentication is 
succeeded.
     * The default is HttpURLConnection.HTTP_MOVED_TEMP.
     */
    public void setExpectedAuthResponse(int expected){
                 this.expectedAuthResponse = expected;
    }


    private void checkResponseCodeEquals(int expected, int actual)
                 throws Exception
    {
                 if(actual!=expected){
                     throw new Exception("Received a [" + actual + "] 
response code"
                                                                 + " and 
was expecting a [" + expected + "]");
                 }
    }


    private Cookie getCookie(HttpURLConnection connection, String target){
                 // Check (possible multiple) cookies for a target.
                 int i = 1;
                 String key = connection.getHeaderFieldKey(i);
                 while (key != null){
                     if (key.equalsIgnoreCase("set-cookie")){
                                 // Cookie is in the form:
                                 // "NAME=VALUE; expires=DATE; path=PATH;
                                 //  domain=DOMAIN_NAME; secure"
                                 // The only thing we care about is 
finding a cookie with
                                 // the name "JSESSIONID" and caching the 
value.
                                 String cookiestr = 
connection.getHeaderField(i);
                                 String nameValue = cookiestr.substring(0, 
cookiestr.indexOf(";"));
                                 int equalsChar = nameValue.indexOf("=");
                                 String name = nameValue.substring(0, 
equalsChar);
                                 String value = 
nameValue.substring(equalsChar + 1);
                                 if (name.equalsIgnoreCase(target)){
                                     return new 
Cookie(connection.getURL().getHost(),
 name, value);
                }
            }
                     key = connection.getHeaderFieldKey(++i);
                 }
                 return null;
    }


    private Cookie getSecureSessionIdCookie(WebRequest theRequest,
     Configuration theConfiguration)
    {
                 HttpURLConnection connection;
                 String resource = null;

                 try{
            // Create a helper that will connect to a restricted resource.
                     resource = ((WebConfiguration) 
theConfiguration).getRedirectorURL(theRequest);
            ConnectionHelper helper =
                ConnectionHelperFactory.getConnectionHelper(resource,
                                     theConfiguration);
                     WebRequest request =
                                 new WebRequest((WebConfiguration) 
theConfiguration);
            // Make the connection using a default web request.
            connection = helper.connect(request, theConfiguration);
                     checkResponseCodeEquals(getExpectedPreAuthResponse(),
 connection.getResponseCode());
                 }catch(Throwable e){
            throw new ChainedRuntimeException("Failed to connect to the 
secured redirector: "
        + resource, e);
        }

                 return getCookie(connection, "JSESSIONID");
    }

    /**
     * Authenticate the principal by calling the security URL.
     * 
     * @param theRequest the web request used to connect to the Redirector
     * @param theConfiguration the Cactus configuration
     */
    public void authenticate(WebRequest theRequest,
                                                      Configuration 
theConfiguration)
    {
                 Cookie jsessionCookie = 
getSecureSessionIdCookie(theRequest,
                                  theConfiguration);
                 sessionIdCookieName = jsessionCookie.getName();
                 sessionId = jsessionCookie.getValue();
 
        try {
            // Create a helper that will connect to the security check 
URL.
                     String url = 
getSecurityCheckURL(theConfiguration).toString();
            ConnectionHelper helper =
 ConnectionHelperFactory.getConnectionHelper(url,
                                     (WebConfiguration) theConfiguration);

            // Configure a web request with the JSESSIONID cookie,
            // the username and the password.
            WebRequest request = getSecurityRequest();
            request.setConfiguration(theConfiguration);
            request.addCookie(jsessionCookie);
            request.addParameter("j_username", getName(), 
WebRequest.POST_METHOD);
            request.addParameter("j_password", getPassword(), 
WebRequest.POST_METHOD);

            // Make the connection using the configured web request.
            HttpURLConnection connection = helper.connect(request, 
theConfiguration);
                     checkResponseCodeEquals(getExpectedAuthResponse(),
 connection.getResponseCode());
        }catch(Throwable e){
            throw new ChainedRuntimeException("Failed to authenticate the 
principal",
        e);
        }
    }
}

---------------------------------------------------------------------
To unsubscribe, e-mail: cactus-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: cactus-user-help@jakarta.apache.org




*********************************************************************************
Important Note
This email (including any attachments) contains information which is 
confidential and may be subject to legal privilege.  If you are not 
the intended recipient you must not use, distribute or copy this 
email.  If you have received this email in error please notify the 
sender immediately and delete this email. Any views expressed in this 
email are not necessarily the views of AXA.   Thank you.
*********************************************************************************


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message