/**
 * Authenticate the user making this request, based on the specified
 * login configuration. Return true if any specified
 * constraint has been satisfied, or false if we have
 * created a response challenge already.
 *
 * Differs from the standard Tomcat version in that it associates the
 * session of any request with any single sign-on session that may exist.
 */
public boolean authenticate(HttpRequest request,
                            HttpResponse response,
                            LoginConfig config) throws IOException {

    HttpServletRequest hreq =
        (HttpServletRequest) request.getRequest();

    // Have we already authenticated someone?
    // Note: SingleSignOn does not call setUserPrincipal(),
    // so whoever did it would have to be some custom valve
    // in the pipeline
    Principal principal = hreq.getUserPrincipal();
    String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
    if (principal != null) {
        if (debug >= 1)
            log("Found principal '" + principal.getName() + "'");
        // Associate the session with any existing SSO session
        if (ssoId != null)
            associate(ssoId, getSession(request, true));
        return true;
    }

    // Is there an SSO session against which we can try to reauthenticate?
    if (ssoId != null) {
        if (debug >= 1)
            log("SSO Id set");
        // Try to reauthenticate using data cached by SSO. If this fails,
        // either the original SSO logon was of DIGEST or SSL (which
        // we can't reauthenticate ourselves because there is no
        // cached username and password), or the realm denied
        // the user's reauthentication for some reason.
        // In either case we have to prompt the user for a logon
        if (reauthenticateFromSSO(ssoId, request))
            return true;
    }

    // Validate any credentials already included with this request
    String authorization = request.getAuthorization();
    String username = parseUsername(authorization);
    String password = parsePassword(authorization);
    principal = context.getRealm().authenticate(username, password);
    if (principal != null) {
        register(request, response, principal, Constants.BASIC_METHOD,
                 username, password);
        return (true);
    }

    // Send an "unauthorized" response and an appropriate challenge
    String realmName = config.getRealmName();
    if (realmName == null)
        realmName = hreq.getServerName() + ":" + hreq.getServerPort();
    // if (debug >= 1)
    //     log("Challenging for realm '" + realmName + "'");
    HttpServletResponse hres =
        (HttpServletResponse) response.getResponse();
    hres.setHeader("WWW-Authenticate",
                   "Basic realm=\"" + realmName + "\"");
    hres.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    // hres.flushBuffer();
    return (false);
}
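The method above leans on parseUsername()/parsePassword() for the Authorization header and builds the WWW-Authenticate challenge by string concatenation. As an added example (not Tomcat's own code; the class and method names are assumptions), here is a defensive version of both steps: a missing, non-Basic, badly encoded or colon-less header yields null so the caller falls through to the challenge rather than passing nulls to the realm, only the first colon splits user from password, and quotes inside the realm name are escaped.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; not Tomcat's own parseUsername()/parsePassword().
public final class BasicAuthSupport {
    /** Username/password pair parsed from a Basic Authorization header. */
    public static final class Credentials {
        public final String username, password;
        Credentials(String u, String p) { username = u; password = p; }
    }

    /**
     * Parse "Authorization: Basic <base64(user:pass)>" (RFC 7617).
     * Returns null when the header is absent, uses another scheme, is not
     * valid base64, or lacks the ':' separator.
     */
    public static Credentials parse(String authorization) {
        if (authorization == null || authorization.length() < 6
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not base64
        }
        // Only the FIRST colon separates the fields: passwords may contain ':'.
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) return null;
        return new Credentials(userPass.substring(0, colon),
                               userPass.substring(colon + 1));
    }

    /** Build the WWW-Authenticate value; default realm is host:port as above. */
    public static String challenge(String realmName, String host, int port) {
        String realm = (realmName != null) ? realmName : host + ":" + port;
        return "Basic realm=\"" + realm.replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample header encoding "alice:s3cr:et" (password has a colon)
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        Credentials c = parse(header);
        System.out.println(c.username + " / " + c.password);
        System.out.println(parse("Bearer abc") == null && parse("Basic %%%") == null);
        System.out.println(challenge(null, "localhost", 8080));
    }
}
```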