
WebProgrammaticLogin

public class WebProgrammaticLogin extends Object
Internal implementation for servlet programmatic login.
see
com.sun.appserv.security.ProgrammaticLogin

Fields Summary
public static final String
WEBAUTH_PROGRAMMATIC
private static Logger
logger
Constructors Summary
Methods Summary
/**
 * Resolves the container's real {@link Session} that sits behind the
 * {@code HttpSession} facade returned by {@code request.getSession(false)}.
 *
 * @param request the unwrapped Coyote request
 * @return the {@code Session} the context's manager holds under the facade's
 *         id, or {@code null} when no session exists, no context or manager
 *         is attached, or the lookup fails with an {@link IOException}
 */
private static Session getSession(CoyoteRequest request) {
    // getSession(false) never creates a session; absence means "nothing to do".
    HttpSession facade = request.getSession(false);
    if (facade == null) {
        return null;
    }
    Context ctx = request.getContext();
    if (ctx == null) {
        return null;
    }
    Manager mgr = ctx.getManager();
    if (mgr == null) {
        return null;
    }
    // The servlet-level HttpSession is only a facade; the manager owns the
    // real Session object, keyed by the same id.
    try {
        return mgr.findSession(facade.getId());
    } catch (IOException ignored) {
        // A failed lookup is treated exactly like "no session": callers only
        // use the result to decide whether to mirror the principal there.
        return null;
    }
}
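/**
 * Returns the container's {@link CoyoteRequest} that backs the supplied
 * servlet request, or {@code null} when it cannot be reached.
 * <p>
 * The request is first unwrapped through any {@link ServletRequestWrapper}
 * layers; only a {@link CoyoteRequestFacade} at the bottom of that chain is
 * asked for the underlying request, so an arbitrary request implementation
 * never yields a {@code CoyoteRequest}. Both {@link #login} and
 * {@link #logout} treat a {@code null} result as failure.
 *
 * @param request the request handed in by the application
 * @return the unwrapped {@code CoyoteRequest}, or {@code null} if the wrapper
 *         chain does not end in a {@code CoyoteRequestFacade} or a security
 *         manager denies the unwrapping
 */
private static CoyoteRequest getUnwrappedCoyoteRequest(HttpServletRequest request) {
    CoyoteRequest req = null;
    ServletRequest servletRequest = request;
    try {
        // Peel off wrappers. The self-reference guard stops a wrapper whose
        // getRequest() returns itself from looping forever.
        ServletRequest prevRequest = null;
        while (servletRequest != prevRequest
                && servletRequest instanceof ServletRequestWrapper) {
            prevRequest = servletRequest;
            servletRequest = ((ServletRequestWrapper) servletRequest).getRequest();
        }

        if (servletRequest instanceof CoyoteRequestFacade) {
            req = ((CoyoteRequestFacade) servletRequest).getUnwrappedCoyoteRequest();
        }
    } catch (AccessControlException ex) {
        // Under a security manager the facade may refuse to expose the
        // underlying request. Keep the exception in the log record so the
        // denied permission is visible, and fall through to return null.
        logger.log(Level.FINE, "Programmatic login failed to get request", ex);
    }
    return req;
}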
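/**
 * Logs {@code user} in and establishes the resulting identity in the security
 * context, the current request and, if one already exists, the session.
 * This implements programmatic login for servlets.
 * <p>
 * Due to a number of bugs in the RI the security context is not shared
 * between the web container and the EJB container. For an identity
 * established by programmatic login to be known to both, it has to be set not
 * only in the security context but also in the current request and, if
 * applicable, the session object. If no session exists this method does not
 * create one. See bugs 4646134, 4688449 and the bugs they reference for more
 * background.
 * <p>
 * Note also that this login does not hook into SSO.
 *
 * @param user     user name to log in
 * @param password user password
 * @param realm    realm to authenticate against; {@code null} selects the
 *                 default realm
 * @param request  HTTP request supplied by the calling application; it
 *                 should be an instance of {@code HttpRequestFacade}
 * @param response HTTP response supplied by the calling application; it
 *                 should be an instance of {@code HttpServletResponse} and is
 *                 currently unused
 * @return {@code Boolean.TRUE} when the identity was established;
 *         {@code Boolean.FALSE} when the underlying container request could
 *         not be obtained from {@code request}. An authentication failure is
 *         not reported as {@code FALSE}; it surfaces from
 *         {@code LoginContextDriver.login}.
 * @throws Exception on login failure, or if no security context is present
 *                   after a login that reported success
 * @see com.sun.appserv.security.ProgrammaticLogin
 */
public static Boolean login(String user, String password, String realm,
                            HttpServletRequest request,
                            HttpServletResponse response) throws Exception {
    // The facade handed to applications is not enough: the principal has to
    // be stored on the container's own request object.
    CoyoteRequest req = getUnwrappedCoyoteRequest(request);
    if (req == null) {
        return Boolean.FALSE;
    }

    // Authenticate. On success this installs the security context for the
    // current thread; failure propagates to the caller.
    LoginContextDriver.login(user, password, realm);

    // Explicit check rather than an assert: with assertions disabled (the
    // normal production setting) a missing context would otherwise be
    // silently wrapped into the principal below.
    SecurityContext secCtx = SecurityContext.getCurrent();
    if (secCtx == null) {
        throw new IllegalStateException(
            "Programmatic login: no security context after login for user " + user);
    }

    // Put a WebPrincipal on the request so programmatic authorization later
    // in this request sees the new identity. WebPrincipal's constructor takes
    // the password, so the credential lives as long as the principal does.
    WebPrincipal principal = new WebPrincipal(user, password, secCtx);
    req.setUserPrincipal(principal);
    req.setAuthType(WEBAUTH_PROGRAMMATIC);

    if (logger.isLoggable(Level.FINE)) {
        logger.log(Level.FINE, "Programmatic login set principal in http request to: "+
                  user);
    }

    // Mirror the principal into the real Session (not the facade) if one
    // exists, so web-container authorization works on later requests in this
    // session. The existing session is reused as-is: its id is not rotated
    // here. NOTE(review): confirm callers handle that where a fresh session
    // id on authentication is required.
    Session realSession = getSession(req);
    if (realSession != null) {
        realSession.setPrincipal((Principal) principal);
        realSession.setAuthType(WEBAUTH_PROGRAMMATIC);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "Programmatic login set principal in session.");
        }
    } else if (logger.isLoggable(Level.FINE)) {
        logger.log(Level.FINE,"Programmatic login: No session available.");
    }

    return Boolean.TRUE;
}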
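/**
 * Logs the current identity out and removes the principal from the request
 * and, if one exists, the session.
 * <p>
 * Only the principal and auth type are cleared: the security context is
 * cleared via {@code LoginContextDriver.logout()}, and the session object
 * itself is left in place rather than invalidated.
 *
 * @param request  HTTP request supplied by the calling application; it
 *                 should be an instance of {@code HttpRequestFacade}
 * @param response HTTP response supplied by the calling application; it
 *                 should be an instance of {@code HttpServletResponse} and is
 *                 currently unused
 * @return {@code Boolean.TRUE} when logout succeeded; {@code Boolean.FALSE}
 *         when the underlying container request could not be obtained from
 *         {@code request}
 * @throws Exception any exception encountered during the logout operation
 * @see com.sun.appserv.security.ProgrammaticLogin
 */
public static Boolean logout(HttpServletRequest request,
                             HttpServletResponse response) throws Exception {
    // Need the container's own request object, not the facade.
    CoyoteRequest req = getUnwrappedCoyoteRequest(request);
    if (req == null) {
        return Boolean.FALSE;
    }

    // Clear the security context for the current thread first, so that even
    // if the request/session cleanup below fails the identity is gone.
    LoginContextDriver.logout();

    // Remove principal and auth type from the request.
    req.setUserPrincipal(null);
    req.setAuthType(null);
    if (logger.isLoggable(Level.FINE)) {
        logger.log(Level.FINE, "Programmatic logout removed principal from request.");
    }

    // Remove from the real Session, if one exists. The session is not
    // invalidated here; only the identity stored in it is dropped.
    Session realSession = getSession(req);
    if (realSession != null) {
        realSession.setPrincipal(null);
        realSession.setAuthType(null);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "Programmatic logout removed principal from "+
                      "session.");
        }
    }

    return Boolean.TRUE;
}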