SEC-217 - Improve Siteminder Filter - now authenticates on calls to both j_security_check and the default target URL if the user isn't already authenticated. Thanks Paul Garvey for determining this and providing solution code.
parent
e44c5e66d3
commit
e39bd43541
|
@ -16,15 +16,20 @@
|
||||||
package org.acegisecurity.ui.webapp;
|
package org.acegisecurity.ui.webapp;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import org.acegisecurity.Authentication;
|
import org.acegisecurity.Authentication;
|
||||||
import org.acegisecurity.AuthenticationException;
|
import org.acegisecurity.AuthenticationException;
|
||||||
|
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
|
||||||
|
import org.acegisecurity.context.SecurityContext;
|
||||||
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
|
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extends Acegi's AuthenticationProcessingFilter to pick up Netegrity
|
* Extends Acegi's AuthenticationProcessingFilter to pick up CA/Netegrity
|
||||||
* Siteminder's headers.
|
* Siteminder headers.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Also provides a backup form-based authentication and the ability set source
|
* Also provides a backup form-based authentication and the ability set source
|
||||||
|
@ -56,8 +61,12 @@ import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
|
||||||
*/
|
*/
|
||||||
public class SiteminderAuthenticationProcessingFilter
|
public class SiteminderAuthenticationProcessingFilter
|
||||||
extends AuthenticationProcessingFilter {
|
extends AuthenticationProcessingFilter {
|
||||||
|
|
||||||
//~ Instance fields ========================================================
|
//~ Instance fields ========================================================
|
||||||
|
|
||||||
|
/** Log instance for debugging */
|
||||||
|
private static final Log logger = LogFactory.getLog(SiteminderAuthenticationProcessingFilter.class);
|
||||||
|
|
||||||
/** Form password request key. */
|
/** Form password request key. */
|
||||||
private String formPasswordParameterKey = null;
|
private String formPasswordParameterKey = null;
|
||||||
|
|
||||||
|
@ -202,6 +211,55 @@ public class SiteminderAuthenticationProcessingFilter
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Overridden to perform authentication not only on j_security_check, but also on
|
||||||
|
* requests for the default target URL when the user isn't already authenticated.
|
||||||
|
*
|
||||||
|
* <p>Thank you Paul Garvey for providing a straightforward solution (and code) for this!</p>
|
||||||
|
*
|
||||||
|
* @see org.acegisecurity.ui.AbstractProcessingFilter#requiresAuthentication(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
|
||||||
|
*/
|
||||||
|
protected boolean requiresAuthentication(final HttpServletRequest request,
|
||||||
|
final HttpServletResponse response) {
|
||||||
|
|
||||||
|
String uri = request.getRequestURI();
|
||||||
|
int pathParamIndex = uri.indexOf(';');
|
||||||
|
|
||||||
|
if (pathParamIndex > 0) {
|
||||||
|
// strip everything after the first semi-colon
|
||||||
|
uri = uri.substring(0, pathParamIndex);
|
||||||
|
}
|
||||||
|
|
||||||
|
//attempt authentication if j_secuity_check is present or if the getDefaultTargetUrl()
|
||||||
|
//is present and user is not already authenticated.
|
||||||
|
boolean bAuthenticated = false;
|
||||||
|
SecurityContext context = (SecurityContext) request
|
||||||
|
.getSession()
|
||||||
|
.getAttribute(
|
||||||
|
HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);
|
||||||
|
if (context != null) {
|
||||||
|
Authentication auth = context.getAuthentication();
|
||||||
|
if (auth != null
|
||||||
|
&& auth instanceof UsernamePasswordAuthenticationToken) {
|
||||||
|
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) auth;
|
||||||
|
bAuthenticated = token.isAuthenticated();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//if true is returned then authentication will be attempted.
|
||||||
|
boolean bAttemptAuthentication = (uri.endsWith(request.getContextPath()
|
||||||
|
+ getFilterProcessesUrl()))
|
||||||
|
|| ((uri.endsWith(getDefaultTargetUrl()) && !bAuthenticated));
|
||||||
|
|
||||||
|
if (logger.isDebugEnabled()) {
|
||||||
|
logger.debug("Authentication attempted for the following URI ==> "
|
||||||
|
+ uri + " is " + bAttemptAuthentication);
|
||||||
|
}
|
||||||
|
|
||||||
|
return bAttemptAuthentication;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the form password parameter key.
|
* Sets the form password parameter key.
|
||||||
*
|
*
|
||||||
|
@ -229,6 +287,7 @@ public class SiteminderAuthenticationProcessingFilter
|
||||||
this.siteminderPasswordHeaderKey = key;
|
this.siteminderPasswordHeaderKey = key;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the Siteminder username header key.
|
* Sets the Siteminder username header key.
|
||||||
*
|
*
|
||||||
|
@ -237,4 +296,5 @@ public class SiteminderAuthenticationProcessingFilter
|
||||||
public void setSiteminderUsernameHeaderKey(final String key) {
|
public void setSiteminderUsernameHeaderKey(final String key) {
|
||||||
this.siteminderUsernameHeaderKey = key;
|
this.siteminderUsernameHeaderKey = key;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
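Review bot: The new requiresAuthentication override calls `request.getSession()` with no argument, which creates a fresh HttpSession for every request that reaches the filter (including unauthenticated hits on unrelated URIs), adding session-creation side effects and server-side state to what is meant to be a read-only check. Use the non-creating form and treat a missing session as "not authenticated": `HttpSession session = request.getSession(false);` followed by `SecurityContext context = session == null ? null : (SecurityContext) session.getAttribute(HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);` (this needs `javax.servlet.http.HttpSession` imported); if HttpSessionContextIntegrationFilter is known to run earlier in the chain, reading `SecurityContextHolder.getContext().getAuthentication()` instead would avoid touching the session at all. Separately, the two `uri.endsWith(...)` tests are suffix matches, so any request whose path merely ends with the default target URL (or with contextPath + filterProcessesUrl) will trigger an authentication attempt and, on missing Siteminder headers, a redirect to the failure URL; comparing for equality against `request.getContextPath() + getDefaultTargetUrl()` is tighter, assuming the default target URL is context-relative (it is not clear from this hunk whether absolute URLs are permitted). The override is fully contained in the hunk, but the remainder of the class and its base-class contract are not.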