public boolean handleSecurity()

in src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java [465:502]


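    /**
     * Authenticates the request and decides whether request processing may continue.
     *
     * <p>If the request already carries a {@code ResourceResolver} under
     * {@code REQUEST_ATTRIBUTE_RESOLVER}, it is treated as authenticated and nothing
     * else is done. Otherwise the decision is delegated to {@code doHandleSecurity}.
     * A positive result is overridden (fail closed) when
     * {@code expectAuthenticationHandler(request)} reports that an authentication
     * handler should have dealt with this request.
     *
     * @param request the current request
     * @param response the current response; {@code AuthUtil.sendInvalid} is called with it
     *     when the request is rejected here
     * @return {@code true} if the request may be processed further, {@code false} otherwise
     */
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) {
        // 0. Nothing to do, if the resolver is already in the request.
        // This might be the case if the request is handled as a result
        // of a servlet container include inside another Sling request.
        Object sessionAttr = request.getAttribute(REQUEST_ATTRIBUTE_RESOLVER);
        if (sessionAttr instanceof ResourceResolver) {
            log.debug("handleSecurity: Request already authenticated, nothing to do");
            return true;
        } else if (sessionAttr != null) {
            // An attribute of the wrong type must not count as an authenticated
            // resolver: warn (the value is logged via its toString()) and remove it
            // so authentication below starts from a clean request.
            log.warn("handleSecurity: Overwriting existing ResourceResolver attribute ({})", sessionAttr);
            request.removeAttribute(REQUEST_ATTRIBUTE_RESOLVER);
        }

        // Stays false if doHandleSecurity throws, so the metrics below record a failure.
        boolean process = false;
        // Copy the field to a local so the null check and the later calls see the same instance.
        final SlingAuthenticationMetrics local = this.metricsService;
        final Closeable ctx = local != null ? local.authenticationTimerContext() : null;
        try {
            process = doHandleSecurity(request, response);
            if (process && expectAuthenticationHandler(request)) {
                // Fail closed: a handler was expected to take over this request but
                // authentication let it through, so the request is rejected instead
                // of being processed.
                log.warn("handleSecurity: AuthenticationHandler did not block request; access denied");
                // Drop any failure reason left on the request before the rejection is sent.
                // NOTE(review): presumably so the response does not carry a stale reason - confirm.
                request.removeAttribute(JakartaAuthenticationHandler.FAILURE_REASON);
                request.removeAttribute(JakartaAuthenticationHandler.FAILURE_REASON_CODE);
                AuthUtil.sendInvalid(request, response);
                process = false;
            }
        } finally {
            if (local != null) {
                // authenticationTimerContext() is not visible here; guard against a null
                // context so an NPE thrown from this finally block can neither replace the
                // authentication outcome nor skip authenticateCompleted().
                if (ctx != null) {
                    try {
                        ctx.close();
                    } catch (final IOException ignored) {
                        // Best effort: a failure to stop the timer must not change
                        // the authentication result.
                    }
                }
                local.authenticateCompleted(process);
            }
        }
        return process;
    }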