in java/org/apache/catalina/authenticator/AuthenticatorBase.java [443:603]
public void invoke(Request request, Response response) throws IOException, ServletException {
if (log.isTraceEnabled()) {
log.trace("Security checking request " + request.getMethod() + " " + request.getRequestURI());
}
// Have we got a cached authenticated Principal to record?
if (cache) {
Principal principal = request.getUserPrincipal();
if (principal == null) {
Session session = request.getSessionInternal(false);
if (session != null) {
principal = session.getPrincipal();
if (principal != null) {
if (log.isTraceEnabled()) {
log.trace("We have cached auth type " + session.getAuthType() + " for principal " +
principal);
}
request.setAuthType(session.getAuthType());
request.setUserPrincipal(principal);
}
}
}
}
boolean authRequired = isContinuationRequired(request);
Realm realm = this.context.getRealm();
// Is this request URI subject to a security constraint?
SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
AuthConfigProvider jaspicProvider = getJaspicProvider();
if (jaspicProvider != null) {
authRequired = true;
}
if (constraints == null && !context.getPreemptiveAuthentication() && !authRequired) {
if (log.isTraceEnabled()) {
log.trace("Not subject to any constraint");
}
getNext().invoke(request, response);
return;
}
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
if (securePagesWithPragma) {
// Note: These can cause problems with downloading files with IE
response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Expires", DATE_ONE);
} else {
response.setHeader("Cache-Control", "private");
}
}
if (constraints != null) {
// Enforce any user data constraint for this security constraint
if (log.isTraceEnabled()) {
log.trace("Calling hasUserDataPermission()");
}
if (!realm.hasUserDataPermission(request, response, constraints)) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("authenticator.userDataPermissionFail"));
}
/*
* ASSERT: Authenticator already set the appropriate HTTP status code, so we do not have to do anything
* special
*/
return;
}
}
// Since authenticate modifies the response on failure,
// we have to check for allow-from-all first.
boolean hasAuthConstraint = false;
if (constraints != null) {
hasAuthConstraint = true;
for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
if (!constraints[i].getAuthConstraint()) {
hasAuthConstraint = false;
} else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
String[] roles = constraints[i].findAuthRoles();
if (roles == null || roles.length == 0) {
hasAuthConstraint = false;
}
}
}
}
if (!authRequired && hasAuthConstraint) {
authRequired = true;
}
if (!authRequired && context.getPreemptiveAuthentication() && isPreemptiveAuthPossible(request)) {
authRequired = true;
}
JaspicState jaspicState = null;
if ((authRequired || constraints != null) && allowCorsPreflightBypass(request)) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("authenticator.corsBypass"));
}
getNext().invoke(request, response);
return;
}
if (authRequired) {
if (log.isTraceEnabled()) {
log.trace("Calling authenticate()");
}
if (jaspicProvider != null) {
jaspicState = getJaspicState(jaspicProvider, request, response, hasAuthConstraint);
if (jaspicState == null) {
return;
}
}
if (jaspicProvider == null && !doAuthenticate(request, response) ||
jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false)) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("authenticator.authenticationFail"));
}
/*
* ASSERT: Authenticator already set the appropriate HTTP status code, so we do not have to do anything
* special
*/
return;
}
}
if (constraints != null) {
if (log.isTraceEnabled()) {
log.trace("Calling accessControl()");
}
if (!realm.hasResourcePermission(request, response, constraints, this.context)) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("authenticator.userPermissionFail", request.getUserPrincipal().getName()));
}
/*
* ASSERT: AccessControl method has already set the appropriate HTTP status code, so we do not have to
* do anything special
*/
return;
}
}
// Any and all specified constraints have been satisfied
if (log.isTraceEnabled()) {
log.trace("Successfully passed all security constraints");
}
getNext().invoke(request, response);
if (jaspicProvider != null) {
secureResponseJspic(request, response, jaspicState);
}
}