in src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java [409:440]
/**
 * Decides whether the request may proceed, running authentication unless the
 * request already carries a {@code ResourceResolver}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The fast path returns {@code true} purely because the
 *       {@code REQUEST_ATTRIBUTE_RESOLVER} request attribute holds a
 *       {@code ResourceResolver}; {@code doHandleSecurity} is not consulted.
 *       The decision is therefore only as trustworthy as the code able to set
 *       that attribute on the request.</li>
 *   <li>The fast path is taken before the timer is started, so such requests
 *       are neither timed nor reported to {@code authenticateCompleted}.</li>
 *   <li>A positive result from {@code doHandleSecurity} is overridden (fail
 *       closed) when {@code expectAuthenticationHandler} reports that a handler
 *       was expected for this request.</li>
 * </ul>
 *
 * @param request the current request
 * @param response the current response; used to send the rejection when access is denied
 * @return {@code true} if the request was already authenticated or was accepted
 *         by {@code doHandleSecurity} without being overridden; {@code false} otherwise
 */
public boolean handleSecurity(HttpServletRequest request,
        HttpServletResponse response) {

    // Step 0: a resolver may already be attached, e.g. when this request is a
    // servlet container include nested inside another Sling request.
    final Object existing = request.getAttribute(REQUEST_ATTRIBUTE_RESOLVER);
    if (existing instanceof ResourceResolver) {
        log.debug("handleSecurity: Request already authenticated, nothing to do");
        return true;
    }
    if (existing != null) {
        // Something other than a ResourceResolver occupies the attribute:
        // warn, drop it, and continue with regular authentication.
        log.warn("handleSecurity: Overwriting existing ResourceResolver attribute ({})", existing);
        request.removeAttribute(REQUEST_ATTRIBUTE_RESOLVER);
    }

    final Timer.Context timer = metrics.authenticationTimerContext();
    // Stays false if doHandleSecurity throws, so the finally block then
    // reports a failed authentication.
    boolean granted = false;
    try {
        granted = doHandleSecurity(request, response);
        if (granted && expectAuthenticationHandler(request)) {
            // A handler was expected to take over this request but the
            // request was let through; deny access instead of letting it proceed.
            log.warn("handleSecurity: AuthenticationHandler did not block request; access denied");
            // NOTE(review): presumably cleared so the rejection carries no stale
            // failure details; confirm against AuthUtil.sendInvalid.
            request.removeAttribute(AuthenticationHandler.FAILURE_REASON);
            request.removeAttribute(AuthenticationHandler.FAILURE_REASON_CODE);
            AuthUtil.sendInvalid(request, response);
            // Cleared only after sendInvalid returns, matching the order the
            // metrics call below observes if sendInvalid throws.
            granted = false;
        }
    } finally {
        // Stop the timer first, then record the final outcome.
        timer.stop();
        metrics.authenticateCompleted(granted);
    }
    return granted;
}