Class AuthUtil
AuthUtil
provides utility functions for implementations of
AuthenticationHandler
services and
users of the Sling authentication infrastructure.
This utility class can neither be extended from nor can it be instantiated.
- Since:
- 1.1 (bundle version 1.0.8)
-
Method Summary
Modifier and TypeMethodDescriptionstatic boolean
checkReferer
(HttpServletRequest request, String loginForm) Check if the request is for this authentication handler.static String
getAttributeOrParameter
(HttpServletRequest request, String name, String defaultValue) Returns the value of the named request attribute or parameter as a string as follows: If there is a request attribute of that name, which is a non-empty string, it is returned. If there is a non-empty request parameter of that name, this parameter is returned.static String
getLoginResource
(HttpServletRequest request, String defaultLoginResource) Returns any resource target to redirect to after successful authentication.static boolean
isAjaxRequest
(HttpServletRequest request) Returnstrue
if the request is to be considered an AJAX request placed using theXMLHttpRequest
browser host object.static boolean
isBrowserRequest
(HttpServletRequest request) Returnstrue
if the given request can be assumed to be sent by a client browser such as Firefix, Internet Explorer, etc.static boolean
isRedirectValid
(HttpServletRequest request, String target) Returnstrue
if the given redirecttarget
is valid according to the following list of requirements: Thetarget
is neithernull
nor an empty string Thetarget
is not an URL which is identified by the character sequence://
separating the scheme from the host Thetarget
is normalized such that it contains no consecutive slashes and no path segment contains a single or double dot Thetarget
must be prefixed with the servlet context path If aResourceResolver
is available as a request attribute thetarget
(without the servlet context path prefix) must resolve to an existing resource If aResourceResolver
is not available as a request attribute thetarget
must be an absolute path starting with a slash character does not contain any of the characters<
,>
,'
, or"
in plain or URL encodingstatic boolean
isValidateRequest
(HttpServletRequest request) Returnstrue
if the the client just asks for validation of submitted username/password credentials.static void
sendInvalid
(HttpServletRequest request, HttpServletResponse response) Sends a 403/FORBIDDEN response optionally stating the reason for this response code in theAuthConstants.X_REASON
header.static void
sendRedirect
(HttpServletRequest request, HttpServletResponse response, String target, Map<String, String> params) Redirects to the given target path appending any parameters provided in the parameter map.static void
sendValid
(HttpServletResponse response) Sends a 200/OK response to a credential validation request.static String
setLoginResourceAttribute
(HttpServletRequest request, String defaultValue) Ensures and returns theAuthenticator.LOGIN_RESOURCE
request attribute is set to a non-null, non-empty string.
-
Method Details
-
getAttributeOrParameter
public static String getAttributeOrParameter(HttpServletRequest request, String name, String defaultValue) Returns the value of the named request attribute or parameter as a string as follows:- If there is a request attribute of that name, which is a non-empty string, it is returned.
- If there is a non-empty request parameter of that name, this parameter is returned.
- Otherwise the
defaultValue
is returned.
- Parameters:
request
- The request from which to return the attribute or request parametername
- The name of the attribute/parameterdefaultValue
- The default value to use if neither a non-empty string attribute or a non-empty parameter exists in the request.- Returns:
- The attribute, parameter or
defaultValue
as defined above.
-
getLoginResource
Returns any resource target to redirect to after successful authentication. This method either returns a non-empty string or thedefaultLoginResource
parameter. First theresource
request attribute is checked. If it is a non-empty string, it is returned. Second theresource
request parameter is checked and returned if it is a non-empty string.- Parameters:
request
- The request providing the attribute or parameterdefaultLoginResource
- The default login resource value- Returns:
- The non-empty redirection target or
defaultLoginResource
.
-
setLoginResourceAttribute
Ensures and returns theAuthenticator.LOGIN_RESOURCE
request attribute is set to a non-null, non-empty string. If the attribute is not currently set, this method sets it as follows:- If the
Authenticator.LOGIN_RESOURCE
request parameter is set to a non-empty string, that parameter is set - Otherwise if the
defaultValue
is a non-empty string the default value is used - Otherwise the attribute is set to "/"
- Parameters:
request
- The request to check for the resource attributedefaultValue
- The default value to use if the attribute is not set and the request parameter is not set. This parameter is ignored if it isnull
or an empty string.- Returns:
- returns the value of resource request attribute
- If the
-
sendRedirect
public static void sendRedirect(HttpServletRequest request, HttpServletResponse response, String target, Map<String, String> params) throws IOExceptionRedirects to the given target path appending any parameters provided in the parameter map.This method implements the following functionality:
- If the
params
map does not contain a (non-null
) value for theresource
entry, such an entry is generated from the request URI and the (optional) query string of the givenrequest
. - The parameters from the
params
map or at least a singleresource
parameter are added to the target path for the redirect. Each parameter value is encoded using thejava.net.URLEncoder
with UTF-8 encoding to make it safe for requests
After checking the redirect target and creating the target URL from the parameter map, the response buffer is reset and the
HttpServletResponse.sendRedirect
is called. Any headers already set before calling this method are preserved.- Parameters:
request
- The request object used to get the current request URI and request query string if theparams
map does not have theresource
parameter set.response
- The response used to send the redirect to the client.target
- The redirect target to validate. This path must be prefixed with the request's servlet context path. If this parameter is not a valid target request as per theisRedirectValid(HttpServletRequest, String)
method the target is modified to be the root of the request's context.params
- The map of parameters to be added to the target path. This may benull
.- Throws:
IOException
- If an error occurs sending the redirect requestIllegalStateException
- If the response was committed or if a partial URL is given and cannot be converted into a valid URLInternalError
- If the UTF-8 character encoding is not supported by the platform. This should not be caught, because it is a real problem if the encoding required by the specification is missing.
- If the
-
isValidateRequest
Returnstrue
if the the client just asks for validation of submitted username/password credentials.This implementation returns
true
if the request parameterAuthConstants.PAR_J_VALIDATE
is set totrue
(case-insensitve). If the request parameter is not set or to any value other thantrue
this method returnsfalse
.- Parameters:
request
- The request to provide the parameter to check- Returns:
true
if theAuthConstants.PAR_J_VALIDATE
parameter is set totrue
.
-
sendValid
Sends a 200/OK response to a credential validation request.This method just overwrites the response status to 200/OK, sends no content (content length header set to zero) and prevents caching on clients and proxies. Any other response headers set before calling this methods are preserved and sent along with the response.
- Parameters:
response
- The response object- Throws:
IllegalStateException
- if the response has already been committed
-
sendInvalid
Sends a 403/FORBIDDEN response optionally stating the reason for this response code in theAuthConstants.X_REASON
header. The value for theAuthConstants.X_REASON
header is taken fromAuthenticationHandler.FAILURE_REASON
request attribute if set.This method just overwrites the response status to 403/FORBIDDEN, adds the
AuthConstants.X_REASON
header and sends the reason as result back. Any other response headers set before calling this methods are preserved and sent along with the response.- Parameters:
request
- The request objectresponse
- The response object- Throws:
IllegalStateException
- if the response has already been committed
-
checkReferer
Check if the request is for this authentication handler.- Parameters:
request
- the current requestloginForm
- Path to the login form- Returns:
- true if the referrer matches this handler, or false otherwise
-
isRedirectValid
Returnstrue
if the given redirecttarget
is valid according to the following list of requirements:- The
target
is neithernull
nor an empty string - The
target
is not an URL which is identified by the character sequence://
separating the scheme from the host - The
target
is normalized such that it contains no consecutive slashes and no path segment contains a single or double dot - The
target
must be prefixed with the servlet context path - If a
ResourceResolver
is available as a request attribute thetarget
(without the servlet context path prefix) must resolve to an existing resource - If a
ResourceResolver
is not available as a request attribute thetarget
must be an absolute path starting with a slash character does not contain any of the characters<
,>
,'
, or"
in plain or URL encoding
If any of the conditions does not hold, the method returns
false
and logs a warning level message with the org.apache.sling.auth.core.AuthUtil logger.- Parameters:
request
- Providing theResourceResolver
attribute and the context to resolve the resource from thetarget
. This may benull
which causes the target to not be validated with aResoureResolver
target
- The redirect target to validate. This path must be prefixed with the request's servlet context path.- Returns:
true
if the redirect target can be considered valid
- The
-
isBrowserRequest
Returnstrue
if the given request can be assumed to be sent by a client browser such as Firefix, Internet Explorer, etc.This method inspects the
User-Agent
header and returnstrue
if the header contains the string Mozilla (known to be contained in Firefox, Internet Explorer, WebKit-based browsers User-Agent) or Opera (known to be contained in the Opera User-Agent).- Parameters:
request
- The request to inspect- Returns:
true
if the request is assumed to be sent by a browser.
-
isAjaxRequest
Returnstrue
if the request is to be considered an AJAX request placed using theXMLHttpRequest
browser host object. Currently a request is considered an AJAX request if the client sends the X-Requested-With request header set toXMLHttpRequest
.- Parameters:
request
- The current request- Returns:
true
if the request can be considered an AJAX request.
-