org.apache.sling.auth.core

Class AuthUtil

java.lang.Object

org.apache.sling.auth.core.AuthUtil

public final class AuthUtil
extends java.lang.Object

The AuthUtil provides utility functions for implementations of AuthenticationHandler services and users of the Sling authentication infrastructure.

This utility class can neither be extended from nor can it be instantiated.

Since:

1.1 (bundle version 1.0.8)

Method Summary

Modifier and Type	Method and Description
static boolean	checkReferer(HttpServletRequest request, java.lang.String loginForm) Check if the request is for this authentication handler.
static java.lang.String	getAttributeOrParameter(HttpServletRequest request, java.lang.String name, java.lang.String defaultValue) Returns the value of the named request attribute or parameter as a string as follows: If there is a request attribute of that name, which is a non-empty string, it is returned. If there is a non-empty request parameter of that name, this parameter is returned.
static java.lang.String	getLoginResource(HttpServletRequest request, java.lang.String defaultLoginResource) Returns any resource target to redirect to after successful authentication.
static boolean	isAjaxRequest(HttpServletRequest request) Returns true if the request is to be considered an AJAX request placed using the XMLHttpRequest browser host object.
static boolean	isBrowserRequest(HttpServletRequest request) Returns true if the given request can be assumed to be sent by a client browser such as Firefix, Internet Explorer, etc.
static boolean	isRedirectValid(HttpServletRequest request, java.lang.String target) Returns true if the given redirect target is valid according to the following list of requirements: The target is neither null nor an empty string The target is not an URL which is identified by the character sequence :// separating the scheme from the host The target is normalized such that it contains no consecutive slashes and no path segment contains a single or double dot The target must be prefixed with the servlet context path If a ResourceResolver is available as a request attribute the target (without the servlet context path prefix) must resolve to an existing resource If a ResourceResolver is not available as a request attribute the target must be an absolute path starting with a slash character does not contain any of the characters <, >, ', or " in plain or URL encoding
static boolean	isValidateRequest(HttpServletRequest request) Returns true if the the client just asks for validation of submitted username/password credentials.
static void	sendInvalid(HttpServletRequest request, HttpServletResponse response) Sends a 403/FORBIDDEN response optionally stating the reason for this response code in the AuthConstants.X_REASON header.
static void	sendRedirect(HttpServletRequest request, HttpServletResponse response, java.lang.String target, java.util.Map<java.lang.String,java.lang.String> params) Redirects to the given target path appending any parameters provided in the parameter map.
static void	sendValid(HttpServletResponse response) Sends a 200/OK response to a credential validation request.
static java.lang.String	setLoginResourceAttribute(HttpServletRequest request, java.lang.String defaultValue) Ensures and returns the Authenticator.LOGIN_RESOURCE request attribute is set to a non-null, non-empty string.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getAttributeOrParameter

public static java.lang.String getAttributeOrParameter(HttpServletRequest request,
                                                       java.lang.String name,
                                                       java.lang.String defaultValue)

Returns the value of the named request attribute or parameter as a string as follows:

1. If there is a request attribute of that name, which is a non-empty string, it is returned.
2. If there is a non-empty request parameter of that name, this parameter is returned.
3. Otherwise the defaultValue is returned.

Parameters:

request - The request from which to return the attribute or request parameter

name - The name of the attribute/parameter

defaultValue - The default value to use if neither a non-empty string attribute or a non-empty parameter exists in the request.

Returns:

The attribute, parameter or defaultValue as defined above.

getLoginResource

public static java.lang.String getLoginResource(HttpServletRequest request,
                                                java.lang.String defaultLoginResource)

Returns any resource target to redirect to after successful authentication. This method either returns a non-empty string or the defaultLoginResource parameter. First the resource request attribute is checked. If it is a non-empty string, it is returned. Second the resource request parameter is checked and returned if it is a non-empty string.

Parameters:

request - The request providing the attribute or parameter

defaultLoginResource - The default login resource value

Returns:

The non-empty redirection target or defaultLoginResource.

setLoginResourceAttribute

public static java.lang.String setLoginResourceAttribute(HttpServletRequest request,
                                                         java.lang.String defaultValue)

Ensures and returns the Authenticator.LOGIN_RESOURCE request attribute is set to a non-null, non-empty string. If the attribute is not currently set, this method sets it as follows:

1. If the Authenticator.LOGIN_RESOURCE request parameter is set to a non-empty string, that parameter is set
2. Otherwise if the defaultValue is a non-empty string the default value is used
3. Otherwise the attribute is set to "/"

Parameters:

request - The request to check for the resource attribute

defaultValue - The default value to use if the attribute is not set and the request parameter is not set. This parameter is ignored if it is null or an empty string.

Returns:

returns the value of resource request attribute

sendRedirect

public static void sendRedirect(HttpServletRequest request,
                                HttpServletResponse response,
                                java.lang.String target,
                                java.util.Map<java.lang.String,java.lang.String> params)
                         throws java.io.IOException

Redirects to the given target path appending any parameters provided in the parameter map.

This method implements the following functionality:

• If the params map does not contain a (non- null) value for the resource entry, such an entry is generated from the request URI and the (optional) query string of the given request.
• The parameters from the params map or at least a single resource parameter are added to the target path for the redirect. Each parameter value is encoded using the java.net.URLEncoder with UTF-8 encoding to make it safe for requests

After checking the redirect target and creating the target URL from the parameter map, the response buffer is reset and the HttpServletResponse.sendRedirect is called. Any headers already set before calling this method are preserved.

Parameters:

request - The request object used to get the current request URI and request query string if the params map does not have the resource parameter set.

response - The response used to send the redirect to the client.

target - The redirect target to validate. This path must be prefixed with the request's servlet context path. If this parameter is not a valid target request as per the isRedirectValid(HttpServletRequest, String) method the target is modified to be the root of the request's context.

params - The map of parameters to be added to the target path. This may be null.

Throws:

java.io.IOException - If an error occurs sending the redirect request

java.lang.IllegalStateException - If the response was committed or if a partial URL is given and cannot be converted into a valid URL

java.lang.InternalError - If the UTF-8 character encoding is not supported by the platform. This should not be caught, because it is a real problem if the encoding required by the specification is missing.

isValidateRequest

public static boolean isValidateRequest(HttpServletRequest request)

Returns true if the the client just asks for validation of submitted username/password credentials.

This implementation returns true if the request parameter AuthConstants.PAR_J_VALIDATE is set to true (case-insensitve). If the request parameter is not set or to any value other than true this method returns false.

Parameters:

request - The request to provide the parameter to check

Returns:

true if the AuthConstants.PAR_J_VALIDATE parameter is set to true.

sendValid

public static void sendValid(HttpServletResponse response)

Sends a 200/OK response to a credential validation request.

This method just overwrites the response status to 200/OK, sends no content (content length header set to zero) and prevents caching on clients and proxies. Any other response headers set before calling this methods are preserved and sent along with the response.

Parameters:

response - The response object

Throws:

java.lang.IllegalStateException - if the response has already been committed

sendInvalid

public static void sendInvalid(HttpServletRequest request,
                               HttpServletResponse response)

Sends a 403/FORBIDDEN response optionally stating the reason for this response code in the AuthConstants.X_REASON header. The value for the AuthConstants.X_REASON header is taken from AuthenticationHandler.FAILURE_REASON request attribute if set.

This method just overwrites the response status to 403/FORBIDDEN, adds the AuthConstants.X_REASON header and sends the reason as result back. Any other response headers set before calling this methods are preserved and sent along with the response.

Parameters:

request - The request object

response - The response object

Throws:

java.lang.IllegalStateException - if the response has already been committed

checkReferer

public static boolean checkReferer(HttpServletRequest request,
                                   java.lang.String loginForm)

Check if the request is for this authentication handler.

Parameters:

request - the current request

Returns:

true if the referer matches this handler, or false otherwise

isRedirectValid

public static boolean isRedirectValid(HttpServletRequest request,
                                      java.lang.String target)

Returns true if the given redirect target is valid according to the following list of requirements:

• The target is neither null nor an empty string
• The target is not an URL which is identified by the character sequence :// separating the scheme from the host
• The target is normalized such that it contains no consecutive slashes and no path segment contains a single or double dot
• The target must be prefixed with the servlet context path
• If a ResourceResolver is available as a request attribute the target (without the servlet context path prefix) must resolve to an existing resource
• If a ResourceResolver is not available as a request attribute the target must be an absolute path starting with a slash character does not contain any of the characters <, >, ', or " in plain or URL encoding

If any of the conditions does not hold, the method returns false and logs a warning level message with the org.apache.sling.auth.core.AuthUtil logger.

Parameters:

request - Providing the ResourceResolver attribute and the context to resolve the resource from the target. This may be null which causes the target to not be validated with a ResoureResolver

target - The redirect target to validate. This path must be prefixed with the request's servlet context path.

Returns:

true if the redirect target can be considered valid

isBrowserRequest

public static boolean isBrowserRequest(HttpServletRequest request)

Returns true if the given request can be assumed to be sent by a client browser such as Firefix, Internet Explorer, etc.

This method inspects the User-Agent header and returns true if the header contains the string Mozilla (known to be contained in Firefox, Internet Explorer, WebKit-based browsers User-Agent) or Opera (known to be contained in the Opera User-Agent).

Parameters:

request - The request to inspect

Returns:

true if the request is assumed to be sent by a browser.

isAjaxRequest

public static boolean isAjaxRequest(HttpServletRequest request)

Returns true if the request is to be considered an AJAX request placed using the XMLHttpRequest browser host object. Currently a request is considered an AJAX request if the client sends the X-Requested-With request header set to XMLHttpRequest .

Parameters:

request - The current request

Returns:

true if the request can be considered an AJAX request.