1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17 package org.apache.catalina.authenticator;
18
19 import java.io.IOException;
20
21 import javax.servlet.http.HttpServletResponse;
22
23 import org.apache.catalina.connector.Request;
24
25 /**
26 * An <b>Authenticator</b> and <b>Valve</b> implementation that checks
27 * only security constraints not involving user authentication.
28 *
29 * @author Craig R. McClanahan
30 */
31 public final class NonLoginAuthenticator extends AuthenticatorBase {
32
33
34 // --------------------------------------------------------- Public Methods
35
36
37 /**
38 * <p>Authenticate the user making this request, based on the fact that no
39 * <code>login-config</code> has been defined for the container.</p>
40 *
41 * <p>This implementation means "login the user even though there is no
42 * self-contained way to establish a security Principal for that user".</p>
43 *
44 * <p>This method is called by the AuthenticatorBase super class to
45 * establish a Principal for the user BEFORE the container security
46 * constraints are examined, i.e. it is not yet known whether the user
47 * will eventually be permitted to access the requested resource.
48 * Therefore, it is necessary to always return <code>true</code> to
49 * indicate the user has not failed authentication.</p>
50 *
51 * <p>There are two cases:</p>
52 * <ul>
53 * <li>without SingleSignon: a Session instance does not yet exist
54 * and there is no <code>auth-method</code> to authenticate the
55 * user, so leave Request's Principal as null.
56 * Note: AuthenticatorBase will later examine the security constraints
57 * to determine whether the resource is accessible by a user
58 * without a security Principal and Role (i.e. unauthenticated).
59 * </li>
60 * <li>with SingleSignon: if the user has already authenticated via
61 * another container (using its own login configuration), then
62 * associate this Session with the SSOEntry so it inherits the
63 * already-established security Principal and associated Roles.
64 * Note: This particular session will become a full member of the
65 * SingleSignOnEntry Session collection and so will potentially
66 * keep the SSOE "alive", even if all the other properly
67 * authenticated Sessions expire first... until it expires too.
68 * </li>
69 * </ul>
70 *
71 * @param request Request we are processing
72 * @param response Response we are creating
73 * @return boolean to indicate whether the user is authenticated
74 * @exception IOException if an input/output error occurs
75 */
76 @Override
77 protected boolean doAuthenticate(Request request, HttpServletResponse response)
78 throws IOException {
79
80 // Don't try and use SSO to authenticate since there is no auth
81 // configured for this web application
82 if (checkForCachedAuthentication(request, response, true)) {
83 // Save the inherited Principal in this session so it can remain
84 // authenticated until it expires.
85 if (cache) {
86 request.getSessionInternal(true).setPrincipal(request.getPrincipal());
87 }
88 return true;
89 }
90
91 // No Principal means the user is not already authenticated
92 // and so will not be assigned any roles. It is safe to
93 // to say the user is now authenticated because access to
94 // protected resources will only be allowed with a matching role.
95 // i.e. SC_FORBIDDEN (403 status) will be generated later.
96 if (containerLog.isDebugEnabled())
97 containerLog.debug("User authenticated without any roles");
98 return true;
99 }
100
101
102 /**
103 * Return the authentication method, which is vendor-specific and
104 * not defined by HttpServletRequest.
105 */
106 @Override
107 protected String getAuthMethod() {
108 return "NONE";
109 }
110 }
111