public final class AuthUtil extends Object
AuthUtil
provides utility functions for implementations of
AuthenticationHandler
services and
users of the Sling authentication infrastructure.
This utility class can neither be extended from nor can it be instantiated.
Modifier and Type | Method and Description |
---|---|
static boolean |
checkReferer(javax.servlet.http.HttpServletRequest request,
String loginForm)
Check if the request is for this authentication handler.
|
static String |
getAttributeOrParameter(javax.servlet.http.HttpServletRequest request,
String name,
String defaultValue)
Returns the value of the named request attribute or parameter as a string
as follows:
If there is a request attribute of that name, which is a non-empty
string, it is returned.If there is a non-empty request parameter of
that name, this parameter is returned.
|
static String |
getLoginResource(javax.servlet.http.HttpServletRequest request,
String defaultLoginResource)
Returns any resource target to redirect to after successful
authentication.
|
static boolean |
isAjaxRequest(javax.servlet.http.HttpServletRequest request)
Returns
true if the request is to be considered an AJAX
request placed using the XMLHttpRequest browser host object. |
static boolean |
isBrowserRequest(javax.servlet.http.HttpServletRequest request)
Returns
true if the given request can be assumed to be sent
by a client browser such as Firefix, Internet Explorer, etc. |
static boolean |
isRedirectValid(javax.servlet.http.HttpServletRequest request,
String target)
Returns
true if the given redirect target is
valid according to the following list of requirements:
The target is neither null nor an empty
string
The target is not an URL which is identified by the
character sequence :// separating the scheme from the host
The target is normalized such that it contains no
consecutive slashes and no path segment contains a single or double dot
The target must be prefixed with the servlet context
path
If a ResourceResolver is available as a request
attribute the target (without the servlet context path
prefix) must resolve to an existing resource
If a ResourceResolver is not available as a
request attribute the target must be an absolute path
starting with a slash character does not contain any of the characters
< , > , ' , or "
in plain or URL encoding
|
static boolean |
isValidateRequest(javax.servlet.http.HttpServletRequest request)
Returns
true if the the client just asks for validation of
submitted username/password credentials. |
static void |
sendInvalid(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Sends a 403/FORBIDDEN response optionally stating the reason for this
response code in the
#X_REASON header. |
static void |
sendRedirect(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
String target,
Map<String,String> params)
Redirects to the given target path appending any parameters provided in
the parameter map.
|
static void |
sendValid(javax.servlet.http.HttpServletResponse response)
Sends a 200/OK response to a credential validation request.
|
static String |
setLoginResourceAttribute(javax.servlet.http.HttpServletRequest request,
String defaultValue)
Ensures and returns the
Authenticator.LOGIN_RESOURCE request
attribute is set to a non-null, non-empty string. |
public static String getAttributeOrParameter(javax.servlet.http.HttpServletRequest request, String name, String defaultValue)
defaultValue
is returned.request
- The request from which to return the attribute or request
parametername
- The name of the attribute/parameterdefaultValue
- The default value to use if neither a non-empty
string attribute or a non-empty parameter exists in the
request.defaultValue
as defined
above.public static String getLoginResource(javax.servlet.http.HttpServletRequest request, String defaultLoginResource)
defaultLoginResource
parameter. First the
resource
request attribute is checked. If it is a non-empty
string, it is returned. Second the resource
request
parameter is checked and returned if it is a non-empty string.request
- The request providing the attribute or parameterdefaultLoginResource
- The default login resource valuedefaultLoginResource
.public static String setLoginResourceAttribute(javax.servlet.http.HttpServletRequest request, String defaultValue)
Authenticator.LOGIN_RESOURCE
request
attribute is set to a non-null, non-empty string. If the attribute is not
currently set, this method sets it as follows:
Authenticator.LOGIN_RESOURCE
request parameter is set
to a non-empty string, that parameter is setdefaultValue
is a non-empty string the
default value is usedrequest
- The request to check for the resource attributedefaultValue
- The default value to use if the attribute is not set
and the request parameter is not set. This parameter is
ignored if it is null
or an empty string.public static void sendRedirect(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String target, Map<String,String> params) throws IOException
This method implements the following functionality:
params
map does not contain a (non-
null
) value for the resource
entry, such an entry is generated from the request URI and the
(optional) query string of the given request
.params
map or at least a single
resource
parameter are added to the
target path for the redirect. Each parameter value is encoded using the
java.net.URLEncoder
with UTF-8 encoding to make it safe for
requests
After checking the redirect target and creating the target URL from the
parameter map, the response buffer is reset and the
HttpServletResponse.sendRedirect
is called. Any headers
already set before calling this method are preserved.
request
- The request object used to get the current request URI and
request query string if the params
map does not
have the resource
parameter set.response
- The response used to send the redirect to the client.target
- The redirect target to validate. This path must be prefixed
with the request's servlet context path. If this parameter is
not a valid target request as per the
isRedirectValid(HttpServletRequest, String)
method
the target is modified to be the root of the request's
context.params
- The map of parameters to be added to the target path. This
may be null
.IOException
- If an error occurs sending the redirect requestIllegalStateException
- If the response was committed or if a
partial URL is given and cannot be converted into a valid URLInternalError
- If the UTF-8 character encoding is not supported by
the platform. This should not be caught, because it is a real
problem if the encoding required by the specification is
missing.public static boolean isValidateRequest(javax.servlet.http.HttpServletRequest request)
true
if the the client just asks for validation of
submitted username/password credentials.
This implementation returns true
if the request parameter
#PAR_J_VALIDATE
is set to true
(case-insensitve). If
the request parameter is not set or to any value other than
true
this method returns false
.
request
- The request to provide the parameter to checktrue
if the #PAR_J_VALIDATE
parameter is set
to true
.public static void sendValid(javax.servlet.http.HttpServletResponse response)
This method just overwrites the response status to 200/OK, sends no content (content length header set to zero) and prevents caching on clients and proxies. Any other response headers set before calling this methods are preserved and sent along with the response.
response
- The response objectIllegalStateException
- if the response has already been committedpublic static void sendInvalid(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
#X_REASON
header. The value for the
#X_REASON
header is taken from
AuthenticationHandler.FAILURE_REASON
request attribute if set.
This method just overwrites the response status to 403/FORBIDDEN, adds
the AuthConstants.X_REASON
header and sends the reason as result
back. Any other response headers set before calling this methods are
preserved and sent along with the response.
request
- The request objectresponse
- The response objectIllegalStateException
- if the response has already been committedpublic static boolean checkReferer(javax.servlet.http.HttpServletRequest request, String loginForm)
request
- the current requestpublic static boolean isRedirectValid(javax.servlet.http.HttpServletRequest request, String target)
true
if the given redirect target
is
valid according to the following list of requirements:
target
is neither null
nor an empty
stringtarget
is not an URL which is identified by the
character sequence ://
separating the scheme from the hosttarget
is normalized such that it contains no
consecutive slashes and no path segment contains a single or double dottarget
must be prefixed with the servlet context
pathResourceResolver
is available as a request
attribute the target
(without the servlet context path
prefix) must resolve to an existing resourceResourceResolver
is not available as a
request attribute the target
must be an absolute path
starting with a slash character does not contain any of the characters
<
, >
, '
, or "
in plain or URL encoding
If any of the conditions does not hold, the method returns
false
and logs a warning level message with the
org.apache.sling.auth.core.AuthUtil logger.
request
- Providing the ResourceResolver
attribute and
the context to resolve the resource from the
target
. This may be null
which
causes the target to not be validated with a
ResoureResolver
target
- The redirect target to validate. This path must be
prefixed with the request's servlet context path.true
if the redirect target can be considered validpublic static boolean isBrowserRequest(javax.servlet.http.HttpServletRequest request)
true
if the given request can be assumed to be sent
by a client browser such as Firefix, Internet Explorer, etc.
This method inspects the User-Agent
header and returns
true
if the header contains the string Mozilla (known
to be contained in Firefox, Internet Explorer, WebKit-based browsers
User-Agent) or Opera (known to be contained in the Opera
User-Agent).
request
- The request to inspecttrue
if the request is assumed to be sent by a
browser.public static boolean isAjaxRequest(javax.servlet.http.HttpServletRequest request)
true
if the request is to be considered an AJAX
request placed using the XMLHttpRequest
browser host object.
Currently a request is considered an AJAX request if the client sends the
X-Requested-With request header set to XMLHttpRequest
.request
- The current requesttrue
if the request can be considered an AJAX
request.Copyright © 2015 The Apache Software Foundation. All rights reserved.