/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.sling.auth.core.spi;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.auth.core.AuthenticationSupport;
import org.apache.sling.auth.core.AuthUtil;
import org.slf4j.LoggerFactory;
public class DefaultAuthenticationFeedbackHandler implements
AuthenticationFeedbackHandler {
/**
* Handles an optional request for a redirect after successful
* authentication and <code>true</code> if the request has been redirected.
* <p>
* This method checks {@link AuthenticationSupport#REDIRECT_PARAMETER}
* request parameter for the redirect target. This parameter is handled
* as follows:
* <ul>
* <li>If the parameter does not exist, the method does not redirect and
* <code>false</code> is returned.</li>
* <li>If the parameter is the string <code>true</code> or is empty, a
* redirect response to the request URI (<code>HttpServletRequest.getRequestURI()</code>)
* is sent and <code>true</code> is returned.</li>
* <li>If the parameter is a relative path, the path is made absolute
* by resolving it relative to the request URI
* (<code>HttpServletRequest.getRequestURI()</code>). The resulting
* target is validated with the
* {@link AbstractAuthenticationHandler#isRedirectValid(HttpServletRequest, String)}
* method. If valid a redirect to that target is sent back and <code>true</code>
* is returned. Otherwise a redirect to the servlet context root is
* sent back and <code>true</code> is returned.</li>
* <li>If the parameter is an absolute path it is validated with the
* {@link AbstractAuthenticationHandler#isRedirectValid(HttpServletRequest, String)}
* method. If valid a redirect to that path is sent back and <code>true</code>
* is returned. Otherwise a redirect to the servlet context root is
* sent back and <code>true</code> is returned.</li>
* </ul>
* If sending the redirect response fails due to some IO problems, the
* request is still terminated but an error message is logged indicating the
* problem.
*
* @return <code>true</code> if redirect was requested. Otherwise
* <code>false</code> is returned. Note, that <code>true</code> is
* returned regardless of whether sending the redirect response
* succeeded or not.
*
* @since 1.0.4 (bundle version 1.0.8) the target is validated with the
* {@link AbstractAuthenticationHandler#isRedirectValid(HttpServletRequest, String)}
* method.
*/
public static boolean handleRedirect(final HttpServletRequest request,
final HttpServletResponse response) {
final String redirect = getValidatedRedirectTarget(request);
if (redirect != null) {
// and redirect ensuring the response is sent to the client
try {
response.sendRedirect(redirect);
} catch (Exception e) {
// expected: IOException and IllegalStateException
LoggerFactory.getLogger(
DefaultAuthenticationFeedbackHandler.class).error(
"handleRedirect: Failed to send redirect to " + redirect
+ ", aborting request without redirect", e);
}
// consider the request done
return true;
}
// no redirect requested
return false;
}
private static String getValidatedRedirectTarget(
final HttpServletRequest request) {
String redirect = request.getParameter(AuthenticationSupport.REDIRECT_PARAMETER);
if (redirect == null) {
return null;
}
// redirect to the same path
if ("true".equalsIgnoreCase(redirect) || redirect.length() == 0) {
return request.getRequestURI();
}
// redirect relative to the current request (make absolute)
if (!redirect.startsWith("/") && !redirect.contains("://")) {
String path = request.getRequestURI();
path = path.substring(request.getContextPath().length());
int lastSlash = path.lastIndexOf('/');
path = (lastSlash > 0) ? path.substring(0, lastSlash + 1) : path;
redirect = path.concat(redirect);
redirect = ResourceUtil.normalize(redirect);
}
// prepend context path if necessary
if (redirect.startsWith("/") && !redirect.startsWith(request.getContextPath())) {
redirect = request.getContextPath().concat(redirect);
}
// absolute target (in the servlet context)
if (!AuthUtil.isRedirectValid(request, redirect)) {
LoggerFactory.getLogger(DefaultAuthenticationFeedbackHandler.class).error(
"handleRedirect: Redirect target '{}' is invalid, redirecting to '/'",
redirect);
redirect = "/";
}
return redirect;
}
/**
* This default implementation does nothing.
* <p>
* Extensions of this class may overwrite to cleanup any internal state.
*/
public void authenticationFailed(HttpServletRequest request,
HttpServletResponse response, AuthenticationInfo authInfo) {
}
/**
* This default implementation calls the
* {@link #handleRedirect(HttpServletRequest, HttpServletResponse)} method
* to optionally redirect the request after successful authentication.
* <p>
* Extensions of this class may overwrite this method to perform additional
* cleanup etc.
*
* @return the result of calling the
* {@link #handleRedirect(HttpServletRequest, HttpServletResponse)}
* method.
*/
public boolean authenticationSucceeded(HttpServletRequest request,
HttpServletResponse response, AuthenticationInfo authInfo) {
return handleRedirect(request, response);
}
}