/// <summary>
/// If the request has a valid authentication token it allows the request to continue to the target resource,
/// otherwise it triggers an authentication sequence using the configured
/// <see cref="AuthenticationHandler"/>
/// .
/// </summary>
/// <param name="request">the request object.</param>
/// <param name="response">the response object.</param>
/// <param name="filterChain">the filter chain object.</param>
/// <exception cref="System.IO.IOException">thrown if an IO error occurred.</exception>
/// <exception cref="Javax.Servlet.ServletException">thrown if a processing error occurred.
/// </exception>
public virtual void DoFilter(ServletRequest request, ServletResponse response, FilterChain
filterChain)
{
bool unauthorizedResponse = true;
int errCode = HttpServletResponse.ScUnauthorized;
AuthenticationException authenticationEx = null;
HttpServletRequest httpRequest = (HttpServletRequest)request;
HttpServletResponse httpResponse = (HttpServletResponse)response;
bool isHttps = "https".Equals(httpRequest.GetScheme());
try
{
bool newToken = false;
AuthenticationToken token;
try
{
token = GetToken(httpRequest);
}
catch (AuthenticationException ex)
{
Log.Warn("AuthenticationToken ignored: " + ex.Message);
// will be sent back in a 401 unless filter authenticates
authenticationEx = ex;
token = null;
}
if (authHandler.ManagementOperation(token, httpRequest, httpResponse))
{
if (token == null)
{
if (Log.IsDebugEnabled())
{
Log.Debug("Request [{}] triggering authentication", GetRequestURL(httpRequest));
}
token = authHandler.Authenticate(httpRequest, httpResponse);
if (token != null && token.GetExpires() != 0 && token != AuthenticationToken.Anonymous)
{
token.SetExpires(Runtime.CurrentTimeMillis() + GetValidity() * 1000);
}
newToken = true;
}
if (token != null)
{
unauthorizedResponse = false;
if (Log.IsDebugEnabled())
{
Log.Debug("Request [{}] user [{}] authenticated", GetRequestURL(httpRequest), token
.GetUserName());
}
AuthenticationToken authToken = token;
httpRequest = new _HttpServletRequestWrapper_532(authToken, httpRequest);
if (newToken && !token.IsExpired() && token != AuthenticationToken.Anonymous)
{
string signedToken = signer.Sign(token.ToString());
CreateAuthCookie(httpResponse, signedToken, GetCookieDomain(), GetCookiePath(), token
.GetExpires(), isHttps);
}
DoFilter(filterChain, httpRequest, httpResponse);
}
}
else
{
unauthorizedResponse = false;
}
}
catch (AuthenticationException ex)
{
// exception from the filter itself is fatal
errCode = HttpServletResponse.ScForbidden;
authenticationEx = ex;
if (Log.IsDebugEnabled())
{
Log.Debug("Authentication exception: " + ex.Message, ex);
}
else
{
Log.Warn("Authentication exception: " + ex.Message);
}
}
if (unauthorizedResponse)
{
if (!httpResponse.IsCommitted())
{
CreateAuthCookie(httpResponse, string.Empty, GetCookieDomain(), GetCookiePath(),
0, isHttps);
// If response code is 401. Then WWW-Authenticate Header should be
// present.. reset to 403 if not found..
if ((errCode == HttpServletResponse.ScUnauthorized) && (!httpResponse.ContainsHeader
(KerberosAuthenticator.WwwAuthenticate)))
{
errCode = HttpServletResponse.ScForbidden;
}
if (authenticationEx == null)
{
httpResponse.SendError(errCode, "Authentication required");
}
else
{
httpResponse.SendError(errCode, authenticationEx.Message);
}
}
}
}