/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.authenticator;
import java.io.IOException;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
/**
* An <b>Authenticator</b> and <b>Valve</b> implementation that checks only security constraints not involving user
* authentication.
*/
public final class NonLoginAuthenticator extends AuthenticatorBase {
// --------------------------------------------------------- Public Methods
/**
* <p>
* Authenticate the user making this request, based on the fact that no <code>login-config</code> has been defined
* for the container.
* </p>
* <p>
* This implementation means "login the user even though there is no self-contained way to establish a security
* Principal for that user".
* </p>
* <p>
* This method is called by the AuthenticatorBase super class to establish a Principal for the user BEFORE the
* container security constraints are examined, i.e. it is not yet known whether the user will eventually be
* permitted to access the requested resource. Therefore, it is necessary to always return <code>true</code> to
* indicate the user has not failed authentication.
* </p>
* <p>
* There are two cases:
* </p>
* <ul>
* <li>without SingleSignon: a Session instance does not yet exist and there is no <code>auth-method</code> to
* authenticate the user, so leave Request's Principal as null. Note: AuthenticatorBase will later examine the
* security constraints to determine whether the resource is accessible by a user without a security Principal and
* Role (i.e. unauthenticated).</li>
* <li>with SingleSignon: if the user has already authenticated via another container (using its own login
* configuration), then associate this Session with the SSOEntry so it inherits the already-established security
* Principal and associated Roles. Note: This particular session will become a full member of the SingleSignOnEntry
* Session collection and so will potentially keep the SSOE "alive", even if all the other properly authenticated
* Sessions expire first... until it expires too.</li>
* </ul>
*
* @param request Request we are processing
* @param response Response we are creating
*
* @return boolean to indicate whether the user is authenticated
*
* @exception IOException if an input/output error occurs
*/
@Override
protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
// Don't try and use SSO to authenticate since there is no auth
// configured for this web application
if (checkForCachedAuthentication(request, response, true)) {
// Save the inherited Principal in this session so it can remain
// authenticated until it expires.
if (cache) {
request.getSessionInternal(true).setPrincipal(request.getPrincipal());
}
return true;
}
// No Principal means the user is not already authenticated
// and so will not be assigned any roles. It is safe
// to say the user is now authenticated because access to
// protected resources will only be allowed with a matching role.
// i.e. SC_FORBIDDEN (403 status) will be generated later.
if (containerLog.isTraceEnabled()) {
containerLog.trace("User authenticated without any roles");
}
return true;
}
@Override
protected String getAuthMethod() {
return "NONE";
}
}