File Source: BasicAuthenticator.java
/*
P/P * Method: org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator__static_init
*/
1 /*
2 * Copyright 2005 David M Johnson (For RSS and Atom In Action)
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.apache.roller.weblogger.webservices.adminprotocol;
17
18 import java.util.StringTokenizer;
19 import javax.servlet.http.HttpServletRequest;
20 import org.apache.commons.codec.binary.Base64;
21
22 /**
23 * This class implements HTTP basic authentication for roller.
24 *
25 * @author jtb
26 */
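class BasicAuthenticator extends Authenticator {
    /**
     * Creates a new instance of BasicAuthenticator.
     *
     * @param req the incoming HTTP request; its Authorization header is read by
     *            {@link #authenticate()}
     */
    public BasicAuthenticator(HttpServletRequest req) {
        /*
         * SofCheck Inspector annotations
         * Method: void org.apache.roller.weblogger.webservices.adminprotocol.BasicAuthenticator(HttpServletRequest)
         *
         * Postconditions:
         *   this.request == req
         *   init'ed(this.request)
         *   init'ed(this.roller)
         */
        super(req);
    }

    /**
     * Authenticates the request from its HTTP Basic {@code Authorization} header.
     *
     * <p>The expected header shape is {@code Basic <base64 of "user:password">}. The user name is
     * cleared on entry and set again only after {@code verifyUser} has returned for the decoded
     * credentials. A missing header, a different scheme, a scheme with no credentials token, or
     * credentials without a {@code ':'} separator all end in an {@code UnauthorizedException}.
     *
     * <p>Security notes for maintainers:
     * <ul>
     *   <li>Every value parsed here is supplied by the client; the analyser output below marks
     *       the extracted substring as tainted, so downstream users of the user name must treat
     *       it as untrusted input.</li>
     *   <li>Base64 is an encoding, not encryption: the password travels in recoverable form, so
     *       transport protection has to come from elsewhere (for example TLS).</li>
     *   <li>NOTE(review): this method relies on {@code verifyUser} throwing when the credentials
     *       are rejected, because the user name is set unconditionally after it returns. Confirm
     *       that contract in {@code Authenticator}.</li>
     * </ul>
     *
     * @throws HandlerException an {@code UnauthorizedException} when the header is absent or no
     *         user could be authenticated; whatever {@code verifyUser} throws is propagated
     */
    public void authenticate() throws HandlerException {
        /*
         * SofCheck Inspector annotations, generated for the originally analysed listing
         * (the @NN suffixes are line numbers of that listing, not of this rewritten block).
         * Method: void authenticate()
         *
         * Preconditions:
         *   this.request != null
         *   (soft) this.roller != null
         *
         * Presumptions:
         *   java.lang.String:indexOf(...)@47 <= 2^32-2
         *   javax.servlet.http.HttpServletRequest:getHeader(...)@36 != null
         *
         * Postconditions:
         *   init'ed(java.lang.String:substring(...)._tainted)
         *   this.userName == One-of{null, &java.lang.String:substring(...)}
         *
         * Test Vectors:
         *   java.lang.String:equalsIgnoreCase(...)@44: {0}, {1}
         *   java.lang.String:indexOf(...)@47: {-1}, {-2^31..-2, 0..2^32-2}
         *   java.util.StringTokenizer:hasMoreTokens(...)@42: {0}, {1}
         */

        // Start from "nobody": a failure on any path below must not leave a stale user name.
        setUserName(null);

        String authHeader = getRequest().getHeader("Authorization");
        if (authHeader == null) {
            throw new UnauthorizedException("ERROR: Authorization header was not set");
        }

        StringTokenizer st = new StringTokenizer(authHeader);
        if (st.hasMoreTokens()) {
            String basic = st.nextToken();
            // A header holding only the scheme ("Basic" with no credentials token) used to reach
            // nextToken() and escape as an unchecked NoSuchElementException. Requiring a second
            // token sends that malformed header to the UnauthorizedException below instead.
            if (basic.equalsIgnoreCase("Basic") && st.hasMoreTokens()) {
                String credentials = st.nextToken();
                // NOTE(review): getBytes() and new String(byte[]) use the platform default
                // charset, so non-ASCII user names or passwords decode differently from one
                // deployment to another. Left unchanged here because picking a fixed charset
                // alters which existing credentials match.
                String userPass = new String(Base64.decodeBase64(credentials.getBytes()));
                // Split on the first ':' only, so the password itself may contain colons.
                int p = userPass.indexOf(":");
                if (p != -1) {
                    String userName = userPass.substring(0, p);
                    String password = userPass.substring(p + 1);
                    verifyUser(userName, password);

                    // success
                    setUserName(userName);
                }
            }
        }

        // FIX from Nick Lothian (the reference that followed "see" is missing from this listing).
        // Any path that did not set a user name above is rejected here.
        if (getUserName() == null) {
            throw new UnauthorizedException("ERROR: Could not authorize user");
        }
    }
}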
SofCheck Inspector Build Version : 2.18479
| BasicAuthenticator.java |
2009-Jan-02 14:24:58 |
| BasicAuthenticator.class |
2009-Sep-04 03:12:45 |