
...

The DavServlet was modified to check the password upon login. The following code (the service method) should replace the one in the Sakai 2.0.x DavServlet so that the provider performs the password check. This was not done by the RequestFilter initially (see JIRA http://bugs.sakaiproject.org/jira/browse/SAK-543 and http://bugs.sakaiproject.org/jira/browse/SAK-2292).

Code Block
/**
 * Setup and cleanup around this request. The password is verified on every
 * request, because a session handed to us by RequestFilter is not proof of login.
 * @param req HttpServletRequest object with the client request
 * @param res HttpServletResponse object back to the client
 */
protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, java.io.IOException
{
    SakaidavServletInfo info = newInfo(req);

    // RequestFilter will give us any session with this username,
    // even if there's no cookie (which will normally be the case).
    // Thus we can't assume that just because there's a session,
    // we're authenticated. So we always check. In theory if we
    // can verify that this is a proper cookie-based session
    // we could skip the test. Note that there's nothing in the
    // DAV RFC about cookies, so it's actually non-standard to
    // use them, and I think most clients don't.
    // See kernel/request/src/java/org/sakaiproject/util/RequestFilter.java

    Session session = SessionManager.getCurrentSession();

    // try to authenticate based on a Principal (one of ours) in the req;
    // instanceof is false for null, so no separate null check is needed
    Principal prin = req.getUserPrincipal();

    if (prin instanceof DavPrincipal)
    {
        String eid = prin.getName();
        String pw = ((DavPrincipal) prin).getPassword();

        // authenticate
        try
        {
            // reject missing or empty credentials before consulting the provider
            if ((eid == null) || (pw == null) || (eid.length() == 0) || (pw.length() == 0))
            {
                throw new AuthenticationException("missing required fields");
            }

            Evidence e = new IdPwEvidence(eid, pw);
            Authentication a = AuthenticationManager.authenticate(e);

            // login the user if needed. RequestFilter
            // may have found a session with the right
            // userid. If so there's no need for a login
            // as long as it's the right userid.
            // getUserId could be our id, null, or the
            // wrong one. The wrong one should be rare.
            // Compare with equals(): "!=" would only compare String references.

            if ((session == null) || !eid.equals(session.getUserId()))
            {
                LoginUtil.login(a, req);
            }
        }
        catch (AuthenticationException ex)
        {
            // not authenticated
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
    }
    else
    {
        // no DavPrincipal in the request, so there is no user name to authenticate
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }

    try
    {
        doDispatch(info, req, res);
    }
    finally
    {
        log(req, info);
    }
}
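The decision rule the servlet applies (a session found by the request filter proves nothing, credentials are verified on every request, and a login is only performed when the session belongs to a different user) isolated into a stand-alone class. This is an added example, not Sakai code: `DavAuthCheck`, its outcome enum and the in-memory credential map standing in for AuthenticationManager are all hypothetical, with constructed sample credentials.

```java
import java.util.Map;

/** Outcome of the per-request credential check performed by the DAV servlet. */
enum DavAuthOutcome { REJECT_MISSING_FIELDS, REJECT_BAD_PASSWORD, LOGIN_NEW_SESSION, ALREADY_LOGGED_IN }

public class DavAuthCheck {
    /** Hypothetical stand-in for AuthenticationManager: eid -> expected password (constructed data). */
    private final Map<String, String> credentials;

    DavAuthCheck(Map<String, String> credentials) {
        this.credentials = credentials;
    }

    /**
     * sessionUserId is whatever the request filter's session reports (possibly null);
     * eid and pw come from the DavPrincipal. The password is checked before the
     * session is consulted, so a pre-existing session for the same user never
     * lets a request through with a wrong password.
     */
    DavAuthOutcome check(String sessionUserId, String eid, String pw) {
        if (eid == null || pw == null || eid.isEmpty() || pw.isEmpty()) {
            return DavAuthOutcome.REJECT_MISSING_FIELDS;
        }
        String expected = credentials.get(eid);
        if (expected == null || !expected.equals(pw)) {
            return DavAuthOutcome.REJECT_BAD_PASSWORD;
        }
        // equals(), not ==: the session's user id and the principal's name are distinct String objects
        return eid.equals(sessionUserId) ? DavAuthOutcome.ALREADY_LOGGED_IN
                                         : DavAuthOutcome.LOGIN_NEW_SESSION;
    }

    public static void main(String[] args) {
        DavAuthCheck check = new DavAuthCheck(Map.of("alice", "s3cret"));
        // no session at all: valid credentials lead to a fresh login
        System.out.println(check.check(null, "alice", "s3cret"));
        // session already belongs to alice and the password is right: nothing more to do
        System.out.println(check.check("alice", "alice", "s3cret"));
        // session belongs to alice but the password is wrong: the session is not trusted
        System.out.println(check.check("alice", "alice", "wrong"));
        // session belongs to another user: alice is logged in over it
        System.out.println(check.check("bob", "alice", "s3cret"));
        // empty password is rejected before the provider is consulted
        System.out.println(check.check("alice", "alice", ""));
    }
}
```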