
DavServlet modifications to allow Password Check on login

Sakai 2.0.x Replacement DavServlet.java file from Rutgers, incorporated into Sakai 2.1

The DavServlet was modified to check the password on login. The following service method should replace the one in the Sakai 2.0.x DavServlet so that the authentication provider actually performs the password check; the RequestFilter did not perform it initially (see JIRA http://bugs.sakaiproject.org/jira/browse/SAK-543).

/**
 * Setup and cleanup around this request.
 * @param req HttpServletRequest object with the client request
 * @param res HttpServletResponse object back to the client
 */
protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, java.io.IOException
{
    SakaidavServletInfo info = newInfo(req);

    // RequestFilter will give us any session with this username,
    // even if there's no cookie (which will normally be the case).
    // Thus we can't assume that just because there's a session,
    // we're authenticated. So we always check. In theory if we
    // can verify that this is a proper cookie-based session
    // we could skip the test. Note that there's nothing in the
    // DAV RFC about cookies, so it's actually non-standard to
    // use them, and I think most clients don't.
    // See kernel/request/src/java/org/sakaiproject/util/RequestFilter.java

    Session session = SessionManager.getCurrentSession();

    // try to authenticate based on a Principal (one of ours) in the req
    Principal prin = req.getUserPrincipal();

    if ((prin != null) && (prin instanceof DavPrincipal))
    {
        String eid = prin.getName();
        String pw = ((DavPrincipal) prin).getPassword();

        // authenticate
        try
        {
            // reject empty or absent credentials before touching the provider
            if ((eid == null) || (eid.length() == 0) || (pw == null) || (pw.length() == 0))
            {
                throw new AuthenticationException("missing required fields");
            }

            Evidence e = new IdPwEvidence(eid, pw);
            Authentication a = AuthenticationManager.authenticate(e);

            // login the user if needed. RequestFilter
            // may have found a session with the right
            // userid. If so there's no need for a login
            // as long as it's the right userid.
            // getUserId could be our id, null, or the
            // wrong one. The wrong one should be rare.
            // Compare with equals(): == on Strings tests object identity,
            // so it would force a fresh login on every request.
            if ((session == null) || !eid.equals(session.getUserId()))
            {
                LoginUtil.login(a, req);
            }
        }
        catch (AuthenticationException ex)
        {
            // not authenticated
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
    }
    else
    {
        // user name missing, so can't authenticate
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }

    // Setup... ?

    try
    {
        doDispatch(info, req, res);
    }
    finally
    {
        log(req, info);
    }
}
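The decision logic of the method above, isolated from the servlet and Sakai APIs so it can be compiled and run on its own. This is an added example, not Rutgers' or Sakai's code: it assumes the credentials reach the servlet as an HTTP Basic `Authorization` header (the page does not say how DavPrincipal is populated), and `CredentialStore`, `Decision`, `gate()` and `parseBasic()` are hypothetical names; the in-memory store stands in for AuthenticationManager. It exercises the three 401 paths (no principal, empty fields, bad password) and the session-reuse rule, which compares user ids with `equals()` rather than `==`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical names), not code from the Sakai project.
public class DavAuthGateExample {

    /** Outcome of the gate: an HTTP status plus who the request runs as. */
    static final class Decision {
        final int status;        // 401, or 200 meaning "dispatch the request"
        final String userId;     // user the request is dispatched as, or null
        final boolean loggedIn;  // true if a fresh login had to be performed

        Decision(int status, String userId, boolean loggedIn) {
            this.status = status; this.userId = userId; this.loggedIn = loggedIn;
        }
    }

    /** Constructed in-memory credential store standing in for the provider. */
    static final class CredentialStore {
        private final Map<String, byte[]> passwords = new HashMap<>();

        void add(String eid, String pw) {
            passwords.put(eid, pw.getBytes(StandardCharsets.UTF_8));
        }

        boolean authenticate(String eid, String pw) {
            byte[] expected = passwords.get(eid);
            if (expected == null) {
                return false;
            }
            // constant-time comparison: response time must not depend on how
            // many leading bytes of the guess were right
            return MessageDigest.isEqual(expected, pw.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Parse "Basic base64(eid:pw)"; returns {eid, pw}, or null if absent or malformed. */
    static String[] parseBasic(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                                    // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;                                    // no "user:password" separator
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /**
     * sessionUserId is whatever the RequestFilter-located session reports:
     * null, the right user, or (rarely) the wrong one. As in the servlet,
     * an existing session is never taken as proof of identity.
     */
    static Decision gate(String authorization, String sessionUserId, CredentialStore store) {
        String[] creds = parseBasic(authorization);
        if (creds == null) {
            return new Decision(401, null, false);          // no principal on the request
        }
        String eid = creds[0];
        String pw = creds[1];
        if (eid.isEmpty() || pw.isEmpty()) {
            return new Decision(401, null, false);          // "missing required fields"
        }
        if (!store.authenticate(eid, pw)) {
            return new Decision(401, null, false);          // AuthenticationException path
        }
        // Reuse the found session only if it already belongs to this user.
        // equals(), not ==: the header's String and the session's String are
        // distinct objects even when their contents match.
        boolean needLogin = !eid.equals(sessionUserId);
        return new Decision(200, eid, needLogin);
    }

    public static void main(String[] args) {
        CredentialStore store = new CredentialStore();
        store.add("alice", "correct horse");                // constructed sample credential
        String good = "Basic " + Base64.getEncoder().encodeToString(
                "alice:correct horse".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString(
                "alice:wrong".getBytes(StandardCharsets.UTF_8));

        report("session but no credentials", gate(null, "alice", store));
        report("wrong password", gate(bad, "alice", store));
        report("valid credentials, no session", gate(good, null, store));
        report("valid credentials, matching session", gate(good, "alice", store));
        report("valid credentials, someone else's session", gate(good, "bob", store));
    }

    private static void report(String label, Decision d) {
        System.out.println(label + ": status=" + d.status + " user=" + d.userId + " login=" + d.loggedIn);
    }
}
```

Compile and run with `javac DavAuthGateExample.java && java DavAuthGateExample`. The first case is the one the Rutgers change exists for: a session found by user name alone yields a 401 unless the request also carries credentials that the provider accepts.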
