public final class AuthUtil
extends java.lang.Object

AuthUtil provides utility functions for implementations of AuthenticationHandler services and users of the Sling authentication infrastructure.

This utility class can neither be extended from nor can it be instantiated.

| Modifier and Type | Method and Description | 
|---|---|
| static boolean | checkReferer(javax.servlet.http.HttpServletRequest request, java.lang.String loginForm) Check if the request is for this authentication handler. |
| static java.lang.String | getAttributeOrParameter(javax.servlet.http.HttpServletRequest request, java.lang.String name, java.lang.String defaultValue) Returns the value of the named request attribute or parameter as a string as follows: If there is a request attribute of that name, which is a non-empty string, it is returned. If there is a non-empty request parameter of that name, this parameter is returned. |
| static java.lang.String | getLoginResource(javax.servlet.http.HttpServletRequest request, java.lang.String defaultLoginResource) Returns any resource target to redirect to after successful authentication. |
| static boolean | isAjaxRequest(javax.servlet.http.HttpServletRequest request) Returns true if the request is to be considered an AJAX request placed using the XMLHttpRequest browser host object. |
| static boolean | isBrowserRequest(javax.servlet.http.HttpServletRequest request) Returns true if the given request can be assumed to be sent by a client browser such as Firefox, Internet Explorer, etc. |
| static boolean | isRedirectValid(javax.servlet.http.HttpServletRequest request, java.lang.String target) Returns true if the given redirect target is valid according to the following list of requirements: The target is neither null nor an empty string; the target is not a URL, which is identified by the character sequence :// separating the scheme from the host; the target is normalized such that it contains no consecutive slashes and no path segment contains a single or double dot; the target must be prefixed with the servlet context path; if a ResourceResolver is available as a request attribute, the target (without the servlet context path prefix) must resolve to an existing resource; if a ResourceResolver is not available as a request attribute, the target must be an absolute path starting with a slash character and must not contain any of the characters <, >, ', or " in plain or URL encoding. |
| static boolean | isValidateRequest(javax.servlet.http.HttpServletRequest request) Returns true if the client just asks for validation of submitted username/password credentials. |
| static void | sendInvalid(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Sends a 403/FORBIDDEN response optionally stating the reason for this response code in the AuthConstants.X_REASON header. |
| static void | sendRedirect(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String target, java.util.Map<java.lang.String,java.lang.String> params) Redirects to the given target path appending any parameters provided in the parameter map. |
| static void | sendValid(javax.servlet.http.HttpServletResponse response) Sends a 200/OK response to a credential validation request. |
| static java.lang.String | setLoginResourceAttribute(javax.servlet.http.HttpServletRequest request, java.lang.String defaultValue) Ensures that the Authenticator.LOGIN_RESOURCE request attribute is set to a non-null, non-empty string and returns it. |

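
The requirements listed for isRedirectValid in the table above guard against open redirects after login. The following Java sketch is an added example, not Sling's implementation: it applies the documented checks for the case where no ResourceResolver is available. The class name, the contextPath parameter (standing in for the request's servlet context path) and the sample targets are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;

/** Added sketch of the documented redirect-target rules; not Sling's own code. */
public class RedirectTargetCheck {

    // Characters rejected "in plain or URL encoding" (encoded forms compared in lower case).
    private static final List<String> FORBIDDEN =
            List.of("<", ">", "'", "\"", "%3c", "%3e", "%27", "%22");

    /** contextPath is an assumed stand-in for request.getContextPath(). */
    static boolean isRedirectValid(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;                 // neither null nor empty
        }
        if (target.contains("://")) {
            return false;                 // not a URL with scheme and host
        }
        if (!target.startsWith("/") || target.contains("//")) {
            return false;                 // absolute path, no consecutive slashes
        }
        for (String segment : target.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;             // no single or double dot segments
            }
        }
        if (!target.startsWith(contextPath)) {
            return false;                 // must be prefixed with the context path
        }
        String lower = target.toLowerCase(Locale.ROOT);
        for (String bad : FORBIDDEN) {
            if (lower.contains(bad)) {
                return false;             // no markup characters, plain or encoded
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample targets for a web application deployed at /app.
        String[] samples = { "/app/content/home.html", "https://example.com/",
                "//example.com/x", "/app/../admin", "/other/page", "/app/a%3Cscript%3E", "" };
        for (String t : samples) {
            System.out.printf("%-28s -> %b%n", '"' + t + '"', isRedirectValid("/app", t));
        }
    }
}
```

Only the first sample is accepted. The scheme-relative form //example.com/x is caught by the consecutive-slash rule rather than by the :// rule.
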
public static java.lang.String getAttributeOrParameter(javax.servlet.http.HttpServletRequest request,
                                                       java.lang.String name,
                                                       java.lang.String defaultValue)
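
Returns the value of the named request attribute or parameter as a string as follows:

- If there is a request attribute of that name, which is a non-empty string, it is returned.
- If there is a non-empty request parameter of that name, this parameter is returned.
- Otherwise the defaultValue is returned.

Parameters:

- request - The request from which to return the attribute or request parameter
- name - The name of the attribute/parameter
- defaultValue - The default value to use if neither a non-empty string attribute nor a non-empty parameter exists in the request.

Returns:

- The attribute, parameter or defaultValue as defined above.

public static java.lang.String getLoginResource(javax.servlet.http.HttpServletRequest request,
                                                java.lang.String defaultLoginResource)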

Returns any resource target to redirect to after successful authentication, or the defaultLoginResource parameter. First the resource request attribute is checked. If it is a non-empty string, it is returned. Second the resource request parameter is checked and returned if it is a non-empty string.

Parameters:

- request - The request providing the attribute or parameter
- defaultLoginResource - The default login resource value

Returns:

- The resource attribute or parameter if non-empty, otherwise defaultLoginResource.

public static java.lang.String setLoginResourceAttribute(javax.servlet.http.HttpServletRequest request,
                                                         java.lang.String defaultValue)

Ensures that the Authenticator.LOGIN_RESOURCE request attribute is set to a non-null, non-empty string and returns it. If the attribute is not currently set, this method sets it as follows:

- If the Authenticator.LOGIN_RESOURCE request parameter is set to a non-empty string, that parameter is set
- Otherwise, if the defaultValue is a non-empty string, the default value is used

Parameters:

- request - The request to check for the resource attribute
- defaultValue - The default value to use if the attribute is not set and the request parameter is not set. This parameter is ignored if it is null or an empty string.

public static void sendRedirect(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                java.lang.String target,
                                java.util.Map<java.lang.String,java.lang.String> params)
                         throws java.io.IOException

Redirects to the given target path appending any parameters provided in the parameter map.

This method implements the following functionality:

- If the params map does not contain a (non-null) value for the resource entry, such an entry is generated from the request URI and the (optional) query string of the given request.
- The entries of the params map or at least a single resource parameter are added to the target path for the redirect. Each parameter value is encoded using the java.net.URLEncoder with UTF-8 encoding to make it safe for requests.

After checking the redirect target and creating the target URL from the parameter map, the response buffer is reset and the HttpServletResponse.sendRedirect is called. Any headers already set before calling this method are preserved.

Parameters:

- request - The request object used to get the current request URI and request query string if the params map does not have the resource parameter set.
- response - The response used to send the redirect to the client.
- target - The redirect target to validate. This path must be prefixed with the request's servlet context path. If this parameter is not a valid target request as per the isRedirectValid(HttpServletRequest, String) method the target is modified to be the root of the request's context.
- params - The map of parameters to be added to the target path. This may be null.

Throws:

- java.io.IOException - If an error occurs sending the redirect request
- java.lang.IllegalStateException - If the response was committed or if a partial URL is given and cannot be converted into a valid URL
- java.lang.InternalError - If the UTF-8 character encoding is not supported by the platform. This should not be caught, because it is a real problem if the encoding required by the specification is missing.

public static boolean isValidateRequest(javax.servlet.http.HttpServletRequest request)

Returns true if the client just asks for validation of submitted username/password credentials.

This implementation returns true if the request parameter AuthConstants.PAR_J_VALIDATE is set to true (case-insensitive). If the request parameter is not set or is set to any value other than true this method returns false.

Parameters:

- request - The request to provide the parameter to check

Returns:

- true if the AuthConstants.PAR_J_VALIDATE parameter is set to true.

public static void sendValid(javax.servlet.http.HttpServletResponse response)

Sends a 200/OK response to a credential validation request.

This method just overwrites the response status to 200/OK, sends no content (content length header set to zero) and prevents caching on clients and proxies. Any other response headers set before calling this method are preserved and sent along with the response.

Parameters:

- response - The response object

Throws:

- java.lang.IllegalStateException - if the response has already been committed

public static void sendInvalid(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response)

Sends a 403/FORBIDDEN response optionally stating the reason for this response code in the AuthConstants.X_REASON header. The value for the AuthConstants.X_REASON header is taken from the AuthenticationHandler.FAILURE_REASON request attribute if set.

This method just overwrites the response status to 403/FORBIDDEN, adds the AuthConstants.X_REASON header and sends the reason as result back. Any other response headers set before calling this method are preserved and sent along with the response.

Parameters:

- request - The request object
- response - The response object

Throws:

- java.lang.IllegalStateException - if the response has already been committed

public static boolean checkReferer(javax.servlet.http.HttpServletRequest request,
                                   java.lang.String loginForm)

Check if the request is for this authentication handler.

Parameters:

- request - the current request

public static boolean isRedirectValid(javax.servlet.http.HttpServletRequest request,
                                      java.lang.String target)

Returns true if the given redirect target is valid according to the following list of requirements:

- The target is neither null nor an empty string
- The target is not a URL, which is identified by the character sequence :// separating the scheme from the host
- The target is normalized such that it contains no consecutive slashes and no path segment contains a single or double dot
- The target must be prefixed with the servlet context path
- If a ResourceResolver is available as a request attribute, the target (without the servlet context path prefix) must resolve to an existing resource
- If a ResourceResolver is not available as a request attribute, the target must be an absolute path starting with a slash character and must not contain any of the characters <, >, ', or " in plain or URL encoding

If any of the conditions does not hold, the method returns false and logs a warning level message with the org.apache.sling.auth.core.AuthUtil logger.

Parameters:

- request - Providing the ResourceResolver attribute and the context to resolve the resource from the target. This may be null which causes the target to not be validated with a ResourceResolver
- target - The redirect target to validate. This path must be prefixed with the request's servlet context path.

Returns:

- true if the redirect target can be considered valid

public static boolean isBrowserRequest(javax.servlet.http.HttpServletRequest request)

Returns true if the given request can be assumed to be sent by a client browser such as Firefox, Internet Explorer, etc.

This method inspects the User-Agent header and returns true if the header contains the string Mozilla (known to be contained in the User-Agent of Firefox, Internet Explorer and WebKit-based browsers) or Opera (known to be contained in the Opera User-Agent).

Parameters:

- request - The request to inspect

Returns:

- true if the request is assumed to be sent by a browser.

public static boolean isAjaxRequest(javax.servlet.http.HttpServletRequest request)

Returns true if the request is to be considered an AJAX request placed using the XMLHttpRequest browser host object. Currently a request is considered an AJAX request if the client sends the X-Requested-With request header set to XMLHttpRequest.

Parameters:

- request - The current request

Returns:

- true if the request can be considered an AJAX request.

Copyright © 2010 - 2023 Adobe. All Rights Reserved