return;
}
}
// Is this request URI subject to a security constraint?
SecurityConstraint constraint = findConstraint(hrequest);
if ((constraint == null) /* &&
(!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
if (debug >= 1)
log(" Not subject to any constraint");
context.invokeNext(request, response);
return;
}
if ((debug >= 1) && (constraint != null))
log(" Subject to constraint " + constraint);
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
if (disableProxyCaching &&
!hsrequest.isSecure() &&
!"POST".equalsIgnoreCase(hsrequest.getMethod())) {
HttpServletResponse sresponse =
(HttpServletResponse) response.getResponse();
sresponse.setHeader("Pragma", "No-cache");
sresponse.setHeader("Cache-Control", "no-cache");
sresponse.setDateHeader("Expires", 1);
}
// Enforce any user data constraint for this security constraint
if (debug >= 1)
log(" Calling checkUserData()");
if (!checkUserData(hrequest, hresponse, constraint)) {
if (debug >= 1)
log(" Failed checkUserData() test");
// ASSERT: Authenticator already set the appropriate
// HTTP status code, so we do not have to do anything special
return;
}
// Authenticate based upon the specified login configuration
if (constraint.getAuthConstraint()) {
if (debug >= 1)
log(" Calling authenticate()");
if (!authenticate(hrequest, hresponse, config)) {
if (debug >= 1)
log(" Failed authenticate() test");
// ASSERT: Authenticator already set the appropriate
// HTTP status code, so we do not have to do anything special
return;
}
}
// Perform access control based on the specified role(s)
if (constraint.getAuthConstraint()) {
if (debug >= 1)
log(" Calling accessControl()");
if (!accessControl(hrequest, hresponse, constraint)) {
if (debug >= 1)
log(" Failed accessControl() test");