diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java index bdc5428984f..f6f077e100b 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java @@ -29,6 +29,7 @@ import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthen import javax.servlet.http.HttpServletResponse; import java.util.Arrays; +import java.util.HashMap; import java.util.List; import java.util.StringTokenizer; @@ -36,6 +37,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final String BYPASS_URIS = "bypass-uris"; + private static HashMap nonSecuredEndpoints = new HashMap<>(); @Override public void invoke(Request request, Response response, CompositeValve compositeValve) { @@ -90,7 +92,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { private boolean skipAuthentication(Request request) { String param = request.getContext().findParameter("doAuthentication"); - return (param == null || !Boolean.parseBoolean(param)); + return (param == null || !Boolean.parseBoolean(param) || isNonSecuredEndPoint(request)); } private boolean isContextSkipped(Request request) { @@ -112,6 +114,35 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { return (ctx.equalsIgnoreCase("carbon") || ctx.equalsIgnoreCase("services")); } + private boolean isNonSecuredEndPoint(Request request) { + String uri = request.getRequestURI(); + if(!uri.endsWith("/")) { + uri = uri + "/"; + } + String ctx = request.getContextPath(); + //Check the context in nonSecuredEndpoints. If so it means current context is a skippedContext. + if (nonSecuredEndpoints.containsKey(uri)) { + return true; + } + String param = request.getContext().findParameter("nonSecuredEndPoints"); + String skippedEndPoint; + if (param != null && !param.isEmpty()) { + //Add the nonSecured end-points to cache + StringTokenizer tokenizer = new StringTokenizer(param, ","); + while (tokenizer.hasMoreTokens()) { + skippedEndPoint = ctx + tokenizer.nextToken(); + if(!skippedEndPoint.endsWith("/")) { + skippedEndPoint = skippedEndPoint + "/"; + } + nonSecuredEndpoints.put(skippedEndPoint, "true"); + } + if (nonSecuredEndpoints.containsKey(uri)) { + return true; + } + } + return false; + } + private void processRequest(Request request, Response response, CompositeValve compositeValve, AuthenticationInfo authenticationInfo) { switch (authenticationInfo.getStatus()) { @@ -121,7 +152,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { break; case FAILURE: String msg = "Failed to authorize incoming request"; - if(authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) { + if (authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) { msg = authenticationInfo.getMessage(); response.setHeader("WWW-Authenticate", msg); } @@ -132,5 +163,4 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { break; } } - -} +} \ No newline at end of file