import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
public static String getFingerPrint(IMxRuntimeRequest req)
{
	String agent = req.getHeader("User-Agent");
	if (agent != null)
		return base64Encode(agent.getBytes());
	
	return "";
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
public void onCompleteAnonymousLogin(String continuation, IMxRuntimeRequest req, IMxRuntimeResponse resp)
		throws CoreException, IllegalStateException, IOException
{
	try {
		/** Setting up guest sessions is not the responsibility of this module, but otherwise:
			if (Core.getConfiguration().getEnableGuestLogin()) {
				ISession session = Core.initializeGuestSession();
				SessionInitializer.writeSessionCookies(resp, session);
			}
		*/
		SessionInitializer.redirectToIndex(resp, continuation);
	} catch (Exception e) {
		OpenIDHandler.error(resp, ResponseType.INTERNAL_SERVER_ERROR, "Failed to initialize session", e);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void callback(IMxRuntimeRequest req, IMxRuntimeResponse resp) throws Exception {
	LOG.debug("Callback from OpenID provider, evaluating..");

	HttpServletRequest origreq = req.getHttpServletRequest();

	//verification request?
	if (origreq.getMethod().equals("HEAD")) {
		handleHeadRequest(resp);
	} else if (req.getHeader("Accept") != null && req.getHeader("Accept").contains("application/xrds+xml")) {
		handleXrds(resp);
	} else {
		ParameterList openidResp = new ParameterList(origreq.getParameterMap());

		String mxid2Continuation = req.getParameter("mxid2.continuation");
		detectContinuationJsInjection(mxid2Continuation);

		String mode = openidResp.getParameter("openid.mode").getValue();
		if ("setup_needed".equalsIgnoreCase(mode)) {
			/*
			 * original request mode is immediate, because checkid setup would not have returned id_res without verified ID. 
			 * Return to return url, but without identity.
			 * 
			 * @See http://openid.net/specs/openid-authentication-2_0.html#negative_assertions
			 */
			if (LOG.isDebugEnabled())
				LOG.debug("Immediate authentication responded with setup_needed. Assuming that the app should continue as anonymous. ");

			loginHandler.onCompleteAnonymousLogin(mxid2Continuation, req, resp);
		} else if ("id_res".equals(mode)) {
			handleIdRes(req, resp, origreq, openidResp, mxid2Continuation);
		} else if ("cancel".equals(mode)) {
			LOG.warn("OpenId login failed: cancelled");
			resp.setStatus(IMxRuntimeResponse.UNAUTHORIZED);
			error(resp, ResponseType.UNAUTHORIZED, "OpenId login failed. Please try again later.", null);
		} else
			throw new IllegalStateException("Unexpected OpenID callback mode: " + mode);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void handleIdRes(IMxRuntimeRequest req, IMxRuntimeResponse resp, HttpServletRequest origreq,
						 ParameterList openidResp, String mxid2Continuation) throws Exception {
	// extract the receiving URL from the HTTP request
	StringBuffer receivingURL = new StringBuffer(OPENID_RETURN_URL);

	String queryString = origreq.getQueryString();
	if (queryString != null && queryString.length() > 0)
		receivingURL.append("?").append(origreq.getQueryString());

	// verify the response
	LOG.info("[OpenID Verify Response] receivingurl: " + receivingURL + "; to: " + openidResp.getParameter("openid.return_to"));
	VerificationResult verification = manager.verify(receivingURL.toString(), openidResp, discovered);

	// examine the verification result and extract the verified identifier
	Identifier verified = verification.getVerifiedId();

	if (verified != null) {
		String userId = verified.getIdentifier();
		lockOpenID(userId);
		try {
			loginHandler.onCompleteLogin(userId, mxid2Continuation, req, resp);
		} finally {
			unlockOpenID(userId);
		}
	} else {
		LOG.warn("OpenId authentication failed: " + verification.getStatusMsg());
		resp.setStatus(IMxRuntimeResponse.UNAUTHORIZED);
		error(resp, ResponseType.UNAUTHORIZED, "OpenId authentication request failed. Please try again later.", null);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void login(IMxRuntimeRequest req, IMxRuntimeResponse resp) throws Exception {
	String continuation = req.getParameter(CONTINUATION_PARAM);
	detectContinuationJsInjection(continuation);

	//special case 1: already a valid session, do not bother with a new login
	ISession session = this.getSessionFromRequest(req);
	if (session != null && !session.getUser().isAnonymous()) {

		//Logout old session and initialize new session. This will allow for role changes to take effect.
		String userId = session.getUser().getName();
		lockOpenID(userId);
		try {
			loginHandler.onCompleteLogin(userId, continuation, req, resp);
			Core.logout(session);
		} finally {
			unlockOpenID(userId);
		}
	} else if (!started) {
		//special case 2: no OpenID provider discovered
		LOG.warn("OpenId handler is in state 'NOT STARTED'. Falling back to default login.html");
		redirect(resp, FALLBACK_LOGINPAGE);
	} else {
		LOG.debug("Incoming login request, redirecting to OpenID provider");

		AuthRequest authReq = manager.authenticate(discovered, OPENID_RETURN_URL);
		authReq.setImmediate("true".equalsIgnoreCase(req.getParameter(IMMEDIATE_PARAM)));

		String url = authReq.getDestinationUrl(true);

		//MWE: publish the url which can be used to sign off
		if (SINGLESIGNOFF_ENABLED)
			url += "&mxid2.logoffcallback=" +  OpenIDUtils.urlEncode(OPENID_LOGOFF_URL);

		if (continuation != null)
			url += "&mxid2.continuation=" +  OpenIDUtils.urlEncode(continuation);

		redirect(resp, url);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void forceLogoff(IMxRuntimeRequest req, IMxRuntimeResponse resp) {
	String username = req.getParameter("openid");
	String fingerprint = req.getParameter("fingerprint");

	if (SINGLESIGNOFF_ENABLED)
		forceSessionLogoff(username, fingerprint);
	else
		LOG.warn("Received force_logoff request, but single sign off is not unabled in the configuration!");

	resp.setStatus(IMxRuntimeResponse.OK);
	resp.setContentType("text/plain");
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void logoff(IMxRuntimeRequest req, IMxRuntimeResponse resp) throws CoreException {
	if (SINGLESIGNOFF_ENABLED) {
		resp.addCookie(getSessionCookieName(), "", "/", "", 0, true);
		resp.addCookie(SessionInitializer.XASID_COOKIE, "", "/", "", 0, true);
		resp.setStatus(IMxRuntimeResponse.SEE_OTHER);
		resp.addHeader("location", OPENID_PROVIDER + "/../" + LOGOFF);
	} else {
		ISession ses = this.getSessionFromRequest(req);
		if (ses != null) {
			Core.logout(ses);
		}
		redirect(resp, INDEX_PAGE);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void callback(IMxRuntimeRequest req, IMxRuntimeResponse resp) throws Exception {
	log.debug("Callback from OpenID provider, evaluating..");

	HttpServletRequest origreq = req.getHttpServletRequest();

	//verification request?
	if (origreq.getMethod().equals("HEAD")) {
		handleHeadRequest(resp);
	} else if (req.getHeader("Accept") != null && req.getHeader("Accept").contains("application/xrds+xml")) {
		handleXrds(resp);
	} else {
		ParameterList openidResp = new ParameterList(origreq.getParameterMap());

		String mxid2Continuation = req.getParameter("mxid2.continuation");
		detectContinuationJsInjection(mxid2Continuation);

		String mode = openidResp.getParameter("openid.mode").getValue();
		if ("setup_needed".equalsIgnoreCase(mode)) {
			/*
			 * original request mode is immediate, because checkid setup would not have returned id_res without verified ID. 
			 * Return to return url, but without identity.
			 * 
			 * @See http://openid.net/specs/openid-authentication-2_0.html#negative_assertions
			 */
			if (log.isDebugEnabled())
				log.debug("Immediate authentication responded with setup_needed. Assuming that the app should continue as anonymous. ");

			loginHandler.onCompleteAnonymousLogin(mxid2Continuation, req, resp);
		} else if ("id_res".equals(mode)) {
			handleIdRes(req, resp, origreq, openidResp, mxid2Continuation);
		} else if ("cancel".equals(mode)) {
			log.warn("OpenId login failed: cancelled");
			resp.setStatus(IMxRuntimeResponse.UNAUTHORIZED);
			error(resp, ResponseType.UNAUTHORIZED, "OpenId login failed. Please try again later.", null);
		} else
			throw new IllegalStateException("Unexpected OpenID callback mode: " + mode);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void handleIdRes(IMxRuntimeRequest req, IMxRuntimeResponse resp, HttpServletRequest origreq,
						 ParameterList openidResp, String mxid2Continuation) throws Exception {
	// extract the receiving URL from the HTTP request
	StringBuffer receivingURL = new StringBuffer(OpenIDReturnURL);

	String queryString = origreq.getQueryString();
	if (queryString != null && queryString.length() > 0)
		receivingURL.append("?").append(origreq.getQueryString());

	// verify the response
	log.info("[OpenID Verify Response] receivingurl: " + receivingURL + "; to: " + openidResp.getParameter("openid.return_to"));
	VerificationResult verification = manager.verify(receivingURL.toString(), openidResp, discovered);

	// examine the verification result and extract the verified identifier
	Identifier verified = verification.getVerifiedId();

	if (verified != null) {
		String userId = verified.getIdentifier();
		lockOpenID(userId);
		try {
			loginHandler.onCompleteLogin(userId, mxid2Continuation, req, resp);
		} finally {
			unlockOpenID(userId);
		}
	} else {
		log.warn("OpenId authentication failed: " + verification.getStatusMsg());
		resp.setStatus(IMxRuntimeResponse.UNAUTHORIZED);
		error(resp, ResponseType.UNAUTHORIZED, "OpenId authentication request failed. Please try again later.", null);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void login(IMxRuntimeRequest req, IMxRuntimeResponse resp) throws Exception {
	String continuation = req.getParameter(CONTINUATION_PARAM);
	detectContinuationJsInjection(continuation);

	//special case 1: already a valid session, do not bother with a new login
	ISession session = this.getSessionFromRequest(req);
	if (session != null && !session.getUser().isAnonymous()) {

		//Logout old session and initialize new session. This will allow for role changes to take effect.
		String userId = session.getUser().getName();
		lockOpenID(userId);
		try {
			loginHandler.onCompleteLogin(userId, continuation, req, resp);
			Core.logout(session);
		} finally {
			unlockOpenID(userId);
		}
	} else if (!started) {
		//special case 2: no OpenID provider discovered
		log.warn("OpenId handler is in state 'NOT STARTED'. Falling back to default login.html");
		redirect(resp, FALLBACK_LOGINPAGE);
	} else {
		log.debug("Incoming login request, redirecting to OpenID provider");

		AuthRequest authReq = manager.authenticate(discovered, OpenIDReturnURL);
		authReq.setImmediate("true".equalsIgnoreCase(req.getParameter(IMMEDIATE_PARAM)));

		String url = authReq.getDestinationUrl(true);

		//MWE: publish the url which can be used to sign off
		if (SINGLESIGNOFF_ENABLED)
			url += "&mxid2.logoffcallback=" +  OpenIDUtils.urlEncode(OpenIDLogoffURL);

		if (continuation != null)
			url += "&mxid2.continuation=" +  OpenIDUtils.urlEncode(continuation);

		redirect(resp, url);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void forceLogoff(IMxRuntimeRequest req, IMxRuntimeResponse resp) {
	String username = req.getParameter("openid");
	String fingerprint = req.getParameter("fingerprint");

	if (SINGLESIGNOFF_ENABLED)
		forceSessionLogoff(username, fingerprint);
	else
		log.warn("Received force_logoff request, but single sign off is not unabled in the configuration!");

	resp.setStatus(IMxRuntimeResponse.OK);
	resp.setContentType("text/plain");
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
private void logoff(IMxRuntimeRequest req, IMxRuntimeResponse resp) throws CoreException {
	if (SINGLESIGNOFF_ENABLED) {
		resp.addCookie(Core.getConfiguration().getSessionIdCookieName(), "", "/", "", 0, true);
		resp.addCookie(SessionInitializer.XASID_COOKIE, "", "/", "", 0, true);
		resp.setStatus(IMxRuntimeResponse.SEE_OTHER);
		resp.addHeader("location", OPENID_PROVIDER + "/../" + LOGOFF);
	} else {
		ISession ses = this.getSessionFromRequest(req);
		if (ses != null) {
			Core.logout(ses);
		}
		redirect(resp, INDEX_PAGE);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
/**
 * Handles openId related requests. Two requests are supported:
 * 'openid/login': tries to setup a new user session. (Note: does not check if there is already a session)
 * 'openid/callback': used by the openId provider to confirm the identity of the current user
 */
@Override
public void processRequest(IMxRuntimeRequest req, IMxRuntimeResponse resp,
						   String path) throws Exception {

	//always force expiration on this handler!
	resp.addHeader("Expires", "0");

	if (LOG.isDebugEnabled())
		LOG.debug("Incoming request: " + path + " fingerprint: " + getFingerPrint(req));

	if (!OPENID_ENABLED) {
		LOG.info("NOT handling SSO request, disabled by configuration, redirecting to login.html");
		redirect(resp, FALLBACK_LOGINPAGE);
		return;
	}

	if (!started) {
		reconnectToMxID();
	}

	if (!started) {
		LOG.error("NOT handling SSO request, could not connect to MxID 2.0, redirecting to login.html");
		redirect(resp, FALLBACK_LOGINPAGE);
		return;
	}

	try {
		if (LOGOFF.equalsIgnoreCase(path)) {
			logoff(req, resp); //requesting Single Sign Off (from client)
		} else if (FORCE_LOGOFF.equalsIgnoreCase(path)) {
			forceLogoff(req, resp); //requesting Single Sign Off (from server)
		} else if (LOGIN.equalsIgnoreCase(path)) {
			login(req, resp); //requesting authorization
		} else if (CALLBACK.equalsIgnoreCase(path)) {
			callback(req, resp); //redirect from open id provider
		} else {
			error(resp, ResponseType.INTERNAL_SERVER_ERROR, "Unsupported request '" + path + "'", null);
		}
	} catch (Exception e) {
		error(resp, ResponseType.INTERNAL_SERVER_ERROR, "An unexpected exception occurred while handling request " + path, e);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
/**
 * Given a username, starts a new session for the user and redirects back to index.html. 
 * If no matching account is found for the user, a new account will be created automatically. 
 * @param resp
 * @param req
 * @param user
 * @return 
 * @throws CoreException
 * @throws IOException 
 * @throws NoSuchMethodException 
 * @throws SecurityException 
 */
static public ISession createSessionForUser(IMxRuntimeResponse resp,
		IMxRuntimeRequest req, IUser user) throws Exception {
	
	LOG.info("User " + user.getName() + " authenticated. Starting session..");
	
	String sessionid = req.getCookie(XAS_SESSION_ID);

	ISession session = Core.initializeSession(user, sessionid);
	
	// Used to enable Single Sign Off request (from remote sso *server*); must only sign off user in a particular User Agent / Browser
	String ua = req.getHeader("User-Agent");
	session.setUserAgent(ua);
	
	if (LOG.isDebugEnabled())
		LOG.debug("Created session, fingerprint: " + OpenIDUtils.getFingerPrint(session));
	
	writeSessionCookies(resp, session);
	
	return session;
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
@Deprecated
public static ISession login(String userName, String password, @SuppressWarnings("unused") String locale, IMxRuntimeRequest request) throws CoreException
{
	return Core.login(userName, password, request);
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
public static ISession login(String userName, String password, IMxRuntimeRequest request) throws CoreException
{
	return component.core().login(userName, password, request);
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
/**
 * Handles openId related requests. Two requests are supported:
 * 'openid/login': tries to setup a new user session. (Note: does not check if there is already a session)
 * 'openid/callback': used by the openId provider to confirm the identity of the current user
 */
@Override
public void processRequest(IMxRuntimeRequest req, IMxRuntimeResponse resp,
						   String path) throws Exception {

	//always force expiration on this handler!
	resp.addHeader("Expires", "0");

	if (log.isDebugEnabled())
		log.debug("Incoming request: " + path + " fingerprint: " + getFingerPrint(req));

	if (!OPENID_ENABLED) {
		log.info("NOT handling SSO request, disabled by configuration, redirecting to login.html");
		redirect(resp, FALLBACK_LOGINPAGE);
		return;
	}

	if (!started) {
		reconnectToMxID();
	}

	if (!started) {
		log.error("NOT handling SSO request, could not connect to MxID 2.0, redirecting to login.html");
		redirect(resp, FALLBACK_LOGINPAGE);
		return;
	}

	try {
		if (LOGOFF.equalsIgnoreCase(path)) {
			logoff(req, resp); //requesting Single Sign Off (from client)
		} else if (FORCE_LOGOFF.equalsIgnoreCase(path)) {
			forceLogoff(req, resp); //requesting Single Sign Off (from server)
		} else if (LOGIN.equalsIgnoreCase(path)) {
			login(req, resp); //requesting authorization
		} else if (CALLBACK.equalsIgnoreCase(path)) {
			callback(req, resp); //redirect from open id provider
		} else {
			error(resp, ResponseType.INTERNAL_SERVER_ERROR, "Unsupported request '" + path + "'", null);
		}
	} catch (Exception e) {
		error(resp, ResponseType.INTERNAL_SERVER_ERROR, "An unexpected exception occurred while handling request " + path, e);
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
/**
 * Given a username, starts a new session for the user and redirects back to index.html. 
 * If no matching account is found for the user, a new account will be created automatically. 
 * @param resp
 * @param req
 * @param username
 * @return 
 * @throws CoreException
 * @throws IOException 
 * @throws NoSuchMethodException 
 * @throws SecurityException 
 */
static public ISession createSessionForUser(IMxRuntimeResponse resp,
		IMxRuntimeRequest req, IUser user) throws Exception {
	
	log.info("User " + user.getName() + " authenticated. Starting session..");
	
	String sessionid = req.getCookie(Core.getConfiguration().getSessionIdCookieName());

	ISession session = Core.initializeSession(user, sessionid);
	
	// Used to enable Single Sign Off request (from remote sso *server*); must only sign off user in a particular User Agent / Browser
	String ua = req.getHeader("User-Agent");
	session.setUserAgent(ua);
	
	if (log.isDebugEnabled())
		log.debug("Created session, fingerprint: " + OpenIDUtils.getFingerPrint(session));
	
	writeSessionCookies(resp, session);
	
	return session;
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
@Override
public void processRequest(IMxRuntimeRequest req, IMxRuntimeResponse resp,
		String var3) {

	long start = System.currentTimeMillis();
	
	HttpServletRequest request = req.getHttpServletRequest();
	HttpServletResponse response = resp.getHttpServletResponse();

	String method = request.getMethod();
	URL u;
	try {
		u = new URL(request.getRequestURL().toString());
	} catch (MalformedURLException e1) {
		throw new IllegalStateException(e1);
	}

	String relpath = u.getPath().substring(RestServices.PATH_REST.length() + 1);
	String requestStr =  method + " " + relpath;

	response.setCharacterEncoding(RestServices.UTF8);
	response.setHeader("Expires", "-1");

	if (RestServices.LOGPUBLISH.isDebugEnabled())
		RestServices.LOGPUBLISH.debug("incoming request: " + Utils.getRequestUrl(request));

	RestServiceRequest rsr = new RestServiceRequest(request, response, resp, relpath);
	try {
		ISession existingSession = getSessionFromRequest(req);
		
		executeHandler(rsr, method, relpath, existingSession);
		
		if (RestServices.LOGPUBLISH.isDebugEnabled())
				RestServices.LOGPUBLISH.debug("Served " + requestStr + " in " + (System.currentTimeMillis() - start) + "ms.");
	}
	catch(RestPublishException rre) {
		handleRestPublishException(requestStr, rsr, rre);
	}
	catch(JSONException je) {
		handleJsonException(requestStr, rsr, je);
	}
	catch(Throwable e) {
		Throwable cause = ExceptionUtils.getRootCause(e);
		if (cause instanceof RestPublishException)
			handleRestPublishException(requestStr, rsr, (RestPublishException) cause);
		else if (cause instanceof JSONException)
			handleJsonException(requestStr, rsr, (JSONException) cause);
		if (cause instanceof CustomRestServiceException) {
			CustomRestServiceException rse = (CustomRestServiceException) cause;
			RestServices.LOGPUBLISH.warn(String.format("Failed to serve %s: %d (code: %s): %s", requestStr, rse.getHttpStatus(), rse.getDetail(), rse.getMessage()));
			serveErrorPage(rsr, rse.getHttpStatus(), rse.getMessage(), rse.getDetail());
		}
		else if (cause instanceof WebserviceException) {
			RestServices.LOGPUBLISH.warn("Invalid request " + requestStr + ": " +cause.getMessage());
			serveErrorPage(rsr, HttpStatus.SC_BAD_REQUEST, cause.getMessage(), ((WebserviceException) cause).getFaultCode());
		}
		else {
			RestServices.LOGPUBLISH.error("Failed to serve " + requestStr + ": " +e.getMessage(), e);
			serveErrorPage(rsr, HttpStatus.SC_INTERNAL_SERVER_ERROR, "Failed to serve: " + requestStr + ": An internal server error occurred. Please check the application logs or contact a system administrator.", null);
		}
	}
	finally {
		rsr.dispose();
	}
}
 

import com.mendix.m2ee.api.IMxRuntimeRequest; //导入依赖的package包/类
public void onCompleteLogin(String openId, String continuation, IMxRuntimeRequest req, IMxRuntimeResponse resp) throws Exception;