+ @Override
+ public boolean handleSecurity(final HttpServletRequest request, HttpServletResponse response)
+ throws IOException {
+ if (log.isTraceEnabled())
+ KernelUtils.logRequestHeaders(log, request);
+ LoginContext lc;
+ try {
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request));
+ lc.login();
+ // return true;
+ } catch (LoginException e) {
+ CallbackHandler token = basicAuth(request);
+ if (token != null) {
+ try {
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, token);
+ lc.login();
+ // Note: this is impossible to reliably clear the
+ // authorization header when access from a browser.
+ return true;
+ } catch (LoginException e1) {
+ throw new CmsException("Could not login", e1);
+ }
+ } else {
+ // anonymous
+ try {
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER);
+ lc.login();
+ } catch (LoginException e1) {
+ if (log.isDebugEnabled())
+ log.error("Cannot log in anonynous", e1);
+ return false;
+ }
+ }
+ }
+ request.setAttribute(NodeConstants.LOGIN_CONTEXT_USER, lc);
+ return true;
+ }
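Review bot: In the Basic-auth branch, a rejected credential surfaces as an unchecked `CmsException` (the method declares only `IOException`) instead of a denied request, and `response` is never touched anywhere in the visible method, so a bad password likely becomes a server error rather than a 401. I would replace the throw with `response.sendError(HttpServletResponse.SC_UNAUTHORIZED);` followed by `return false;`, and log the failure without the credentials. The same branch returns `true` before `request.setAttribute(NodeConstants.LOGIN_CONTEXT_USER, lc)` runs, so the Basic-auth `LoginContext` is not attached to the request the way the other two paths attach theirs; if downstream code reads that attribute, this looks unintended. The anonymous failure is logged with `log.error` only when debug is enabled, and the first `LoginException` is dropped, so failed logins may leave no trace at default log levels. The enclosing class and `basicAuth` are outside the visible lines.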