We have a static method in a utility class that downloads a file from a URL. An Authenticator has been set up so that, when a username and password are required, the credentials can be retrieved. The problem is that the credentials from the first successful connection are used for every connection afterwards, as long as the credentials are valid. This is a problem because our code is multi-user, and since the credentials are not checked for each connection, it is possible that a user with the proper credentials could download a file.
Here is the code we are using:

    private static URLAuthenticator auth;

    // copyStream(...) and log are helpers defined elsewhere in the utility class.
    public static File download(String url, String username, String password, File newFile)
            throws IOException {
        auth.set(username, password);
        Authenticator.setDefault(auth);   // process-wide default, shared by all users
        URL fURL = new URL(url);
        OutputStream out = new BufferedOutputStream(new FileOutputStream(newFile));
        URLConnection conn = fURL.openConnection();
        InputStream in = conn.getInputStream();
        try {
            copyStream(in, out);
        } finally {
            if (in != null) in.close();
            if (out != null) out.close();
        }
        return newFile;
    }

    public class URLAuthenticator extends Authenticator {
        private String username;
        private String password;

        public URLAuthenticator(String username, String password) {
            set(username, password);
        }

        public void set(String username, String password) {
            this.username = username;
            this.password = password;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            log.debug("Retrieving credentials '" + username + "', '" + password + "'.");
            return new PasswordAuthentication(username, password.toCharArray());
        }
    }

I see the log statement from getPasswordAuthentication only once, the first time a file is downloaded. On the attempts after that, getPasswordAuthentication is not called again, even though the credentials have been reset. The result is that after the first successful connection, invalid credentials can be entered and a successful connection can still be made. Is this possibly because the download method is static, and in a static class?
Edit: I forgot to mention that this is in a JSF web page. Maybe one of those technologies is setting some default credentials somewhere?
I pulled the URLAuthenticator out into its own class and made it as non-static as possible, but the problem still exists. I've read that if the default authenticator is set to null with Authenticator.setDefault(null), then NTLM authentication will be used on Windows. This should not be a problem because I am setting the authenticator every time, but I thought I would throw it out there. NTLM authentication is definitely being used, because if the server is run as a user that has access to the downloaded file, the credentials are not even asked for and the file just downloads. So obviously, something is grabbing my credentials and passing them in before the Authenticator is called.
I have come to know at least that it seems this behavior is one. One workaround is to use Sun-specific classes to explicitly reset the cache, such as:

    import sun.net.www.protocol.http.AuthCacheValue;
    import sun.net.www.protocol.http.AuthCacheImpl;
    ....
    AuthCacheValue.setAuthCache(new AuthCacheImpl());
    Authenticator.setDefault(new URLAuthenticator(username, password));

I am resetting the AuthCache at the top of the download function described in the question. During compilation, you will get warnings about using these classes. This does not completely solve the problem: if NTLM authentication works, the authenticator will still not be called, but as long as the server is running under a user that does not have permission for the requested file, this should clear the cache out.
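
An added example (not code from the question or the answer): one way to keep credentials scoped to a single request is to attach an Authenticator to the individual connection with HttpURLConnection.setAuthenticator, available from Java 9, instead of replacing the process-wide default. The class name PerUserDownloader and the fail-closed status check are assumptions of this example; it handles http and https URLs only.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

public final class PerUserDownloader {   // hypothetical class name

    /** Downloads url to target using only the caller's credentials. */
    public static Path download(String url, String username, char[] password, Path target)
            throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();

        // Authenticator scoped to this one connection (Java 9+); the
        // process-wide Authenticator.setDefault() is never touched.
        conn.setAuthenticator(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                // Answer only origin-server challenges, and never log the password.
                if (getRequestorType() != RequestorType.SERVER) {
                    return null;
                }
                return new PasswordAuthentication(username, password);
            }
        });

        try {
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                // Fail closed: a 401/403 must not produce a file for this user.
                throw new IOException("Download refused, HTTP status " + status);
            }
            try (InputStream in = conn.getInputStream()) {
                Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
            }
            return target;
        } finally {
            conn.disconnect();
        }
    }
}
```

This does not by itself address the transparent NTLM logon on Windows that the question describes.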