org.eclipse.jetty.security.authentication

Class LoginAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

All Implemented Interfaces:

Authenticator

Direct Known Subclasses:

BasicAuthenticator, ClientCertAuthenticator, ConfigurableSpnegoAuthenticator, DigestAuthenticator, FormAuthenticator, SpnegoAuthenticator

public abstract class LoginAuthenticator
extends java.lang.Object
implements Authenticator

Nested Class Summary

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator

Authenticator.AuthConfiguration, Authenticator.Factory

Field Summary

Fields

Modifier and Type	Field and Description
protected IdentityService	_identityService
protected LoginService	_loginService
private boolean	_renewSession
private static Logger	LOG

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	LoginAuthenticator()

Method Summary

Modifier and Type	Method and Description
LoginService	getLoginService()
UserIdentity	login(java.lang.String username, java.lang.Object password, javax.servlet.ServletRequest servletRequest) If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
void	logout(javax.servlet.ServletRequest request)
void	prepareRequest(javax.servlet.ServletRequest request) Called prior to validateRequest.
protected javax.servlet.http.HttpSession	renewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Change the session id.
void	setConfiguration(Authenticator.AuthConfiguration configuration) Configure the Authenticator

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.security.Authenticator

getAuthMethod, secureResponse, validateRequest

Field Detail

LOG

private static final Logger LOG

_loginService

protected LoginService _loginService

_identityService

protected IdentityService _identityService

_renewSession

private boolean _renewSession

Constructor Detail

LoginAuthenticator

protected LoginAuthenticator()

Method Detail

prepareRequest

public void prepareRequest(javax.servlet.ServletRequest request)

Description copied from interface: Authenticator

Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.

Specified by:

prepareRequest in interface Authenticator

Parameters:

request - the request to manipulate

login

public UserIdentity login(java.lang.String username,
                          java.lang.Object password,
                          javax.servlet.ServletRequest servletRequest)

If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Parameters:

username - the username of the client to be authenticated

password - the user's credential

servletRequest - the inbound request that needs authentication

logout

public void logout(javax.servlet.ServletRequest request)

setConfiguration

public void setConfiguration(Authenticator.AuthConfiguration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Parameters:

configuration - the configuration

getLoginService

public LoginService getLoginService()

renewSession

protected javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request,
                                                      javax.servlet.http.HttpServletResponse response)

Change the session id. The session is changed to a new instance with a new ID if and only if:

• A session exists.
• The Authenticator.AuthConfiguration.isSessionRenewedOnAuthentication() returns true.
• The session ID has been given to unauthenticated responses

Parameters:

request - the request

response - the response

Returns:

The new session.