com.atlassian.crowd.integration.seraph.v22
Class CrowdAuthenticator

java.lang.Object
  extended by com.atlassian.seraph.auth.AbstractAuthenticator
      extended by com.atlassian.seraph.auth.DefaultAuthenticator
          extended by com.atlassian.crowd.integration.seraph.v22.CrowdAuthenticator
All Implemented Interfaces:
com.atlassian.seraph.auth.Authenticator, com.atlassian.seraph.Initable, Serializable
Direct Known Subclasses:
BambooAuthenticator, ConfluenceAuthenticator, JIRAAuthenticator

public abstract class CrowdAuthenticator
extends com.atlassian.seraph.auth.DefaultAuthenticator

See Also:
Serialized Form

Field Summary
protected static org.apache.log4j.Logger logger
 
Fields inherited from class com.atlassian.seraph.auth.DefaultAuthenticator
LOGGED_IN_KEY, LOGGED_OUT_KEY
 
Fields inherited from interface com.atlassian.seraph.auth.Authenticator
DEFAULT_AUTHENTICATOR
 
Constructor Summary
CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator)
 
Method Summary
protected  boolean authenticate(Principal user, String password)
          Override the super method, always return true so that authentication is not called twice when a user logs in.
protected  void fetchUserInCache(String username)
          Fetches a user with the given username in the cache, in case the user exists, but cannot be found from the cache yet.
 Principal getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
protected  boolean isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Checks to see if the request can be authenticated.
 boolean login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password, boolean cookie)
          We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token.
 boolean logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
protected abstract  void logoutUser(javax.servlet.http.HttpServletRequest request)
          Allows you to remove all session information about the user and force them to re-authenticate; also the place to clear application-specific attributes for the user.
protected  boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Attempts to authenticate the request based on the auto-login cookie (if set).
 
Methods inherited from class com.atlassian.seraph.auth.DefaultAuthenticator
authoriseUserAndEstablishSession, getAuthType, getElevatedSecurityGuard, getLogoutInterceptors, getRememberMeService, getRoleMapper, getUser, getUserFromBasicAuthentication, getUserFromCookie, getUserFromSession, init, isAuthorised, isPrincipalAlreadyInSessionContext, isUserInRole, putPrincipalInSessionContext, refreshPrincipalObtainedFromSession, removePrincipalFromSessionContext
 
Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator
destroy, getConfig, getRemoteUser, getUser, login
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.apache.log4j.Logger logger
Constructor Detail

CrowdAuthenticator

public CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator)
Method Detail

fetchUserInCache

protected void fetchUserInCache(String username)
                         throws UserNotFoundException,
                                InvalidAuthenticationException,
                                OperationFailedException
Fetches a user with the given username in the cache, in case the user exists, but cannot be found from the cache yet. By default this method will call DefaultAuthenticator.getUser(String), but JIRA needs to override it, because DefaultAuthenticator.getUser(String) only checks the local cache when retrieving users.

Parameters:
username - username of the user to be fetched
Throws:
InvalidAuthenticationException - if the application or user authentication was not successful.
OperationFailedException - if the operation has failed for an unknown reason
UserNotFoundException

authenticate

protected boolean authenticate(Principal user,
                               String password)
Override the super method, always return true so that authentication is not called twice when a user logs in. More info: this is because we subclass login() to perform the authentication, but also call super.login(), which then calls this authenticate() method. We also can't just implement the authenticate() method as it does not provide the HttpServletRequest nor the HttpServletResponse, which are both required for generating and setting the Crowd SSO token.

Specified by:
authenticate in class com.atlassian.seraph.auth.DefaultAuthenticator

login

public boolean login(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     String username,
                     String password,
                     boolean cookie)
              throws com.atlassian.seraph.auth.AuthenticatorException
We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token. However, super.login() does some magic, including elevated security checks, so we still need to call super.login() - which in turn calls authenticate(). The problem is that we can't put our actual authentication logic in there, as authenticate() doesn't pass the HttpServletRequest or HttpServletResponse into the method. Perhaps in a later version of Seraph, we can change authenticate() to take the HttpServletRequest and HttpServletResponse as parameters. But for now, we have a hacky solution that piggybacks the password parameter so authenticate() knows whether to return true or false.

Specified by:
login in interface com.atlassian.seraph.auth.Authenticator
Overrides:
login in class com.atlassian.seraph.auth.DefaultAuthenticator
Parameters:
request - HttpServletRequest used to obtain the validation factors.
response - HttpServletResponse on which the SSO cookie is set.
username - name of user to authenticate.
password - credential to authenticate.
cookie - whether to set a remember-me cookie or not.
Returns:
true if and only if authentication was successful.
Throws:
com.atlassian.seraph.auth.AuthenticatorException

logout

public boolean logout(javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)
               throws com.atlassian.seraph.auth.AuthenticatorException
Specified by:
logout in interface com.atlassian.seraph.auth.Authenticator
Overrides:
logout in class com.atlassian.seraph.auth.DefaultAuthenticator
Throws:
com.atlassian.seraph.auth.AuthenticatorException

isAuthenticated

protected boolean isAuthenticated(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response)
Checks to see if the request can be authenticated. This method checks (in order):
  1. Trusted Apps: it is possible that an earlier filter authenticated the request, so check to see if this is the case.
  2. Crowd Authenticator: if a valid Crowd session-cookie (token) exists, the HttpAuthenticator will authenticate the request as "valid". This will not place the user into the session. See getUser() to see exactly when the user gets placed into session.
  3. Seraph-Remember Me: sees if the request is authenticated via a remember me cookie. If it is, then the user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
  4. Basic Authentication: determines if the request has Basic Auth username/password headers and proceeds to authenticate the user with Crowd if they are present. The user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
If all checks fail authentication, the isAuthenticated method returns false, and the user is logged out.

Parameters:
request - servlet request.
response - servlet response.
Returns:
true if request can be authenticated.

rememberMeLoginToCrowd

protected boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request,
                                         javax.servlet.http.HttpServletResponse response)
Attempts to authenticate the request based on the auto-login cookie (if set). This will only authenticate to Crowd via HttpAuthenticator. This will not set any session variables and the like.

Parameters:
request - servlet request.
response - servlet response.
Returns:
true if authentication via HttpAuthenticator using auto-login credentials successful.

logoutUser

protected abstract void logoutUser(javax.servlet.http.HttpServletRequest request)
This method allows you to remove all session information about the user and force them to re-authenticate. It is also the place to clear application-specific attributes for the user, e.g. org.acegisecurity.context.SecurityContextHolder.clearContext(); in Bamboo.

Parameters:
request - the current request
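The following is an added example, not code from the Crowd integration library, showing what a minimal concrete subclass implementing the abstract logoutUser() hook can look like. It assumes that the host application supplies the CrowdHttpAuthenticator instance to the constructor, that CrowdHttpAuthenticator lives in the com.atlassian.crowd.integration.http package (an assumption about the library layout), and that the package name com.example.auth is a placeholder. The inherited protected logger field from CrowdAuthenticator is used for an audit trace of what gets discarded.

```java
// Added example (not part of the Crowd/Seraph code base): a concrete
// CrowdAuthenticator subclass implementing the abstract logoutUser() hook.
// Assumptions: hypothetical package name; CrowdHttpAuthenticator import path
// is assumed to be com.atlassian.crowd.integration.http.
package com.example.auth;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.atlassian.crowd.integration.http.CrowdHttpAuthenticator;
import com.atlassian.crowd.integration.seraph.v22.CrowdAuthenticator;

public class ExampleAuthenticator extends CrowdAuthenticator {

    public ExampleAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator) {
        // The Crowd HTTP authenticator performs the actual SSO token validation.
        super(crowdHttpAuthenticator);
    }

    @Override
    protected void logoutUser(HttpServletRequest request) {
        // Do not create a session just to destroy it: getSession(false) returns
        // null when the caller never had one, and there is nothing to clear.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }

        // Audit trace of every attribute being discarded, so a logout that
        // leaves user state behind can be spotted in the application log.
        Enumeration<?> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            logger.debug("logoutUser: discarding session attribute " + names.nextElement());
        }

        // Application-specific cleanup belongs here (Bamboo, for example, clears
        // the Acegi SecurityContextHolder at this point).

        // Invalidating the session drops all attributes, including Seraph's
        // LOGGED_IN_KEY / LOGGED_OUT_KEY markers, so the next request from this
        // browser has to re-authenticate. The Crowd SSO token itself is handled
        // by the logout() method that calls this hook.
        session.invalidate();
    }
}
```

The design choice worth noting is that the hook clears server-side state only; clearing the SSO cookie and notifying Crowd stays with logout(), so a subclass that forgets to call through to the superclass cannot leave a valid Crowd token behind while believing the user is logged out.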

getUser

public Principal getUser(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
Specified by:
getUser in interface com.atlassian.seraph.auth.Authenticator
Overrides:
getUser in class com.atlassian.seraph.auth.DefaultAuthenticator


Copyright © 2012 Atlassian. All Rights Reserved.