com.atlassian.crowd.integration.seraph.v25
Class CrowdAuthenticator
java.lang.Object
com.atlassian.seraph.auth.AbstractAuthenticator
com.atlassian.seraph.auth.DefaultAuthenticator
com.atlassian.crowd.integration.seraph.v25.CrowdAuthenticator
- All Implemented Interfaces:
- com.atlassian.seraph.auth.Authenticator, com.atlassian.seraph.Initable, Serializable
public abstract class CrowdAuthenticator
- extends com.atlassian.seraph.auth.DefaultAuthenticator
- See Also:
- Serialized Form
Field Summary
- protected static org.slf4j.Logger logger
Fields inherited from class com.atlassian.seraph.auth.DefaultAuthenticator
- LOGGED_IN_KEY, LOGGED_OUT_KEY
Fields inherited from interface com.atlassian.seraph.auth.Authenticator
- DEFAULT_AUTHENTICATOR
Method Summary
- protected boolean authenticate(Principal user, String password)
  Override the super method, always return true so that authentication is not called twice when a user logs in.
- protected void fetchUserInCache(String username)
  Fetches a user with the given username in the cache, in case the user exists, but cannot be found from the cache yet.
- Principal getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- protected boolean isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Checks to see if the request can be authenticated.
- boolean login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password, boolean cookie)
  We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token.
- boolean logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- protected abstract void logoutUser(javax.servlet.http.HttpServletRequest request)
  This method will allow you to remove all session information about the user and force them to re-authenticate.
- protected boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Attempts to authenticate the request based on the auto-login cookie (if set).
Methods inherited from class com.atlassian.seraph.auth.DefaultAuthenticator
- authoriseUserAndEstablishSession, getAuthType, getElevatedSecurityGuard, getLogoutInterceptors, getRememberMeService, getRoleMapper, getUser, getUserFromBasicAuthentication, getUserFromCookie, getUserFromSession, init, isAuthorised, isPrincipalAlreadyInSessionContext, isUserInRole, putPrincipalInSessionContext, refreshPrincipalObtainedFromSession, removePrincipalFromSessionContext
Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator
- destroy, getConfig, getRemoteUser, getUser, login
Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
logger
protected static final org.slf4j.Logger logger
CrowdAuthenticator
public CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator)
fetchUserInCache
protected void fetchUserInCache(String username)
throws UserNotFoundException,
InvalidAuthenticationException,
OperationFailedException
- Fetches a user with the given username in the cache, in case the user exists, but cannot be found from the cache yet.
By default this method will call DefaultAuthenticator.getUser(String), but JIRA needs to override it, because DefaultAuthenticator.getUser(String) only checks the local cache when retrieving users.
- Parameters:
username - username of the user to be fetched
- Throws:
InvalidAuthenticationException - if the application or user authentication was not successful.
OperationFailedException - if the operation has failed for an unknown reason
UserNotFoundException
authenticate
protected boolean authenticate(Principal user,
String password)
- Override the super method, always return true so that authentication is not called twice when a user logs in.
More info: this is because we subclass login() to perform the authentication, but also call super.login(), which then calls this authenticate() method. We also can't just implement the authenticate() method, as it does not provide the HttpServletRequest or the HttpServletResponse, which are both required for generating and setting the Crowd SSO token.
- Specified by:
authenticate
in class com.atlassian.seraph.auth.DefaultAuthenticator
login
public boolean login(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
String username,
String password,
boolean cookie)
throws com.atlassian.seraph.auth.AuthenticatorException
- We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token.
However, super.login() does some magic, including elevated security checks, so we still need to call super.login(), which in turn calls authenticate().
The problem is that we can't put our actual authentication logic in there, as authenticate() doesn't pass the HttpServletRequest or HttpServletResponse into the method.
Perhaps in a later version of Seraph, we can change authenticate() to take the HttpServletRequest and HttpServletResponse as parameters. But for now, we have a hacky solution that piggybacks the password parameter so authenticate() knows whether to return true or false.
- Specified by:
login
in interface com.atlassian.seraph.auth.Authenticator
- Overrides:
login
in class com.atlassian.seraph.auth.DefaultAuthenticator
- Parameters:
request - HttpServletRequest from which the validation factors are obtained.
response - HttpServletResponse on which the SSO cookie is set.
username - name of user to authenticate.
password - credential to authenticate.
cookie - whether to set a remember-me cookie or not.
- Returns:
true if and only if authentication was succe
- Throws:
com.atlassian.seraph.auth.AuthenticatorException
logout
public boolean logout(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws com.atlassian.seraph.auth.AuthenticatorException
- Specified by:
logout
in interface com.atlassian.seraph.auth.Authenticator
- Overrides:
logout
in class com.atlassian.seraph.auth.DefaultAuthenticator
- Throws:
com.atlassian.seraph.auth.AuthenticatorException
isAuthenticated
protected boolean isAuthenticated(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
- Checks to see if the request can be authenticated. This method checks (in order):
  - Trusted Apps: it is possible that an earlier filter authenticated the request, so check to see if this is the case.
  - Crowd Authenticator: if a valid Crowd session-cookie (token) exists, the HttpAuthenticator will authenticate the request as "valid". This will not place the user into the session. See getUser() to see exactly when the user gets placed into session.
  - Seraph Remember Me: sees if the request is authenticated via a remember-me cookie. If it is, then the user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
  - Basic Authentication: determines if the request has Basic Auth username/password headers and proceeds to authenticate the user with Crowd if they are present. The user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
If all checks fail authentication, the isAuthenticated method returns false, and the user is logged out.
- Parameters:
request - servlet request.
response - servlet response.
- Returns:
true if the request can be authenticated.
rememberMeLoginToCrowd
protected boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
- Attempts to authenticate the request based on the auto-login cookie (if set). This will only authenticate to Crowd via HttpAuthenticator. This will not set any session variables and the like.
- Parameters:
request - servlet request.
response - servlet response.
- Returns:
true if authentication via HttpAuthenticator using auto-login credentials was successful.
logoutUser
protected abstract void logoutUser(javax.servlet.http.HttpServletRequest request)
- This method will allow you to remove all session information about the user and force them to re-authenticate. If you wish to remove specific application attributes for the user, this is the place to do it, e.g. org.acegisecurity.context.SecurityContextHolder.clearContext(); as done in Bamboo.
- Parameters:
request - the current request
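An added example (not code from Crowd, Seraph or any Atlassian product) of the minimal concrete subclass this abstract class requires: it passes the CrowdHttpAuthenticator through to the constructor and implements logoutUser() so that application-specific state and the servlet session are discarded together. The import package for CrowdHttpAuthenticator and the session attribute name are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Assumed package for CrowdHttpAuthenticator; adjust to the Crowd version in use.
import com.atlassian.crowd.integration.http.CrowdHttpAuthenticator;
import com.atlassian.crowd.integration.seraph.v25.CrowdAuthenticator;

// Example application authenticator (hypothetical, not part of any Atlassian product).
public class ExampleAppAuthenticator extends CrowdAuthenticator {

    // Assumed name of an application-specific session attribute holding per-user state.
    private static final String APP_USER_STATE_KEY = "example.app.userState";

    public ExampleAppAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator) {
        super(crowdHttpAuthenticator);
    }

    // Called from logout(); the Crowd SSO token itself is handled by the superclass,
    // this hook only has to dispose of what the application put in the session.
    @Override
    protected void logoutUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // no session exists, nothing to clear
        }
        // Remove application state explicitly so nothing is left for a listener
        // or serialized session store to pick up after logout.
        session.removeAttribute(APP_USER_STATE_KEY);
        // Invalidate the whole session: the Seraph principal keys go with it and the
        // next login gets a fresh session id, which also defeats session fixation.
        session.invalidate();
    }
}
```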
getUser
public Principal getUser(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
- Specified by:
getUser
in interface com.atlassian.seraph.auth.Authenticator
- Overrides:
getUser
in class com.atlassian.seraph.auth.DefaultAuthenticator
Copyright © 2012 Atlassian. All Rights Reserved.