Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

com.atlassian.crowd.manager.authentication
Class TokenAuthenticationManagerImpl

java.lang.Object
  extended by com.atlassian.crowd.manager.authentication.TokenAuthenticationManagerImpl
All Implemented Interfaces:
TokenAuthenticationManager
public class TokenAuthenticationManagerImpl
extends Object
implements TokenAuthenticationManager

Constructor Summary
TokenAuthenticationManagerImpl()
           
 
Method Summary
protected  List<ValidationFactor> activeValidationFactors(ValidationFactor[] factors)
           
 Token authenticateApplication(ApplicationAuthenticationContext authenticationContext)
          Authenticates an application and generates an authentication token.
 Token authenticateUser(UserAuthenticationContext authenticateContext)
          Deprecated. 
 Token authenticateUser(UserAuthenticationContext authenticationContext, boolean validatePassword, boolean ignoreCache, TokenLifetime tokenLifetime)
           
 Token authenticateUser(UserAuthenticationContext authenticateContext, TokenLifetime tokenLifetime)
          Authenticates a user and and generates an authentication token.
 Token authenticateUserWithoutValidatingPassword(UserAuthenticationContext authenticateContext)
          Feigns the authentication process for a user and creates a token for the authentication without validating the password.
 List<Application> findAuthorisedApplications(User user, String applicationName)
          Returns a list of applications a user is authorised to authenticate with.
 User findUserByToken(String tokenKey, String applicationName)
          Will find a user via the passed in token key.
 Token findUserTokenByKey(String tokenKey, String applicationName)
          Returns the token matching a given key
protected  Token generateApplicationToken(ApplicationAuthenticationContext authenticationContext)
           
protected  Token generateUserToken(long directoryID, AuthenticationContext authenticationContext, TokenLifetime tokenLifetime)
          This method will return a Token based on the passed in parameters.
protected  Token genericValidateToken(String token, ValidationFactor[] validationFactors)
          Will validate a token key with the given ValidationFactor's against one (if it exists) in the datastore.
 Date getTokenExpiryTime(Token token)
          Returns the expiry time of a token.
 void invalidateToken(String tokenKey)
          Attempts to invalidate a Token based on the passed in Token key (random hash).
 void invalidateTokensForUser(String username, String exclusionToken, String applicationName)
          Invalidates all sessions for a user, possibly excluding a specific one.
 boolean isAllowedToAuthenticate(String username, long directoryId, Application application)
          Determines if a user is authorised to authenticate with a given application.
 boolean isAllowedToAuthenticate(Token token, Application application)
           
 boolean isAllowedToAuthenticate(Token token, Application application, boolean ignoreCache)
           
protected  boolean isExpired(Token token)
           
 void removeExpiredTokens()
          Removes all tokens that have exceeded their expiry time.
 List<Token> searchTokens(EntityQuery<Token> query)
          Returns a list of tokens matching the given query.
 void setApplicationDao(ApplicationDAO applicationDao)
           
 void setApplicationManager(ApplicationManager applicationManager)
           
 void setApplicationService(ApplicationService applicationService)
           
 void setCacheManager(CacheManager cacheManager)
           
 void setDirectoryManager(DirectoryManager directoryManager)
           
 void setEventPublisher(com.atlassian.event.api.EventPublisher eventPublisher)
           
 void setPropertyManager(PropertyManager propertyManager)
           
 void setTokenFactory(TokenFactory tokenFactory)
           
 void setTokenManager(TokenManager tokenManager)
           
 Token validateApplicationToken(String tokenKey, ValidationFactor[] clientValidationFactors)
          Validates an application token key given validation factors.
 Token validateUserToken(String userTokenKey, ValidationFactor[] validationFactors, String applicationName)
          Validates a user token key given validation factors and checks that the user is allowed to authenticate with the specified application
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

TokenAuthenticationManagerImpl

public TokenAuthenticationManagerImpl()
Method Detail

invalidateToken

public void invalidateToken(String tokenKey)
Description copied from interface: TokenAuthenticationManager
Attempts to invalidate a Token based on the passed in Token key (random hash).

If the token does not exist (ie. already invalidated) this method silently returns. If an existing token is successfully invalidated, a TokenInvalidatedEvent is fired.

Specified by:
invalidateToken in interface TokenAuthenticationManager
Parameters:
tokenKey - the token key (random hash) to invalidate.

searchTokens

public List<Token> searchTokens(EntityQuery<Token> query)
Description copied from interface: TokenAuthenticationManager
Returns a list of tokens matching the given query.

Specified by:
searchTokens in interface TokenAuthenticationManager
Parameters:
query - entity query for Entity.TOKEN.
Returns:
list of Token matching the search criteria.

removeExpiredTokens

public void removeExpiredTokens()
Description copied from interface: TokenAuthenticationManager
Removes all tokens that have exceeded their expiry time.

NOTE: Do not call this method from the web layer, as this is wrapped in a Spring managed transaction.

Specified by:
removeExpiredTokens in interface TokenAuthenticationManager

findUserByToken

public User findUserByToken(String tokenKey,
                            String applicationName)
                     throws InvalidTokenException,
                            OperationFailedException,
                            ApplicationAccessDeniedException
Description copied from interface: TokenAuthenticationManager
Will find a user via the passed in token key.

Specified by:
findUserByToken in interface TokenAuthenticationManager
Parameters:
tokenKey - the token key
applicationName - name of the current application
Returns:
the User associated to the given token key
Throws:
InvalidTokenException - if the User or Directory cannot be found that relates to the given token, or the token is associated to an Application and not a User
OperationFailedException - if there was an issue accessing the user from the underlying directory
ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.

findUserTokenByKey

public Token findUserTokenByKey(String tokenKey,
                                String applicationName)
                         throws InvalidTokenException,
                                ApplicationAccessDeniedException,
                                OperationFailedException,
                                ApplicationNotFoundException
Description copied from interface: TokenAuthenticationManager
Returns the token matching a given key

Specified by:
findUserTokenByKey in interface TokenAuthenticationManager
Parameters:
tokenKey - the token key
applicationName - name of the current application
Returns:
the Token with the given token key
Throws:
InvalidTokenException - if the token cannot be found by the give key, or the token is associated to an Application and not a User
ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.
OperationFailedException - if there was an issue accessing the user from the underlying directory
ApplicationNotFoundException - if the application could not be found

findAuthorisedApplications

public List<Application> findAuthorisedApplications(User user,
                                                    String applicationName)
                                             throws OperationFailedException,
                                                    DirectoryNotFoundException
Description copied from interface: TokenAuthenticationManager
Returns a list of applications a user is authorised to authenticate with.

NOTE: this is a potentially expensive call, iterating all applications and all group mappings for each application and determining group membership, ie. expense = number of applications * number of group mappings per application.

Specified by:
findAuthorisedApplications in interface TokenAuthenticationManager
Parameters:
user - user to search for.
applicationName - name of the current application
Returns:
list of applications.
Throws:
OperationFailedException - if there was an error querying directory.
DirectoryNotFoundException - if the directory could not be found.

authenticateApplication

public Token authenticateApplication(ApplicationAuthenticationContext authenticationContext)
                              throws InvalidAuthenticationException
Description copied from interface: TokenAuthenticationManager
Authenticates an application and generates an authentication token.

Specified by:
authenticateApplication in interface TokenAuthenticationManager
Parameters:
authenticationContext - application authentication credentials.
Returns:
generated authentication token.
Throws:
InvalidAuthenticationException - authentication was not successful because either the application does not exist, the password is incorrect, the application is inactive or there was a problem generating the authentication token.

authenticateUser

public Token authenticateUser(UserAuthenticationContext authenticationContext,
                              boolean validatePassword,
                              boolean ignoreCache,
                              TokenLifetime tokenLifetime)
                       throws InvalidAuthenticationException,
                              OperationFailedException,
                              InactiveAccountException,
                              ApplicationAccessDeniedException,
                              ExpiredCredentialException
Throws:
InvalidAuthenticationException
OperationFailedException
InactiveAccountException
ApplicationAccessDeniedException
ExpiredCredentialException

authenticateUser

@Deprecated
public Token authenticateUser(UserAuthenticationContext authenticateContext)
                       throws InvalidAuthenticationException,
                              OperationFailedException,
                              InactiveAccountException,
                              ApplicationAccessDeniedException,
                              ExpiredCredentialException
Deprecated. 

Specified by:
authenticateUser in interface TokenAuthenticationManager
Throws:
InvalidAuthenticationException
OperationFailedException
InactiveAccountException
ApplicationAccessDeniedException
ExpiredCredentialException
See Also:
TokenAuthenticationManager.authenticateUser(com.atlassian.crowd.model.authentication.UserAuthenticationContext, TokenLifetime)

authenticateUser

public Token authenticateUser(UserAuthenticationContext authenticateContext,
                              TokenLifetime tokenLifetime)
                       throws InvalidAuthenticationException,
                              OperationFailedException,
                              InactiveAccountException,
                              ApplicationAccessDeniedException,
                              ExpiredCredentialException
Description copied from interface: TokenAuthenticationManager
Authenticates a user and and generates an authentication token. The password of the user is validated before generating a token.

The RemoteDirectory.authenticate(String, com.atlassian.crowd.embedded.api.PasswordCredential) method is iteratively called for each assigned directory. If the user does not exist in one directory, the directory is skipped and the next one is examined. If the user does not exist in any of the assigned directories then an InvalidAuthenticationException is thrown.

Specified by:
authenticateUser in interface TokenAuthenticationManager
Parameters:
authenticateContext - The authentication details for the user.
tokenLifetime - Requested lifetime of the token
Returns:
The authenticated token for the user.
Throws:
InvalidAuthenticationException - The authentication was not successful.
OperationFailedException - error thrown by directory implementation when attempting to find or authenticate the user.
InactiveAccountException - user account is inactive.
ApplicationAccessDeniedException - user does not have access to authenticate with application.
ExpiredCredentialException - the user's credentials have expired. The user must change their credentials in order to successfully authenticate.

authenticateUserWithoutValidatingPassword

public Token authenticateUserWithoutValidatingPassword(UserAuthenticationContext authenticateContext)
                                                throws InvalidAuthenticationException,
                                                       OperationFailedException,
                                                       InactiveAccountException,
                                                       ApplicationAccessDeniedException
Description copied from interface: TokenAuthenticationManager
Feigns the authentication process for a user and creates a token for the authentication without validating the password.

This method only be used to generate a token for a user that has already authenticated credentials via some other means (eg. SharePoint NTLM connector) as this method bypasses any password checks.

If you want actual password authentication, use the TokenAuthenticationManager.authenticateUser(com.atlassian.crowd.model.authentication.UserAuthenticationContext, TokenLifetime) method.

Specified by:
authenticateUserWithoutValidatingPassword in interface TokenAuthenticationManager
Parameters:
authenticateContext - The authentication details for the user.
Returns:
The authenticated token for the user.
Throws:
InvalidAuthenticationException - if the authentication was not successful.
OperationFailedException - if the error thrown by directory implementation when attempting to find or authenticate the user.
InactiveAccountException - if the user account is inactive.
ApplicationAccessDeniedException - if the user does not have access to authenticate with application.

validateApplicationToken

public Token validateApplicationToken(String tokenKey,
                                      ValidationFactor[] clientValidationFactors)
                               throws InvalidTokenException
Description copied from interface: TokenAuthenticationManager
Validates an application token key given validation factors.

Specified by:
validateApplicationToken in interface TokenAuthenticationManager
Parameters:
tokenKey - returns a valid token corresponding to the tokenKey.
clientValidationFactors - validation factors for generating the token hash.
Returns:
validated token.
Throws:
InvalidTokenException - if the tokenKey or corresponding client validation factors do not represent a valid application token.

validateUserToken

public Token validateUserToken(String userTokenKey,
                               ValidationFactor[] validationFactors,
                               String applicationName)
                        throws InvalidTokenException,
                               ApplicationAccessDeniedException,
                               OperationFailedException
Description copied from interface: TokenAuthenticationManager
Validates a user token key given validation factors and checks that the user is allowed to authenticate with the specified application

Specified by:
validateUserToken in interface TokenAuthenticationManager
Parameters:
userTokenKey - returns a valid token corresponding to the tokenKey.
validationFactors - validation factors for generating the token hash.
applicationName - name of application to authenticate with.
Returns:
validated authentication token.
Throws:
InvalidTokenException - if the userTokenKey or corresponding validationFactors do not represent a valid SSO token.
ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.
OperationFailedException - there was an error communicating with an underlying directory when determining if a user is allowed to authenticate with the application (eg. if a user has the appropriate group memberships).

activeValidationFactors

protected List<ValidationFactor> activeValidationFactors(ValidationFactor[] factors)

generateUserToken

protected Token generateUserToken(long directoryID,
                                  AuthenticationContext authenticationContext,
                                  TokenLifetime tokenLifetime)
                           throws InvalidTokenException
This method will return a Token based on the passed in parameters. If a token already exists in the datastore, this token will be returned with an updated lastAccessed time. If a token is not found based on the passed in parameters a new Token will be generated an stored in the datastore.

Parameters:
directoryID - the directoryID you wish to generate a Token for
authenticationContext - holder for the required attributes to authenticate against the Crowd server
tokenLifetime - requested lifetime of the token
Returns:
a Token
Throws:
InvalidTokenException - if there was an issue generating the key for a token.

generateApplicationToken

protected Token generateApplicationToken(ApplicationAuthenticationContext authenticationContext)
                                  throws InvalidTokenException
Throws:
InvalidTokenException

genericValidateToken

protected Token genericValidateToken(String token,
                                     ValidationFactor[] validationFactors)
                              throws InvalidTokenException
Will validate a token key with the given ValidationFactor's against one (if it exists) in the datastore.

Parameters:
token - the key of a Token
validationFactors - the ValidationFactor's that are being used for authentication
Returns:
the existing token if there is a match (with an updated lastAccessed time)
Throws:
InvalidTokenException - thrown if the token keys are not equal, or the token has expired, or the token does not exist

isExpired

protected boolean isExpired(Token token)

isAllowedToAuthenticate

public boolean isAllowedToAuthenticate(String username,
                                       long directoryId,
                                       Application application)
                                throws OperationFailedException,
                                       DirectoryNotFoundException
Determines if a user is authorised to authenticate with a given application.

For a a user to have access to an application:

  1. the Application must be active.

And either:

Note that this call is not cached and does not affect the cache.

Parameters:
application - application the user wants to authenticate with.
username - the username of the user that wants to authenticate with the application.
directoryId - the directoryId of the user that wants to authenticate with the application.
Returns:
true iff the user is authorised to authenticate with the application.
Throws:
OperationFailedException - if the directory implementation could not be loaded when performing a membership check.
DirectoryNotFoundException

isAllowedToAuthenticate

public boolean isAllowedToAuthenticate(Token token,
                                       Application application,
                                       boolean ignoreCache)
                                throws OperationFailedException,
                                       DirectoryNotFoundException
Throws:
OperationFailedException
DirectoryNotFoundException

isAllowedToAuthenticate

public boolean isAllowedToAuthenticate(Token token,
                                       Application application)
                                throws OperationFailedException,
                                       DirectoryNotFoundException
Throws:
OperationFailedException
DirectoryNotFoundException

invalidateTokensForUser

public void invalidateTokensForUser(String username,
                                    String exclusionToken,
                                    String applicationName)
                             throws UserNotFoundException,
                                    ApplicationNotFoundException
Description copied from interface: TokenAuthenticationManager
Invalidates all sessions for a user, possibly excluding a specific one.

Specified by:
invalidateTokensForUser in interface TokenAuthenticationManager
exclusionToken - the random hash of a token to leave valid
applicationName - name of the current application
Throws:
UserNotFoundException
ApplicationNotFoundException

getTokenExpiryTime

public Date getTokenExpiryTime(Token token)
Description copied from interface: TokenAuthenticationManager
Returns the expiry time of a token.

Specified by:
getTokenExpiryTime in interface TokenAuthenticationManager
Parameters:
token - a token
Returns:
the expiry time for the given token

setTokenManager

public void setTokenManager(TokenManager tokenManager)

setApplicationDao

public void setApplicationDao(ApplicationDAO applicationDao)

setTokenFactory

public void setTokenFactory(TokenFactory tokenFactory)

setCacheManager

public void setCacheManager(CacheManager cacheManager)

setEventPublisher

public void setEventPublisher(com.atlassian.event.api.EventPublisher eventPublisher)

setPropertyManager

public void setPropertyManager(PropertyManager propertyManager)

setDirectoryManager

public void setDirectoryManager(DirectoryManager directoryManager)

setApplicationManager

public void setApplicationManager(ApplicationManager applicationManager)

setApplicationService

public void setApplicationService(ApplicationService applicationService)
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2013 Atlassian. All Rights Reserved.