com.atlassian.crowd.integration.seraph

Class CrowdAuthenticator

java.lang.Object

com.atlassian.seraph.auth.AbstractAuthenticator

com.atlassian.seraph.auth.DefaultAuthenticator

com.atlassian.crowd.integration.seraph.CrowdAuthenticator

All Implemented Interfaces:

com.atlassian.seraph.auth.Authenticator, com.atlassian.seraph.Initable, Serializable

public abstract class CrowdAuthenticator
extends com.atlassian.seraph.auth.DefaultAuthenticator

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
protected static org.slf4j.Logger	logger
static String	PASSWORD_RESET_REQUIRED_HEADER

Fields inherited from class com.atlassian.seraph.auth.DefaultAuthenticator

LOGGED_IN_KEY, LOGGED_OUT_KEY

Constructor Summary

Constructors

Constructor and Description
CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator, Supplier<CrowdService> crowdServiceSupplier)

Method Summary

Modifier and Type	Method and Description
protected boolean	authenticate(Principal user, String password) Override the super method, always return true so that authentication is not called twice when a user logs in.
protected AuthenticationState	checkAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Checks to see if the request can be authenticated.
protected AuthenticationState	checkRememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Attempts to authenticate the request based on the auto-login cookie (if set).
protected void	fetchUserInCache(String username) Fetches a user with the given username in the cache, in case the user exists, but cannot be found from the cache yet.
Principal	getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected boolean	isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Deprecated. since 2.9.0. Use checkAuthenticated(HttpServletRequest, HttpServletResponse) instead.
boolean	login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password, boolean cookie) We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token.
boolean	logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected abstract void	logoutUser(javax.servlet.http.HttpServletRequest request) This method will allow you to remove all session information about the user and force them to re-authenticate If you wish to remove specific application attributes for the user, e.g.
protected boolean	rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Deprecated. since 2.9.0. Use checkRememberMeLoginToCrowd(HttpServletRequest, HttpServletResponse) instead.

Methods inherited from class com.atlassian.seraph.auth.DefaultAuthenticator

authoriseUserAndEstablishSession, getAuthType, getElevatedSecurityGuard, getLogoutInterceptors, getRememberMeService, getRoleMapper, getUser, getUserFromBasicAuthentication, getUserFromCookie, getUserFromSession, init, isAuthorised, isPrincipalAlreadyInSessionContext, putPrincipalInSessionContext, refreshPrincipalObtainedFromSession, removePrincipalFromSessionContext

Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator

destroy, getConfig, getRemoteUser, getUser, login

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PASSWORD_RESET_REQUIRED_HEADER

public static final String PASSWORD_RESET_REQUIRED_HEADER

See Also:

Constant Field Values

logger

protected static final org.slf4j.Logger logger

Constructor Detail

CrowdAuthenticator

public CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator,
                          Supplier<CrowdService> crowdServiceSupplier)

Method Detail

fetchUserInCache

protected void fetchUserInCache(String username)
                         throws UserNotFoundException,
                                InvalidAuthenticationException,
                                OperationFailedException

Fetches a user with the given username in the cache, in case the user exists, but cannot be found from the cache yet. By default this method will call DefaultAuthenticator.getUser(String), but JIRA needs to override it, because DefaultAuthenticator.getUser(String) only checks the local cache when retrieving users.

Parameters:

username - username of the user to be fetched

Throws:

InvalidAuthenticationException - if the application or user authentication was not successful.

OperationFailedException - if the operation has failed for an unknown reason

UserNotFoundException

authenticate

protected boolean authenticate(Principal user,
                               String password)

Override the super method, always return true so that authentication is not called twice when a user logs in. More info: this is because we subclass login() to perform the authentication, but also call super.login(), which then calls this authenticate() method. We also can't just implement the authenticate() method as it does not provide the HttpServletRequest nor the HttpServletResponse, which are both required for generating and setting the Crowd SSO token.

Specified by:

authenticate in class com.atlassian.seraph.auth.DefaultAuthenticator

login

public boolean login(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     String username,
                     String password,
                     boolean cookie)
              throws com.atlassian.seraph.auth.AuthenticatorException

We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token. However, super.login() does some magic, including elevated security checks, so we still need to call super.login() - which in turn calls authenticate(). Problem is, we can't put our actual authentication login in their as authenticate() doesn't pass the HttpServletRequest or HttpServletResponse into the method. Perhaps in a later version of Seraph, we can change authenticate to take the HttpServletRequest and HttpServletResponse as parameters. But for now, we have a hacky solution that piggybacks the password parameter so authenticate() knows whether to return true or false.

Specified by:

login in interface com.atlassian.seraph.auth.Authenticator

Overrides:

login in class com.atlassian.seraph.auth.DefaultAuthenticator

Parameters:

request - HttpServletRequest obtain validation factors.

response - HttpServletResponse SSO cookie is set on response.

username - name of user to authenticate.

password - credential to authenticate.

cookie - whether to set a remember-me cookie or not.

Returns:

true if and only if authentication was successful

Throws:

com.atlassian.seraph.auth.AuthenticatorException

logout

public boolean logout(javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)
               throws com.atlassian.seraph.auth.AuthenticatorException

Specified by:

logout in interface com.atlassian.seraph.auth.Authenticator

Overrides:

logout in class com.atlassian.seraph.auth.DefaultAuthenticator

Throws:

com.atlassian.seraph.auth.AuthenticatorException

isAuthenticated

@Deprecated
protected boolean isAuthenticated(javax.servlet.http.HttpServletRequest request,
                                              javax.servlet.http.HttpServletResponse response)

Deprecated. since 2.9.0. Use checkAuthenticated(HttpServletRequest, HttpServletResponse) instead.

Checks to see if the request can be authenticated. This method checks (in order):

1. Trusted Apps: it is possible that an earlier filter authenticated the request, so check to see if this is the case.
2. Crowd Authenticator: if a valid Crowd session-cookie (token) exists, the HttpAuthenticator will authenticate the request as "valid". This will not place the user into the session. See getUser() to see exactly when the user gets placed into session.
3. Seraph-Remember Me: sees if the request is authenticated via a remember me cookie. If it is, then the user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
4. Basic Authentication: determines if the request has Basic Auth username/password headers and proceeds to authenticate the user with Crowd if they are present. The user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.

If all checks fail authentication, the isAuthenticated method returns false, and the user is logged out.

Parameters:

request - servlet request.

response - servlet response.

Returns:

true if request can be authenticated.

checkAuthenticated

protected AuthenticationState checkAuthenticated(javax.servlet.http.HttpServletRequest request,
                                                 javax.servlet.http.HttpServletResponse response)

Checks to see if the request can be authenticated. This method checks (in order):

1. Trusted Apps: it is possible that an earlier filter authenticated the request, so check to see if this is the case.
2. Crowd Authenticator: if a valid Crowd session-cookie (token) exists, the HttpAuthenticator will authenticate the request as "valid". This will not place the user into the session. See getUser() to see exactly when the user gets placed into session.
3. Seraph-Remember Me: sees if the request is authenticated via a remember me cookie. If it is, then the user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
4. Basic Authentication: determines if the request has Basic Auth username/password headers and proceeds to authenticate the user with Crowd if they are present. The user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.

If all checks fail authentication, the isAuthenticated method returns false, and the user will be logged out.

Parameters:

request - servlet request.

response - servlet response.

Returns:

authentication state of the request

Since:

2.8.3

rememberMeLoginToCrowd

@Deprecated
protected boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request,
                                                     javax.servlet.http.HttpServletResponse response)

Deprecated. since 2.9.0. Use checkRememberMeLoginToCrowd(HttpServletRequest, HttpServletResponse) instead.

Attempts to authenticate the request based on the auto-login cookie (if set). This will only authenticate to Crowd via HttpAuthenticator. This will not set any session variables and the like.

Parameters:

request - servlet request.

response - servlet response.

Returns:

true if authentication via HttpAuthenticator using auto-login credentials successful.

checkRememberMeLoginToCrowd

protected AuthenticationState checkRememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request,
                                                          javax.servlet.http.HttpServletResponse response)

Attempts to authenticate the request based on the auto-login cookie (if set). This will only authenticate to Crowd via HttpAuthenticator. This will not set any session variables and the like.

Parameters:

request - servlet request.

response - servlet response.

Returns:

true if authentication via HttpAuthenticator using auto-login credentials successful.

Since:

2.8.3

logoutUser

protected abstract void logoutUser(javax.servlet.http.HttpServletRequest request)

This method will allow you to remove all session information about the user and force them to re-authenticate If you wish to remove specific application attributes for the user, e.g. org.acegisecurity.context.SecurityContextHolder.clearContext(); from Bamboo

Parameters:

request - the current request

getUser

public Principal getUser(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)

Specified by:

getUser in interface com.atlassian.seraph.auth.Authenticator

Overrides:

getUser in class com.atlassian.seraph.auth.DefaultAuthenticator