Class CrowdAuthenticationProvider

java.lang.Object
com.atlassian.crowd.integration.springsecurity.CrowdAuthenticationProvider
All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider
Direct Known Subclasses:
LocalCrowdAuthenticationProvider, RemoteCrowdAuthenticationProvider

public abstract class CrowdAuthenticationProvider extends Object implements org.springframework.security.authentication.AuthenticationProvider
The CrowdAuthenticationProvider can be used in both SSO and non-SSO mode.

When coupled with the CrowdSSOAuthenticationProcessingFilter, single sign-on is established via the Crowd server and Crowd SSO tokens.

When coupled with the Spring Security AuthenticationProcessingFilter, centralised authentication is established via the Crowd server.

Author:
Shihab Hamid
  • Constructor Details

    • CrowdAuthenticationProvider

      public CrowdAuthenticationProvider()
  • Method Details

    • authenticate

      public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
      Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).

      This AuthenticationProvider supports UsernamePasswordAuthenticationTokens for login operations where a username, password and possibly validation factors (for SSO) are provided. It also supports CrowdSSOAuthenticationToken for authentication verification operations, where the SSO token and validation factors are provided for SSO authentication.

      See CrowdAuthenticationProvider.authenticateUsernamePassword() and CrowdAuthenticationProvider.authenticateCrowdSSO() for more specific information on the authentication process.

      Specified by:
      authenticate in interface org.springframework.security.authentication.AuthenticationProvider
      Parameters:
      authentication - the authentication request object.
      Returns:
      a fully authenticated object including credentials. May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object. In such a case, the next AuthenticationProvider that supports the presented Authentication class will be tried.
      Throws:
      org.springframework.security.core.AuthenticationException - if authentication fails.
    • authenticateUsernamePassword

      protected org.springframework.security.core.Authentication authenticateUsernamePassword(org.springframework.security.authentication.UsernamePasswordAuthenticationToken passwordToken) throws org.springframework.security.core.AuthenticationException
      Attempts to authenticate a login request based on username (principal), password (credentials), and (optional) ValidationFactor[]s (details).

      The returned Authentication will be either:
      - a UsernamePasswordAuthenticationToken, if the request has no ValidationFactor[]s and hence is not SSO. The credentials will be the password.
      - a CrowdSSOAuthenticationToken, if the request does have ValidationFactor[]s. The credentials will be set to the SSO token string.

      The principal will be set to the UserDetails object corresponding to the username. The granted authorities will be UserDetails.getAuthorities().

      Parameters:
      passwordToken - authentication token containing the username, password and (optional) ValidationFactor[]s.
      Returns:
      an authenticated Authentication token.
      Throws:
      org.springframework.security.core.AuthenticationException - if there was a problem authenticating the username/password combination.
    • isAuthenticated

      protected abstract boolean isAuthenticated(String token, List<ValidationFactor> validationFactors) throws OperationFailedException, InvalidAuthenticationException, ApplicationPermissionException
      Determine if a remote user is authenticated via SSO based on the supplied SSO token string and validation factors.
      Parameters:
      token - Crowd SSO token.
      validationFactors - validation factors.
      Returns:
      true iff the remote user is authenticated.
      Throws:
      OperationFailedException
      InvalidAuthenticationException
      ApplicationPermissionException
    • authenticate

      Authenticate a remote user and return the Crowd SSO token string.
      Parameters:
      username - username of the remote user.
      password - password of the remote user.
      validationFactors - validation factors from the remote user.
      Returns:
      Crowd SSO token string
      Throws:
      InvalidAuthorizationTokenException - invalid application client.
      InvalidAuthenticationException - invalid username/password.
      InactiveAccountException
      ExpiredCredentialException
      ApplicationPermissionException
      OperationFailedException
      ApplicationAccessDeniedException
    • authenticateWithoutPassword

      Authenticate a remote user without password and return the Crowd SSO token string.
      Parameters:
      username - username of the remote user.
      validationFactors - validation factors from the remote user.
      Returns:
      Crowd SSO token string
      Throws:
      InvalidAuthorizationTokenException - invalid application client.
      InvalidAuthenticationException - invalid username.
      InactiveAccountException
      ExpiredCredentialException
      ApplicationPermissionException
      OperationFailedException
      ApplicationAccessDeniedException
      Since:
      v3.4
    • loadUserByUsername

      protected abstract CrowdUserDetails loadUserByUsername(String username) throws org.springframework.security.core.userdetails.UsernameNotFoundException, org.springframework.dao.DataAccessException
      Retrieve the user details for a user based on their username.
      Parameters:
      username - username of user.
      Returns:
      user details of user.
      Throws:
      org.springframework.security.core.userdetails.UsernameNotFoundException - user with supplied username does not exist.
      org.springframework.dao.DataAccessException - error retrieving user.
    • loadUserByToken

      protected abstract CrowdUserDetails loadUserByToken(String token) throws CrowdSSOTokenInvalidException, org.springframework.dao.DataAccessException
      Retrieve a user from Crowd by looking up the principal by their authenticated Crowd token.
      Parameters:
      token - Crowd SSO token string.
      Returns:
      CrowdUserDetails corresponding to the principal.
      Throws:
      CrowdSSOTokenInvalidException - if the provided token is invalid.
      org.springframework.dao.DataAccessException - error retrieving user.
    • authenticateCrowdSSO

      protected org.springframework.security.core.Authentication authenticateCrowdSSO(CrowdSSOAuthenticationToken ssoToken) throws org.springframework.security.core.AuthenticationException
      Attempts to authenticate based on an existing Crowd token and validation factors from an HttpServletRequest.

      The credentials of the ssoToken must be set to the String representation of the Crowd SSO token; the details must be set to the ValidationFactor[]s from the request.

      The returned authentication will be a CrowdSSOAuthenticationToken with the same SSO token string credential. The principal will be set to the UserDetails object corresponding to the username. The granted authorities will be UserDetails.getAuthorities().

      Parameters:
      ssoToken - ssoToken containing the token string credential and validation factors as details.
      Returns:
      an authenticated Authentication token.
      Throws:
      org.springframework.security.core.AuthenticationException - if there was a problem verifying the existing token is valid.
    • authenticateCrowdRememberedUsername

      protected org.springframework.security.core.Authentication authenticateCrowdRememberedUsername(CrowdRememberMeAuthentication rememberMeAuthentication) throws org.springframework.security.core.AuthenticationException
      Throws:
      org.springframework.security.core.AuthenticationException
    • translateException

      protected org.springframework.security.core.AuthenticationException translateException(Exception e)
      Converts Crowd-specific exceptions to Spring Security-friendly exceptions.
      Parameters:
      e - Crowd-specific exception.
      Returns:
      Spring Security-friendly exception.
    • supports

      public boolean supports(Class<?> authentication)
      Returns true if this AuthenticationProvider supports the indicated Authentication object.

      The CrowdAuthenticationProvider supports UsernamePasswordAuthenticationTokens and CrowdSSOAuthenticationTokens.

      Specified by:
      supports in interface org.springframework.security.authentication.AuthenticationProvider
    • supports

      public boolean supports(org.springframework.security.authentication.AbstractAuthenticationToken authenticationToken)
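
Added example (not part of this Javadoc or the Crowd code base): how Spring Security's ProviderManager applies the authenticate return contract and supports check described above when several providers are chained. The provider helper and the DIRECTORY and LOCAL names are hypothetical stand-ins, not Crowd classes; spring-security-core is assumed to be on the classpath.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderChainDemo {
    // Hypothetical stand-in provider: outcome null = abstain, false = reject, true = accept.
    static AuthenticationProvider provider(String name, Boolean outcome) {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication request) {
                if (outcome == null) {
                    return null; // "unable to support": the next provider is tried
                }
                if (!outcome) {
                    throw new BadCredentialsException(name + " rejected " + request.getName());
                }
                return new UsernamePasswordAuthenticationToken(request.getName(),
                        request.getCredentials(), AuthorityUtils.createAuthorityList("ROLE_" + name));
            }
            @Override
            public boolean supports(Class<?> type) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
            }
        };
    }

    // Runs one constructed login through the chain and reports which provider decided it.
    static String decidedBy(AuthenticationProvider... chain) {
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "constructed-password");
        try {
            return new ProviderManager(List.of(chain)).authenticate(request).getAuthorities().toString();
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Abstention (null) falls through to the next provider.
        System.out.println(decidedBy(provider("DIRECTORY", null), provider("LOCAL", true)));
        // A BadCredentialsException is remembered but the chain continues, so LOCAL can still accept.
        System.out.println(decidedBy(provider("DIRECTORY", false), provider("LOCAL", true)));
        // With no later provider, the rejection reaches the caller.
        System.out.println(decidedBy(provider("DIRECTORY", false)));
    }
}
```

ProviderManager stops the chain immediately only for AccountStatusException and InternalAuthenticationServiceException, so any provider registered after a CrowdAuthenticationProvider subclass should be reviewed as a second acceptance path for the same credentials.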