Class CrowdAuthenticator

java.lang.Object
com.atlassian.seraph.auth.AbstractAuthenticator
com.atlassian.seraph.auth.DefaultAuthenticator
com.atlassian.crowd.integration.seraph.CrowdAuthenticator
All Implemented Interfaces:
com.atlassian.seraph.auth.Authenticator, com.atlassian.seraph.Initable, Serializable

public abstract class CrowdAuthenticator extends com.atlassian.seraph.auth.DefaultAuthenticator
  • Field Summary

    Fields (modifier and type, field name; descriptions are in Field Details below)
    protected static final org.slf4j.Logger logger
    static final String PASSWORD_RESET_REQUIRED_HEADER

    Fields inherited from class com.atlassian.seraph.auth.DefaultAuthenticator

    LOGGED_IN_KEY, LOGGED_IN_USER_ID_KEY, LOGGED_OUT_KEY
  • Constructor Summary

    Constructors
    Constructor
    Description
    CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator, Supplier<CrowdService> crowdServiceSupplier)
     
  • Method Summary

    Methods (modifier and type, method signature, description)
    protected boolean authenticate(Principal user, String password)
      Overrides the super method and always returns true so that authentication is not performed twice when a user logs in.
    protected AuthenticationState checkAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Checks to see if the request can be authenticated.
    protected AuthenticationState checkRememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Attempts to authenticate the request based on the auto-login cookie (if set).
    protected void fetchUserInCache(String username)
      Fetches a user with the given username in the cache, in case the user exists but cannot be found in the cache yet.
    public Principal getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    protected boolean isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Deprecated since 2.9.0.
    boolean login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password, boolean cookie)
      We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token.
    boolean logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    protected abstract void logoutUser(javax.servlet.http.HttpServletRequest request)
      This method allows you to remove all session information about the user and force them to re-authenticate. Override it if you wish to remove specific application attributes for the user as well.
    protected boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Deprecated since 2.9.0.

    Methods inherited from class com.atlassian.seraph.auth.DefaultAuthenticator

    authoriseUserAndEstablishSession, getAuthType, getElevatedSecurityGuard, getLogoutInterceptors, getPrincipalFromSession, getRememberMeService, getRoleMapper, getUser, getUserFromBasicAuthentication, getUserFromCookie, getUserFromSession, init, isAuthorised, isPrincipalAlreadyInSessionContext, putPrincipalInSessionContext, refreshPrincipalObtainedFromSession, removePrincipalFromSessionContext

    Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator

    destroy, getConfig, getRemoteUser, getUser, login

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • PASSWORD_RESET_REQUIRED_HEADER

      public static final String PASSWORD_RESET_REQUIRED_HEADER
    • logger

      protected static final org.slf4j.Logger logger
  • Constructor Details

    • CrowdAuthenticator

      public CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator, Supplier<CrowdService> crowdServiceSupplier)

  • Method Details

    • fetchUserInCache

      protected void fetchUserInCache(String username) throws UserNotFoundException, InvalidAuthenticationException, OperationFailedException
      Fetches a user with the given username in the cache, in case the user exists but cannot be found in the cache yet. By default this method calls DefaultAuthenticator.getUser(String), but JIRA needs to override it, because DefaultAuthenticator.getUser(String) only checks the local cache when retrieving users.
      Parameters:
      username - username of the user to be fetched
      Throws:
      InvalidAuthenticationException - if the application or user authentication was not successful.
      OperationFailedException - if the operation has failed for an unknown reason
      UserNotFoundException
    • authenticate

      protected boolean authenticate(Principal user, String password)
      Overrides the super method and always returns true so that authentication is not performed twice when a user logs in. More info: this is because we subclass login() to perform the authentication, but also call super.login(), which then calls this authenticate() method. We also can't simply implement the authenticate() method on its own, as it does not provide the HttpServletRequest or the HttpServletResponse, which are both required for generating and setting the Crowd SSO token.
      Specified by:
      authenticate in class com.atlassian.seraph.auth.DefaultAuthenticator
    • login

      public boolean login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password, boolean cookie) throws com.atlassian.seraph.auth.AuthenticatorException
      We must override the login() method as it gives us access to the HttpServletRequest and HttpServletResponse, which Crowd needs in order to generate and set the Crowd SSO token. However, super.login() does some magic, including elevated security checks, so we still need to call super.login(), which in turn calls authenticate(). The problem is that we can't put our actual authentication logic in there, as authenticate() does not receive the HttpServletRequest or HttpServletResponse. Perhaps in a later version of Seraph, we can change authenticate() to take the HttpServletRequest and HttpServletResponse as parameters. But for now, we have a hacky solution that piggybacks on the password parameter so authenticate() knows whether to return true or false.
      Specified by:
      login in interface com.atlassian.seraph.auth.Authenticator
      Overrides:
      login in class com.atlassian.seraph.auth.DefaultAuthenticator
      Parameters:
      request - HttpServletRequest from which the validation factors are obtained.
      response - HttpServletResponse on which the SSO cookie is set.
      username - name of user to authenticate.
      password - credential to authenticate.
      cookie - whether to set a remember-me cookie or not.
      Returns:
      true if and only if authentication was successful
      Throws:
      com.atlassian.seraph.auth.AuthenticatorException
    • logout

      public boolean logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws com.atlassian.seraph.auth.AuthenticatorException
      Specified by:
      logout in interface com.atlassian.seraph.auth.Authenticator
      Overrides:
      logout in class com.atlassian.seraph.auth.DefaultAuthenticator
      Throws:
      com.atlassian.seraph.auth.AuthenticatorException
    • isAuthenticated

      @Deprecated protected boolean isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Checks to see if the request can be authenticated. This method checks (in order):
      1. Trusted Apps: it is possible that an earlier filter authenticated the request, so check to see if this is the case.
      2. Crowd Authenticator: if a valid Crowd session-cookie (token) exists, the HttpAuthenticator will authenticate the request as "valid". This will not place the user into the session. See getUser() to see exactly when the user gets placed into session.
      3. Seraph-Remember Me: sees if the request is authenticated via a remember me cookie. If it is, then the user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
      4. Basic Authentication: determines if the request has Basic Auth username/password headers and proceeds to authenticate the user with Crowd if they are present. The user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
      If all checks fail authentication, the isAuthenticated method returns false, and the user is logged out.
      Parameters:
      request - servlet request.
      response - servlet response.
      Returns:
      true if request can be authenticated.
    • checkAuthenticated

      protected AuthenticationState checkAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Checks to see if the request can be authenticated. This method checks (in order):
      1. Trusted Apps: it is possible that an earlier filter authenticated the request, so check to see if this is the case.
      2. Crowd Authenticator: if a valid Crowd session-cookie (token) exists, the HttpAuthenticator will authenticate the request as "valid". This will not place the user into the session. See getUser() to see exactly when the user gets placed into session.
      3. Seraph-Remember Me: sees if the request is authenticated via a remember me cookie. If it is, then the user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
      4. Basic Authentication: determines if the request has Basic Auth username/password headers and proceeds to authenticate the user with Crowd if they are present. The user will be automatically logged into session and a Crowd SSO token will be generated and put on the response.
      If all checks fail authentication, the isAuthenticated method returns false and the user will be logged out.
      Parameters:
      request - servlet request.
      response - servlet response.
      Returns:
      authentication state of the request
      Since:
      2.8.3
    • rememberMeLoginToCrowd

      @Deprecated protected boolean rememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Attempts to authenticate the request based on the auto-login cookie (if set). This will only authenticate to Crowd via HttpAuthenticator. This will not set any session variables and the like.
      Parameters:
      request - servlet request.
      response - servlet response.
      Returns:
      true if authentication via HttpAuthenticator using auto-login credentials successful.
    • checkRememberMeLoginToCrowd

      protected AuthenticationState checkRememberMeLoginToCrowd(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Attempts to authenticate the request based on the auto-login cookie (if set). This will only authenticate to Crowd via HttpAuthenticator. This will not set any session variables and the like.
      Parameters:
      request - servlet request.
      response - servlet response.
      Returns:
      true if authentication via HttpAuthenticator using auto-login credentials successful.
      Since:
      2.8.3
    • logoutUser

      protected abstract void logoutUser(javax.servlet.http.HttpServletRequest request)
      This method allows you to remove all session information about the user and force them to re-authenticate. Override it if you wish to remove specific application attributes for the user as well, e.g. org.acegisecurity.context.SecurityContextHolder.clearContext() as Bamboo does.
      Parameters:
      request - the current request
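      As an added example (not code from the Crowd SDK or from any Atlassian product), the following hypothetical subclass shows the one abstract hook, logoutUser(), that a host application must implement, together with the constructor signature listed above. The class name ExampleCrowdAuthenticator, the session attribute APP_USER_CONTEXT_KEY and the exact import packages for CrowdHttpAuthenticator and CrowdService are assumptions; the servlet calls (getSession(false), removeAttribute, invalidate) are standard Servlet API.

```java
// Added example, not part of the Crowd SDK. ExampleCrowdAuthenticator,
// APP_USER_CONTEXT_KEY and the two com.atlassian imports are assumptions.
package com.example.auth;

import java.util.function.Supplier;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.atlassian.crowd.embedded.api.CrowdService;            // assumed package
import com.atlassian.crowd.integration.http.CrowdHttpAuthenticator; // assumed package
import com.atlassian.crowd.integration.seraph.CrowdAuthenticator;

public class ExampleCrowdAuthenticator extends CrowdAuthenticator {

    // Hypothetical per-user attribute the host application keeps in the session.
    static final String APP_USER_CONTEXT_KEY = "com.example.auth.USER_CONTEXT";

    public ExampleCrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator,
                                     Supplier<CrowdService> crowdServiceSupplier) {
        super(crowdHttpAuthenticator, crowdServiceSupplier);
    }

    /**
     * Called by the logout flow. Drops the application's own user state and then
     * invalidates the whole session, so nothing authenticated survives and the
     * next request has to go through checkAuthenticated() again.
     */
    @Override
    protected void logoutUser(HttpServletRequest request) {
        // Do not create a session merely to destroy it.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        session.removeAttribute(APP_USER_CONTEXT_KEY);
        // Invalidating (rather than only removing the Seraph keys) also gives the
        // user a fresh session id on the next login.
        session.invalidate();
    }
}
```

      Calling invalidate() after removing the attribute matters: attribute access on an invalidated session throws IllegalStateException, so the order above is the only one that works.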
    • getUser

      public Principal getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Specified by:
      getUser in interface com.atlassian.seraph.auth.Authenticator
      Overrides:
      getUser in class com.atlassian.seraph.auth.DefaultAuthenticator