com.atlassian.refapp.auth.internal

Class AtlassianUserAuthenticator

java.lang.Object

com.atlassian.seraph.auth.AbstractAuthenticator

com.atlassian.refapp.auth.internal.AtlassianUserAuthenticator

All Implemented Interfaces:

com.atlassian.seraph.auth.Authenticator, com.atlassian.seraph.Initable, Serializable

public class AtlassianUserAuthenticator
extends com.atlassian.seraph.auth.AbstractAuthenticator

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static String	LOGGED_IN_KEY The key used to store the user object in the session
static String	LOGGED_OUT_KEY The key used to indicate that the user has logged out and session regarding of it containing a cookie is not logged in.

Fields inherited from interface com.atlassian.seraph.auth.Authenticator

DEFAULT_AUTHENTICATOR

Constructor Summary

Constructors

Constructor and Description
AtlassianUserAuthenticator(com.atlassian.user.UserManager userManager, com.atlassian.user.security.authentication.Authenticator authenticator, WebSudoSessionManager websudoManager)

Method Summary

Modifier and Type	Method and Description
protected boolean	authenticate(String username, String password)
protected String[]	decodeCookie(String value)
protected String	encodeCookie(String username, String password)
String	getAuthType()
protected String	getCookiePath(javax.servlet.http.HttpServletRequest request) Root the login cookie at the same location as the webapp.
protected String	getLoginCookieKey()
protected String	getLoginCookiePath()
protected List	getLogoutInterceptors()
protected com.atlassian.seraph.auth.RoleMapper	getRoleMapper()
Principal	getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Returns the currently logged in user, trying in order: Session, only if one exists Cookie, only if no session exists Basic authentication, if the above fail, and authType=basic
protected Principal	getUser(String username)
protected Principal	getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Checks the Authorization header to see whether basic auth token is provided.
protected Principal	getUserFromCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Extracts the username and password from the cookie and calls login to authenticate, and if successful store the token in the session.
protected Principal	getUserFromSession(javax.servlet.http.HttpServletRequest request) Tries to get a logged in user from the session.
void	init(Map params, com.atlassian.seraph.config.SecurityConfig config)
boolean	isUserInRole(javax.servlet.http.HttpServletRequest request, String role) Deprecated. Use RoleMapper directly
boolean	login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password, boolean cookie) Tries to authenticate a user (via OSUser).
boolean	logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator

destroy, getConfig, getRemoteUser, getUser, login

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOGGED_IN_KEY

public static final String LOGGED_IN_KEY

The key used to store the user object in the session

See Also:

Constant Field Values

LOGGED_OUT_KEY

public static final String LOGGED_OUT_KEY

The key used to indicate that the user has logged out and session regarding of it containing a cookie is not logged in.

See Also:

Constant Field Values

Constructor Detail

AtlassianUserAuthenticator

public AtlassianUserAuthenticator(com.atlassian.user.UserManager userManager,
                                  com.atlassian.user.security.authentication.Authenticator authenticator,
                                  WebSudoSessionManager websudoManager)

Method Detail

init

public void init(Map params,
                 com.atlassian.seraph.config.SecurityConfig config)

Specified by:

init in interface com.atlassian.seraph.Initable

Overrides:

init in class com.atlassian.seraph.auth.AbstractAuthenticator

isUserInRole

public boolean isUserInRole(javax.servlet.http.HttpServletRequest request,
                            String role)

Deprecated. Use RoleMapper directly

Specified by:

isUserInRole in interface com.atlassian.seraph.auth.Authenticator

Specified by:

isUserInRole in class com.atlassian.seraph.auth.AbstractAuthenticator

login

public boolean login(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     String username,
                     String password,
                     boolean cookie)
              throws com.atlassian.seraph.auth.AuthenticatorException

Tries to authenticate a user (via OSUser). If successful, sets a session attribute and cookie indicating their logged-in status.

Specified by:

login in interface com.atlassian.seraph.auth.Authenticator

Specified by:

login in class com.atlassian.seraph.auth.AbstractAuthenticator

Returns:

Whether the user was authenticated. This base implementation returns false if any errors occur, rather than throw an exception.

Throws:

com.atlassian.seraph.auth.AuthenticatorException

getRoleMapper

protected com.atlassian.seraph.auth.RoleMapper getRoleMapper()

logout

public boolean logout(javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)
               throws com.atlassian.seraph.auth.AuthenticatorException

Specified by:

logout in interface com.atlassian.seraph.auth.Authenticator

Specified by:

logout in class com.atlassian.seraph.auth.AbstractAuthenticator

Throws:

com.atlassian.seraph.auth.AuthenticatorException

getUser

public Principal getUser(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)

Returns the currently logged in user, trying in order:

1. Session, only if one exists
2. Cookie, only if no session exists
3. Basic authentication, if the above fail, and authType=basic

Warning: only in the case of cookie and basic auth will the user be authenticated.

Specified by:

getUser in interface com.atlassian.seraph.auth.Authenticator

Specified by:

getUser in class com.atlassian.seraph.auth.AbstractAuthenticator

Parameters:

response - a response object that may be modified if basic auth is enabled

Returns:

a Principal object for the user if found, otherwise null

getUserFromCookie

protected Principal getUserFromCookie(javax.servlet.http.HttpServletRequest request,
                                      javax.servlet.http.HttpServletResponse response)

Extracts the username and password from the cookie and calls login to authenticate, and if successful store the token in the session.

Parameters:

request - to get cookie for

response - to set cookie in

Returns:

a Principal object for the user if successful, otherwise null

getUserFromSession

protected Principal getUserFromSession(javax.servlet.http.HttpServletRequest request)

Tries to get a logged in user from the session.

Parameters:

request - the current HttpServletRequest

Returns:

the logged in user in the session. null if there is no logged in user in the session, or the LOGGED_OUT_KEY is set because the user has logged out.

getUserFromBasicAuthentication

protected Principal getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest request,
                                                   javax.servlet.http.HttpServletResponse response)

Checks the Authorization header to see whether basic auth token is provided. If it is, decode it, login and return the valid user. If it isn't, basic auth is still required, so return a 401 Authorization Required header in the response.

Parameters:

request - object to get headers from

response - a response object that will be modified if no token found

Returns:

Logged user or null if no user logger in

getCookiePath

protected String getCookiePath(javax.servlet.http.HttpServletRequest request)

Root the login cookie at the same location as the webapp.

Anyone wanting a different cookie path policy can override the authenticator and provide one.

Parameters:

request - to c

Returns:

login path

getLoginCookieKey

protected String getLoginCookieKey()

getAuthType

public String getAuthType()

getLogoutInterceptors

protected List getLogoutInterceptors()

encodeCookie

protected String encodeCookie(String username,
                              String password)

decodeCookie

protected String[] decodeCookie(String value)

getLoginCookiePath

protected String getLoginCookiePath()

getUser

protected Principal getUser(String username)

authenticate

protected boolean authenticate(String username,
                               String password)