com.atlassian.seraph.auth
Class DefaultAuthenticator

java.lang.Object
  extended by com.atlassian.seraph.auth.AbstractAuthenticator
      extended by com.atlassian.seraph.auth.DefaultAuthenticator
All Implemented Interfaces:
Authenticator, Initable, java.io.Serializable

public class DefaultAuthenticator
extends AbstractAuthenticator

This authenticator stores the currently logged in user in the session as an OSUser User object.

It also provides for cookie logins and creates cookies if needed.

Includes code from Jive 1.2.4 (released under the Apache license)

See Also:
Serialized Form

Field Summary
static java.lang.String LOGGED_IN_KEY
          The key used to store the user object in the session
static java.lang.String LOGGED_OUT_KEY
          The key used to indicate that the user has logged out, so the session is not logged in regardless of whether the request carries a login cookie.
 
Fields inherited from interface com.atlassian.seraph.auth.Authenticator
DEFAULT_AUTHENTICATOR
 
Constructor Summary
DefaultAuthenticator()
           
 
Method Summary
protected  boolean authenticate(java.security.Principal user, java.lang.String password)
          Uses OSUser's authenticate() to authenticate a user.
protected  java.lang.String[] decodeCookie(java.lang.String value)
           
protected  java.lang.String encodeCookie(java.lang.String username, java.lang.String password)
           
 java.lang.String getAuthType()
           
protected  java.lang.String getCookiePath(javax.servlet.http.HttpServletRequest request)
          Roots the login cookie at the same path as the webapp.
protected  java.lang.String getLoginCookieKey()
           
protected  java.lang.String getLoginCookiePath()
           
protected  java.util.List getLogoutInterceptors()
           
protected  RoleMapper getRoleMapper()
           
 java.security.Principal getUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Returns the currently logged in user, trying in order:

  1. Session, only if one exists
  2. Cookie, only if no session exists
  3. Basic authentication, if the above fail, and authType=basic

          Warning: only in the case of cookie and basic auth will the user be authenticated.

protected  java.security.Principal getUser(java.lang.String username)
          Uses OSUser to retrieve a Principal for a given username.
protected  java.security.Principal getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Checks the Authorization header to see whether basic auth token is provided.
protected  java.security.Principal getUserFromCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Extracts the username and password from the cookie and calls login to authenticate; if successful, stores the token in the session.
protected  java.security.Principal getUserFromSession(javax.servlet.http.HttpServletRequest request)
           Tries to get a logged in user from the session.
 void init(java.util.Map params, SecurityConfig config)
           
 boolean isUserInRole(javax.servlet.http.HttpServletRequest request, java.lang.String role)
          Deprecated. Use RoleMapper directly
 boolean login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String username, java.lang.String password, boolean cookie)
          Tries to authenticate a user (via OSUser).
 boolean logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
 
Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator
destroy, getConfig, getRemoteUser, getUser, login
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

LOGGED_IN_KEY

public static final java.lang.String LOGGED_IN_KEY
The key used to store the user object in the session

See Also:
Constant Field Values

LOGGED_OUT_KEY

public static final java.lang.String LOGGED_OUT_KEY
The key used to indicate that the user has logged out, so the session is not logged in regardless of whether the request carries a login cookie.

See Also:
Constant Field Values
Constructor Detail

DefaultAuthenticator

public DefaultAuthenticator()
Method Detail

init

public void init(java.util.Map params,
                 SecurityConfig config)
Specified by:
init in interface Initable
Overrides:
init in class AbstractAuthenticator

isUserInRole

public boolean isUserInRole(javax.servlet.http.HttpServletRequest request,
                            java.lang.String role)
Deprecated. Use RoleMapper directly

Specified by:
isUserInRole in interface Authenticator
Specified by:
isUserInRole in class AbstractAuthenticator

login

public boolean login(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     java.lang.String username,
                     java.lang.String password,
                     boolean cookie)
              throws AuthenticatorException
Tries to authenticate a user (via OSUser). If successful, sets a session attribute and cookie indicating their logged-in status.

Specified by:
login in interface Authenticator
Specified by:
login in class AbstractAuthenticator
Returns:
Whether the user was authenticated. This base implementation returns false if any errors occur, rather than throw an exception.
Throws:
AuthenticatorException

getRoleMapper

protected RoleMapper getRoleMapper()

getUser

protected java.security.Principal getUser(java.lang.String username)
Uses OSUser to retrieve a Principal for a given username. Returns null if no user exists.


authenticate

protected boolean authenticate(java.security.Principal user,
                               java.lang.String password)
Uses OSUser's authenticate() to authenticate a user.


logout

public boolean logout(javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)
               throws AuthenticatorException
Specified by:
logout in interface Authenticator
Specified by:
logout in class AbstractAuthenticator
Throws:
AuthenticatorException

getUser

public java.security.Principal getUser(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response)
Returns the currently logged in user, trying in order:

  1. Session, only if one exists
  2. Cookie, only if no session exists
  3. Basic authentication, if the above fail, and authType=basic

Warning: only in the case of cookie and basic auth will the user be authenticated.

Specified by:
getUser in interface Authenticator
Specified by:
getUser in class AbstractAuthenticator
Parameters:
response - a response object that may be modified if basic auth is enabled
Returns:
a Principal object for the user if found, otherwise null
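Added illustration (not Seraph's own source): a subclass that spells out the lookup order documented above using only the protected hooks listed on this page, so the effect of LOGGED_OUT_KEY on the cookie path is visible; OrderedAuthenticator is a hypothetical name.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.atlassian.seraph.auth.DefaultAuthenticator;

/** Hypothetical subclass: makes the documented session -> cookie -> basic order explicit. */
public class OrderedAuthenticator extends DefaultAuthenticator {

    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        // 1. Session, only if one exists. getSession(false) never creates a session,
        //    so an anonymous request does not acquire one as a side effect.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Returns null both when no user is stored and when LOGGED_OUT_KEY is set.
            // Because the cookie step is only taken when NO session exists, a session
            // carrying LOGGED_OUT_KEY cannot be silently re-logged-in from a stale
            // login cookie; that is the purpose of the logged-out marker.
            return getUserFromSession(request);
        }

        // 2. Cookie, only if no session exists. A successful cookie login is a real
        //    authentication (credentials are checked), and stores the user in the session.
        Principal user = getUserFromCookie(request, response);
        if (user != null) {
            return user;
        }

        // 3. Basic authentication, only when the configured authType is "basic".
        //    When no Authorization header is present this step sets a 401 on the response.
        if ("basic".equals(getAuthType())) {
            return getUserFromBasicAuthentication(request, response);
        }

        return null; // no principal: the caller treats the request as anonymous
    }
}
```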

getUserFromCookie

protected java.security.Principal getUserFromCookie(javax.servlet.http.HttpServletRequest request,
                                                    javax.servlet.http.HttpServletResponse response)
Extracts the username and password from the cookie and calls login to authenticate; if successful, stores the token in the session.

Returns:
a Principal object for the user if successful, otherwise null

getUserFromSession

protected java.security.Principal getUserFromSession(javax.servlet.http.HttpServletRequest request)

Tries to get a logged in user from the session.

Parameters:
request - the current HttpServletRequest
Returns:
the logged in user in the session. null if there is no logged in user in the session, or the LOGGED_OUT_KEY is set because the user has logged out.

getUserFromBasicAuthentication

protected java.security.Principal getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest request,
                                                                 javax.servlet.http.HttpServletResponse response)
Checks the Authorization header to see whether a basic auth token is provided. If it is, the token is decoded, login is attempted and the authenticated user is returned. If it isn't, basic auth is still required, so a 401 Authorization Required header is returned in the response.

Parameters:
response - a response object that will be modified if no token found

getCookiePath

protected java.lang.String getCookiePath(javax.servlet.http.HttpServletRequest request)
Roots the login cookie at the same path as the webapp.

Anyone wanting a different cookie path policy can override the authenticator and provide one.


getLoginCookieKey

protected java.lang.String getLoginCookieKey()

getAuthType

public java.lang.String getAuthType()

getLogoutInterceptors

protected java.util.List getLogoutInterceptors()

encodeCookie

protected java.lang.String encodeCookie(java.lang.String username,
                                        java.lang.String password)

decodeCookie

protected java.lang.String[] decodeCookie(java.lang.String value)

getLoginCookiePath

protected java.lang.String getLoginCookiePath()


Copyright © 2008 Atlassian Software Systems Pty Ltd. All Rights Reserved.