com.atlassian.seraph.auth
Class DefaultAuthenticator

java.lang.Object
  extended by com.atlassian.seraph.auth.AbstractAuthenticator
      extended by com.atlassian.seraph.auth.DefaultAuthenticator
All Implemented Interfaces:
Authenticator, Initable, Serializable

public abstract class DefaultAuthenticator
extends AbstractAuthenticator

This authenticator stores the currently logged in user in the session as a Principal.

It also provides for cookie logins and creates cookies if needed.

Includes code from Jive 1.2.4 (released under the Apache license)

See Also:
Serialized Form

Field Summary
static String LOGGED_IN_KEY
          The key used to store the user object in the session
static String LOGGED_OUT_KEY
          The key used to indicate that the user has logged out; a session carrying this key is treated as not logged in, regardless of whether a remember-me cookie is present.
 
Fields inherited from interface com.atlassian.seraph.auth.Authenticator
DEFAULT_AUTHENTICATOR
 
Constructor Summary
DefaultAuthenticator()
           
 
Method Summary
protected abstract  boolean authenticate(Principal user, String password)
          Authenticates the given user and password.
protected  boolean authoriseUserAndEstablishSession(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse, Principal principal)
          This is called to authorise the user with the application.
 String getAuthType()
           
protected  ElevatedSecurityGuard getElevatedSecurityGuard()
           
protected  List<LogoutInterceptor> getLogoutInterceptors()
           
protected  RememberMeService getRememberMeService()
           
protected  RoleMapper getRoleMapper()
          Override this method if the role mapper must be obtained from somewhere other than the singleton factory (an injected dependency, for instance).
 Principal getUser(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
          Returns the currently logged in user, trying in order:

  1. Session, only if one exists
  2. Cookie, only if no session exists
  3. Basic authentication, if the above fail, and authType=basic

Warning: only the cookie and basic-auth paths actually authenticate the user; a principal found in the session is trusted as already logged in.

protected abstract  Principal getUser(String username)
          Retrieve a Principal for the given username.
protected  Principal getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
          Checks the Authorization header to see whether basic auth token is provided.
protected  Principal getUserFromCookie(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
          Extracts the username and password from the cookie and calls login to authenticate; if successful, stores the token in the session.
protected  Principal getUserFromSession(javax.servlet.http.HttpServletRequest httpServletRequest)
           Tries to get a logged in user from the session.
 void init(Map<String,String> params, SecurityConfig config)
          Initialise the configuration object with the given "init-params".
protected  boolean isAuthorised(javax.servlet.http.HttpServletRequest httpServletRequest, Principal principal)
          This method is called to establish whether the principal is authorised to use the application URL in play.
protected  boolean isPrincipalAlreadyInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest, Principal principal)
          This is called to determine if the Principal is already in the HttpSession in a Seraph ready manner.
 boolean isUserInRole(javax.servlet.http.HttpServletRequest request, String role)
          Deprecated. Use RoleMapper directly
 boolean login(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse, String userName, String password, boolean setRememberMeCookie)
          Tries to authenticate a user.
 boolean logout(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
          Called to remove the current principal from the HttpSession and will also to remove any remember me cookies that may be in effect.
protected  void putPrincipalInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest, Principal principal)
          This can be called to put the principal into the HttpSession in a Seraph ready manner
protected  Principal refreshPrincipalObtainedFromSession(javax.servlet.http.HttpServletRequest httpServletRequest, Principal principal)
          This is called to refresh the Principal object that has been retreived from the HTTP session.
protected  void removePrincipalFromSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest)
          This can be called to remove the principal from the HttpSession in a Seraph ready manner.
 
Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator
destroy, getConfig, getRemoteUser, getUser, login
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

LOGGED_IN_KEY

public static final String LOGGED_IN_KEY
The key used to store the user object in the session

See Also:
Constant Field Values

LOGGED_OUT_KEY

public static final String LOGGED_OUT_KEY
The key used to indicate that the user has logged out; a session carrying this key is treated as not logged in, regardless of whether a remember-me cookie is present.

See Also:
Constant Field Values
Constructor Detail

DefaultAuthenticator

public DefaultAuthenticator()
Method Detail

init

public void init(Map<String,String> params,
                 SecurityConfig config)
Description copied from interface: Initable
Initialise the configuration object with the given "init-params".

Specified by:
init in interface Initable
Overrides:
init in class AbstractAuthenticator
Parameters:
params - The map of "init-params" extracted from the Seraph config file. This is guaranteed not null.
config - The Seraph SecurityConfig class that is initialising the config objects. This object will only be partially initialised at this time.

isUserInRole

@Deprecated
public boolean isUserInRole(javax.servlet.http.HttpServletRequest request,
                                       String role)
Deprecated. Use RoleMapper directly

Specified by:
isUserInRole in interface Authenticator
Specified by:
isUserInRole in class AbstractAuthenticator

login

public boolean login(javax.servlet.http.HttpServletRequest httpServletRequest,
                     javax.servlet.http.HttpServletResponse httpServletResponse,
                     String userName,
                     String password,
                     boolean setRememberMeCookie)
              throws AuthenticatorException
Tries to authenticate a user.

Specified by:
login in interface Authenticator
Specified by:
login in class AbstractAuthenticator
Parameters:
httpServletRequest - the request in play
httpServletResponse - the response in play
userName - the user name to check against the password
password - the password to authenticate the user with
setRememberMeCookie - whether to set a remember me cookie on successful login
Returns:
Whether the user was authenticated. This base implementation returns false if any errors occur, rather than throw an exception.
Throws:
AuthenticatorException - this class itself never throws it; the exception is declared because the interface requires it, and subclasses may throw it (for example on a backend failure).

logout

public boolean logout(javax.servlet.http.HttpServletRequest httpServletRequest,
                      javax.servlet.http.HttpServletResponse httpServletResponse)
               throws AuthenticatorException
Called to remove the current principal from the HttpSession and will also to remove any remember me cookies that may be in effect.

Specified by:
logout in interface Authenticator
Specified by:
logout in class AbstractAuthenticator
Parameters:
httpServletRequest - the request in play
httpServletResponse - the response in play
Returns:
always true for this implementation
Throws:
AuthenticatorException - this implementation never does

authoriseUserAndEstablishSession

protected boolean authoriseUserAndEstablishSession(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                   javax.servlet.http.HttpServletResponse httpServletResponse,
                                                   Principal principal)
This is called to authorise the user with the application. The RoleMapper is invoked to see if the user is authorised to use this request via a call to isAuthorised(javax.servlet.http.HttpServletRequest, java.security.Principal)

If successful, then the HttpSession will contain the attribute marking that the user is logged in

Parameters:
httpServletRequest - the request in play
httpServletResponse - the response in play
principal - the principal to authorise
Returns:
true if the user was authorised

isAuthorised

protected boolean isAuthorised(javax.servlet.http.HttpServletRequest httpServletRequest,
                               Principal principal)
This method is called to establish whether the principal is authorised to use the application URL in play.

Parameters:
httpServletRequest - the request in play
principal - the principal to check
Returns:
true if they are authorised to use the application at this point in time

putPrincipalInSessionContext

protected void putPrincipalInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest,
                                            Principal principal)
This can be called to put the principal into the HttpSession in a Seraph ready manner

Parameters:
httpServletRequest - the request in play
principal - the principal to put in the session

removePrincipalFromSessionContext

protected void removePrincipalFromSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest)
This can be called to remove the principal from the HttpSession in a Seraph ready manner.

Parameters:
httpServletRequest - the request in play

isPrincipalAlreadyInSessionContext

protected boolean isPrincipalAlreadyInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                     Principal principal)
This is called to determine if the Principal is already in the HttpSession in a Seraph ready manner.

Parameters:
httpServletRequest - the request in play
principal - the principal to look for in the session
Returns:
true if the principal is already in the session

getRoleMapper

protected RoleMapper getRoleMapper()
Override this method if the role mapper must be obtained from somewhere other than the singleton factory (an injected dependency, for instance).

Returns:
the RoleMapper to use

getUser

protected abstract Principal getUser(String username)
Retrieve a Principal for the given username. Returns null if no such user exists.

Parameters:
username - the name of the user to find
Returns:
a Principal for the given username.

authenticate

protected abstract boolean authenticate(Principal user,
                                        String password)
                                 throws AuthenticatorException
Authenticates the given user and password. Returns true if the authentication succeeds, and false if the authentication details are invalid or if the user is not found. Implementations of this method must not attempt to downcast the user to an implementation class.

Parameters:
user - the user to authenticate. This object only stores the username of the user.
password - the password of the user
Returns:
true if the user was successfully authenticated and false otherwise.
Throws:
AuthenticatorException - if an error occurs that stops the user from being authenticated (eg remote communication failure).
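An added example, not Seraph's or this page's own code, of the two abstract methods a subclass must supply (login(...) above relies on getUser(String) to find the principal and on authenticate(Principal, String) to verify the password). The subclass below keeps a constructed in-memory user table of salted PBKDF2 hashes, returns null for unknown names, verifies passwords using only Principal.getName() (no downcast) with a constant-time comparison, returns false for invalid credentials, and throws AuthenticatorException only when the hashing backend itself fails. The package, class name and sample user are assumptions made for the example.

```java
// Added example (not Seraph's own code): a concrete DefaultAuthenticator over a
// constructed in-memory user table. Registered in seraph-config.xml with
//   <authenticator class="com.example.auth.InMemoryAuthenticator"/>
// (class and package names are this example's, not the project's).
package com.example.auth;

import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.auth.DefaultAuthenticator;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class InMemoryAuthenticator extends DefaultAuthenticator {

    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /** Stored credential: a per-user random salt and the PBKDF2 hash of the password. */
    private static final class Credential {
        final byte[] salt;
        final byte[] hash;
        Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /** A Principal that carries only the username, matching the contract of authenticate(). */
    private static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed sample user table; a real subclass would consult a user directory. */
    private final Map<String, Credential> users = new ConcurrentHashMap<>();

    public InMemoryAuthenticator() {
        addUser("alice", "correct horse battery staple"); // constructed sample user
    }

    void addUser(String username, String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            users.put(username, new Credential(salt, pbkdf2(password, salt)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** Finds the user by name; returns null (never an exception) for an unknown user, as required. */
    @Override
    protected Principal getUser(String username) {
        return username != null && users.containsKey(username) ? new NamePrincipal(username) : null;
    }

    /**
     * Verifies the password. Only user.getName() is used (no downcast to NamePrincipal),
     * unknown users and wrong passwords both yield false, and the hash comparison is
     * constant-time so response timing does not leak how many bytes matched.
     */
    @Override
    protected boolean authenticate(Principal user, String password) throws AuthenticatorException {
        if (user == null || password == null) {
            return false;
        }
        Credential cred = users.get(user.getName());
        if (cred == null) {
            return false;
        }
        try {
            return MessageDigest.isEqual(cred.hash, pbkdf2(password, cred.salt));
        } catch (GeneralSecurityException e) {
            // A backend failure, not bad credentials: the contract says to throw here.
            throw new AuthenticatorException("password verification unavailable: " + e.getMessage());
        }
    }

    private static byte[] pbkdf2(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }
}
```

The distinction the contract draws matters operationally: a false return from authenticate() becomes a false return from login(), which the caller shows as "bad credentials", whereas an AuthenticatorException signals that no verdict could be reached and should never be reported to the user as a wrong password.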

getUser

public Principal getUser(javax.servlet.http.HttpServletRequest httpServletRequest,
                         javax.servlet.http.HttpServletResponse httpServletResponse)
Returns the currently logged in user, trying in order:

  1. Session, only if one exists
  2. Cookie, only if no session exists
  3. Basic authentication, if the above fail, and authType=basic

Warning: only the cookie and basic-auth paths actually authenticate the user; a principal found in the session is trusted as already logged in (after refreshPrincipalObtainedFromSession).

Specified by:
getUser in interface Authenticator
Specified by:
getUser in class AbstractAuthenticator
Parameters:
httpServletRequest - the request in play
httpServletResponse - a response object that may be modified if basic auth is enabled
Returns:
a Principal object for the user if found, otherwise null
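An added example, not Seraph's or this page's own code, of an application driving the public contract: doGet resolves the caller with getUser(request, response) in the session, then cookie, then basic-auth order described above; doPost calls login(...) with the remember-me flag, or logout(...) to clear the principal, set LOGGED_OUT_KEY and remove remember-me cookies. It assumes that the configured authenticator is obtained via SecurityConfigFactory.getInstance().getAuthenticator() (not shown on this page), that login is form-based (authType is not basic, so an unauthenticated GET is redirected rather than left with the 401 challenge), and a hypothetical /login path.

```java
// Added example (not Seraph's own code): a servlet exercising getUser / login / logout.
// Package, class, the /login path and the authenticator lookup are this example's assumptions.
package com.example.auth;

import com.atlassian.seraph.auth.Authenticator;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.config.SecurityConfigFactory;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionDemoServlet extends HttpServlet {

    /** The <authenticator> configured in seraph-config.xml (lookup API assumed, see lead-in). */
    private Authenticator authenticator() {
        return SecurityConfigFactory.getInstance().getAuthenticator();
    }

    /** GET: resolve the caller via session, then remember-me cookie, then basic auth (if enabled). */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal user = authenticator().getUser(req, resp);
        if (user == null) {
            // Form login assumed. With authType=basic, getUser has already written the
            // 401 challenge into resp and this redirect must not be sent over it.
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("logged in as " + user.getName());
    }

    /** POST: action=logout ends the session; otherwise username/password attempt a login. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        try {
            if ("logout".equals(req.getParameter("action"))) {
                // Removes the principal, marks the session with LOGGED_OUT_KEY and clears
                // remember-me cookies, so a later getUser() does not revive the login.
                authenticator().logout(req, resp);
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            // Session-fixation hardening done by the application itself: discard any session
            // that existed before the credentials were verified, whatever the framework does.
            HttpSession pre = req.getSession(false);
            if (pre != null) {
                pre.invalidate();
            }
            boolean rememberMe = "on".equals(req.getParameter("rememberMe"));
            boolean ok = authenticator().login(req, resp,
                    req.getParameter("username"), req.getParameter("password"), rememberMe);
            if (ok) {
                resp.sendRedirect(req.getContextPath() + "/");
            } else {
                // One generic outcome for unknown user and wrong password alike.
                resp.sendRedirect(req.getContextPath() + "/login?error=1");
            }
        } catch (AuthenticatorException e) {
            // A backend failure (e.g. directory unreachable), not a bad password: fail closed.
            throw new ServletException("authentication backend error", e);
        }
    }
}
```

Because the session path of getUser() trusts the stored principal, logging out through logout(...) rather than merely dropping a client cookie is what actually ends access: it is the LOGGED_OUT_KEY marker that stops getUserFromSession from returning the old principal and stops a surviving remember-me cookie from re-establishing it.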

refreshPrincipalObtainedFromSession

protected Principal refreshPrincipalObtainedFromSession(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                        Principal principal)
This is called to refresh the Principal object that has been retrieved from the HTTP session.

By default this calls getUser(String) again to obtain a fresh user.

Parameters:
httpServletRequest - the HTTP request in play
principal - the Principal in play
Returns:
a fresh up to date principal

getUserFromSession

protected Principal getUserFromSession(javax.servlet.http.HttpServletRequest httpServletRequest)

Tries to get a logged in user from the session.

Parameters:
httpServletRequest - the current HttpServletRequest
Returns:
the logged in user in the session; null if there is no logged in user in the session, or if LOGGED_OUT_KEY is set because the user has logged out.

getUserFromCookie

protected Principal getUserFromCookie(javax.servlet.http.HttpServletRequest httpServletRequest,
                                      javax.servlet.http.HttpServletResponse httpServletResponse)
Extracts the username and password from the cookie and calls login to authenticate; if successful, stores the token in the session.

Parameters:
httpServletRequest - the HTTP request in play
httpServletResponse - the HTTP response in play
Returns:
a Principal object for the user if successful, otherwise null

getUserFromBasicAuthentication

protected Principal getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                   javax.servlet.http.HttpServletResponse httpServletResponse)
Checks the Authorization header to see whether a basic auth token is provided. If it is, decodes it, logs in and returns the valid user. If it isn't, basic auth is still required, so a 401 (Unauthorized) status with a WWW-Authenticate challenge is written to the response.

Parameters:
httpServletRequest - the HTTP request in play
httpServletResponse - a response object that will be modified if no token found
Returns:
a Principal, or null if one cannot be found

getAuthType

public String getAuthType()

getLogoutInterceptors

protected List<LogoutInterceptor> getLogoutInterceptors()

getElevatedSecurityGuard

protected ElevatedSecurityGuard getElevatedSecurityGuard()

getRememberMeService

protected RememberMeService getRememberMeService()


Copyright © 2013 Atlassian. All Rights Reserved.