
1   package com.atlassian.seraph.auth;
2   
import com.atlassian.seraph.config.SecurityConfig;

import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
6   
7   /**
8    * If an authType is specified by the user that doesn't match a specific auth type as defined by this enum,
9    * 'NONE' will be returned.  
10   *
11   * @since 2.2
12   */
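public enum AuthType
{
    /**
     * There has been no authentication type specified for this request. If the user has provided an invalid cookie they
     * will be allowed to view the page as an anonymous user.
     */
    NONE,

    /**
     * The user is presenting a session cookie that they expect to work. If it doesn't work they want to know that,
     * rather than silently proceeding as an anonymous user. In practice this means they should get a 401 or 403
     * if their session has expired.
     */
    COOKIE,

    /**
     * The user is either presenting HTTP BASIC Authentication credentials or wants the application to initiate a
     * BASIC Auth challenge.
     */
    BASIC,

    /**
     * This is sort of like a combination of all three above. If you don't present BASIC Auth or a session cookie
     * then you will proceed anonymous. If you present one of those and they are invalid then you get a 401 or 403 instead.
     *
     * The difference between NONE and ANY is that with NONE you can *think* you are logging in but end up anonymous because
     * your session has expired. Remote API users (like scripts) don't notice this and just get different results. They would
     * prefer to get an obvious response code telling them that something isn't quite right.
     */
    ANY;

    /**
     * Name of the request attribute consulted when the request carries no auth-type parameter. Its value is expected
     * to be a {@link String} naming one of the constants of this enum (matched ignoring case).
     */
    public static final String DEFAULT_ATTRIBUTE = "os_authTypeDefault";

    /**
     * Resolves the {@link AuthType} requested for {@code request}.
     * <p>
     * The value is read from the request parameter named by {@link SecurityConfig#getAuthType()}; if that parameter
     * is absent, the request attribute {@link #DEFAULT_ATTRIBUTE} is used instead. The value is matched against the
     * constant names of this enum ignoring case. A missing value, or one that names no constant, yields {@link #NONE} -
     * so a mistyped value degrades to anonymous handling rather than to a rejected request; clients that rely on a
     * 401/403 for a bad session must send one of the exact constant names.
     *
     * @param request the current request; the parameter and attribute are read from it
     * @param config  supplies the name of the auth-type request parameter
     * @return the resolved type, never {@code null}
     * @throws ClassCastException if {@link #DEFAULT_ATTRIBUTE} holds something other than a {@link String}
     */
    public static AuthType getAuthTypeInformation(final HttpServletRequest request, final SecurityConfig config)
    {
        final String authTypeParamName = config.getAuthType();
        String authType = request.getParameter(authTypeParamName);
        if (authType == null)
        {
            // Parameter absent: fall back to the attribute an upstream filter or servlet may have set.
            authType = (String) request.getAttribute(DEFAULT_ATTRIBUTE);
        }
        if (authType == null)
        {
            return NONE;
        }
        try
        {
            // Locale.ROOT keeps the match independent of the JVM default locale. Under a Turkish locale
            // toUpperCase() turns "i" into a dotted capital I, so "cookie" and "basic" would fail to match
            // and silently resolve to NONE.
            return AuthType.valueOf(authType.toUpperCase(Locale.ROOT));
        }
        catch (final IllegalArgumentException e)
        {
            // An unrecognised authentication type is treated as "none specified" rather than rejected.
            return NONE;
        }
    }
}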