com.atlassian.seraph.auth
Class DefaultAuthenticator

java.lang.Object
  com.atlassian.seraph.auth.AbstractAuthenticator
      com.atlassian.seraph.auth.DefaultAuthenticator

All Implemented Interfaces:

Authenticator, Initable, java.io.Serializable

public abstract class DefaultAuthenticator
extends AbstractAuthenticator

This authenticator stores the currently logged in user in the session as a Principal.

It also provides for cookie logins and creates cookies if needed.

Includes code from Jive 1.2.4 (released under the Apache license)

See Also:

Serialized Form

Field Summary

static java.lang.String	LOGGED_IN_KEY The key used to store the user object in the session
static java.lang.String	LOGGED_OUT_KEY The key used to indicate that the user has logged out and session regarding of it containing a cookie is not logged in.

Fields inherited from interface com.atlassian.seraph.auth.Authenticator

DEFAULT_AUTHENTICATOR

Constructor Summary

DefaultAuthenticator()

Method Summary

protected abstract boolean	authenticate(java.security.Principal user, java.lang.String password) Authenticates the given user and password.
protected boolean	authoriseUserAndEstablishSession(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse, java.security.Principal principal) This is called to authorise the user with the application.
java.lang.String	getAuthType()
protected ElevatedSecurityGuard	getElevatedSecurityGuard()
protected java.util.List<LogoutInterceptor>	getLogoutInterceptors()
protected RememberMeService	getRememberMeService()
protected RoleMapper	getRoleMapper() override this method if you need to retrieve the role mapper from elsewhere than the singleton-factory (injected dependency for instance)
java.security.Principal	getUser(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) Returns the currently logged in user, trying in order: Session, only if one exists Cookie, only if no session exists Basic authentication, if the above fail, and authType=basic Warning: only in the case of cookie and basic auth will the user be authenticated.
protected abstract java.security.Principal	getUser(java.lang.String username) Retrieve a Principal for the given username.
protected java.security.Principal	getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) Checks the Authorization header to see whether basic auth token is provided.
protected java.security.Principal	getUserFromCookie(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) Extracts the username and password from the cookie and calls login to authenticate, and if successful store the token in the session.
protected java.security.Principal	getUserFromSession(javax.servlet.http.HttpServletRequest httpServletRequest) Tries to get a logged in user from the session.
void	init(java.util.Map<java.lang.String,java.lang.String> params, SecurityConfig config) Initialise the configuration object with the given "init-params".
protected boolean	isAuthorised(javax.servlet.http.HttpServletRequest httpServletRequest, java.security.Principal principal) This method is called to estblish if the principal is authorised to use the appliction url in play
protected boolean	isPrincipalAlreadyInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest, java.security.Principal principal) This is called to determine if the Principal is already in the HttpSession in a Seraph ready manner.
boolean	isUserInRole(javax.servlet.http.HttpServletRequest request, java.lang.String role) Deprecated. Use RoleMapper directly
boolean	login(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse, java.lang.String userName, java.lang.String password, boolean setRememberMeCookie) Tries to authenticate a user.
boolean	logout(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse) Called to remove the current principal from the HttpSession and will also to remove any remember me cookies that may be in effect.
protected void	putPrincipalInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest, java.security.Principal principal) This can be called to put the principal into the HttpSession in a Seraph ready manner
protected java.security.Principal	refreshPrincipalObtainedFromSession(javax.servlet.http.HttpServletRequest httpServletRequest, java.security.Principal principal) This is called to refresh the Principal object that has been retreived from the HTTP session.
protected void	removePrincipalFromSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest) This can be called to remove the principal into the HttpSession in a Seraph ready manner

Methods inherited from class com.atlassian.seraph.auth.AbstractAuthenticator

destroy, getConfig, getRemoteUser, getUser, login

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOGGED_IN_KEY

public static final java.lang.String LOGGED_IN_KEY

The key used to store the user object in the session

See Also:

Constant Field Values

LOGGED_OUT_KEY

public static final java.lang.String LOGGED_OUT_KEY

The key used to indicate that the user has logged out and session regarding of it containing a cookie is not logged in.

See Also:

Constant Field Values

Constructor Detail

DefaultAuthenticator

public DefaultAuthenticator()

Method Detail

init

public void init(java.util.Map<java.lang.String,java.lang.String> params,
                 SecurityConfig config)

Description copied from interface: Initable

Initialise the configuration object with the given "init-params".

Specified by:

init in interface Initable

Overrides:

init in class AbstractAuthenticator

Parameters:

params - The map of "init-params" extracted from the Seraph config file. This is guaranteed not null.

config - The Seraph SecurityConfig class that is initialising the config objects. This object will only be partially initialised at this time.

isUserInRole

@Deprecated
public boolean isUserInRole(javax.servlet.http.HttpServletRequest request,
                                       java.lang.String role)

Deprecated. Use RoleMapper directly

Specified by:

isUserInRole in interface Authenticator

Specified by:

isUserInRole in class AbstractAuthenticator

login

public boolean login(javax.servlet.http.HttpServletRequest httpServletRequest,
                     javax.servlet.http.HttpServletResponse httpServletResponse,
                     java.lang.String userName,
                     java.lang.String password,
                     boolean setRememberMeCookie)
              throws AuthenticatorException

Tries to authenticate a user.

Specified by:

login in interface Authenticator

Specified by:

login in class AbstractAuthenticator

Parameters:

httpServletRequest - the request in play

httpServletResponse - the response in play

userName - the user name to check against the password

password - the password to authenticate the user with

setRememberMeCookie - whether to set a remember me cookie on sucessful login

Returns:

Whether the user was authenticated. This base implementation returns false if any errors occur, rather than throw an exception.

Throws:

AuthenticatorException - actualy this class does not throw any exceptions however the interface says we must and other classes may override us

logout

public boolean logout(javax.servlet.http.HttpServletRequest httpServletRequest,
                      javax.servlet.http.HttpServletResponse httpServletResponse)
               throws AuthenticatorException

Called to remove the current principal from the HttpSession and will also to remove any remember me cookies that may be in effect.

Specified by:

logout in interface Authenticator

Specified by:

logout in class AbstractAuthenticator

Parameters:

httpServletRequest - the request in play

httpServletResponse - the response in play

Returns:

true always for this implementation!

Throws:

AuthenticatorException - this implementation never does

authoriseUserAndEstablishSession

protected boolean authoriseUserAndEstablishSession(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                   javax.servlet.http.HttpServletResponse httpServletResponse,
                                                   java.security.Principal principal)

This is called to authorise the user with the application. The RoleMapper is invoked to see if the user is authorised to user this request via a call to isAuthorised(javax.servlet.http.HttpServletRequest, java.security.Principal)

If successful, then the HttpSession will contain the attribute marking that the user is logged in

Parameters:

httpServletRequest - the request in play

httpServletResponse - the response in play

principal - the principal to authorise

Returns:

true if the user was authorised

isAuthorised

protected boolean isAuthorised(javax.servlet.http.HttpServletRequest httpServletRequest,
                               java.security.Principal principal)

This method is called to estblish if the principal is authorised to use the appliction url in play

Parameters:

httpServletRequest - the request in play

principal - the principal to check

Returns:

true if they are authorised to use the application at thgis point of time

putPrincipalInSessionContext

protected void putPrincipalInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest,
                                            java.security.Principal principal)

This can be called to put the principal into the HttpSession in a Seraph ready manner

Parameters:

httpServletRequest - the request in play

principal - the principal to put in the session

removePrincipalFromSessionContext

protected void removePrincipalFromSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest)

This can be called to remove the principal into the HttpSession in a Seraph ready manner

Parameters:

httpServletRequest - the request in play

isPrincipalAlreadyInSessionContext

protected boolean isPrincipalAlreadyInSessionContext(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                     java.security.Principal principal)

This is called to determine if the Principal is already in the HttpSession in a Seraph ready manner.

Parameters:

httpServletRequest - the request in play

principal - the principal to put in the session

Returns:

true if the principal is already in the session

getRoleMapper

protected RoleMapper getRoleMapper()

override this method if you need to retrieve the role mapper from elsewhere than the singleton-factory (injected dependency for instance)

Returns:

the RoleMapper to use

getUser

protected abstract java.security.Principal getUser(java.lang.String username)

Retrieve a Principal for the given username. Returns null if no such user exists.

Parameters:

username - the name of the user to find

Returns:

a Principal for the given username.

authenticate

protected abstract boolean authenticate(java.security.Principal user,
                                        java.lang.String password)
                                 throws AuthenticatorException

Authenticates the given user and password. Returns true if the authentication succeeds, and false if the authentication details are invalid or if the user is not found. Implementations of this method must not attempt to downcast the user to an implementation class.

Parameters:

user - the user to authenticate. This object only stores the username of the user.

password - the password of the user

Returns:

true if the user was successfully authenticated and false otherwise.

Throws:

AuthenticatorException - if an error occurs that stops the user from being authenticated (eg remote communication failure).

getUser

public java.security.Principal getUser(javax.servlet.http.HttpServletRequest httpServletRequest,
                                       javax.servlet.http.HttpServletResponse httpServletResponse)

Returns the currently logged in user, trying in order:

1. Session, only if one exists
2. Cookie, only if no session exists
3. Basic authentication, if the above fail, and authType=basic

Warning: only in the case of cookie and basic auth will the user be authenticated.

Specified by:

getUser in interface Authenticator

Specified by:

getUser in class AbstractAuthenticator

Parameters:

httpServletRequest - the request in play

httpServletResponse - a response object that may be modified if basic auth is enabled

Returns:

a Principal object for the user if found, otherwise null

refreshPrincipalObtainedFromSession

protected java.security.Principal refreshPrincipalObtainedFromSession(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                                      java.security.Principal principal)

This is called to refresh the Principal object that has been retreived from the HTTP session.

By default this will called getUser(String) again to get a fresh user.

Parameters:

httpServletRequest - the HTTP request in play

principal - the Principal in play

Returns:

a fresh up to date principal

getUserFromSession

protected java.security.Principal getUserFromSession(javax.servlet.http.HttpServletRequest httpServletRequest)

Tries to get a logged in user from the session.

Parameters:

httpServletRequest - the current HttpServletRequest

Returns:

the logged in user in the session. null if there is no logged in user in the session, or the LOGGED_OUT_KEY is set because the user has logged out.

getUserFromCookie

protected java.security.Principal getUserFromCookie(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                    javax.servlet.http.HttpServletResponse httpServletResponse)

Extracts the username and password from the cookie and calls login to authenticate, and if successful store the token in the session.

Parameters:

httpServletRequest - the HTTP request in play

httpServletResponse - the HTTP respone in play

Returns:

a Principal object for the user if successful, otherwise null

getUserFromBasicAuthentication

protected java.security.Principal getUserFromBasicAuthentication(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                                 javax.servlet.http.HttpServletResponse httpServletResponse)

Checks the Authorization header to see whether basic auth token is provided. If it is, decode it, login and return the valid user. If it isn't, basic auth is still required, so return a 401 Authorization Required header in the response.

Parameters:

httpServletRequest - the HTTP request in play

httpServletResponse - a response object that will be modified if no token found

Returns:

a Principal or null if one cant be found

getAuthType

public java.lang.String getAuthType()

getLogoutInterceptors

protected java.util.List<LogoutInterceptor> getLogoutInterceptors()

getElevatedSecurityGuard

protected ElevatedSecurityGuard getElevatedSecurityGuard()

getRememberMeService

protected RememberMeService getRememberMeService()