com.caucho.security

Class AbstractLogin

java.lang.Object

com.caucho.security.AbstractLogin

All Implemented Interfaces:

Login

Direct Known Subclasses:

AbstractLogin, BasicLogin, ClientCertLogin, DigestLogin, FormLogin

public abstract class AbstractLogin
extends java.lang.Object
implements Login

Used to authenticate users in a servlet request. AbstractLogin handles the different login types like "basic" or "form". Normally, a Login will delegate the actual authentication to a ServletAuthenticator.

The Login is primarily responsible for extracting the credentials from the request (typically username and password) and passing those to the ServletAuthenticator.

The Servlet API calls the Login in two contexts: directly from ServletRequest.getUserPrincipal(), and during security checking. When called from the Servlet API, the login class can't change the response. In other words, if an application calls getUserPrincipal(), the Login class can't return a forbidden error page. When the servlet engine calls authenticate(), the login class can return an error page (or forward internally.)

Normally, Login implementations will defer the actual authentication to a ServletAuthenticator class. That way, both "basic" and "form" login can use the same DatabaseAuthenticator. Some applications, like SSL client certificate login, may want to combine the Login and authentication into one class.

Login instances are configured through bean introspection. Adding a public setFoo(String foo) method will be configured with the following login-config:

 <myfoo:CustomLogin xmlns:myfoo="urn:java:com.foo.myfoo">
   <foo>bar</foo>
 </myfoo:CustomLogin>
 

Since:

Resin 4.0.0

Field Summary

Fields

Modifier and Type	Field and Description
protected Authenticator	_auth The configured authenticator for the login.
protected SingleSignon	_singleSignon

Fields inherited from interface com.caucho.security.Login

LOGIN_PASSWORD, LOGIN_USER, LOGIN_USER_NAME

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	AbstractLogin()

Method Summary

Modifier and Type	Method and Description
protected java.security.Principal	findSavedUser(HttpServletRequest request) Looks up the user based on session or single signon.
Authenticator	getAuthenticator() Gets the authenticator.
java.lang.String	getAuthType() Returns the authentication type.
protected java.security.Principal	getLoginPrincipalImpl(HttpServletRequest request) Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.
protected SingleSignon	getSingleSignon()
java.security.Principal	getUserPrincipal(HttpServletRequest request) Returns the Principal associated with the current request.
protected java.security.Principal	getUserPrincipalImpl(HttpServletRequest request) Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.
void	init() Initialize the login.
boolean	isLoginUsedForRequest(HttpServletRequest request) Returns true if the login can be used for this request.
boolean	isLogoutOnSessionTimeout() Returns true if the user should be logged out on a session timeout.
boolean	isPasswordBased() Returns true if username and password based authentication is supported.
protected boolean	isSavedUserValid(HttpServletRequest request, java.security.Principal savedUser) Returns the non-authenticated principal for the user request
boolean	isSessionSaveLogin() Sets true if the user should be saved in the session.
boolean	isUserInRole(java.security.Principal user, java.lang.String role) Returns true if the current user plays the named role.
protected java.security.Principal	login(HttpServletRequest request, HttpServletResponse response) Attempts to login the user if the user cannot be found in the session or the single-signon.
java.security.Principal	login(HttpServletRequest request, HttpServletResponse response, boolean isFail) Logs a user in.
protected void	loginChallenge(HttpServletRequest request, HttpServletResponse response) Implementation of the login challenge
protected void	loginSuccessResponse(java.security.Principal user, HttpServletRequest request, HttpServletResponse response) HTTP updates after a successful login
void	logout(java.security.Principal user, HttpServletRequest request, HttpServletResponse response) Logs the user out from the given request.
protected void	logoutImpl(java.security.Principal user, HttpServletRequest request, HttpServletResponse response) Logs the user out from the given request.
protected void	saveUser(HttpServletRequest request, java.security.Principal user) Saves the user based on session or single signon.
void	sessionInvalidate(HttpSession session, boolean isTimeout) Called when the session invalidates.
void	setAuthenticator(Authenticator auth) Sets the authenticator.
void	setLogoutOnSessionTimeout(boolean logout) Sets true if the principal should logout when the session times out.
void	setSessionSaveLogin(boolean isSave) Sets true if the user should be saved in the session.
java.lang.String	toString() Logs the user out from the session.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

_auth

protected Authenticator _auth

The configured authenticator for the login. Implementing classes will typically delegate calls to the authenticator after extracting the username and password.

_singleSignon

protected SingleSignon _singleSignon

Constructor Detail

AbstractLogin

protected AbstractLogin()

Method Detail

setAuthenticator

public void setAuthenticator(Authenticator auth)

Sets the authenticator.

getAuthenticator

public Authenticator getAuthenticator()

Gets the authenticator.

Specified by:

getAuthenticator in interface Login

getSingleSignon

protected SingleSignon getSingleSignon()

isLogoutOnSessionTimeout

public boolean isLogoutOnSessionTimeout()

Returns true if the user should be logged out on a session timeout.

setLogoutOnSessionTimeout

public void setLogoutOnSessionTimeout(boolean logout)

Sets true if the principal should logout when the session times out.

setSessionSaveLogin

public void setSessionSaveLogin(boolean isSave)

Sets true if the user should be saved in the session.

isSessionSaveLogin

public boolean isSessionSaveLogin()

Sets true if the user should be saved in the session.

init

@PostConstruct
public void init()
                         throws ServletException

Initialize the login. init() will be called after all the bean parameters have been set.

Throws:

ServletException

getAuthType

public java.lang.String getAuthType()

Returns the authentication type. getAuthType is called by HttpServletRequest.getAuthType.

Specified by:

getAuthType in interface Login

isLoginUsedForRequest

public boolean isLoginUsedForRequest(HttpServletRequest request)

Returns true if the login can be used for this request. This lets webapps use multiple login methods.

Specified by:

isLoginUsedForRequest in interface Login

getUserPrincipal

public java.security.Principal getUserPrincipal(HttpServletRequest request)

Returns the Principal associated with the current request. getUserPrincipal is called in response to the Request.getUserPrincipal call. Login.getUserPrincipal can't modify the response or return an error page.

authenticate is used for the security checks.

Specified by:

getUserPrincipal in interface Login

Parameters:

request - servlet request

Returns:

the logged in principal on success, null on failure.

login

public java.security.Principal login(HttpServletRequest request,
                                     HttpServletResponse response,
                                     boolean isFail)

Logs a user in. The authenticate method is called during the security check. If the user does not exist, authenticate sets the reponse error page and returns null.

Specified by:

login in interface Login

Parameters:

request - servlet request

response - servlet response for a failed authentication.

isFail - if true send a challenge (Form|HTTP Basic,etc.)

Returns:

the logged in principal on success, null on failure.

login

protected java.security.Principal login(HttpServletRequest request,
                                        HttpServletResponse response)

Attempts to login the user if the user cannot be found in the session or the single-signon.

findSavedUser

protected java.security.Principal findSavedUser(HttpServletRequest request)

Looks up the user based on session or single signon.

saveUser

protected void saveUser(HttpServletRequest request,
                        java.security.Principal user)

Saves the user based on session or single signon.

isPasswordBased

public boolean isPasswordBased()

Description copied from interface: Login

Returns true if username and password based authentication is supported.

Specified by:

isPasswordBased in interface Login

Returns:

See Also:

BasicLogin

getUserPrincipalImpl

protected java.security.Principal getUserPrincipalImpl(HttpServletRequest request)

Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.

isSavedUserValid

protected boolean isSavedUserValid(HttpServletRequest request,
                                   java.security.Principal savedUser)

Returns the non-authenticated principal for the user request

getLoginPrincipalImpl

protected java.security.Principal getLoginPrincipalImpl(HttpServletRequest request)

Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.

loginChallenge

protected void loginChallenge(HttpServletRequest request,
                              HttpServletResponse response)
                       throws ServletException,
                              java.io.IOException

Implementation of the login challenge

Throws:

ServletException

java.io.IOException

loginSuccessResponse

protected void loginSuccessResponse(java.security.Principal user,
                                    HttpServletRequest request,
                                    HttpServletResponse response)
                             throws ServletException,
                                    java.io.IOException

HTTP updates after a successful login

Throws:

ServletException

java.io.IOException

isUserInRole

public boolean isUserInRole(java.security.Principal user,
                            java.lang.String role)

Returns true if the current user plays the named role. isUserInRole is called in response to the HttpServletRequest.isUserInRole call.

Specified by:

isUserInRole in interface Login

Parameters:

user - UserPrincipal object associated with request

role - to be tested

Returns:

the logged in principal on success, null on failure.

logout

public void logout(java.security.Principal user,
                   HttpServletRequest request,
                   HttpServletResponse response)

Logs the user out from the given request.

Since there is no servlet API for logout, this must be called directly from user code. Resin stores the web-app's login object in the ServletContext attribute "caucho.login".

Specified by:

logout in interface Login

sessionInvalidate

public void sessionInvalidate(HttpSession session,
                              boolean isTimeout)

Called when the session invalidates.

Specified by:

sessionInvalidate in interface Login

logoutImpl

protected void logoutImpl(java.security.Principal user,
                          HttpServletRequest request,
                          HttpServletResponse response)

Logs the user out from the given request.

Since there is no servlet API for logout, this must be called directly from user code. Resin stores the web-app's login object in the ServletContext attribute "caucho.login".

toString

public java.lang.String toString()

Logs the user out from the session.

Overrides:

toString in class java.lang.Object

Parameters:

user - the logged in user