com.caucho.server.security
Class AuthenticatorList

java.lang.Object
  extended by com.caucho.server.security.AuthenticatorList
All Implemented Interfaces:
ServletAuthenticator

public class AuthenticatorList
extends java.lang.Object
implements ServletAuthenticator

The AuthenticatorList is used to configure more than one authenticator in a list. Each authenticator is tried in turn; if authentication fails, the next authenticator in the list is attempted.

  <authenticator type="com.caucho.server.security.AuthenticatorList">
    <init>
      <authenticator resin:type="com.caucho.server.security.XmlAuthenticator">
        <user>admin:NIHlOSafJN2H7emQCkOQ2w==:user,admin</user>
      </authenticator>

      <authenticator resin:type='com.caucho.server.security.JdbcAuthenticator'>
        <data-source>jdbc/users</data-source>
        <password-query>
          SELECT password FROM LOGIN WHERE username=?
        </password-query>
        <cookie-auth-query>
          SELECT username FROM LOGIN WHERE cookie=?
        </cookie-auth-query>
        <cookie-auth-update>
          UPDATE LOGIN SET cookie=? WHERE username=?
        </cookie-auth-update>
        <role-query>
          SELECT role FROM LOGIN WHERE username=?
        </role-query>
      </authenticator>
    </init>
  </authenticator>

  <login-config auth-method='basic'/>

  <security-constraint url-pattern='/users/*' role-name='user'/>
  <security-constraint url-pattern='/admin/*' role-name='admin'/>

Constructor Summary
AuthenticatorList()
Method Summary
 void addAuthenticator(ServletAuthenticator authenticator)
          Adds an authenticator to the list.
 java.security.Principal getUserPrincipal(HttpServletRequest request, HttpServletResponse response, ServletContext application)
          Gets the authenticated user for the current request.
 void init()
          Initialize the authenticator.
 boolean isUserInRole(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.security.Principal user, java.lang.String role)
          Returns true if the user plays the named role.
 java.security.Principal login(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.lang.String user, java.lang.String password)
          Logs a user in with a user name and a password.
 java.security.Principal loginDigest(HttpServletRequest request, HttpServletResponse response, ServletContext app, java.lang.String user, java.lang.String realm, java.lang.String nonce, java.lang.String uri, java.lang.String qop, java.lang.String nc, java.lang.String cnonce, byte[] clientDigset)
          Validates the user when using HTTP Digest authentication.
 void logout(ServletContext application, HttpSession timeoutSession, java.lang.String sessionId, java.security.Principal user)
          Logs the user out from the given request.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AuthenticatorList

public AuthenticatorList()
Method Detail

addAuthenticator

public void addAuthenticator(ServletAuthenticator authenticator)
Adds an authenticator to the list; the authenticators are tried in the order they were added.


init

@PostConstruct
public void init()
          throws ServletException
Description copied from interface: ServletAuthenticator
Initialize the authenticator. init() is called after all the bean parameters have been set.

Specified by:
init in interface ServletAuthenticator
Throws:
ServletException

login

public java.security.Principal login(HttpServletRequest request,
                                     HttpServletResponse response,
                                     ServletContext application,
                                     java.lang.String user,
                                     java.lang.String password)
                              throws ServletException
Description copied from interface: ServletAuthenticator
Logs a user in with a user name and a password. The login method is generally called during servlet security checks. The ServletRequest.getUserPrincipal call will generally call getUserPrincipal.

The implementation may only use the response to set cookies and headers. It may not write output or set the response status. If the application needs to send a custom error response, it must implement a custom AbstractLogin instead.

Specified by:
login in interface ServletAuthenticator
Parameters:
request - servlet request
response - servlet response, in case any cookies need sending.
application - servlet application
user - the user name.
password - the user's input password.
Returns:
the logged in principal on success, null on failure.
Throws:
ServletException

getUserPrincipal

public java.security.Principal getUserPrincipal(HttpServletRequest request,
                                                HttpServletResponse response,
                                                ServletContext application)
                                         throws ServletException
Description copied from interface: ServletAuthenticator
Gets the authenticated user for the current request. If the user has not logged in, just returns null.

getUserPrincipal is called in response to an application's call to HttpServletRequest.getUserPrincipal.

The implementation may only use the response to set cookies and headers. It may not write output.

Specified by:
getUserPrincipal in interface ServletAuthenticator
Parameters:
request - the request trying to authenticate.
response - the response for setting headers and cookies.
application - the servlet context
Returns:
the authenticated user or null if none has logged in
Throws:
ServletException

loginDigest

public java.security.Principal loginDigest(HttpServletRequest request,
                                           HttpServletResponse response,
                                           ServletContext app,
                                           java.lang.String user,
                                           java.lang.String realm,
                                           java.lang.String nonce,
                                           java.lang.String uri,
                                           java.lang.String qop,
                                           java.lang.String nc,
                                           java.lang.String cnonce,
                                           byte[] clientDigset)
                                    throws ServletException
Description copied from interface: ServletAuthenticator
Validates the user when using HTTP Digest authentication. DigestLogin will call this method. Most other AbstractLogin implementations, like BasicLogin and FormLogin, will use getUserPrincipal instead.

The HTTP Digest authentication uses the following algorithm to calculate the digest. The digest is then compared to the client digest.

 A1 = MD5(username + ':' + realm + ':' + password)
 A2 = MD5(method + ':' + uri)
 digest = MD5(A1 + ':' + nonce + ':' + A2)

Specified by:
loginDigest in interface ServletAuthenticator
Parameters:
request - the request trying to authenticate.
response - the response for setting headers and cookies.
app - the servlet context
user - the username
realm - the authentication realm
nonce - the nonce passed to the client during the challenge
uri - the protected uri
cnonce - the client nonce
Returns:
the logged in principal if successful
Throws:
ServletException
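As an added example (not Resin's code), the recomputation that a loginDigest implementation performs before returning a Principal. It follows RFC 2617, so the qop, nc and cnonce parameters the method receives are included (the legacy MD5(A1:nonce:A2) form is used when qop is absent), and it assumes the caller has already decoded the client's hex response into the raw bytes passed as clientDigset.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Server-side recomputation of an HTTP Digest response: the check a ServletAuthenticator
// performs inside loginDigest() before it returns a Principal.
public final class DigestCheck {
    private static final char[] HEX = "0123456789abcdef".toCharArray();
    private static byte[] md5(String s) {
        try {
            return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // MD5 is always available in a JRE
        }
    }

    // Intermediate hashes are carried as lowercase hex text, exactly as the client computes them.
    private static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(HEX[(b >> 4) & 0xf]).append(HEX[b & 0xf]);
        return sb.toString();
    }

    // RFC 2617: A1 = MD5(user:realm:password), A2 = MD5(method:uri); with qop=auth the nonce count
    // and client nonce are mixed in, with no qop the RFC 2069 form MD5(A1:nonce:A2) applies.
    static byte[] expectedDigest(String user, String realm, String password, String method,
                                 String uri, String nonce, String qop, String nc, String cnonce) {
        String a1 = hex(md5(user + ':' + realm + ':' + password));
        String a2 = hex(md5(method + ':' + uri));
        return qop == null
                ? md5(a1 + ':' + nonce + ':' + a2)
                : md5(a1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + a2);
    }

    // Constant-time comparison: an early-exit byte compare would let response timing reveal
    // how many leading bytes of a guessed digest were right.
    static boolean matches(byte[] expected, byte[] clientDigest) {
        return MessageDigest.isEqual(expected, clientDigest);
    }

    public static void main(String[] args) {
        // Constructed sample values; in a real authenticator the password comes from the
        // backend (for example the JdbcAuthenticator's password-query shown above).
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", nc = "00000001", cnonce = "0a4f113b";
        byte[] fromClient = expectedDigest("admin", "resin", "s3cret", "GET", "/admin/", nonce, "auth", nc, cnonce);
        byte[] badGuess = expectedDigest("admin", "resin", "wrong", "GET", "/admin/", nonce, "auth", nc, cnonce);
        System.out.println("stored password matches: " + matches(fromClient, fromClient));
        System.out.println("wrong password matches:  " + matches(badGuess, fromClient));
    }
}
```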

isUserInRole

public boolean isUserInRole(HttpServletRequest request,
                            HttpServletResponse response,
                            ServletContext application,
                            java.security.Principal user,
                            java.lang.String role)
                     throws ServletException
Description copied from interface: ServletAuthenticator
Returns true if the user plays the named role.

This method is called in response to the HttpServletRequest.isUserInRole call and for security-constraints that check the user role.

Specified by:
isUserInRole in interface ServletAuthenticator
Parameters:
request - the request testing the role.
application - the owning application
user - the user's Principal.
role - role name.
Throws:
ServletException

logout

public void logout(ServletContext application,
                   HttpSession timeoutSession,
                   java.lang.String sessionId,
                   java.security.Principal user)
            throws ServletException
Description copied from interface: ServletAuthenticator
Logs the user out from the given request.

Called via the session.logout() method.

Specified by:
logout in interface ServletAuthenticator
Parameters:
timeoutSession - for timeout, the session timing out; null if force logout
Throws:
ServletException