com.caucho.server.security
Class AbstractAuthenticator

java.lang.Object
  extended by com.caucho.server.security.AbstractAuthenticator
All Implemented Interfaces:
ServletAuthenticator, HandleAware, java.io.Serializable
Direct Known Subclasses:
AbstractAuthenticator, AbstractPasswordAuthenticator, AnonymousAuthenticator, JaasAuthenticator, JdbcAuthenticator, NullAuthenticator

public class AbstractAuthenticator
extends java.lang.Object
implements ServletAuthenticator, HandleAware, java.io.Serializable

All applications should extend AbstractAuthenticator to implement their custom authenticators. While this isn't absolutely required, it protects implementations from API changes.

The AbstractAuthenticator provides a single sign-on cache: a user logged into one web-app shares the same principal with the other web-apps served by the same authenticator. Authenticators that override logout should keep this in mind, since a principal that is not evicted from the cache remains usable by the other web-apps until the cache drops it.
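As an added example of the pattern this class is meant for (example code, not part of Resin or of this page): a subclass that stores a single credential form per user, A1 = MD5(username:realm:password), and uses it both for password logins (through loginImpl) and for HTTP Digest logins (through getDigestSecret). The package com.example.auth, the class name Ha1Authenticator, the addUser helper and the SimplePrincipal class are assumptions of the example. It also assumes that no PasswordDigest has been configured, so loginImpl receives the plaintext password, that the base class expects getDigestSecret to return the raw A1 bytes, and that the realm has been set with setPasswordDigestRealm before any user is added.

```java
package com.example.auth; // assumed package for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.caucho.server.security.AbstractAuthenticator;

/**
 * Example authenticator (not Resin code). Stores A1 = MD5(user:realm:password)
 * per user, the value HTTP Digest needs, and reuses it for password logins.
 * Assumes no PasswordDigest is configured (loginImpl then sees the plaintext
 * password) and that getDigestSecret must return the raw A1 bytes.
 */
public class Ha1Authenticator extends AbstractAuthenticator {
  // Constructed in-memory store: username -> A1 bytes. Real code loads this
  // from a database or file. Populate it only after setPasswordDigestRealm.
  private final Map<String, byte[]> a1ByUser = new ConcurrentHashMap<>();

  public void addUser(String user, String password) throws ServletException {
    a1ByUser.put(user, a1(user, getPasswordDigestRealm(), password));
  }

  /** Password (Basic/Form) login: recompute A1 from the offered password. */
  @Override
  protected Principal loginImpl(HttpServletRequest request,
                                HttpServletResponse response,
                                ServletContext application,
                                String user, String password)
    throws ServletException
  {
    if (user == null || password == null)
      return null;

    byte[] stored = a1ByUser.get(user);
    byte[] offered = a1(user, getPasswordDigestRealm(), password);

    // Compare against a dummy for unknown users so the failure path costs the
    // same time whether or not the username exists.
    if (stored == null)
      stored = new byte[offered.length];

    // MessageDigest.isEqual is constant-time; Arrays.equals is not.
    if (! MessageDigest.isEqual(stored, offered))
      return null;

    return new SimplePrincipal(user);
  }

  /** Digest login: hand the base class the stored A1 for this user and realm. */
  @Override
  protected byte[] getDigestSecret(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ServletContext application,
                                   String username, String realm, String algorithm)
    throws ServletException
  {
    // A1 is bound to the realm it was created for; a different realm cannot match.
    if (! Objects.equals(getPasswordDigestRealm(), realm))
      return null;

    // null for an unknown user (assumed to make the digest login fail).
    return a1ByUser.get(username);
  }

  private static byte[] a1(String user, String realm, String password)
    throws ServletException
  {
    try {
      String s = user + ":" + realm + ":" + password;
      return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
    } catch (NoSuchAlgorithmException e) {
      throw new ServletException(e);
    }
  }

  /** Minimal Principal for the example; Resin's own principal classes are not assumed. */
  private static final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return "SimplePrincipal[" + name + "]"; }
  }
}
```

If the realm is set by configuration after construction, users must be added afterwards, because A1 bakes the realm in. The dummy comparison for unknown users is deliberate: an early return on a missing user would let a client enumerate usernames by timing the failure path.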

See Also:
Serialized Form

Field Summary
protected  PasswordDigest _passwordDigest
           
protected  java.lang.String _passwordDigestAlgorithm
           
protected  java.lang.String _passwordDigestRealm
           
protected  LruCache<java.lang.String,com.caucho.server.security.AbstractAuthenticator.PrincipalEntry> _principalCache
           
protected  int _principalCacheSize
           
static java.lang.String LOGIN_NAME
           
 
Constructor Summary
AbstractAuthenticator()
           
 
Method Summary
 void addRoleMapping(java.security.Principal principal, java.lang.String role)
          Adds a role mapping.
protected  byte[] digest(java.lang.String value)
           
protected  java.lang.String getDigestPassword(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.lang.String username, java.lang.String realm)
          Returns the user's stored password for authenticators that leave the digest calculation to the base class.
protected  byte[] getDigestSecret(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.lang.String username, java.lang.String realm, java.lang.String algorithm)
          Returns the digest secret for Digest authentication.
 boolean getLogoutOnSessionTimeout()
          Returns true if the user should be logged out on a session timeout.
 PasswordDigest getPasswordDigest()
          Returns the password digest
 java.lang.String getPasswordDigest(HttpServletRequest request, HttpServletResponse response, ServletContext app, java.lang.String user, java.lang.String password)
          Returns the digest view of the password.
 java.lang.String getPasswordDigestAlgorithm()
          Returns the password digest algorithm
 java.lang.String getPasswordDigestRealm()
          Returns the password digest realm
 int getPrincipalCacheSize()
          Returns the size of the principal cache.
 java.security.Principal getUserPrincipal(HttpServletRequest request, HttpServletResponse response, ServletContext application)
          Grab the user from the request, assuming the user has already logged in.
protected  java.security.Principal getUserPrincipalImpl(HttpServletRequest request, ServletContext application)
          Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.
 void init()
          Initialize the authenticator with the application.
 boolean isUserInRole(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.security.Principal user, java.lang.String role)
          Returns true if the user plays the named role.
 java.security.Principal login(HttpServletRequest request, HttpServletResponse response, ServletContext app, java.lang.String user, java.lang.String password)
          Logs the user in with any appropriate password.
 java.security.Principal loginDigest(HttpServletRequest request, HttpServletResponse response, ServletContext app, java.lang.String user, java.lang.String realm, java.lang.String nonce, java.lang.String uri, java.lang.String qop, java.lang.String nc, java.lang.String cnonce, byte[] clientDigest)
          Validates the user when using HTTP Digest authentication.
 java.security.Principal loginDigestImpl(HttpServletRequest request, HttpServletResponse response, ServletContext app, java.lang.String user, java.lang.String realm, java.lang.String nonce, java.lang.String uri, java.lang.String qop, java.lang.String nc, java.lang.String cnonce, byte[] clientDigest)
          Validates the user when using HTTP Digest authentication.
protected  java.security.Principal loginImpl(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.lang.String user, java.lang.String password)
          Authenticate (login) the user.
 void logout(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.security.Principal user)
          Deprecated.  
 void logout(ServletContext application, HttpSession timeoutSession, java.lang.String sessionId, java.security.Principal user)
          Logs the user out from the session.
 void logout(ServletContext application, java.lang.String sessionId, java.security.Principal user)
          Deprecated.  
 void setLogoutOnSessionTimeout(boolean logout)
          Set to true if the principal should be logged out when the session times out.
 void setPasswordDigest(PasswordDigest digest)
          Sets the password digest.
 void setPasswordDigestAlgorithm(java.lang.String digest)
          Sets the password digest algorithm.
 void setPasswordDigestRealm(java.lang.String realm)
          Sets the password digest realm.
 void setPrincipalCacheSize(int size)
          Sets the size of the principal cache.
 void setSerializationHandle(java.lang.Object handle)
          Sets the serialization handle
protected  byte[] stringToDigest(java.lang.String digest)
           
 java.lang.String toString()
           
 java.lang.Object writeReplace()
          Serialize to the handle
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

LOGIN_NAME

public static final java.lang.String LOGIN_NAME
See Also:
Constant Field Values

_principalCacheSize

protected int _principalCacheSize

_principalCache

protected LruCache<java.lang.String,com.caucho.server.security.AbstractAuthenticator.PrincipalEntry> _principalCache

_passwordDigestAlgorithm

protected java.lang.String _passwordDigestAlgorithm

_passwordDigestRealm

protected java.lang.String _passwordDigestRealm

_passwordDigest

protected PasswordDigest _passwordDigest

Constructor Detail

AbstractAuthenticator

public AbstractAuthenticator()

Method Detail

getPrincipalCacheSize

public int getPrincipalCacheSize()
Returns the size of the principal cache.


setPrincipalCacheSize

public void setPrincipalCacheSize(int size)
Sets the size of the principal cache.


getPasswordDigest

public PasswordDigest getPasswordDigest()
Returns the password digest


setPasswordDigest

public void setPasswordDigest(PasswordDigest digest)
Sets the password digest. The password digest is of the form "algorithm-format", e.g. "MD5-base64".


getPasswordDigestAlgorithm

public java.lang.String getPasswordDigestAlgorithm()
Returns the password digest algorithm


setPasswordDigestAlgorithm

public void setPasswordDigestAlgorithm(java.lang.String digest)
Sets the password digest algorithm. The password digest is of the form "algorithm-format", e.g. "MD5-base64". The digest configured here determines the form in which stored passwords are compared. MD5 is what HTTP Digest authentication (RFC 2617) requires, but as a fast, unsalted hash it gives stored credentials little protection if the credential store itself is exposed.


getPasswordDigestRealm

public java.lang.String getPasswordDigestRealm()
Returns the password digest realm


setPasswordDigestRealm

public void setPasswordDigestRealm(java.lang.String realm)
Sets the password digest realm.


getLogoutOnSessionTimeout

public boolean getLogoutOnSessionTimeout()
Returns true if the user should be logged out on a session timeout.


setLogoutOnSessionTimeout

public void setLogoutOnSessionTimeout(boolean logout)
Set to true if the principal should be logged out when the session times out.


addRoleMapping

public void addRoleMapping(java.security.Principal principal,
                           java.lang.String role)
Adds a role mapping.


init

public void init()
          throws ServletException
Initialize the authenticator with the application.

Specified by:
init in interface ServletAuthenticator
Throws:
ServletException

login

public java.security.Principal login(HttpServletRequest request,
                                     HttpServletResponse response,
                                     ServletContext app,
                                     java.lang.String user,
                                     java.lang.String password)
                              throws ServletException
Logs the user in with any appropriate password.

Specified by:
login in interface ServletAuthenticator
Parameters:
request - servlet request
response - servlet response, in case any cookies need sending.
app - servlet application
user - the user name.
password - the user's input password.
Returns:
the logged in principal on success, null on failure.
Throws:
ServletException

getPasswordDigest

public java.lang.String getPasswordDigest(HttpServletRequest request,
                                          HttpServletResponse response,
                                          ServletContext app,
                                          java.lang.String user,
                                          java.lang.String password)
                                   throws ServletException
Returns the digest view of the password. The default uses the PasswordDigest class if one has been configured (see setPasswordDigest), and returns the plaintext password if not.

Throws:
ServletException

loginImpl

protected java.security.Principal loginImpl(HttpServletRequest request,
                                            HttpServletResponse response,
                                            ServletContext application,
                                            java.lang.String user,
                                            java.lang.String password)
                                     throws ServletException
Authenticate (login) the user.

Throws:
ServletException

loginDigest

public java.security.Principal loginDigest(HttpServletRequest request,
                                           HttpServletResponse response,
                                           ServletContext app,
                                           java.lang.String user,
                                           java.lang.String realm,
                                           java.lang.String nonce,
                                           java.lang.String uri,
                                           java.lang.String qop,
                                           java.lang.String nc,
                                           java.lang.String cnonce,
                                           byte[] clientDigest)
                                    throws ServletException
Validates the user when using HTTP Digest authentication. DigestLogin calls this method. Other AbstractLogin implementations, like BasicLogin and FormLogin, obtain a username and password from the client and authenticate through login instead.

HTTP Digest authentication (RFC 2617) calculates the expected digest as follows, with each MD5 value rendered as lowercase hex before it is fed into the next hash. The result is then compared with the client's digest.

 A1 = MD5(username + ':' + realm + ':' + password)
 A2 = MD5(method + ':' + uri)
 digest = MD5(A1 + ':' + nonce + ':' + A2)                                        (no qop)
 digest = MD5(A1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + A2)  (qop="auth")

Only A1 is needed on the server side, so the plaintext password never has to be available to the authenticator; see getDigestSecret.
 

Specified by:
loginDigest in interface ServletAuthenticator
Parameters:
request - the request trying to authenticate.
response - the response for setting headers and cookies.
app - the servlet context
user - the username
realm - the authentication realm
nonce - the nonce passed to the client during the challenge
uri - the protected URI, as sent in the client's Authorization header
qop - the quality of protection the client selected (e.g. "auth"), or null if the client sent none
nc - the hexadecimal nonce count, incremented by the client for every request that reuses the nonce
cnonce - the client nonce
clientDigest - the client's calculation of the digest
Returns:
the logged in principal if successful
Throws:
ServletException

loginDigestImpl

public java.security.Principal loginDigestImpl(HttpServletRequest request,
                                               HttpServletResponse response,
                                               ServletContext app,
                                               java.lang.String user,
                                               java.lang.String realm,
                                               java.lang.String nonce,
                                               java.lang.String uri,
                                               java.lang.String qop,
                                               java.lang.String nc,
                                               java.lang.String cnonce,
                                               byte[] clientDigest)
                                        throws ServletException
Validates the user when using HTTP Digest authentication. The digest is calculated as for loginDigest (RFC 2617), with each MD5 value rendered as lowercase hex before it is concatenated, and then compared with the client digest:
 A1 = MD5(username + ':' + realm + ':' + password)
 A2 = MD5(method + ':' + uri)
 digest = MD5(A1 + ':' + nonce + ':' + A2)                                        (no qop)
 digest = MD5(A1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + A2)  (qop="auth")
 

Parameters:
request - the request trying to authenticate.
response - the response for setting headers and cookies.
app - the servlet context
user - the username
realm - the authentication realm
nonce - the nonce passed to the client during the challenge
uri - the protected URI, as sent in the client's Authorization header
qop - the quality of protection the client selected (e.g. "auth"), or null if the client sent none
nc - the hexadecimal nonce count, incremented by the client for every request that reuses the nonce
cnonce - the client nonce
clientDigest - the client's calculation of the digest
Returns:
the logged in principal if successful
Throws:
ServletException
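The calculation described for loginDigest and loginDigestImpl, as an added example that is not Resin's code: a stand-alone class that derives A1, computes the expected response in both the no-qop and the qop="auth" forms, and compares it to the client's digest in constant time. The class name DigestResponseCheck and the sample exchange in main (user, realm, password, nonce, cnonce) are constructed for the example; it goes beyond the formula on this page only by spelling out the qop variant that the nc and cnonce parameters of these methods exist for.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not Resin code): the RFC 2617 response calculation behind
 * loginDigest/loginDigestImpl, with and without qop, plus a constant-time
 * comparison against the client's digest.
 */
public final class DigestResponseCheck {

  /** MD5 of a string as the raw 16 bytes. */
  static byte[] md5(String s) {
    try {
      return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("MD5 unavailable", e);
    }
  }

  /** Lowercase hex, the form RFC 2617 concatenates into the next hash. */
  static String hex(byte[] b) {
    StringBuilder sb = new StringBuilder(b.length * 2);
    for (byte x : b)
      sb.append(String.format("%02x", x));
    return sb.toString();
  }

  /** A1 = MD5(username ":" realm ":" password); the only secret the server must hold. */
  public static byte[] a1(String username, String realm, String password) {
    return md5(username + ":" + realm + ":" + password);
  }

  /** Expected response for one request, from A1 and the challenge/response parameters. */
  public static byte[] expectedResponse(byte[] a1, String method, String uri,
                                        String nonce, String qop, String nc, String cnonce) {
    String ha2 = hex(md5(method + ":" + uri));
    String data;
    if (qop == null || qop.isEmpty())
      data = hex(a1) + ":" + nonce + ":" + ha2;                                   // no qop
    else
      data = hex(a1) + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2; // qop=auth
    return md5(data);
  }

  /** Server-side check. MessageDigest.isEqual is constant-time, unlike Arrays.equals. */
  public static boolean matches(byte[] a1, String method, String uri, String nonce,
                                String qop, String nc, String cnonce, byte[] clientDigest) {
    if (clientDigest == null)
      return false;
    return MessageDigest.isEqual(expectedResponse(a1, method, uri, nonce, qop, nc, cnonce),
                                 clientDigest);
  }

  public static void main(String[] args) {
    // Constructed sample exchange, not captured traffic.
    String user = "alice", realm = "example", password = "correct horse";
    String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c0", cnonce = "0a4f113b", nc = "00000001";

    // Client side: has the password and answers the challenge for GET /protected/.
    byte[] clientResponse =
      expectedResponse(a1(user, realm, password), "GET", "/protected/", nonce, "auth", nc, cnonce);

    // Server side: holds only A1 and recomputes from the request it actually received.
    byte[] storedA1 = a1(user, realm, password);
    System.out.println("same request:  "
      + matches(storedA1, "GET", "/protected/", nonce, "auth", nc, cnonce, clientResponse));
    // The URI is bound into A2, so a response for one resource cannot be reused on another.
    System.out.println("uri changed:   "
      + matches(storedA1, "GET", "/admin/", nonce, "auth", nc, cnonce, clientResponse));
    // nc is bound into the digest; detecting an actual replay (the same nc twice) is
    // separate bookkeeping the server has to do per nonce.
    System.out.println("nc changed:    "
      + matches(storedA1, "GET", "/protected/", nonce, "auth", "00000002", cnonce, clientResponse));
  }
}
```

The first check succeeds and the two altered ones fail, which is the point of binding the URI and nonce count into the hash. What the arithmetic does not give you is nonce freshness: rejecting an expired nonce, or a nonce count that has already been seen, has to be done by the caller before or after this comparison.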

stringToDigest

protected byte[] stringToDigest(java.lang.String digest)

getDigestSecret

protected byte[] getDigestSecret(HttpServletRequest request,
                                 HttpServletResponse response,
                                 ServletContext application,
                                 java.lang.String username,
                                 java.lang.String realm,
                                 java.lang.String algorithm)
                          throws ServletException
Returns the digest secret for Digest authentication.

Throws:
ServletException

digest

protected byte[] digest(java.lang.String value)
                 throws ServletException
Throws:
ServletException

getDigestPassword

protected java.lang.String getDigestPassword(HttpServletRequest request,
                                             HttpServletResponse response,
                                             ServletContext application,
                                             java.lang.String username,
                                             java.lang.String realm)
                                      throws ServletException
Returns the user's stored password for authenticators that leave the digest calculation to the base class.

Throws:
ServletException

getUserPrincipal

public java.security.Principal getUserPrincipal(HttpServletRequest request,
                                                HttpServletResponse response,
                                                ServletContext application)
                                         throws ServletException
Grab the user from the request, assuming the user has already logged in. In other words, overriding methods could use cookies or the session to find the logged in principal, but shouldn't try to log the user in with form parameters.

Specified by:
getUserPrincipal in interface ServletAuthenticator
Parameters:
request - the servlet request.
response - the response for setting headers and cookies.
application - the servlet context
Returns:
a Principal representing the user or null if none has logged in.
Throws:
ServletException

getUserPrincipalImpl

protected java.security.Principal getUserPrincipalImpl(HttpServletRequest request,
                                                       ServletContext application)
                                                throws ServletException
Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.

Throws:
ServletException

isUserInRole

public boolean isUserInRole(HttpServletRequest request,
                            HttpServletResponse response,
                            ServletContext application,
                            java.security.Principal user,
                            java.lang.String role)
                     throws ServletException
Returns true if the user plays the named role.

Specified by:
isUserInRole in interface ServletAuthenticator
Parameters:
request - the servlet request
user - the user to test
role - the role to test
application - the owning application
Throws:
ServletException

logout

public void logout(ServletContext application,
                   HttpSession timeoutSession,
                   java.lang.String sessionId,
                   java.security.Principal user)
            throws ServletException
Logs the user out from the session.

Specified by:
logout in interface ServletAuthenticator
Parameters:
application - the application
timeoutSession - the session timing out, null if not a timeout logout
sessionId - the id of the session being logged out
user - the logged in user
Throws:
ServletException

logout

public void logout(HttpServletRequest request,
                   HttpServletResponse response,
                   ServletContext application,
                   java.security.Principal user)
            throws ServletException
Deprecated. 

Logs the user out from the session.

Parameters:
request - the servlet request
response - the servlet response
application - the application
user - the logged in user
Throws:
ServletException

logout

public void logout(ServletContext application,
                   java.lang.String sessionId,
                   java.security.Principal user)
            throws ServletException
Deprecated. 

Logs the user out from the session.

Parameters:
application - the application
sessionId - the id of the session being logged out
user - the logged in user
Throws:
ServletException

setSerializationHandle

public void setSerializationHandle(java.lang.Object handle)
Sets the serialization handle

Specified by:
setSerializationHandle in interface HandleAware

writeReplace

public java.lang.Object writeReplace()
Serialize to the handle


toString

public java.lang.String toString()
Overrides:
toString in class java.lang.Object