Class JaspiAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.security.jaspi.JaspiAuthenticator

All Implemented Interfaces:

Authenticator

public class JaspiAuthenticator
extends LoginAuthenticator

Version:

$Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $

Nested Class Summary

Nested classes/interfaces inherited from interface Authenticator

Authenticator.AuthConfiguration, Authenticator.Factory

Field Summary

Fields

Modifier and Type	Field	Description
private final boolean	_allowLazyAuthentication
private final javax.security.auth.message.config.ServerAuthConfig	_authConfig
private final Map	_authProperties
private final ServletCallbackHandler	_callbackHandler
private final IdentityService	_identityService
private final Subject	_serviceSubject
private static final Logger	LOG

Fields inherited from class LoginAuthenticator

_loginService

Constructor Summary

Constructors

Constructor	Description
JaspiAuthenticator(javax.security.auth.message.config.ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService)

Method Summary

Modifier and Type	Method	Description
String	getAuthMethod()
UserIdentity	login(String username, Object password, javax.servlet.ServletRequest request)	If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
boolean	secureResponse(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser)	is response secure
boolean	secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser)
void	setConfiguration(Authenticator.AuthConfiguration configuration)	Configure the Authenticator
Authentication	validateRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, boolean mandatory)	Validate a request
Authentication	validateRequest(JaspiMessageInfo messageInfo)

Methods inherited from class LoginAuthenticator

getLoginService, logout, prepareRequest, renewSession

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOG

private static final Logger LOG

_authConfig

private final javax.security.auth.message.config.ServerAuthConfig _authConfig

_authProperties

private final Map _authProperties

_callbackHandler

private final ServletCallbackHandler _callbackHandler

_serviceSubject

private final Subject _serviceSubject

_allowLazyAuthentication

private final boolean _allowLazyAuthentication

_identityService

private final IdentityService _identityService

Constructor Details

JaspiAuthenticator

public JaspiAuthenticator(javax.security.auth.message.config.ServerAuthConfig authConfig,
 Map authProperties,
 ServletCallbackHandler callbackHandler,
 Subject serviceSubject,
 boolean allowLazyAuthentication,
 IdentityService identityService)

Method Details

setConfiguration

public void setConfiguration(Authenticator.AuthConfiguration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

configuration - the configuration

getAuthMethod

public String getAuthMethod()

Returns:

The name of the authentication method

validateRequest

public Authentication validateRequest(javax.servlet.ServletRequest request,
 javax.servlet.ServletResponse response,
 boolean mandatory)
                               throws ServerAuthException

Description copied from interface: Authenticator

Validate a request

Parameters:

request - The request

response - The response

mandatory - True if authentication is mandatory.

Returns:

An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.

Throws:

ServerAuthException - if unable to validate request

secureResponse

public boolean secureResponse(javax.servlet.ServletRequest req,
 javax.servlet.ServletResponse res,
 boolean mandatory,
 Authentication.User validatedUser)
                       throws ServerAuthException

Description copied from interface: Authenticator

is response secure

Parameters:

req - the request

res - the response

mandatory - if security is mandator

validatedUser - the user that was validated

Returns:

true if response is secure

Throws:

ServerAuthException - if unable to test response

login

public UserIdentity login(String username,
 Object password,
 javax.servlet.ServletRequest request)

Description copied from class: LoginAuthenticator

If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

password - the user's credential

request - the inbound request that needs authentication

See Also:

• LoginAuthenticator.login(java.lang.String, java.lang.Object, javax.servlet.ServletRequest)

validateRequest

public Authentication validateRequest(JaspiMessageInfo messageInfo)
                               throws ServerAuthException

Throws:

ServerAuthException

secureResponse

public boolean secureResponse(JaspiMessageInfo messageInfo,
 Authentication validatedUser)
                       throws ServerAuthException

Throws:

ServerAuthException