com.caucho.security
Class AbstractLogin

java.lang.Object
  extended by com.caucho.security.AbstractLogin
All Implemented Interfaces:
Login
Direct Known Subclasses:
AbstractLogin, BasicLogin, ClientCertLogin, DigestLogin, FormLogin

public abstract class AbstractLogin
extends java.lang.Object
implements Login

Used to authenticate users in a servlet request. AbstractLogin handles the different login types like "basic" or "form". Normally, a Login will delegate the actual authentication to a ServletAuthenticator.

The Login is primarily responsible for extracting the credentials from the request (typically username and password) and passing those to the ServletAuthenticator.

The Servlet API calls the Login in two contexts: directly from ServletRequest.getUserPrincipal(), and during security checking. When called from the Servlet API, the login class can't change the response. In other words, if an application calls getUserPrincipal(), the Login class can't return a forbidden error page. When the servlet engine calls authenticate(), the login class can return an error page (or forward internally).

Normally, Login implementations will defer the actual authentication to a ServletAuthenticator class. That way, both "basic" and "form" login can use the same DatabaseAuthenticator. Some applications, like SSL client certificate login, may want to combine the Login and authentication into one class.

Login instances are configured through bean introspection. A public setFoo(String foo) method on the Login class is configured with the following login-config:

 <myfoo:CustomLogin xmlns:myfoo="urn:java:com.foo.myfoo">
   <foo>bar</foo>
 </myfoo:CustomLogin>
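As an added illustration (not code from the Resin javadoc or the Resin project), the following subclass extracts a credential from a request header, delegates the check to the configured Authenticator, and keeps response writes confined to the challenge. The class name, the `headerName` property, and the `Authenticator.authenticate(Principal, Credentials, Object)`, `BasicPrincipal` and `PasswordCredentials` signatures are assumptions, not taken from this page.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.caucho.security.AbstractLogin;
import com.caucho.security.Authenticator;
import com.caucho.security.BasicPrincipal;      // assumed Resin 4 class
import com.caucho.security.PasswordCredentials; // assumed Resin 4 class

// Configured via bean introspection, e.g. <headerName>X-Api-Key</headerName>
// inside <myfoo:HeaderTokenLogin xmlns:myfoo="urn:java:com.foo.myfoo">.
public class HeaderTokenLogin extends AbstractLogin {
  private String _headerName = "X-Api-Key";

  public void setHeaderName(String headerName) { _headerName = headerName; }

  @Override
  public String getAuthType() { return "HEADER_TOKEN"; }

  @Override
  public boolean isPasswordBased() { return false; }

  // Only claim requests carrying the header, so a FormLogin configured
  // alongside still handles browser sessions.
  @Override
  public boolean isLoginUsedForRequest(HttpServletRequest request) {
    return request.getHeader(_headerName) != null;
  }

  // Extracts credentials without touching the response, so it is safe on the
  // getUserPrincipal() path; actual checking is delegated to the Authenticator
  // (authenticate(Principal, Credentials, Object) is assumed, not from the page).
  @Override
  protected Principal getLoginPrincipalImpl(HttpServletRequest request) {
    String token = request.getHeader(_headerName);
    if (token == null) return null;
    int sep = token.indexOf(':');                 // expected "clientId:secret"
    if (sep <= 0 || sep == token.length() - 1) return null;
    Authenticator auth = getAuthenticator();
    if (auth == null) return null;
    return auth.authenticate(new BasicPrincipal(token.substring(0, sep)),
                             new PasswordCredentials(token.substring(sep + 1)),
                             request);
  }

  // The challenge is the only place this login may write to the response.
  @Override
  protected void loginChallenge(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  }
}
```

Because the header check lives in isLoginUsedForRequest, requests without the header fall through to whatever other Login the web-app has configured instead of being rejected by this one.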
 

Since:
Resin 4.0.0

Field Summary
protected  Authenticator _auth
          The configured authenticator for the login.
protected  SingleSignon _singleSignon
           
 
Fields inherited from interface com.caucho.security.Login
LOGIN_PASSWORD, LOGIN_USER, LOGIN_USER_NAME
 
Constructor Summary
protected AbstractLogin()
           
 
Method Summary
protected  java.security.Principal findSavedUser(HttpServletRequest request)
          Looks up the user based on session or single signon.
 Authenticator getAuthenticator()
          Gets the authenticator.
 java.lang.String getAuthType()
          Returns the authentication type.
protected  java.security.Principal getLoginPrincipalImpl(HttpServletRequest request)
          Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.
protected  SingleSignon getSingleSignon()
           
 java.security.Principal getUserPrincipal(HttpServletRequest request)
          Returns the Principal associated with the current request.
protected  java.security.Principal getUserPrincipalImpl(HttpServletRequest request)
          Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.
 void init()
          Initialize the login.
 boolean isLoginUsedForRequest(HttpServletRequest request)
          Returns true if the login can be used for this request.
 boolean isLogoutOnSessionTimeout()
          Returns true if the user should be logged out on a session timeout.
 boolean isPasswordBased()
          Returns true if username and password based authentication is supported.
protected  boolean isSavedUserValid(HttpServletRequest request, java.security.Principal savedUser)
          Returns the non-authenticated principal for the user request
 boolean isSessionSaveLogin()
          Returns true if the user should be saved in the session.
 boolean isUserInRole(java.security.Principal user, java.lang.String role)
          Returns true if the current user plays the named role.
protected  java.security.Principal login(HttpServletRequest request, HttpServletResponse response)
          Attempts to login the user if the user cannot be found in the session or the single-signon.
 java.security.Principal login(HttpServletRequest request, HttpServletResponse response, boolean isFail)
          Logs a user in.
protected  void loginChallenge(HttpServletRequest request, HttpServletResponse response)
          Implementation of the login challenge
protected  void loginSuccessResponse(java.security.Principal user, HttpServletRequest request, HttpServletResponse response)
          HTTP updates after a successful login
 void logout(java.security.Principal user, HttpServletRequest request, HttpServletResponse response)
          Logs the user out from the given request.
protected  void logoutImpl(java.security.Principal user, HttpServletRequest request, HttpServletResponse response)
          Logs the user out from the given request.
protected  void saveUser(HttpServletRequest request, java.security.Principal user)
          Saves the user based on session or single signon.
 void sessionInvalidate(HttpSession session, boolean isTimeout)
          Called when the session invalidates.
 void setAuthenticator(Authenticator auth)
          Sets the authenticator.
 void setLogoutOnSessionTimeout(boolean logout)
          Sets true if the principal should logout when the session times out.
 void setSessionSaveLogin(boolean isSave)
          Sets true if the user should be saved in the session.
 java.lang.String toString()
          Logs the user out from the session.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

_auth

protected Authenticator _auth
The configured authenticator for the login. Implementing classes will typically delegate calls to the authenticator after extracting the username and password.


_singleSignon

protected SingleSignon _singleSignon
Constructor Detail

AbstractLogin

protected AbstractLogin()
Method Detail

setAuthenticator

public void setAuthenticator(Authenticator auth)
Sets the authenticator.


getAuthenticator

public Authenticator getAuthenticator()
Gets the authenticator.

Specified by:
getAuthenticator in interface Login

getSingleSignon

protected SingleSignon getSingleSignon()

isLogoutOnSessionTimeout

public boolean isLogoutOnSessionTimeout()
Returns true if the user should be logged out on a session timeout.


setLogoutOnSessionTimeout

public void setLogoutOnSessionTimeout(boolean logout)
Sets true if the principal should logout when the session times out.


setSessionSaveLogin

public void setSessionSaveLogin(boolean isSave)
Sets true if the user should be saved in the session.


isSessionSaveLogin

public boolean isSessionSaveLogin()
Returns true if the user should be saved in the session.


init

@PostConstruct
public void init()
          throws ServletException
Initialize the login. init() will be called after all the bean parameters have been set.

Throws:
ServletException

getAuthType

public java.lang.String getAuthType()
Returns the authentication type. getAuthType is called by HttpServletRequest.getAuthType.

Specified by:
getAuthType in interface Login

isLoginUsedForRequest

public boolean isLoginUsedForRequest(HttpServletRequest request)
Returns true if the login can be used for this request. This lets webapps use multiple login methods.

Specified by:
isLoginUsedForRequest in interface Login

getUserPrincipal

public java.security.Principal getUserPrincipal(HttpServletRequest request)
Returns the Principal associated with the current request. getUserPrincipal is called in response to the Request.getUserPrincipal call. Login.getUserPrincipal can't modify the response or return an error page.

authenticate is used for the security checks.

Specified by:
getUserPrincipal in interface Login
Parameters:
request - servlet request
Returns:
the logged in principal on success, null on failure.

login

public java.security.Principal login(HttpServletRequest request,
                                     HttpServletResponse response,
                                     boolean isFail)
Logs a user in. The authenticate method is called during the security check. If the user does not exist, authenticate sets the response error page and returns null.

Specified by:
login in interface Login
Parameters:
request - servlet request
response - servlet response for a failed authentication.
isFail - if true, send a challenge (form, HTTP Basic, etc.)
Returns:
the logged in principal on success, null on failure.

login

protected java.security.Principal login(HttpServletRequest request,
                                        HttpServletResponse response)
Attempts to login the user if the user cannot be found in the session or the single-signon.


findSavedUser

protected java.security.Principal findSavedUser(HttpServletRequest request)
Looks up the user based on session or single signon.


saveUser

protected void saveUser(HttpServletRequest request,
                        java.security.Principal user)
Saves the user based on session or single signon.


isPasswordBased

public boolean isPasswordBased()
Description copied from interface: Login
Returns true if username and password based authentication is supported.

Specified by:
isPasswordBased in interface Login
See Also:
BasicLogin

getUserPrincipalImpl

protected java.security.Principal getUserPrincipalImpl(HttpServletRequest request)
Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.


isSavedUserValid

protected boolean isSavedUserValid(HttpServletRequest request,
                                   java.security.Principal savedUser)
Returns the non-authenticated principal for the user request


getLoginPrincipalImpl

protected java.security.Principal getLoginPrincipalImpl(HttpServletRequest request)
Gets the user from a persistent cookie, using authenticateCookie to actually look the cookie up.


loginChallenge

protected void loginChallenge(HttpServletRequest request,
                              HttpServletResponse response)
                       throws ServletException,
                              java.io.IOException
Implementation of the login challenge

Throws:
ServletException
java.io.IOException

loginSuccessResponse

protected void loginSuccessResponse(java.security.Principal user,
                                    HttpServletRequest request,
                                    HttpServletResponse response)
                             throws ServletException,
                                    java.io.IOException
HTTP updates after a successful login

Throws:
ServletException
java.io.IOException

isUserInRole

public boolean isUserInRole(java.security.Principal user,
                            java.lang.String role)
Returns true if the current user plays the named role. isUserInRole is called in response to the HttpServletRequest.isUserInRole call.

Specified by:
isUserInRole in interface Login
Parameters:
user - UserPrincipal object associated with request
role - to be tested
Returns:
the logged in principal on success, null on failure.

logout

public void logout(java.security.Principal user,
                   HttpServletRequest request,
                   HttpServletResponse response)
Logs the user out from the given request.

Since there is no servlet API for logout, this must be called directly from user code. Resin stores the web-app's login object in the ServletContext attribute "caucho.login".

Specified by:
logout in interface Login

sessionInvalidate

public void sessionInvalidate(HttpSession session,
                              boolean isTimeout)
Called when the session invalidates.

Specified by:
sessionInvalidate in interface Login

logoutImpl

protected void logoutImpl(java.security.Principal user,
                          HttpServletRequest request,
                          HttpServletResponse response)
Logs the user out from the given request.

Since there is no servlet API for logout, this must be called directly from user code. Resin stores the web-app's login object in the ServletContext attribute "caucho.login".


toString

public java.lang.String toString()
Logs the user out from the session.

Overrides:
toString in class java.lang.Object
Parameters:
user - the logged in user