AbstractLogin (Resin 3.2.s080828)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.caucho.server.security
Class AbstractLogin

java.lang.Object
  com.caucho.server.security.AbstractLogin

All Implemented Interfaces:: LoginFilter

Direct Known Subclasses:: BasicLogin, ClientCertLogin, DigestLogin, FormLogin

public abstract class AbstractLogin
extends java.lang.Object
implements LoginFilter
extends java.lang.Object
implements LoginFilter

Used to authenticate users in a servlet request. AbstractLogin handles the different login types like "basic" or "form". Normally, a Login will delegate the actual authentication to a ServletAuthenticator.

The Login is primarily responsible for extracting the credentials from the request (typically username and password) and passing those to the ServletAuthenticator.

The Servlet API calls the Login in two contexts: directly from ServletRequest.getUserPrincipal(), and during security checking. When called from the Servlet API, the login class can't change the response. In other words, if an application calls getUserPrincipal(), the Login class can't return a forbidden error page. When the servlet engine calls authenticate(), the login class can return an error page (or forward internally.)

Normally, Login implementations will defer the actual authentication to a ServletAuthenticator class. That way, both "basic" and "form" login can use the same JdbcAuthenticator. Some applications, like SSL client certificate login, may want to combine the Login and authentication into one class.

Login instances are configured through bean introspection. Adding a public setFoo(String foo) method will be configured with the following login-config:

 <login-config>
   <class-name>test.CustomLogin</class-name>
   <foo>bar</bar>
 </login-config>

Since:: Resin 2.0.2

Field Summary
`protected ServletAuthenticator`	`_auth` The configured authenticator for the login.
`protected static java.util.logging.Logger`	`log`

Constructor Summary
`AbstractLogin()`

Method Summary
`java.security.Principal`	`authenticate(HttpServletRequest request, HttpServletResponse response, ServletContext application)` Logs a user in.
`ServletAuthenticator`	`getAuthenticator()` Gets the authenticator.
`java.lang.String`	`getAuthType()` Returns the authentication type.
`java.security.Principal`	`getUserPrincipal(HttpServletRequest request, HttpServletResponse response, ServletContext application)` Returns the Principal associated with the current request.
`void`	`init()` Initialize the login.
`boolean`	`isUserInRole(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.security.Principal user, java.lang.String role)` Returns true if the current user plays the named role.
`void`	`logout(HttpServletRequest request, HttpServletResponse response, ServletContext application)` Logs the user out from the given request.
`void`	`setAuthenticator(ServletAuthenticator auth)` Sets the authenticator.
`java.lang.String`	`toString()`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait`

Field Detail

log

protected static final java.util.logging.Logger log

_auth

protected ServletAuthenticator _auth

The configured authenticator for the login. Implementing classes will typically delegate calls to the authenticator after extracting the username and password.

Constructor Detail

AbstractLogin

public AbstractLogin()

Method Detail

setAuthenticator

public void setAuthenticator(ServletAuthenticator auth)

Sets the authenticator.

getAuthenticator

public ServletAuthenticator getAuthenticator()

Gets the authenticator.

init

public void init()
          throws ServletException

Initialize the login. init() will be called after all the bean parameters have been set.

Throws:: ServletException

getAuthType

public java.lang.String getAuthType()

Returns the authentication type. getAuthType is called by HttpServletRequest.getAuthType.

authenticate

public java.security.Principal authenticate(HttpServletRequest request,
                                            HttpServletResponse response,
                                            ServletContext application)
                                     throws ServletException,
                                            java.io.IOException

Logs a user in. The authenticate method is called during the security check. If the user does not exist, authenticate sets the reponse error page and returns null.

Parameters:: request - servlet request; response - servlet response for a failed authentication.; application - servlet application
Returns:: the logged in principal on success, null on failure.
Throws:: ServletException; java.io.IOException

getUserPrincipal

public java.security.Principal getUserPrincipal(HttpServletRequest request,
                                                HttpServletResponse response,
                                                ServletContext application)
                                         throws ServletException

Returns the Principal associated with the current request. getUserPrincipal is called in response to the Request.getUserPrincipal call. Login.getUserPrincipal can't modify the response or return an error page.

authenticate is used for the security checks.

Parameters:: request - servlet request; application - servlet application
Returns:: the logged in principal on success, null on failure.
Throws:: ServletException

isUserInRole

public boolean isUserInRole(HttpServletRequest request,
                            HttpServletResponse response,
                            ServletContext application,
                            java.security.Principal user,
                            java.lang.String role)
                     throws ServletException

Returns true if the current user plays the named role. isUserInRole is called in response to the HttpServletRequest.isUserInRole call.

Parameters:: request - servlet request; application - servlet application
Returns:: the logged in principal on success, null on failure.
Throws:: ServletException

logout

public void logout(HttpServletRequest request,
                   HttpServletResponse response,
                   ServletContext application)
            throws ServletException

Logs the user out from the given request.

Since there is no servlet API for logout, this must be called directly from user code. Resin stores the web-app's login object in the ServletContext attribute "caucho.login".

Throws:: ServletException

toString

public java.lang.String toString()

Overrides:: toString in class java.lang.Object