Class LoginAuthenticator
java.lang.Object
org.eclipse.jetty.security.authentication.LoginAuthenticator
- All Implemented Interfaces:
Authenticator
- Direct Known Subclasses:
BasicAuthenticator
,ClientCertAuthenticator
,ConfigurableSpnegoAuthenticator
,DigestAuthenticator
,FormAuthenticator
,JaspiAuthenticator
,OpenIdAuthenticator
,SslClientCertAuthenticator
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator
Authenticator.AuthConfiguration, Authenticator.Factory
-
Field Summary
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionIf the UserIdentity is not null after this method callsLoginService.login(String, Object, ServletRequest)
, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.void
logout
(jakarta.servlet.ServletRequest request) void
prepareRequest
(jakarta.servlet.ServletRequest request) Called prior to validateRequest.protected jakarta.servlet.http.HttpSession
renewSession
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Change the session id.void
setConfiguration
(Authenticator.AuthConfiguration configuration) Configure the AuthenticatorMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.eclipse.jetty.security.Authenticator
getAuthMethod, secureResponse, validateRequest
-
Field Details
-
_loginService
-
_identityService
-
-
Constructor Details
-
LoginAuthenticator
protected LoginAuthenticator()
-
-
Method Details
-
prepareRequest
public void prepareRequest(jakarta.servlet.ServletRequest request) Description copied from interface:Authenticator
Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.- Specified by:
prepareRequest
in interfaceAuthenticator
- Parameters:
request
- the request to manipulate
-
login
public UserIdentity login(String username, Object password, jakarta.servlet.ServletRequest servletRequest) If the UserIdentity is not null after this method callsLoginService.login(String, Object, ServletRequest)
, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.- Parameters:
username
- the username of the client to be authenticatedpassword
- the user's credentialservletRequest
- the inbound request that needs authentication
-
logout
public void logout(jakarta.servlet.ServletRequest request) -
setConfiguration
Description copied from interface:Authenticator
Configure the Authenticator- Specified by:
setConfiguration
in interfaceAuthenticator
- Parameters:
configuration
- the configuration
-
getLoginService
-
renewSession
protected jakarta.servlet.http.HttpSession renewSession(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Change the session id. The session is changed to a new instance with a new ID if and only if:- A session exists.
- The
Authenticator.AuthConfiguration.isSessionRenewedOnAuthentication()
returns true. - The session ID has been given to unauthenticated responses
- Parameters:
request
- the requestresponse
- the response- Returns:
- The new session.
-