Package org.eclipse.jetty.security.jaspi
Class JaspiAuthenticator
java.lang.Object
org.eclipse.jetty.security.authentication.LoginAuthenticator
org.eclipse.jetty.security.jaspi.JaspiAuthenticator
- All Implemented Interfaces:
Authenticator
Implementation of Jetty
LoginAuthenticator
that is a bridge from Jakarta Authentication to Jetty Security.-
Nested Class Summary
Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator
Authenticator.AuthConfiguration, Authenticator.Factory
-
Field Summary
Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
_loginService
-
Constructor Summary
ConstructorDescriptionJaspiAuthenticator
(jakarta.security.auth.message.config.ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService) Deprecated.JaspiAuthenticator
(Subject serviceSubject, String appContext, boolean allowLazyAuthentication) -
Method Summary
Modifier and TypeMethodDescriptionIf the UserIdentity is not null after this method callsLoginService.login(String, Object, ServletRequest)
, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.boolean
secureResponse
(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser) is response secureboolean
secureResponse
(JaspiMessageInfo messageInfo, Authentication validatedUser) void
setConfiguration
(Authenticator.AuthConfiguration configuration) Configure the AuthenticatorvalidateRequest
(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, boolean mandatory) Validate a requestvalidateRequest
(JaspiMessageInfo messageInfo) Methods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
getLoginService, logout, prepareRequest, renewSession
-
Constructor Details
-
JaspiAuthenticator
-
JaspiAuthenticator
@Deprecated public JaspiAuthenticator(jakarta.security.auth.message.config.ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService) Deprecated.
-
-
Method Details
-
setConfiguration
Description copied from interface:Authenticator
Configure the Authenticator- Specified by:
setConfiguration
in interfaceAuthenticator
- Overrides:
setConfiguration
in classLoginAuthenticator
- Parameters:
configuration
- the configuration
-
getAuthMethod
- Returns:
- The name of the authentication method
-
login
Description copied from class:LoginAuthenticator
If the UserIdentity is not null after this method callsLoginService.login(String, Object, ServletRequest)
, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.- Overrides:
login
in classLoginAuthenticator
- Parameters:
username
- the username of the client to be authenticatedpassword
- the user's credentialrequest
- the inbound request that needs authentication
-
validateRequest
public Authentication validateRequest(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, boolean mandatory) throws ServerAuthException Description copied from interface:Authenticator
Validate a request- Parameters:
request
- The requestresponse
- The responsemandatory
- True if authentication is mandatory.- Returns:
- An Authentication. If Authentication is successful, this will be a
Authentication.User
. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implementAuthentication.ResponseSent
. If Authentication is not mandatory, then aAuthentication.Deferred
may be returned. - Throws:
ServerAuthException
- if unable to validate request
-
validateRequest
- Throws:
ServerAuthException
-
secureResponse
public boolean secureResponse(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser) throws ServerAuthException Description copied from interface:Authenticator
is response secure- Parameters:
req
- the requestres
- the responsemandatory
- if security is mandatorvalidatedUser
- the user that was validated- Returns:
- true if response is secure
- Throws:
ServerAuthException
- if unable to test response
-
secureResponse
public boolean secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser) throws ServerAuthException - Throws:
ServerAuthException
-