Class JaspiAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.ee11.security.jaspi.JaspiAuthenticator

All Implemented Interfaces:

Authenticator

public class JaspiAuthenticator
extends LoginAuthenticator

Implementation of Jetty LoginAuthenticator that is a bridge from Jakarta Authentication to Jetty Security.

Nested Class Summary

Nested classes/interfaces inherited from class LoginAuthenticator

LoginAuthenticator.LoggedOutAuthentication, LoginAuthenticator.UserAuthenticationSent, LoginAuthenticator.UserAuthenticationSucceeded

Nested classes/interfaces inherited from interface Authenticator

Authenticator.Configuration, Authenticator.Factory, Authenticator.NoOp

Field Summary

Fields inherited from class LoginAuthenticator

_loginService

Fields inherited from interface Authenticator

BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, MULTI_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SIWE_AUTH, SPNEGO_AUTH

Constructor Summary

Constructors

Constructor	Description
JaspiAuthenticator(jakarta.security.auth.message.config.ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService)	Deprecated.
JaspiAuthenticator(Subject serviceSubject, String appContext, boolean allowLazyAuthentication)

Method Summary

Modifier and Type	Method	Description
String	getAuthenticationType()
UserIdentity	login(String username, Object password, Request request, Response response)	If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
boolean	secureResponse(JaspiMessageInfo messageInfo, AuthenticationState validatedUser)
boolean	secureResponse(Request request, Response response, Callback callback, boolean mandatory, AuthenticationState.Succeeded validatedSucceeded)
void	setConfiguration(Authenticator.Configuration configuration)	Configure the Authenticator
AuthenticationState	validateRequest(JaspiMessageInfo messageInfo)
AuthenticationState	validateRequest(Request request, Response response, Callback callback)	Attempts to validate the authentication state of the given request.

Methods inherited from class LoginAuthenticator

getAuthorizationHeader, getChallengeHeader, getLoginService, getUnauthorizedStatusCode, isProxyMode, logout, setLoginService, setProxyMode, updateSession

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Authenticator

getConstraintAuthentication, prepareRequest

Constructor Details

JaspiAuthenticator

public JaspiAuthenticator(Subject serviceSubject,
 String appContext,
 boolean allowLazyAuthentication)

JaspiAuthenticator

@Deprecated
public JaspiAuthenticator(jakarta.security.auth.message.config.ServerAuthConfig authConfig,
 Map authProperties,
 ServletCallbackHandler callbackHandler,
 Subject serviceSubject,
 boolean allowLazyAuthentication,
 IdentityService identityService)

Deprecated.

Method Details

setConfiguration

public void setConfiguration(Authenticator.Configuration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

configuration - the configuration

getAuthenticationType

public String getAuthenticationType()

Returns:

The name of the authentication type

login

public UserIdentity login(String username,
 Object password,
 Request request,
 Response response)

Description copied from class: LoginAuthenticator

If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

password - the user's credential

request - the inbound request that needs authentication

validateRequest

public AuthenticationState validateRequest(Request request,
 Response response,
 Callback callback)
                                    throws ServerAuthException

Description copied from interface: Authenticator

Attempts to validate the authentication state of the given request.

If authentication is successful, an AuthenticationState.Succeeded is returned. If the authenticator has already committed a response (for either success or failure), the returned value will implement AuthenticationState.ResponseSent, and the provided Callback will be eventually be completed, otherwise the caller is responsible for completing the Callback.

A null return value indicates that no authentication state could be established, possibly because the response has already been committed.

Parameters:

request - the request to validate.

response - the response associated with the request.

callback - the callback to use for writing a response.

Returns:

an AuthenticationState, or null if authentication could not be resolved.

Throws:

ServerAuthException - if unable to validate request.

validateRequest

public AuthenticationState validateRequest(JaspiMessageInfo messageInfo)
                                    throws ServerAuthException

Throws:

ServerAuthException

secureResponse

public boolean secureResponse(Request request,
 Response response,
 Callback callback,
 boolean mandatory,
 AuthenticationState.Succeeded validatedSucceeded)
                       throws ServerAuthException

Throws:

ServerAuthException

secureResponse

public boolean secureResponse(JaspiMessageInfo messageInfo,
 AuthenticationState validatedUser)
                       throws ServerAuthException

Throws:

ServerAuthException