Class LoginAuthenticator

java.lang.Object

org.eclipse.jetty.ee8.security.authentication.LoginAuthenticator

All Implemented Interfaces:

Authenticator

Direct Known Subclasses:

BasicAuthenticator, ConfigurableSpnegoAuthenticator, DigestAuthenticator, FormAuthenticator, JaspiAuthenticator, OpenIdAuthenticator, SslClientCertAuthenticator

public abstract class LoginAuthenticator
extends Object
implements Authenticator

Nested Class Summary

Nested classes/interfaces inherited from interface Authenticator

Authenticator.AuthConfiguration, Authenticator.Factory

Field Summary

Fields

Modifier and Type	Field	Description
protected IdentityService	_identityService
protected LoginService	_loginService

Fields inherited from interface Authenticator

BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SPNEGO_AUTH

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	LoginAuthenticator()

Method Summary

Modifier and Type	Method	Description
HttpHeader	getAuthorizationHeader()
HttpHeader	getChallengeHeader()
LoginService	getLoginService()
int	getUnauthorizedStatusCode()
boolean	isProxyMode()
UserIdentity	login(String username, Object password, javax.servlet.ServletRequest servletRequest)	If the UserIdentity returned from LoginService.login(String, Object, org.eclipse.jetty.server.Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
void	logout(javax.servlet.ServletRequest request)
void	prepareRequest(javax.servlet.ServletRequest request)	Called prior to validateRequest.
protected javax.servlet.http.HttpSession	renewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Change the session id.
void	setConfiguration(Authenticator.AuthConfiguration configuration)	Configure the Authenticator
void	setProxyMode(boolean proxy)	Sets the authenticator to operate in proxy authentication mode.

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Authenticator

getAuthMethod, secureResponse, validateRequest

Field Details

_loginService

protected LoginService _loginService

_identityService

protected IdentityService _identityService

Constructor Details

LoginAuthenticator

protected LoginAuthenticator()

Method Details

isProxyMode

public boolean isProxyMode()

Returns:

true if this authenticator is in proxy mode.

See Also:

• setProxyMode(boolean)

setProxyMode

public void setProxyMode(boolean proxy)

Sets the authenticator to operate in proxy authentication mode.

When set to true, this mode changes the behavior of the authentication helpers:

• getChallengeHeader() will return Proxy-Authenticate.
• getUnauthorizedStatusCode() will return 407.
• getAuthorizationHeader() will return the Proxy-Authorization header.

The default is false, which uses the standard WWW-Authenticate and Authorization headers with a 401 status code.

Parameters:

proxy - true to enable proxy authentication mode.

getAuthorizationHeader

public HttpHeader getAuthorizationHeader()

Returns:

The authorization header to read credentials from, either Authorization or Proxy-Authorization, depending on the proxy mode.

See Also:

• setProxyMode(boolean)

getChallengeHeader

public HttpHeader getChallengeHeader()

Returns:

The challenge header to send to the client, either WWW-Authenticate or Proxy-Authenticate, depending on the proxy mode.

See Also:

• setProxyMode(boolean)

getUnauthorizedStatusCode

public int getUnauthorizedStatusCode()

Returns:

The status code for an authentication challenge, either 401 or 407, depending on the proxy mode.

See Also:

• setProxyMode(boolean)

prepareRequest

public void prepareRequest(javax.servlet.ServletRequest request)

Description copied from interface: Authenticator

Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.

Specified by:

prepareRequest in interface Authenticator

Parameters:

request - the request to manipulate

login

public UserIdentity login(String username,
 Object password,
 javax.servlet.ServletRequest servletRequest)

If the UserIdentity returned from LoginService.login(String, Object, org.eclipse.jetty.server.Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Parameters:

username - the username of the client to be authenticated

password - the user's credential

servletRequest - the inbound request that needs authentication

logout

public void logout(javax.servlet.ServletRequest request)

setConfiguration

public void setConfiguration(Authenticator.AuthConfiguration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Parameters:

configuration - the configuration

getLoginService

public LoginService getLoginService()

renewSession

protected javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request,
 javax.servlet.http.HttpServletResponse response)

Change the session id. The session is changed to a new instance with a new ID if and only if:

• A session exists.
• The Authenticator.AuthConfiguration.isSessionRenewedOnAuthentication() returns true.
• The session ID has been given to unauthenticated responses

Parameters:

request - the request

response - the response

Returns:

The new session.