Class FormAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.security.authentication.FormAuthenticator

All Implemented Interfaces:

Authenticator

public class FormAuthenticator
extends LoginAuthenticator

FORM Authenticator.

This authenticator implements form authentication will use dispatchers to the login page if the __FORM_DISPATCH init parameter is set to true. Otherwise it will redirect.

The form authenticator redirects unauthenticated requests to a log page which should use a form to gather username/password from the user and send them to the /j_security_check URI within the context. FormAuthentication uses SessionAuthentication to wrap Authentication results so that they are associated with the session.

Nested Class Summary

Nested classes/interfaces inherited from class LoginAuthenticator

LoginAuthenticator.LoggedOutAuthentication, LoginAuthenticator.UserAuthenticationSent, LoginAuthenticator.UserAuthenticationSucceeded

Nested classes/interfaces inherited from interface Authenticator

Authenticator.Configuration, Authenticator.Factory, Authenticator.NoOp

Field Summary

Fields

Modifier and Type	Field	Description
static final String	__FORM_DISPATCH
static final String	__FORM_ERROR_PAGE
static final String	__FORM_LOGIN_PAGE
static final String	__J_METHOD
static final String	__J_PASSWORD
static final String	__J_POST
static final String	__J_SECURITY_CHECK
static final String	__J_URI
static final String	__J_USERNAME

Fields inherited from class LoginAuthenticator

_identityService, _loginService

Fields inherited from interface Authenticator

BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, MULTI_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SIWE_AUTH, SPNEGO_AUTH

Constructor Summary

Constructors

Constructor	Description
FormAuthenticator()
FormAuthenticator(String login, String error, boolean dispatch)

Method Summary

Modifier and Type	Method	Description
protected String	encodeURL(String url, Request request)
boolean	getAlwaysSaveUri()
String	getAuthenticationType()
Constraint.Authorization	getConstraintAuthentication(String pathInContext, Constraint.Authorization existing, Function<Boolean,Session> getSession)	Get an Constraint.Authorization applicable to the path for this authenticator.
protected Fields	getParameters(Request request)
boolean	isJSecurityCheck(String uri)
boolean	isLoginOrErrorPage(String pathInContext)
UserIdentity	login(String username, Object password, Request request, Response response)	If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
void	logout(Request request, Response response)
Request	prepareRequest(Request request, AuthenticationState authenticationState)	Called after Authenticator.validateRequest(Request, Response, Callback) and before calling Request.Handler.handle(Request, Response, Callback) of the nested handler.
void	setAlwaysSaveUri(boolean alwaysSave)	If true, uris that cause a redirect to a login page will always be remembered.
void	setConfiguration(Authenticator.Configuration configuration)	Configure the Authenticator
AuthenticationState	validateRequest(Request request, Response response, Callback callback)	Attempts to validate the authentication state of the given request.

Methods inherited from class LoginAuthenticator

getAuthorizationHeader, getChallengeHeader, getLoginService, getUnauthorizedStatusCode, isProxyMode, setLoginService, setProxyMode, updateSession

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

__FORM_LOGIN_PAGE

public static final String __FORM_LOGIN_PAGE

See Also:

• Constant Field Values

__FORM_ERROR_PAGE

public static final String __FORM_ERROR_PAGE

See Also:

• Constant Field Values

__FORM_DISPATCH

public static final String __FORM_DISPATCH

See Also:

• Constant Field Values

__J_URI

public static final String __J_URI

See Also:

• Constant Field Values

__J_POST

public static final String __J_POST

See Also:

• Constant Field Values

__J_METHOD

public static final String __J_METHOD

See Also:

• Constant Field Values

__J_SECURITY_CHECK

public static final String __J_SECURITY_CHECK

See Also:

• Constant Field Values

__J_USERNAME

public static final String __J_USERNAME

See Also:

• Constant Field Values

__J_PASSWORD

public static final String __J_PASSWORD

See Also:

• Constant Field Values

Constructor Details

FormAuthenticator

public FormAuthenticator()

FormAuthenticator

public FormAuthenticator(String login,
 String error,
 boolean dispatch)

Method Details

setAlwaysSaveUri

public void setAlwaysSaveUri(boolean alwaysSave)

If true, uris that cause a redirect to a login page will always be remembered. If false, only the first uri that leads to a login page redirect is remembered. See bug 379909

Parameters:

alwaysSave - true to always save the uri

getAlwaysSaveUri

public boolean getAlwaysSaveUri()

setConfiguration

public void setConfiguration(Authenticator.Configuration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

configuration - the configuration

getAuthenticationType

public String getAuthenticationType()

Returns:

The name of the authentication type

login

public UserIdentity login(String username,
 Object password,
 Request request,
 Response response)

Description copied from class: LoginAuthenticator

If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

password - the user's credential

request - the inbound request that needs authentication

logout

public void logout(Request request,
 Response response)

Overrides:

logout in class LoginAuthenticator

prepareRequest

public Request prepareRequest(Request request,
 AuthenticationState authenticationState)

Description copied from interface: Authenticator

Called after Authenticator.validateRequest(Request, Response, Callback) and before calling Request.Handler.handle(Request, Response, Callback) of the nested handler. This may be used by an Authenticator to restore method or content from a previous request that was challenged.

Parameters:

request - the request to prepare for handling

authenticationState - The authentication for the request

getParameters

protected Fields getParameters(Request request)

encodeURL

protected String encodeURL(String url,
 Request request)

getConstraintAuthentication

public Constraint.Authorization getConstraintAuthentication(String pathInContext,
 Constraint.Authorization existing,
 Function<Boolean,Session> getSession)

Description copied from interface: Authenticator

Get an Constraint.Authorization applicable to the path for this authenticator. This is typically used to vary protection on special URIs known to a specific Authenticator (e.g. /j_security_check for the FormAuthenticator.

Parameters:

pathInContext - The pathInContext to potentially constrain.

existing - The existing authentication constraint for the pathInContext determined independently of Authenticator

getSession - Function to get or create a Session.

Returns:

The Constraint.Authorization to apply.

validateRequest

public AuthenticationState validateRequest(Request request,
 Response response,
 Callback callback)
                                    throws ServerAuthException

Description copied from interface: Authenticator

Attempts to validate the authentication state of the given request.

If authentication is successful, an AuthenticationState.Succeeded is returned. If the authenticator has already committed a response (for either success or failure), the returned value will implement AuthenticationState.ResponseSent, and the provided Callback will be eventually be completed, otherwise the caller is responsible for completing the Callback.

A null return value indicates that no authentication state could be established, possibly because the response has already been committed.

Parameters:

request - the request to validate.

response - the response associated with the request.

callback - the callback to use for writing a response.

Returns:

an AuthenticationState, or null if authentication could not be resolved.

Throws:

ServerAuthException - if unable to validate request.

isJSecurityCheck

public boolean isJSecurityCheck(String uri)

isLoginOrErrorPage

public boolean isLoginOrErrorPage(String pathInContext)