Class FormAuthenticator
- All Implemented Interfaces:
Authenticator
This authenticator implements form authentication will use dispatchers to
the login page if the __FORM_DISPATCH
init parameter is set to true.
Otherwise it will redirect.
The form authenticator redirects unauthenticated requests to a log page
which should use a form to gather username/password from the user and send them
to the /j_security_check URI within the context. FormAuthentication uses
SessionAuthentication
to wrap Authentication results so that they
are associated with the session.
-
Nested Class Summary
Nested classes/interfaces inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
LoginAuthenticator.LoggedOutAuthentication, LoginAuthenticator.UserAuthenticationSent, LoginAuthenticator.UserAuthenticationSucceeded
Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator
Authenticator.Configuration, Authenticator.Factory, Authenticator.NoOp
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
_identityService, _loginService
Fields inherited from interface org.eclipse.jetty.security.Authenticator
BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, MULTI_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SIWE_AUTH, SPNEGO_AUTH
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected String
boolean
getConstraintAuthentication
(String pathInContext, Constraint.Authorization existing, Function<Boolean, Session> getSession) Get anConstraint.Authorization
applicable to the path for this authenticator.protected Fields
getParameters
(Request request) boolean
isJSecurityCheck
(String uri) boolean
isLoginOrErrorPage
(String pathInContext) If the UserIdentity returned fromLoginService.login(String, Object, Request, Function)
is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.void
prepareRequest
(Request request, AuthenticationState authenticationState) Called afterAuthenticator.validateRequest(Request, Response, Callback)
and before callingRequest.Handler.handle(Request, Response, Callback)
of the nested handler.void
setAlwaysSaveUri
(boolean alwaysSave) If true, uris that cause a redirect to a login page will always be remembered.void
setConfiguration
(Authenticator.Configuration configuration) Configure the AuthenticatorvalidateRequest
(Request request, Response response, Callback callback) Attempts to validate the authentication state of the given request.Methods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
getLoginService, setLoginService, updateSession
-
Field Details
-
__FORM_LOGIN_PAGE
- See Also:
-
__FORM_ERROR_PAGE
- See Also:
-
__FORM_DISPATCH
- See Also:
-
__J_URI
- See Also:
-
__J_POST
- See Also:
-
__J_METHOD
- See Also:
-
__J_SECURITY_CHECK
- See Also:
-
__J_USERNAME
- See Also:
-
__J_PASSWORD
- See Also:
-
-
Constructor Details
-
FormAuthenticator
public FormAuthenticator() -
FormAuthenticator
-
-
Method Details
-
setAlwaysSaveUri
public void setAlwaysSaveUri(boolean alwaysSave) If true, uris that cause a redirect to a login page will always be remembered. If false, only the first uri that leads to a login page redirect is remembered. See bug 379909- Parameters:
alwaysSave
- true to always save the uri
-
getAlwaysSaveUri
public boolean getAlwaysSaveUri() -
setConfiguration
Description copied from interface:Authenticator
Configure the Authenticator- Specified by:
setConfiguration
in interfaceAuthenticator
- Overrides:
setConfiguration
in classLoginAuthenticator
- Parameters:
configuration
- the configuration
-
getAuthenticationType
- Returns:
- The name of the authentication type
-
login
Description copied from class:LoginAuthenticator
If the UserIdentity returned fromLoginService.login(String, Object, Request, Function)
is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.- Overrides:
login
in classLoginAuthenticator
- Parameters:
username
- the username of the client to be authenticatedpassword
- the user's credentialrequest
- the inbound request that needs authentication
-
logout
- Overrides:
logout
in classLoginAuthenticator
-
prepareRequest
Description copied from interface:Authenticator
Called afterAuthenticator.validateRequest(Request, Response, Callback)
and before callingRequest.Handler.handle(Request, Response, Callback)
of the nested handler. This may be used by anAuthenticator
to restore method or content from a previous request that was challenged.- Parameters:
request
- the request to prepare for handlingauthenticationState
- The authentication for the request
-
getParameters
-
encodeURL
-
getConstraintAuthentication
public Constraint.Authorization getConstraintAuthentication(String pathInContext, Constraint.Authorization existing, Function<Boolean, Session> getSession) Description copied from interface:Authenticator
Get anConstraint.Authorization
applicable to the path for this authenticator. This is typically used to vary protection on special URIs known to a specificAuthenticator
(e.g. /j_security_check for theFormAuthenticator
.- Parameters:
pathInContext
- The pathInContext to potentially constrain.existing
- The existing authentication constraint for the pathInContext determined independently ofAuthenticator
getSession
- Function to get or create aSession
.- Returns:
- The
Constraint.Authorization
to apply.
-
validateRequest
public AuthenticationState validateRequest(Request request, Response response, Callback callback) throws ServerAuthException Description copied from interface:Authenticator
Attempts to validate the authentication state of the given request.If authentication is successful, an
AuthenticationState.Succeeded
is returned. If the authenticator has already committed a response (for either success or failure), the returned value will implementAuthenticationState.ResponseSent
, and the providedCallback
will be eventually be completed, otherwise the caller is responsible for completing theCallback
.A
null
return value indicates that no authentication state could be established, possibly because the response has already been committed.- Parameters:
request
- the request to validate.response
- the response associated with the request.callback
- the callback to use for writing a response.- Returns:
- an
AuthenticationState
, ornull
if authentication could not be resolved. - Throws:
ServerAuthException
- if unable to validate request.
-
isJSecurityCheck
-
isLoginOrErrorPage
-