Package org.eclipse.jetty.ee10.security.jaspi

Class JaspiAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.ee10.security.jaspi.JaspiAuthenticator

All Implemented Interfaces:

Authenticator

public class JaspiAuthenticator
extends LoginAuthenticator

Implementation of Jetty LoginAuthenticator that is a bridge from Jakarta Authentication to Jetty Security.

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

LoginAuthenticator.LoggedOutAuthentication, LoginAuthenticator.UserAuthenticationSent, LoginAuthenticator.UserAuthenticationSucceeded

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator

Authenticator.Configuration, Authenticator.Factory, Authenticator.NoOp

Field Summary

Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

_loginService

Fields inherited from interface org.eclipse.jetty.security.Authenticator

BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SPNEGO_AUTH

Constructor Summary

Constructors

Constructor	Description
JaspiAuthenticator(jakarta.security.auth.message.config.ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService)	Deprecated.
JaspiAuthenticator(Subject serviceSubject, String appContext, boolean allowLazyAuthentication)

Method Summary

Modifier and Type	Method	Description
String	getAuthenticationType()
UserIdentity	login(String username, Object password, Request request, Response response)	If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
boolean	secureResponse(JaspiMessageInfo messageInfo, AuthenticationState validatedUser)
boolean	secureResponse(Request request, Response response, Callback callback, boolean mandatory, AuthenticationState.Succeeded validatedSucceeded)
void	setConfiguration(Authenticator.Configuration configuration)	Configure the Authenticator
AuthenticationState	validateRequest(JaspiMessageInfo messageInfo)
AuthenticationState	validateRequest(Request request, Response response, Callback callback)	Validate a request

Methods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

getLoginService, logout, updateSession

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.security.Authenticator

getConstraintAuthentication, prepareRequest

Constructor Details

JaspiAuthenticator

public JaspiAuthenticator(Subject serviceSubject,
 String appContext,
 boolean allowLazyAuthentication)

JaspiAuthenticator

@Deprecated
public JaspiAuthenticator(jakarta.security.auth.message.config.ServerAuthConfig authConfig,
 Map authProperties,
 ServletCallbackHandler callbackHandler,
 Subject serviceSubject,
 boolean allowLazyAuthentication,
 IdentityService identityService)

Deprecated.

Method Details

setConfiguration

public void setConfiguration(Authenticator.Configuration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

configuration - the configuration

getAuthenticationType

public String getAuthenticationType()

Returns:

The name of the authentication type

login

public UserIdentity login(String username,
 Object password,
 Request request,
 Response response)

Description copied from class: LoginAuthenticator

If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

password - the user's credential

request - the inbound request that needs authentication

validateRequest

public AuthenticationState validateRequest(Request request,
 Response response,
 Callback callback)
                                    throws ServerAuthException

Description copied from interface: Authenticator

Validate a request

Parameters:

request - The request

response - The response

callback - the callback to use for writing a response

Returns:

An Authentication. If Authentication is successful, this will be a AuthenticationState.Succeeded. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement AuthenticationState.ResponseSent.

Throws:

ServerAuthException - if unable to validate request

validateRequest

public AuthenticationState validateRequest(JaspiMessageInfo messageInfo)
                                    throws ServerAuthException

Throws:

ServerAuthException

secureResponse

public boolean secureResponse(Request request,
 Response response,
 Callback callback,
 boolean mandatory,
 AuthenticationState.Succeeded validatedSucceeded)
                       throws ServerAuthException

Throws:

ServerAuthException

secureResponse

public boolean secureResponse(JaspiMessageInfo messageInfo,
 AuthenticationState validatedUser)
                       throws ServerAuthException

Throws:

ServerAuthException