Class LoginAuthenticator
java.lang.Object
org.eclipse.jetty.ee8.security.authentication.LoginAuthenticator
- All Implemented Interfaces:
Authenticator
- Direct Known Subclasses:
BasicAuthenticator, ConfigurableSpnegoAuthenticator, DigestAuthenticator, FormAuthenticator, JaspiAuthenticator, OpenIdAuthenticator, SslClientCertAuthenticator
-
Nested Class Summary
Nested classes/interfaces inherited from interface Authenticator
Authenticator.AuthConfiguration, Authenticator.Factory -
Field Summary
FieldsFields inherited from interface Authenticator
BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SPNEGO_AUTH -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionIf the UserIdentity returned fromLoginService.login(String, Object, org.eclipse.jetty.server.Request, Function)is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.voidlogout(javax.servlet.ServletRequest request) voidprepareRequest(javax.servlet.ServletRequest request) Called prior to validateRequest.protected javax.servlet.http.HttpSessionrenewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Change the session id.voidsetConfiguration(Authenticator.AuthConfiguration configuration) Configure the AuthenticatorMethods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface Authenticator
getAuthMethod, secureResponse, validateRequest
-
Field Details
-
_loginService
-
_identityService
-
-
Constructor Details
-
LoginAuthenticator
protected LoginAuthenticator()
-
-
Method Details
-
prepareRequest
public void prepareRequest(javax.servlet.ServletRequest request) Description copied from interface:AuthenticatorCalled prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.- Specified by:
prepareRequestin interfaceAuthenticator- Parameters:
request- the request to manipulate
-
login
public UserIdentity login(String username, Object password, javax.servlet.ServletRequest servletRequest) If the UserIdentity returned fromLoginService.login(String, Object, org.eclipse.jetty.server.Request, Function)is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.- Parameters:
username- the username of the client to be authenticatedpassword- the user's credentialservletRequest- the inbound request that needs authentication
-
logout
public void logout(javax.servlet.ServletRequest request) -
setConfiguration
Description copied from interface:AuthenticatorConfigure the Authenticator- Specified by:
setConfigurationin interfaceAuthenticator- Parameters:
configuration- the configuration
-
getLoginService
-
renewSession
protected javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Change the session id. The session is changed to a new instance with a new ID if and only if:- A session exists.
- The
Authenticator.AuthConfiguration.isSessionRenewedOnAuthentication()returns true. - The session ID has been given to unauthenticated responses
- Parameters:
request- the requestresponse- the response- Returns:
- The new session.
-