Package org.eclipse.jetty.security.authentication

Class LoginAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

All Implemented Interfaces:

Authenticator

Direct Known Subclasses:

BasicAuthenticator, DigestAuthenticator, FormAuthenticator, JaspiAuthenticator, OpenIdAuthenticator, SPNEGOAuthenticator, SslClientCertAuthenticator

public abstract class LoginAuthenticator
extends Object
implements Authenticator

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	LoginAuthenticator.LoggedOutAuthentication
static class	LoginAuthenticator.UserAuthenticationSent	This Authentication represents a just completed authentication, that has sent a response, typically to redirect the client to the original request target..
static class	LoginAuthenticator.UserAuthenticationSucceeded	Base class for representing a successful authentication state.

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator

Authenticator.Configuration, Authenticator.Factory, Authenticator.NoOp

Field Summary

Fields

Modifier and Type	Field	Description
protected IdentityService	_identityService
protected LoginService	_loginService

Fields inherited from interface org.eclipse.jetty.security.Authenticator

BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SPNEGO_AUTH

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	LoginAuthenticator()

Method Summary

Modifier and Type	Method	Description
LoginService	getLoginService()
UserIdentity	login(String username, Object password, Request request, Response response)	If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
void	logout(Request request, Response response)
void	setConfiguration(Authenticator.Configuration configuration)	Configure the Authenticator
protected void	updateSession(Request httpRequest, Response httpResponse)	Update the session on authentication.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.security.Authenticator

getAuthenticationType, getConstraintAuthentication, prepareRequest, validateRequest

Field Details

_loginService

protected LoginService _loginService

_identityService

protected IdentityService _identityService

Constructor Details

LoginAuthenticator

protected LoginAuthenticator()

Method Details

login

public UserIdentity login(String username,
 Object password,
 Request request,
 Response response)

If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Parameters:

username - the username of the client to be authenticated

password - the user's credential

request - the inbound request that needs authentication

logout

public void logout(Request request,
 Response response)

setConfiguration

public void setConfiguration(Authenticator.Configuration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Parameters:

configuration - the configuration

getLoginService

public LoginService getLoginService()

updateSession

protected void updateSession(Request httpRequest,
 Response httpResponse)

Update the session on authentication. The session is changed to a new instance with a new ID if and only if:

• A session exists.
• The Authenticator.Configuration.isSessionRenewedOnAuthentication() returns true.
• The session ID has been given to unauthenticated responses

Parameters:

httpRequest - the request

httpResponse - the response

See Also:

• Authenticator.Configuration.isSessionRenewedOnAuthentication()
• Authenticator.Configuration.getSessionMaxInactiveIntervalOnAuthentication()