Package org.eclipse.jetty.security.authentication

Class FormAuthenticator

  • All Implemented Interfaces:
    Authenticator
    public class FormAuthenticator
extends LoginAuthenticator
    FORM Authenticator.

    This authenticator implements form authentication will use dispatchers to the login page if the __FORM_DISPATCH init parameter is set to true. Otherwise it will redirect.

    The form authenticator redirects unauthenticated requests to a log page which should use a form to gather username/password from the user and send them to the /j_security_check URI within the context. FormAuthentication uses SessionAuthentication to wrap Authentication results so that they are associated with the session.

    • Constructor Detail

      • FormAuthenticator

        public FormAuthenticator()

      • FormAuthenticator

        public FormAuthenticator​(java.lang.String login,
                         java.lang.String error,
                         boolean dispatch)

    • Method Detail

      • setAlwaysSaveUri

        public void setAlwaysSaveUri​(boolean alwaysSave)
        If true, uris that cause a redirect to a login page will always be remembered. If false, only the first uri that leads to a login page redirect is remembered. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=379909
        Parameters:
        alwaysSave - true to always save the uri

      • getAlwaysSaveUri

        public boolean getAlwaysSaveUri()

      • getAuthMethod

        public java.lang.String getAuthMethod()
        Returns:
        The name of the authentication method

      • login

        public UserIdentity login​(java.lang.String username,
                          java.lang.Object password,
                          javax.servlet.ServletRequest request)
        Description copied from class: LoginAuthenticator
        If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
        Overrides:
        login in class LoginAuthenticator
        Parameters:
        username - the username of the client to be authenticated
        password - the user's credential
        request - the inbound request that needs authentication

      • prepareRequest

        public void prepareRequest​(javax.servlet.ServletRequest request)
        Description copied from interface: Authenticator
        Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.
        Specified by:
        prepareRequest in interface Authenticator
        Overrides:
        prepareRequest in class LoginAuthenticator
        Parameters:
        request - the request to manipulate

      • validateRequest

        public Authentication validateRequest​(javax.servlet.ServletRequest req,
                                      javax.servlet.ServletResponse res,
                                      boolean mandatory)
                               throws ServerAuthException
        Description copied from interface: Authenticator
        Validate a request
        Parameters:
        req - The request
        res - The response
        mandatory - True if authentication is mandatory.
        Returns:
        An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.
        Throws:
        ServerAuthException - if unable to validate request

      • isJSecurityCheck

        public boolean isJSecurityCheck​(java.lang.String uri)

      • isLoginOrErrorPage

        public boolean isLoginOrErrorPage​(java.lang.String pathInContext)

      • secureResponse

        public boolean secureResponse​(javax.servlet.ServletRequest req,
                              javax.servlet.ServletResponse res,
                              boolean mandatory,
                              Authentication.User validatedUser)
                       throws ServerAuthException
        Description copied from interface: Authenticator
        is response secure
        Parameters:
        req - the request
        res - the response
        mandatory - if security is mandator
        validatedUser - the user that was validated
        Returns:
        true if response is secure
        Throws:
        ServerAuthException - if unable to test response