Class LoginAuthenticator
- java.lang.Object
-
- org.eclipse.jetty.security.authentication.LoginAuthenticator
-
- All Implemented Interfaces:
Authenticator
- Direct Known Subclasses:
BasicAuthenticator, ClientCertAuthenticator, ConfigurableSpnegoAuthenticator, DigestAuthenticator, FormAuthenticator, JaspiAuthenticator, OpenIdAuthenticator, SpnegoAuthenticator
public abstract class LoginAuthenticator extends java.lang.Object implements Authenticator
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator
Authenticator.AuthConfiguration, Authenticator.Factory
-
-
Field Summary
Fields (Modifier and Type, Field, Description):
protected IdentityService _identityService
protected LoginService _loginService
-
Constructor Summary
Constructors (Modifier, Constructor, Description):
protected LoginAuthenticator()
-
Method Summary
Methods (Modifier and Type, Method, Description):
LoginService getLoginService()
UserIdentity login(java.lang.String username, java.lang.Object password, javax.servlet.ServletRequest servletRequest)
If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent a session fixation vulnerability.
void logout(javax.servlet.ServletRequest request)
void prepareRequest(javax.servlet.ServletRequest request)
Called prior to validateRequest.
protected javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Change the session id.
void setConfiguration(Authenticator.AuthConfiguration configuration)
Configure the Authenticator
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.eclipse.jetty.security.Authenticator
getAuthMethod, secureResponse, validateRequest
-
-
-
-
Field Detail
-
_loginService
protected LoginService _loginService
-
_identityService
protected IdentityService _identityService
-
-
Method Detail
-
prepareRequest
public void prepareRequest(javax.servlet.ServletRequest request)
Description copied from interface: Authenticator
Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the HTTP method of the original request causing authentication is not the same as the HTTP method resulting from the redirect after authentication.
- Specified by:
prepareRequest in interface Authenticator
- Parameters:
request - the request to manipulate
-
login
public UserIdentity login(java.lang.String username, java.lang.Object password, javax.servlet.ServletRequest servletRequest)
If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent a session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
- Parameters:
username - the username of the client to be authenticated
password - the user's credential
servletRequest - the inbound request that needs authentication
-
logout
public void logout(javax.servlet.ServletRequest request)
-
setConfiguration
public void setConfiguration(Authenticator.AuthConfiguration configuration)
Description copied from interface: Authenticator
Configure the Authenticator
- Specified by:
setConfiguration in interface Authenticator
- Parameters:
configuration - the configuration
-
getLoginService
public LoginService getLoginService()
-
renewSession
protected javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Change the session id. The session is changed to a new instance with a new ID if and only if:
- A session exists.
- The Authenticator.AuthConfiguration.isSessionRenewedOnAuthentication() returns true.
- The session ID has been given to unauthenticated responses
- Parameters:
request - the request
response - the response
- Returns:
The new session.
-
-
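An added example (not part of the Jetty Javadoc or Jetty's own code) of the subclass case described under login and renewSession: a two-step login in which a successful password check does not yet mean the user is fully authenticated, so the session id is renewed only once the second step passes. TwoStepAuthenticator, verifySecondStep, completeLogin and the session attribute name are hypothetical; the import of UserIdentity from org.eclipse.jetty.server is an assumption about the Jetty version in use.

```java
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.UserIdentity; // assumed package for this Jetty version

/**
 * Added example, not Jetty code. Left abstract so that getAuthMethod,
 * validateRequest and secureResponse stay with the concrete authenticator.
 */
public abstract class TwoStepAuthenticator extends LoginAuthenticator
{
    // Hypothetical session attribute holding the half-authenticated identity.
    private static final String PENDING = "example.twostep.pendingIdentity";

    /** Hypothetical hook: check the second factor (one-time code, push approval, ...). */
    protected abstract boolean verifySecondStep(UserIdentity user, String code);

    @Override
    public UserIdentity login(String username, Object password, ServletRequest servletRequest)
    {
        // Call the LoginService directly instead of super.login(): the base
        // method treats any non-null identity as fully authenticated.
        UserIdentity user = _loginService.login(username, password, servletRequest);
        if (user != null)
            ((HttpServletRequest)servletRequest).getSession(true).setAttribute(PENDING, user);
        return null; // step one alone never yields an authenticated identity
    }

    /** To be called by the concrete validateRequest when the second step is submitted. */
    protected UserIdentity completeLogin(HttpServletRequest request, HttpServletResponse response, String code)
    {
        HttpSession session = request.getSession(false);
        if (session == null)
            return null;
        UserIdentity pending = (UserIdentity)session.getAttribute(PENDING);
        if (pending == null || !verifySecondStep(pending, code))
            return null;
        session.removeAttribute(PENDING);
        // Fully authenticated only now: replace the session id that was
        // handed out before authentication, closing the fixation window.
        renewSession(request, response);
        return pending;
    }
}
```

Because renewSession only changes the id when isSessionRenewedOnAuthentication() returns true, this pattern relies on that configuration setting being left enabled.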