Package org.eclipse.jetty.security.jaspi

Class JaspiAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.security.jaspi.JaspiAuthenticator

All Implemented Interfaces:

Authenticator

public class JaspiAuthenticator
extends LoginAuthenticator

Version:

$Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $

Nested Class Summary

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator

Authenticator.AuthConfiguration, Authenticator.Factory

Field Summary

Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

_loginService

Constructor Summary

Constructors

Constructor	Description
JaspiAuthenticator(javax.security.auth.message.config.ServerAuthConfig authConfig, java.util.Map authProperties, ServletCallbackHandler callbackHandler, javax.security.auth.Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService)

Method Summary

Modifier and Type	Method	Description
java.lang.String	getAuthMethod()
UserIdentity	login(java.lang.String username, java.lang.Object password, javax.servlet.ServletRequest request)	If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
boolean	secureResponse(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser)	is response secure
boolean	secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser)
void	setConfiguration(Authenticator.AuthConfiguration configuration)	Configure the Authenticator
Authentication	validateRequest(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, boolean mandatory)	Validate a request
Authentication	validateRequest(JaspiMessageInfo messageInfo)

Methods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

getLoginService, logout, prepareRequest, renewSession

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JaspiAuthenticator

public JaspiAuthenticator(javax.security.auth.message.config.ServerAuthConfig authConfig,
                          java.util.Map authProperties,
                          ServletCallbackHandler callbackHandler,
                          javax.security.auth.Subject serviceSubject,
                          boolean allowLazyAuthentication,
                          IdentityService identityService)

Method Detail

setConfiguration

public void setConfiguration(Authenticator.AuthConfiguration configuration)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

configuration - the configuration

getAuthMethod

public java.lang.String getAuthMethod()

Returns:

The name of the authentication method

validateRequest

public Authentication validateRequest(javax.servlet.ServletRequest request,
                                      javax.servlet.ServletResponse response,
                                      boolean mandatory)
                               throws ServerAuthException

Description copied from interface: Authenticator

Validate a request

Parameters:

request - The request

response - The response

mandatory - True if authentication is mandatory.

Returns:

An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.

Throws:

ServerAuthException - if unable to validate request

secureResponse

public boolean secureResponse(javax.servlet.ServletRequest req,
                              javax.servlet.ServletResponse res,
                              boolean mandatory,
                              Authentication.User validatedUser)
                       throws ServerAuthException

Description copied from interface: Authenticator

is response secure

Parameters:

req - the request

res - the response

mandatory - if security is mandator

validatedUser - the user that was validated

Returns:

true if response is secure

Throws:

ServerAuthException - if unable to test response

login

public UserIdentity login(java.lang.String username,
                          java.lang.Object password,
                          javax.servlet.ServletRequest request)

Description copied from class: LoginAuthenticator

If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

password - the user's credential

request - the inbound request that needs authentication

See Also:

LoginAuthenticator.login(java.lang.String, java.lang.Object, javax.servlet.ServletRequest)

validateRequest

public Authentication validateRequest(JaspiMessageInfo messageInfo)
                               throws ServerAuthException

Throws:

ServerAuthException

secureResponse

public boolean secureResponse(JaspiMessageInfo messageInfo,
                              Authentication validatedUser)
                       throws ServerAuthException

Throws:

ServerAuthException