com.caucho.http.security
Class AbstractLogin

java.lang.Object
  |
  +--com.caucho.http.security.AbstractLogin
Direct Known Subclasses:
BasicLogin, DigestLogin, FormLogin

public abstract class AbstractLogin
extends java.lang.Object

Used to authenticate users in a servlet request. AbstractLogin handles the different login types like "basic" or "form". Normally, a Login will delegate the actual authentication to a ServletAuthenticator.

The Login is primarily responsible for extracting the credentials from the request (typically username and password) and passing those to the ServletAuthenticator.

The Servlet API calls the Login in two contexts: directly from ServletRequest.getUserPrincipal(), and during security checking. When called from the Servlet API, the login class can't change the response. In other words, if an application calls getUserPrincipal(), the Login class can't return a forbidden error page. When the servlet engine calls authenticate(), the login class can return an error page (or forward internally).

Normally, Login implementations will defer the actual authentication to a ServletAuthenticator class. That way, both "basic" and "form" login can use the same JdbcAuthenticator. Some applications, like SSL client certificate login, may want to combine the Login and authentication into one class.

Login instances are configured through bean introspection. Adding a public setFoo(String foo) method will be configured with the following login-config:

 <login-config>
   <class-name>test.CustomLogin</class-name>
   <foo>bar</foo>
 </login-config>
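
As an added example (not code from the Resin API docs or source), here is a `test.CustomLogin` matching the login-config above. It combines login and authentication in one class, as the text says some applications do: it extracts HTTP Basic credentials, checks them against a single account injected through the bean setters `setUser`/`setPassword` (a constructed store for illustration; a real deployment would delegate to the configured ServletAuthenticator), and follows the two-context contract, where `getUserPrincipal` never touches the response and only `authenticate` may send the 401 challenge. The session attribute name `test.principal` is also constructed.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import com.caucho.http.security.AbstractLogin;
import static java.nio.charset.StandardCharsets.UTF_8;

// "basic" login that also performs the credential check itself (no ServletAuthenticator).
public class CustomLogin extends AbstractLogin {
  private static final String SESSION_KEY = "test.principal"; // constructed attribute name
  private String user = "", password = "";                    // constructed single-account store
  // Bean setters: <user> and <password> elements inside <login-config> are injected here.
  public void setUser(String v) { user = v; }
  public void setPassword(String v) { password = v; }
  public String getAuthType() { return HttpServletRequest.BASIC_AUTH; }
  // Servlet-API context: inspect request and session only; the response must not be touched.
  public Principal getUserPrincipal(HttpServletRequest request, HttpServletResponse response,
                                    ServletContext application) throws ServletException {
    HttpSession session = request.getSession(false);
    Principal cached = session == null ? null : (Principal) session.getAttribute(SESSION_KEY);
    return cached != null ? cached : check(parseBasic(request.getHeader("Authorization")));
  }
  // Security-check context: on failure the login may send the 401 challenge and return null.
  public Principal authenticate(HttpServletRequest request, HttpServletResponse response,
                                ServletContext application) throws ServletException, java.io.IOException {
    Principal p = getUserPrincipal(request, response, application);
    if (p == null) {
      response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return null;
    }
    request.getSession(true).setAttribute(SESSION_KEY, p); // remember the login across requests
    return p;
  }
  // Parses "Basic base64(user:password)"; null when the header is absent or malformed.
  static String[] parseBasic(String header) {
    if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
    try {
      String s = new String(Base64.getDecoder().decode(header.substring(6).trim()), UTF_8);
      int i = s.indexOf(':');
      return i < 0 ? null : new String[] { s.substring(0, i), s.substring(i + 1) };
    } catch (IllegalArgumentException e) { return null; } // not valid base64
  }
  // Constant-time compare of both fields so user and password mismatches look the same.
  private Principal check(String[] c) {
    if (c == null || !MessageDigest.isEqual(c[0].getBytes(UTF_8), user.getBytes(UTF_8))
                   | !MessageDigest.isEqual(c[1].getBytes(UTF_8), password.getBytes(UTF_8))) return null;
    return () -> c[0]; // Principal is a functional interface (getName)
  }
}
```

logout() is inherited unchanged here; as the page notes, it has to be invoked from application code and should clear the session attribute this class stores.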
 

Since:
Resin 2.0.2

Field Summary
protected  ServletAuthenticator auth
          The configured authenticator for the login.
protected static WriteStream dbg
           
 
Constructor Summary
AbstractLogin()
           
 
Method Summary
 java.security.Principal authenticate(HttpServletRequest request, HttpServletResponse response, ServletContext application)
          Logs a user in.
 ServletAuthenticator getAuthenticator()
          Gets the authenticator.
 java.lang.String getAuthType()
          Returns the authentication type.
 java.security.Principal getUserPrincipal(HttpServletRequest request, HttpServletResponse response, ServletContext application)
          Returns the Principal associated with the current request.
 void init()
          Initialize the login.
 boolean isUserInRole(HttpServletRequest request, HttpServletResponse response, ServletContext application, java.security.Principal user, java.lang.String role)
          Returns true if the current user plays the named role.
 void logout(HttpServletRequest request, HttpServletResponse response, ServletContext application)
          Logs the user out from the given request.
 void setAuthenticator(ServletAuthenticator auth)
          Sets the authenticator.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

dbg

protected static WriteStream dbg

auth

protected ServletAuthenticator auth
The configured authenticator for the login. Implementing classes will typically delegate calls to the authenticator after extracting the username and password.
Constructor Detail

AbstractLogin

public AbstractLogin()
Method Detail

setAuthenticator

public void setAuthenticator(ServletAuthenticator auth)
Sets the authenticator.

getAuthenticator

public ServletAuthenticator getAuthenticator()
Gets the authenticator.

init

public void init()
          throws ServletException
Initialize the login. init() will be called after all the bean parameters have been set.

getAuthType

public java.lang.String getAuthType()
Returns the authentication type. getAuthType is called by HttpServletRequest.getAuthType.

authenticate

public java.security.Principal authenticate(HttpServletRequest request,
                                            HttpServletResponse response,
                                            ServletContext application)
                                     throws ServletException,
                                            java.io.IOException
Logs a user in. The authenticate method is called during the security check. If the user does not exist, authenticate sets the response error page and returns null.
Parameters:
request - servlet request
response - servlet response for a failed authentication.
application - servlet application
Returns:
the logged in principal on success, null on failure.

getUserPrincipal

public java.security.Principal getUserPrincipal(HttpServletRequest request,
                                                HttpServletResponse response,
                                                ServletContext application)
                                         throws ServletException
Returns the Principal associated with the current request. getUserPrincipal is called in response to the Request.getUserPrincipal call. Login.getUserPrincipal can't modify the response or return an error page.

authenticate is used for the security checks.

Parameters:
request - servlet request
response - servlet response; may not be modified by this method.
application - servlet application
Returns:
the logged in principal on success, null on failure.

isUserInRole

public boolean isUserInRole(HttpServletRequest request,
                            HttpServletResponse response,
                            ServletContext application,
                            java.security.Principal user,
                            java.lang.String role)
                     throws ServletException
Returns true if the current user plays the named role. isUserInRole is called in response to the HttpServletRequest.isUserInRole call.
Parameters:
request - servlet request
response - servlet response
application - servlet application
user - the principal of the current user
role - the role name to test
Returns:
true if the current user plays the named role, false otherwise.

logout

public void logout(HttpServletRequest request,
                   HttpServletResponse response,
                   ServletContext application)
            throws ServletException
Logs the user out from the given request.

Since there is no servlet API for logout, this must be called directly from user code. Resin stores the web-app's login object in the ServletContext attribute "caucho.login".