

1 /*
2  * Copyright (c) 1998-2006 Caucho Technology -- all rights reserved
3  *
4  * This file is part of Resin(R) Open Source
5  *
6  * Each copy or derived work must preserve the copyright notice and this
7  * notice unmodified.
8  *
9  * Resin Open Source is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * Resin Open Source is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
17  * of NON-INFRINGEMENT. See the GNU General Public License for more
18  * details.
19  *
20  * You should have received a copy of the GNU General Public License
21  * along with Resin Open Source; if not, write to the
22  * Free SoftwareFoundation, Inc.
23  * 59 Temple Place, Suite 330
24  * Boston, MA 02111-1307 USA
25  *
26  * @author Scott Ferguson
27  */

28
29 package com.caucho.server.security;
30
31 import com.caucho.log.Log;
32
33 import javax.annotation.PostConstruct;
34 import javax.naming.Context JavaDoc;
35 import javax.naming.InitialContext JavaDoc;
36 import javax.servlet.ServletContext JavaDoc;
37 import javax.servlet.ServletException JavaDoc;
38 import javax.servlet.http.HttpServletRequest JavaDoc;
39 import javax.servlet.http.HttpServletResponse JavaDoc;
40 import java.io.IOException JavaDoc;
41 import java.security.Principal JavaDoc;
42 import java.util.logging.Level JavaDoc;
43 import java.util.logging.Logger JavaDoc;
44
45 /**
46  * Used to authenticate users in a servlet request. AbstractLogin handles
47  * the different login types like "basic" or "form". Normally, a Login
48  * will delegate the actual authentication to a ServletAuthenticator.
49  *
50  * <p>The Login is primarily responsible for extracting the credentials
51  * from the request (typically username and password) and passing those
52  * to the ServletAuthenticator.
53  *
54  * <p>The Servlet API calls the Login in two contexts: directly from
55  * <code>ServletRequest.getUserPrincipal()</code>, and during
56  * security checking. When called from the Servlet API, the login class
57  * can't change the response. In other words, if an application
58  * calls getUserPrincipal(), the Login class can't return a forbidden
59  * error page. When the servlet engine calls authenticate(), the login class
60  * can return an error page (or forward internally.)
61  *
62  * <p>Normally, Login implementations will defer the actual authentication
63  * to a ServletAuthenticator class. That way, both "basic" and "form" login
64  * can use the same JdbcAuthenticator. Some applications, like SSL
65  * client certificate login, may want to combine the Login and authentication
66  * into one class.
67  *
68  * <p>Login instances are configured through bean introspection. Adding
69  * a public <code>setFoo(String foo)</code> method will be configured with
70  * the following login-config:
71  *
72  * <code><pre>
73  * &lt;login-config>
74  * &lt;class-name>test.CustomLogin&lt;/class-name>
75  * &lt;foo>bar&lt;/foo>
76  * &lt;/login-config>
77  * </pre></code>
78  *
79  * @since Resin 2.0.2
80  */

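public abstract class AbstractLogin {
  protected final static Logger log = Log.open(AbstractLogin.class);

  /**
   * The configured authenticator for the login. Implementing classes will
   * typically delegate calls to the authenticator after extracting the
   * username and password.
   *
   * <p>Resolved lazily by {@link #getAuthenticator()} when it has not been
   * set through {@link #setAuthenticator(ServletAuthenticator)}.
   */
  protected ServletAuthenticator _auth;

  /**
   * Sets the authenticator this login delegates to.
   *
   * @param auth the authenticator; if null, {@link #getAuthenticator()}
   * falls back to a JNDI lookup on first use.
   */
  public void setAuthenticator(ServletAuthenticator auth)
  {
    _auth = auth;
  }

  /**
   * Gets the authenticator, resolving it on first use.
   *
   * <p>If no authenticator was configured, one is looked up in JNDI at
   * <code>java:comp/env/caucho/auth</code>. If that lookup fails or yields
   * nothing, a {@link NullAuthenticator} is installed so callers never see
   * null. A missing authenticator is a configuration problem that would
   * otherwise be invisible, so the fallback is logged rather than silent.
   *
   * @return the configured, looked-up, or fallback authenticator; never null.
   */
  public ServletAuthenticator getAuthenticator()
  {
    if (_auth == null) {
      try {
        Context ic = new InitialContext();
        _auth = (ServletAuthenticator) ic.lookup("java:comp/env/caucho/auth");
      } catch (Exception e) {
        // Either a NamingException from the lookup or a ClassCastException
        // from the cast: both mean "no usable authenticator in JNDI". The
        // stack trace is trace-level detail; the fallback itself is logged
        // below so the condition is visible without FINEST enabled.
        log.log(Level.FINEST, e.toString(), e);
      }

      if (_auth == null) {
        log.fine("no ServletAuthenticator configured or bound at"
                 + " java:comp/env/caucho/auth; using NullAuthenticator");
        _auth = new NullAuthenticator();
      }
    }

    return _auth;
  }

  /**
   * Initialize the login. <code>init()</code> will be called after all
   * the bean parameters have been set.
   *
   * <p>The base implementation does nothing; subclasses override it to
   * validate or complete their configuration.
   *
   * @throws ServletException if a subclass rejects its configuration.
   */
  @PostConstruct
  public void init()
    throws ServletException
  {
  }

  /**
   * Returns the authentication type. <code>getAuthType</code> is called
   * by <code>HttpServletRequest.getAuthType</code>.
   *
   * @return <code>"none"</code> for the base class; subclasses report
   * their own scheme.
   */
  public String getAuthType()
  {
    return "none";
  }

  /**
   * Logs a user in. The authenticate method is called during the
   * security check. If the user does not exist, <code>authenticate</code>
   * sets the response error page and returns null.
   *
   * <p>This base implementation only delegates to
   * {@link #getUserPrincipal} and, on failure, reports a 403 Forbidden; it
   * does not issue an authentication challenge itself.
   *
   * @param request servlet request
   * @param response servlet response for a failed authentication.
   * @param application servlet application
   *
   * @return the logged in principal on success, null on failure.
   *
   * @throws ServletException if the authenticator fails.
   * @throws IOException if the error response cannot be written.
   */
  public Principal authenticate(HttpServletRequest request,
                                HttpServletResponse response,
                                ServletContext application)
    throws ServletException, IOException
  {
    // Most login classes will extract the user and password (or some other
    // credentials) from the request and call auth.login.
    Principal user = getUserPrincipal(request, response, application);

    if (user == null)
      response.sendError(HttpServletResponse.SC_FORBIDDEN);

    return user;
  }

  /**
   * Returns the Principal associated with the current request.
   * getUserPrincipal is called in response to the Request.getUserPrincipal
   * call. Login.getUserPrincipal can't modify the response or return
   * an error page.
   *
   * <p><code>authenticate</code> is used for the security checks.
   *
   * @param request servlet request
   * @param response servlet response; passed through to the authenticator
   * but must not be modified here.
   * @param application servlet application
   *
   * @return the logged in principal on success, null on failure.
   *
   * @throws ServletException if the authenticator fails.
   */
  public Principal getUserPrincipal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    ServletContext application)
    throws ServletException
  {
    return getAuthenticator().getUserPrincipal(request, response, application);
  }

  /**
   * Returns true if the current user plays the named role.
   * <code>isUserInRole</code> is called in response to the
   * <code>HttpServletRequest.isUserInRole</code> call.
   *
   * @param request servlet request
   * @param response servlet response
   * @param application servlet application
   * @param user the principal whose roles are checked
   * @param role the role name to test
   *
   * @return true if the authenticator reports the user in the role,
   * false otherwise.
   *
   * @throws ServletException if the authenticator fails.
   */
  public boolean isUserInRole(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application,
                              Principal user, String role)
    throws ServletException
  {
    return getAuthenticator().isUserInRole(request, response,
                                           application, user, role);
  }

  /**
   * Logs the user out from the given request.
   *
   * <p>Since there is no servlet API for logout, this must be called
   * directly from user code. Resin stores the web-app's login object
   * in the ServletContext attribute "caucho.login".
   *
   * <p>If no principal is associated with the request, this is a no-op.
   *
   * @param request servlet request
   * @param response servlet response
   * @param application servlet application
   *
   * @throws ServletException if the authenticator fails.
   */
  public void logout(HttpServletRequest request,
                     HttpServletResponse response,
                     ServletContext application)
    throws ServletException
  {
    Principal principal = getUserPrincipal(request, response, application);

    if (principal != null) {
      // No session object is passed here; the authenticator gets only the
      // requested session id to identify the session being logged out.
      getAuthenticator().logout(application,
                                null,
                                request.getRequestedSessionId(),
                                principal);
    }
  }
}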
226