ServletAuthenticator


1   /*
2    * Copyright (c) 1998-2006 Caucho Technology -- all rights reserved
3    *
4    * This file is part of Resin(R) Open Source
5    *
6    * Each copy or derived work must preserve the copyright notice and this
7    * notice unmodified.
8    *
9    * Resin Open Source is free software; you can redistribute it and/or modify
10   * it under the terms of the GNU General Public License as published by
11   * the Free Software Foundation; either version 2 of the License, or
12   * (at your option) any later version.
13   *
14   * Resin Open Source is distributed in the hope that it will be useful,
15   * but WITHOUT ANY WARRANTY; without even the implied warranty of
16   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
17   * of NON-INFRINGEMENT.  See the GNU General Public License for more
18   * details.
19   *
20   * You should have received a copy of the GNU General Public License
21   * along with Resin Open Source; if not, write to the
22   *
23   *   Free Software Foundation, Inc.
24   *   59 Temple Place, Suite 330
25   *   Boston, MA 02111-1307  USA
26   *
27   * @author Scott Ferguson
28   */
29  
30  package com.caucho.server.security;
31  
32  import javax.servlet.ServletContext  ;
33  import javax.servlet.ServletException  ;
34  import javax.servlet.http.HttpServletRequest  ;
35  import javax.servlet.http.HttpServletResponse  ;
36  import javax.servlet.http.HttpSession  ;
37  import java.security.Principal  ;
38  
39  /**
40   * Used in conjunction with AbstractLogin to authenticate users in
41   * a servlet request.  The ServletAuthenticator is typically responsible for
42   * the actual authentication and AbstractLogin is responsible for extracting
43   * credentials (user and password) from the request and returning any
44   * error pages.  Since Login classes typically delegate to the Authenticator,
45   * the same authenticator can be used for "basic", "form" or a custom login.
46   *
47   * <p>In general, applications should extend AbstractAuthenticator instead
48   * to protect from API changes in the Authenticator.
49   *
50   * <p>The authenticator is configured using init-param in the resin.conf.
51   * For example, if test.MyAuthenticator defines a <code>setFoo</code> method,
52   * it can be configured with &lt;init-param foo='bar'/>.
53   *
54   * <code><pre>
55   * &lt;authenticator id='name'>
56   *   &lt;class-name>test.MyAuthenticator&lt;/class-name>
57   *   &lt;init-param foo='bar'/>
58   * &lt;/authenticator>
59   * </pre></code>
60   *
61   * <p>Authenticator instances can be specific to a web-app, host, or
62   * server-wide.  If the authenticator is configured for the host, it
63   * is shared for all web-apps in that host, enabling single-signon.
64   *
65   * <code><pre>
66   * &lt;host id='foo'>
67   *   &lt;authenticator id='myauth'>...&lt;/authenticator>
68   *
69   *   &lt;web-app id='/a'>
70   *     ...
71   *   &lt;/web-app>
72   *
73   *   &lt;web-app id='/a'>
74   *     ...
75   *   &lt;/web-app>
76   * &lt;/host>
77   * </pre></code>
78   */
79  public interface ServletAuthenticator {
80    /**
81     * Initialize the authenticator.  <code>init()</code> is called after all
82     * the bean parameter have been set.
83     */
84    public void init()
85      throws ServletException  ;
86    
87    /**
88     * Logs a user in with a user name and a password.  The login method
89     * is generally called during servlet security checks.  The
90     * ServletRequest.getUserPrincipal call will generally call
91     * getUserPrincipal.
92     *
93     * <p>The implementation may only use the response to set cookies
94     * and headers.  It may not write output or set the response status.
95     * If the application needs to send a custom error reponse,
96     * it must implement a custom AbstractLogin instead.
97     *
98     * @param request servlet request
99     * @param response servlet response, in case any cookie need sending.
100    * @param application servlet application
101    * @param user the user name.
102    * @param password the users input password.
103    *
104    * @return the logged in principal on success, null on failure.
105    */
106   public Principal   login(HttpServletRequest   request,
107                          HttpServletResponse   response,
108                          ServletContext   application,
109                          String   user, String   password)
110     throws ServletException  ;
111   
112   /**
113    * Gets the authenticated user for the current request.  If the user
114    * has not logged in, just returns null.
115    *
116    * <p>getUserPrincipal is called in response to an application's call to
117    * HttpServletRequest.getUserPrincipal.
118    *
119    * <p>The implementation may only use the response to set cookies
120    * and headers.  It may not write output.
121    *
122    * @param request the request trying to authenticate.
123    * @param response the response for setting headers and cookies.
124    * @param application the servlet context
125    *
126    * @return the authenticated user or null if none has logged in
127    */
128   public Principal   getUserPrincipal(HttpServletRequest   request,
129                                     HttpServletResponse   response,
130                                     ServletContext   application)
131     throws ServletException  ;
132   
133   /**
134    * Validates the user when using HTTP Digest authentication.
135    * DigestLogin will call this method.  Most other AbstractLogin
136    * implementations, like BasicLogin and FormLogin, will use
137    * getUserPrincipal instead.
138    *
139    * <p>The HTTP Digest authentication uses the following algorithm
140    * to calculate the digest.  The digest is then compared to
141    * the client digest.
142    *
143    * <code><pre>
144    * A1 = MD5(username + ':' + realm + ':' + password)
145    * A2 = MD5(method + ':' + uri)
146    * digest = MD5(A1 + ':' + nonce + A2)
147    * </pre></code>
148    *
149    * @param request the request trying to authenticate.
150    * @param response the response for setting headers and cookies.
151    * @param app the servlet context
152    * @param user the username
153    * @param realm the authentication realm
154    * @param nonce the nonce passed to the client during the challenge
155    * @param uri te protected uri
156    * @param qop
157    * @param nc
158    * @param cnonce the client nonce
159    * @param clientDigest the client's calculation of the digest
160    *
161    * @return the logged in principal if successful
162    */
163   public Principal   loginDigest(HttpServletRequest   request,
164                                HttpServletResponse   response,
165                                ServletContext   app,
166                                String   user, String   realm,
167                                String   nonce, String   uri,
168                                String   qop, String   nc, String   cnonce,
169                                byte []clientDigset)
170     throws ServletException  ;
171   
172   /**
173    * Returns true if the user plays the named role.
174    *
175    * <p>This method is called in response to the
176    * HttpServletResponse.isUserInRole call and for security-constraints
177    * that check the use role.
178    *
179    * @param request the request testing the role.
180    * @param application the owning application
181    * @param user the user's Principal.
182    * @param role role name.
183    */
184   public boolean isUserInRole(HttpServletRequest   request,
185                               HttpServletResponse   response,
186                               ServletContext   application,
187                               Principal   user, String   role)
188     throws ServletException  ;
189   
190   /**
191    * Logs the user out from the given request.
192    *
193    * <p>Called via the session.logout() method.
194    *
195    * @param session for timeout, the session timing out. null if force logout
196    */
197   public void logout(ServletContext   application,
198              HttpSession   session,
199                      String   sessionId,
200                      Principal   user)
201     throws ServletException  ;
202 }
203
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags