Java > Open Source Codes > net > sf > jguard > jee > authentication > http > HttpAuthenticationUtils


1 /*
2 jGuard is a security framework based on top of jaas (java authentication and authorization security).
3 it is written for web applications, to resolve simply, access control problems.
4 version $Name$
5 http://sourceforge.net/projects/jguard/
6
7 Copyright (C) 2004 Charles GAY
8
9 This library is free software; you can redistribute it and/or
10 modify it under the terms of the GNU Lesser General Public
11 License as published by the Free Software Foundation; either
12 version 2.1 of the License, or (at your option) any later version.
13
14 This library is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
18
19 You should have received a copy of the GNU Lesser General Public
20 License along with this library; if not, write to the Free Software
21 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22
23
24 jGuard project home page:
25 http://sourceforge.net/projects/jguard/
26
27 */
28 package net.sf.jguard.jee.authentication.http;
29
30
31 import java.io.IOException ;
32 import java.util.ArrayList ;
33 import java.util.Collection ;
34 import java.util.Iterator ;
35 import java.util.Set ;
36
37 import javax.security.auth.Subject ;
38 import javax.security.auth.login.Configuration ;
39 import javax.security.auth.login.LoginException ;
40 import javax.servlet.http.HttpServletRequest ;
41 import javax.servlet.http.HttpServletResponse ;
42 import javax.servlet.http.HttpSession ;
43 import javax.servlet.http.HttpSessionActivationListener ;
44 import javax.servlet.http.HttpSessionBindingEvent ;
45 import javax.servlet.http.HttpSessionBindingListener ;
46 import javax.servlet.http.HttpSessionEvent ;
47
48 import net.sf.jguard.core.CoreConstants;
49 import net.sf.jguard.core.authentication.credentials.JGuardCredential;
50 import net.sf.jguard.ext.SecurityConstants;
51 import net.sf.jguard.ext.authentication.AuthenticationException;
52 import net.sf.jguard.ext.authentication.manager.AuthenticationManager;
53 import net.sf.jguard.ext.authentication.manager.AuthenticationUtils;
54 import net.sf.jguard.ext.registration.SubjectTemplate;
55 import net.sf.jguard.ext.util.SubjectUtils;
56 import net.sf.jguard.jee.authentication.callbacks.HttpCallbackHandler;
57
58 import org.apache.commons.logging.Log;
59 import org.apache.commons.logging.LogFactory;
60
61  
62
63 /**
64  * Authentication utility class stored on the user's session.
65  * @author <a HREF="mailto:diabolo512@users.sourceforge.net">Charles Gay</a>
66  * this class was inspired by the article on jaas published at <a HREF="http://www.mooreds.com/jaas.html">this</a> address.
67  *
68  */
69 public class HttpAuthenticationUtils implements HttpSessionActivationListener ,HttpSessionBindingListener {
70     private static final Log logger = LogFactory.getLog(HttpAuthenticationUtils.class);
71     
72     
73     private AuthenticationUtils authenticationUtils = null;
74
75     public HttpAuthenticationUtils(){
76         super();
77         authenticationUtils = new AuthenticationUtils();
78     }
79     
80     public HttpAuthenticationUtils(Configuration configuration){
81         super();
82         authenticationUtils = new AuthenticationUtils(configuration);
83     }
84     
85     
86     /**
87      * encapsulate JAAS login lifecycle.
88      * @param request
89      * @param response
90      * @param afterRegistration <code>true</code> if user registration was made just before; <code>false</code> otherwise.
91      * @throws LoginException
92      */
93      private void useLoginContext(HttpServletRequest request,HttpServletResponse response,boolean afterRegistration) throws LoginException {
94         HttpSession session = request.getSession();
95
96         String applicationName = (String )session.getServletContext().getAttribute(CoreConstants.APPLICATION_NAME);
97         String scheme = (String )session.getServletContext().getAttribute(HttpConstants.AUTH_SCHEME);
98         HttpCallbackHandler cbh = new HttpCallbackHandler(request,response,scheme);
99         cbh.setAfterRegistration(afterRegistration);
100         authenticationUtils.login(applicationName, cbh,request.getLocale());
101         
102       }
103
104
105
106     /**
107      * retrieve the subject from <strong>this</strong> object.
108      * @return authenticated Subject, otherwise <strong>null</strong>.
109      */
110     public Subject getSubject(){
111         return authenticationUtils.getSubject();
112     }
113
114     
115
116     /**
117      * grab the @link HttpAuthenticationUtils from the HttpServletRequest.
118      * @param req
119      * @return HttpAuthenticationUtils
120      */
121     public static HttpAuthenticationUtils getHttpAuthenticationUtils(HttpServletRequest req,boolean local){
122         HttpSession session = req.getSession(true);
123         HttpAuthenticationUtils httpAuthenticationUtils = (HttpAuthenticationUtils) session.getAttribute(HttpConstants.AUTHN_UTILS);
124
125         //auth.getSubject() can return null if the user in session has been deleted by authenticationManager
126 if(httpAuthenticationUtils!= null && httpAuthenticationUtils.getSubject()==null){
127             logger.debug(" subject into HttpAuthenticationUtils is null ");
128             httpAuthenticationUtils.logout();
129             session.removeAttribute(HttpConstants.AUTHN_UTILS);
130             httpAuthenticationUtils = null;
131         }
132
133         if(httpAuthenticationUtils==null){
134             Configuration configuration = (Configuration )req.getSession().getServletContext().getAttribute(HttpConstants.JGUARD_CONFIGURATION);
135             if(local){
136             httpAuthenticationUtils = new HttpAuthenticationUtils(configuration);
137             }else{
138                 httpAuthenticationUtils = new HttpAuthenticationUtils();
139             }
140             session.setAttribute(HttpConstants.AUTHN_UTILS,httpAuthenticationUtils);
141         }
142         return httpAuthenticationUtils;
143     }
144
145     /**
146      * authenticate user and put the corresponding Subject in its session if succeed.
147      * @param req
148      * @param res
149      * @param afterRegistration :<code>true</code> if user registration was made just before;
150      * <code>false</code> otherwise.
151      * @return authenticationresult: <strong>true</strong> if authentication succeed,
152      * <strong>false</strong> otherwise.
153      * @throws IOException
154      */
155     public static boolean authenticate(HttpServletRequest req, HttpServletResponse res,boolean afterRegistration,boolean local) throws IOException {
156
157         HttpAuthenticationUtils auth = getHttpAuthenticationUtils(req,local);
158         HttpSession session = req.getSession(true);
159         boolean authenticationSucceed = true;
160         try {
161             auth.useLoginContext(req, res,afterRegistration);
162         } catch (LoginException e) {
163             authenticationSucceed = false;
164             String messageError = null;
165             messageError = e.getLocalizedMessage();
166             
167             //we store in the user' session the reason the authentication failed
168 session.setAttribute(HttpConstants.LOGIN_EXCEPTION_MESSAGE,messageError);
169             session.setAttribute(HttpConstants.LOGIN_EXCEPTION_CLASS,e.getClass());
170         }
171
172         return authenticationSucceed;
173     }
174
175
176
177     /**
178      * method called by the container when session is serialized.
179      * @param sessionEvent
180      */
181     public void sessionWillPassivate(HttpSessionEvent sessionEvent) {
182         if(authenticationUtils!=null){
183             authenticationUtils.logout();
184         }
185         HttpAuthenticationUtils authUtils = (HttpAuthenticationUtils)sessionEvent.getSession().getAttribute(HttpConstants.AUTHN_UTILS);
186         if(authUtils!=null){
187             authUtils.logout();
188         }
189         sessionEvent.getSession().removeAttribute(HttpConstants.AUTHN_UTILS);
190     }
191
192
193     /**
194      * method called by container when session is deserialized.
195      * @param sessionEvent
196      */
197     public void sessionDidActivate(HttpSessionEvent sessionEvent) {
198
199
200     }
201
202
203     public void valueBound(HttpSessionBindingEvent bindingEvent) {
204         if(HttpConstants.AUTHN_UTILS.equals(bindingEvent.getName())){
205             Collection users = (Collection )bindingEvent.getSession().getServletContext().getAttribute(HttpConstants.USERS_IN_SESSION);
206             users.add(this);
207         }
208         
209     }
210
211
212
213     public void valueUnbound(HttpSessionBindingEvent bindingEvent) {
214         if(HttpConstants.AUTHN_UTILS.equals(bindingEvent.getName())){
215             Collection users = (Collection )bindingEvent.getSession().getServletContext().getAttribute(HttpConstants.USERS_IN_SESSION);
216             if(users!=null && users.contains(this)){
217                 users.remove(this);
218             }
219         }
220     }
221
222    
223
224     public void logout() {
225         authenticationUtils.logout();
226     }
227
228     public AuthenticationUtils getAuthenticationUtils() {
229         return authenticationUtils;
230     }
231
232     /**
233      * return the Subject from the HttpSession, or null if no Subject is present.
234      * @param session
235      * @return
236      */
237     public static Subject getSubject(HttpSession session){
238         HttpAuthenticationUtils authutils = (HttpAuthenticationUtils)session.getAttribute(HttpConstants.AUTHN_UTILS);
239         if(authutils!=null){
240             return authutils.getSubject();
241         }
242         return null;
243     }
244
245     
246 }

A to Z: JavaDoc & Examples

---

Daily Java News & Articles

---

Open Source Projects

---

Open Source Codes

---

Free Computer Books

---

Remove Frame

---

Popular Tags