19 package org.eclipse.jetty.security.authentication;
21 import javax.servlet.ServletRequest;
22 import javax.servlet.http.HttpServletRequest;
23 import javax.servlet.http.HttpServletResponse;
24 import javax.servlet.http.HttpSession;
26 import org.eclipse.jetty.security.Authenticator;
27 import org.eclipse.jetty.security.IdentityService;
28 import org.eclipse.jetty.security.LoginService;
29 import org.eclipse.jetty.server.Request;
30 import org.eclipse.jetty.server.Response;
31 import org.eclipse.jetty.server.UserIdentity;
32 import org.eclipse.jetty.server.session.AbstractSession;
33 import org.eclipse.jetty.util.log.Log;
34 import org.eclipse.jetty.util.log.Logger;
/**
 * Base class for authenticators that validate credentials against a
 * {@link LoginService} and, on success, may hand the client a fresh session id.
 * <p>
 * The {@link LoginService} and {@link IdentityService} are taken from the
 * {@link AuthConfiguration} in {@link #setConfiguration(AuthConfiguration)};
 * both are mandatory. Session renewal is controlled by
 * {@link AuthConfiguration#isSessionRenewedOnAuthentication()}.
 */
public abstract class LoginAuthenticator implements Authenticator
{
    private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);

    /** Service that validates credentials; set by {@link #setConfiguration(AuthConfiguration)}. */
    protected LoginService _loginService;
    /** Identity service from the configuration; set by {@link #setConfiguration(AuthConfiguration)}. */
    protected IdentityService _identityService;
    /** Whether a successful login should renew the id of an existing session. */
    private boolean _renewSession;

    protected LoginAuthenticator()
    {
    }

    /**
     * Authenticates the given credentials with the configured {@link LoginService}.
     * <p>
     * On success the session of the request (if any) is passed to
     * {@link #renewSession(HttpServletRequest, HttpServletResponse)}. The
     * request is cast to {@link HttpServletRequest} unconditionally, and a
     * response is only available for renewal when the request is a Jetty
     * {@link Request}.
     *
     * @param username the user name presented by the client
     * @param password the credential presented by the client (never logged here)
     * @param request  the request being authenticated; expected to be an HTTP request
     * @return the authenticated identity, or {@code null} if the login service rejected the credentials
     */
    public UserIdentity login(String username, Object password, ServletRequest request)
    {
        UserIdentity identity = _loginService.login(username, password);
        if (identity == null)
        {
            return null;
        }

        HttpServletResponse response = null;
        if (request instanceof Request)
        {
            response = ((Request)request).getResponse();
        }
        renewSession((HttpServletRequest)request, response);
        return identity;
    }

    /**
     * Reads the login service, identity service and session-renewal flag from the
     * configuration.
     *
     * @param configuration the authenticator configuration
     * @throws IllegalStateException if the configuration has no {@link LoginService}
     *                               or no {@link IdentityService}
     */
    @Override
    public void setConfiguration(AuthConfiguration configuration)
    {
        // Fields are assigned before being checked, so a failed configuration
        // leaves the corresponding field null.
        _loginService = configuration.getLoginService();
        if (_loginService == null)
        {
            throw new IllegalStateException("No LoginService for "+this+" in "+configuration);
        }

        _identityService = configuration.getIdentityService();
        if (_identityService == null)
        {
            throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
        }

        _renewSession = configuration.isSessionRenewedOnAuthentication();
    }

    /**
     * @return the {@link LoginService} supplied by the configuration
     */
    public LoginService getLoginService()
    {
        return _loginService;
    }

    /**
     * Renews the id of the request's existing session, if renewal is enabled and
     * the session has not already been marked as known only to authenticated users.
     * <p>
     * Issuing a new id on authentication prevents a session id that was in use
     * before login from carrying over into the authenticated session. The
     * renewal is done under the session's monitor and is recorded with the
     * {@link AbstractSession#SESSION_KNOWN_ONLY_TO_AUTHENTICATED} attribute, so
     * repeated logins on the same session renew it only once. A new session
     * cookie is added only when the id actually changed and the response is a
     * Jetty {@link Response}.
     * <p>
     * Only {@link AbstractSession} instances can be renewed; any other
     * {@link HttpSession} implementation is left with its current id and a
     * warning is logged.
     *
     * @param request  the request whose session is to be renewed
     * @param response the response to receive the new session cookie; may be {@code null}
     * @return the request's current session, or {@code null} if it has none
     */
    protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
    {
        HttpSession httpSession = request.getSession(false);
        if (!_renewSession || httpSession == null)
        {
            return httpSession;
        }

        synchronized (httpSession)
        {
            boolean alreadyRenewed =
                httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED) == Boolean.TRUE;
            if (alreadyRenewed)
            {
                return httpSession;
            }

            if (!(httpSession instanceof AbstractSession))
            {
                // Session implementation is not renewable here; it keeps its current id.
                LOG.warn("Unable to renew session "+httpSession);
                return httpSession;
            }

            AbstractSession session = (AbstractSession)httpSession;
            String previousId = session.getId();
            session.renewId(request);
            session.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);

            // instanceof is false for null, so a missing response is skipped as well.
            if (session.isIdChanged() && response instanceof Response)
            {
                Response jettyResponse = (Response)response;
                jettyResponse.addCookie(session.getSessionManager().getSessionCookie(session, request.getContextPath(), request.isSecure()));
            }
            LOG.debug("renew {}->{}", previousId, session.getId());
            return httpSession;
        }
    }
}