View Javadoc

1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.security.authentication;
20  
21  import javax.servlet.ServletRequest;
22  import javax.servlet.http.HttpServletRequest;
23  import javax.servlet.http.HttpServletResponse;
24  import javax.servlet.http.HttpSession;
25  
26  import org.eclipse.jetty.security.Authenticator;
27  import org.eclipse.jetty.security.IdentityService;
28  import org.eclipse.jetty.security.LoginService;
29  import org.eclipse.jetty.server.Request;
30  import org.eclipse.jetty.server.Response;
31  import org.eclipse.jetty.server.UserIdentity;
32  import org.eclipse.jetty.server.session.AbstractSession;
33  import org.eclipse.jetty.util.log.Log;
34  import org.eclipse.jetty.util.log.Logger;
35  
36  public abstract class LoginAuthenticator implements Authenticator
37  {
38      private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);
39  
40      protected LoginService _loginService;
41      protected IdentityService _identityService;
42      private boolean _renewSession;
43      
44      
45      /* ------------------------------------------------------------ */
46      protected LoginAuthenticator()
47      {
48      }
49  
50      /* ------------------------------------------------------------ */
51      @Override
52      public void prepareRequest(ServletRequest request)
53      {
54          //empty implementation as the default
55      }
56  
57  
58      /* ------------------------------------------------------------ */
59      public UserIdentity login(String username, Object password, ServletRequest request)
60      {
61          UserIdentity user = _loginService.login(username,password, request);
62          if (user!=null)
63          {
64              renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
65              return user;
66          }
67          return null;
68      }
69  
70      /* ------------------------------------------------------------ */
71      @Override
72      public void setConfiguration(AuthConfiguration configuration)
73      {
74          _loginService=configuration.getLoginService();
75          if (_loginService==null)
76              throw new IllegalStateException("No LoginService for "+this+" in "+configuration);
77          _identityService=configuration.getIdentityService();
78          if (_identityService==null)
79              throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
80          _renewSession=configuration.isSessionRenewedOnAuthentication();
81      }
82      
83      
84      /* ------------------------------------------------------------ */
85      public LoginService getLoginService()
86      {
87          return _loginService;
88      }
89      
90      
91      /* ------------------------------------------------------------ */
92      /** Change the session id.
93       * The session is changed to a new instance with a new ID if and only if:<ul>
94       * <li>A session exists.
95       * <li>The {@link org.eclipse.jetty.security.Authenticator.AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
96       * <li>The session ID has been given to unauthenticated responses
97       * </ul>
98       * @param request the request
99       * @param response the response
100      * @return The new session.
101      */
102     protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
103     {
104         HttpSession httpSession = request.getSession(false);
105 
106         if (_renewSession && httpSession!=null)
107         {
108             synchronized (httpSession)
109             {
110                 //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
111                 //(indicated by SESSION_SECURED not being set on the session) then we should change id
112                 if (httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)!=Boolean.TRUE)
113                 {
114                     if (httpSession instanceof AbstractSession)
115                     {
116                         AbstractSession abstractSession = (AbstractSession)httpSession;
117                         String oldId = abstractSession.getId();
118                         abstractSession.renewId(request);
119                         abstractSession.setAttribute(AbstractSession.SESSION_CREATED_SECURE, Boolean.TRUE);
120                         if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
121                             ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
122                         LOG.debug("renew {}->{}",oldId,abstractSession.getId());
123                     }
124                     else
125                         LOG.warn("Unable to renew session "+httpSession);
126                     
127                     return httpSession;
128                 }
129             }
130         }
131         return httpSession;
132     }
133 }