19 package org.eclipse.jetty.security.authentication;
20
21 import javax.servlet.ServletRequest;
22 import javax.servlet.http.HttpServletRequest;
23 import javax.servlet.http.HttpServletResponse;
24 import javax.servlet.http.HttpSession;
25
26 import org.eclipse.jetty.security.Authenticator;
27 import org.eclipse.jetty.security.IdentityService;
28 import org.eclipse.jetty.security.LoginService;
29 import org.eclipse.jetty.server.Request;
30 import org.eclipse.jetty.server.Response;
31 import org.eclipse.jetty.server.UserIdentity;
32 import org.eclipse.jetty.server.session.AbstractSession;
33 import org.eclipse.jetty.util.log.Log;
34 import org.eclipse.jetty.util.log.Logger;
35
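/**
 * Base class for authenticators that validate credentials against a
 * {@link LoginService} and, on success, renew the caller's HTTP session id.
 * <p>
 * Renewing the session id right after a successful login means that a session
 * id the client already held before authenticating does not become the id of
 * the authenticated session (session-fixation mitigation). Whether renewal
 * happens at all is controlled by
 * {@code AuthConfiguration.isSessionRenewedOnAuthentication()}.
 */
public abstract class LoginAuthenticator implements Authenticator
{
    private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);

    protected LoginService _loginService;
    protected IdentityService _identityService;
    // Copied from the AuthConfiguration in setConfiguration(); gates renewSession().
    private boolean _renewSession;

    protected LoginAuthenticator()
    {
    }

    /**
     * Does nothing by default; subclasses override if they need to inspect or
     * modify the request before authentication starts.
     *
     * @param request the incoming request
     */
    @Override
    public void prepareRequest(ServletRequest request)
    {
    }

    /**
     * Authenticates the given credentials with the configured {@link LoginService}.
     * <p>
     * If the login service accepts the credentials, the request's existing
     * session (if any) is passed to {@link #renewSession} before the identity
     * is returned.
     *
     * @param username the user name to authenticate
     * @param password the credential, in whatever form the login service accepts
     * @param request the current request; it is cast to {@link HttpServletRequest}
     *                for session renewal, and when it is a Jetty {@link Request}
     *                its {@link Response} is used to send the renewed session cookie
     * @return the authenticated identity, or {@code null} if the login service
     *         rejected the credentials
     */
    public UserIdentity login(String username, Object password, ServletRequest request)
    {
        UserIdentity user = _loginService.login(username, password, request);
        if (user == null)
            return null;

        // Only a Jetty Request exposes its Response; without one, renewSession()
        // cannot add the new session cookie itself.
        HttpServletResponse response = (request instanceof Request) ? ((Request)request).getResponse() : null;
        renewSession((HttpServletRequest)request, response);
        return user;
    }

    /**
     * Takes the login service, identity service and session-renewal flag from
     * the given configuration.
     *
     * @param configuration the authentication configuration to read from
     * @throws IllegalStateException if the configuration provides no
     *         {@link LoginService} or no {@link IdentityService}
     */
    @Override
    public void setConfiguration(AuthConfiguration configuration)
    {
        _loginService = configuration.getLoginService();
        if (_loginService == null)
            throw new IllegalStateException("No LoginService for "+this+" in "+configuration);

        _identityService = configuration.getIdentityService();
        if (_identityService == null)
            throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);

        _renewSession = configuration.isSessionRenewedOnAuthentication();
    }

    /**
     * @return the login service set by {@link #setConfiguration}, or
     *         {@code null} if not yet configured
     */
    public LoginService getLoginService()
    {
        return _loginService;
    }

    /**
     * Renews the id of the request's existing session after a successful login.
     * <p>
     * Nothing happens if session renewal is disabled in the configuration, if
     * the request has no session, or if the session has already been renewed
     * (marked by the {@link AbstractSession#SESSION_CREATED_SECURE} attribute).
     * Only {@link AbstractSession} instances can be renewed; any other session
     * implementation is left untouched and a warning is logged.
     *
     * @param request the current request; its existing session is looked up
     *                without creating one
     * @param response the current response; when it is a Jetty {@link Response}
     *                 and the session id actually changed, the new session
     *                 cookie is added to it
     * @return the request's session (possibly with a new id), or {@code null}
     *         if the request has no session
     */
    protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
    {
        HttpSession httpSession = request.getSession(false);
        if (!_renewSession || httpSession == null)
            return httpSession;

        synchronized (httpSession)
        {
            // Renew at most once per session. Compare the marker with equals(),
            // not ==: a Boolean attribute that has been persisted and reloaded
            // with the session need not be the Boolean.TRUE singleton, and a
            // reference comparison would then renew the id again on every login.
            if (Boolean.TRUE.equals(httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)))
                return httpSession;

            if (!(httpSession instanceof AbstractSession))
            {
                LOG.warn("Unable to renew session "+httpSession);
                return httpSession;
            }

            AbstractSession abstractSession = (AbstractSession)httpSession;
            String oldId = abstractSession.getId();
            abstractSession.renewId(request);
            abstractSession.setAttribute(AbstractSession.SESSION_CREATED_SECURE, Boolean.TRUE);

            // The client only learns the new id through a fresh cookie, and only a
            // Jetty Response lets us add one here.
            if (abstractSession.isIdChanged() && response instanceof Response)
                ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));

            LOG.debug("renew {}->{}", oldId, abstractSession.getId());
            return httpSession;
        }
    }
}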