
1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  
20  package org.eclipse.jetty.security.authentication;
21  
22  import java.io.IOException;
23  import java.io.ObjectInputStream;
24  import java.io.Serializable;
25  
26  import javax.servlet.http.HttpSession;
27  import javax.servlet.http.HttpSessionActivationListener;
28  import javax.servlet.http.HttpSessionBindingEvent;
29  import javax.servlet.http.HttpSessionBindingListener;
30  import javax.servlet.http.HttpSessionEvent;
31  
32  import org.eclipse.jetty.security.AbstractUserAuthentication;
33  import org.eclipse.jetty.security.LoginService;
34  import org.eclipse.jetty.security.SecurityHandler;
35  import org.eclipse.jetty.server.UserIdentity;
36  import org.eclipse.jetty.server.session.AbstractSession;
37  import org.eclipse.jetty.util.log.Log;
38  import org.eclipse.jetty.util.log.Logger;
39  
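/**
 * A user authentication that lives in an {@link HttpSession} and can be
 * serialized together with that session.
 * <p>
 * The serialized form carries the user name and the credentials object
 * ({@code _name} and {@code _credentials} are non-transient), while the
 * session reference is transient. On deserialization the user is logged in
 * again through the current {@link LoginService} using those stored values.
 * <p>
 * Security note: because the credentials object is written out with the
 * session, any session persistence or replication store holds whatever that
 * object contains. Such a store needs the same protection as a credential store.
 */
public class SessionAuthentication extends AbstractUserAuthentication implements Serializable, HttpSessionActivationListener, HttpSessionBindingListener
{
    private static final Logger LOG = Log.getLogger(SessionAuthentication.class);

    private static final long serialVersionUID = -4643200685888258706L;

    /** Session attribute name that {@link #logout()} removes from the session. */
    public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity";

    // Name of the authenticated principal; serialized and used for re-login.
    private final String _name;
    // Credentials as passed to the constructor; serialized and used for re-login.
    private final Object _credentials;
    // Session this authentication is bound to; not serialized, re-captured by
    // sessionDidActivate/valueBound.
    private transient HttpSession _session;

    /**
     * Creates an authentication for the given identity.
     *
     * @param method the authentication method, passed to the superclass
     * @param userIdentity the authenticated identity; its principal name is retained
     * @param credentials the credentials retained for re-login after deserialization
     */
    public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials)
    {
        super(method, userIdentity);
        _name=userIdentity.getUserPrincipal().getName();
        _credentials=credentials;
    }


    /**
     * Restores the serialized fields and re-authenticates the user against the
     * current {@link LoginService} with the stored name and credentials.
     *
     * @param stream the stream to read this object from
     * @throws IOException if reading the default fields fails
     * @throws ClassNotFoundException if a serialized class cannot be resolved
     * @throws IllegalStateException if there is no current SecurityHandler or it has no LoginService
     */
    private void readObject(ObjectInputStream stream)
        throws IOException, ClassNotFoundException
    {
        stream.defaultReadObject();

        SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
        if (security==null)
            throw new IllegalStateException("!SecurityHandler");
        LoginService login_service=security.getLoginService();
        if (login_service==null)
            throw new IllegalStateException("!LoginService");

        _userIdentity=login_service.login(_name,_credentials, null);
        // NOTE(review): login() is expected to return null when the stored
        // credentials are rejected (e.g. changed or revoked since the session
        // was written) - confirm against the LoginService in use. Report that
        // case separately instead of claiming a successful re-login; only the
        // user name is logged, never the credentials.
        if (_userIdentity==null)
            LOG.warn("Deserialized but could not re-login {}",_name);
        else
            LOG.debug("Deserialized and relogged in {}",this);
    }

    /**
     * Removes the {@link #__J_AUTHENTICATED} attribute from the session, if a
     * session is known and the attribute is present, then performs the logout.
     */
    public void logout()
    {
        if (_session!=null && _session.getAttribute(__J_AUTHENTICATED)!=null)
            _session.removeAttribute(__J_AUTHENTICATED);

        doLogout();
    }

    /**
     * Logs this authentication out of the current SecurityHandler, when there is
     * one, and clears the {@code SESSION_CREATED_SECURE} attribute of the session.
     */
    private void doLogout()
    {
        SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
        if (security!=null)
            security.logout(this);
        if (_session!=null)
            _session.removeAttribute(AbstractSession.SESSION_CREATED_SECURE);
    }

    /**
     * Returns the simple class name, hash code, session id ("-" when no session
     * is known) and user identity. The output contains the session id, so treat
     * log output that includes it as sensitive.
     */
    @Override
    public String toString()
    {
        return String.format("%s@%x{%s,%s}",this.getClass().getSimpleName(),hashCode(),_session==null?"-":_session.getId(),_userIdentity);
    }

    @Override
    public void sessionWillPassivate(HttpSessionEvent se)
    {
        // Nothing to do before passivation.
    }

    /** Captures the session on activation when none has been recorded yet. */
    @Override
    public void sessionDidActivate(HttpSessionEvent se)
    {
        if (_session==null)
        {
            _session=se.getSession();
        }
    }

    /** Captures the session on binding when none has been recorded yet. */
    @Override
    public void valueBound(HttpSessionBindingEvent event)
    {
        if (_session==null)
        {
            _session=event.getSession();
        }
    }

    /** Logs out when this object is unbound from its session. */
    @Override
    public void valueUnbound(HttpSessionBindingEvent event)
    {
        doLogout();
    }

}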