
1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.security.authentication;
20  
21  import javax.servlet.ServletRequest;
22  import javax.servlet.http.HttpServletRequest;
23  import javax.servlet.http.HttpServletResponse;
24  import javax.servlet.http.HttpSession;
25  
26  import org.eclipse.jetty.security.Authenticator;
27  import org.eclipse.jetty.security.IdentityService;
28  import org.eclipse.jetty.security.LoginService;
29  import org.eclipse.jetty.server.Authentication;
30  import org.eclipse.jetty.server.UserIdentity;
31  import org.eclipse.jetty.server.session.AbstractSessionManager;
32  
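/**
 * Base class for authenticators that validate a username/credential pair against a
 * {@link LoginService} (form, basic, digest, ... subclasses supply the challenge/response
 * handling).
 * <p>
 * The security-relevant behaviour shared by all subclasses lives here: after a successful
 * login the HTTP session id is changed (when enabled by
 * {@link AuthConfiguration#isSessionRenewedOnAuthentication()}) so that a session id that was
 * handed out before authentication cannot be replayed by whoever planted it (session fixation).
 */
public abstract class LoginAuthenticator implements Authenticator
{
    /** Validates credentials; set by {@link #setConfiguration(AuthConfiguration)}, never null afterwards. */
    protected LoginService _loginService;
    /** Associates a {@link UserIdentity} with the current thread/request; set by {@link #setConfiguration(AuthConfiguration)}. */
    protected IdentityService _identityService;
    /** Whether {@link #renewSession(HttpServletRequest, HttpServletResponse)} is allowed to change the session id. */
    private boolean _renewSession;

    protected LoginAuthenticator()
    {
    }


    /* ------------------------------------------------------------ */
    /**
     * Authenticate the supplied credentials against the configured {@link LoginService}.
     * <p>
     * On success the caller's HTTP session (if one exists) is passed through
     * {@link #renewSession(HttpServletRequest, HttpServletResponse)} before the identity is
     * returned, so the pre-authentication session id is not kept. Renewal is only attempted when
     * {@code request} is an {@link HttpServletRequest}: any other {@link ServletRequest} has no
     * HTTP session to renew, and the previous unconditional cast would have thrown a
     * {@link ClassCastException} after the credentials had already been accepted.
     *
     * @param username the user name presented by the client
     * @param password the credential presented by the client, handed to the LoginService as-is
     *                 (do not log it)
     * @param request the request carrying the credentials; expected to be an {@link HttpServletRequest}
     * @return the authenticated {@link UserIdentity}, or null if the LoginService rejected the credentials
     */
    public UserIdentity login(String username, Object password, ServletRequest request)
    {
        UserIdentity user = _loginService.login(username,password);
        if (user==null)
            return null;

        // Only HTTP requests carry an HttpSession; guard the cast instead of failing after login.
        if (request instanceof HttpServletRequest)
            renewSession((HttpServletRequest)request, null);
        return user;
    }


    /**
     * Bind this authenticator to its LoginService and IdentityService.
     * <p>
     * Both services are mandatory security dependencies, so a missing one fails fast here
     * rather than as a NullPointerException on the first request.
     *
     * @param configuration the security handler configuration
     * @throws IllegalStateException if the configuration supplies no LoginService or no IdentityService
     */
    public void setConfiguration(AuthConfiguration configuration)
    {
        _loginService=configuration.getLoginService();
        if (_loginService==null)
            throw new IllegalStateException("No LoginService for "+this+" in "+configuration);
        _identityService=configuration.getIdentityService();
        if (_identityService==null)
            throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
        _renewSession=configuration.isSessionRenewedOnAuthentication();
    }
    
    /**
     * @return the LoginService this authenticator validates credentials against
     */
    public LoginService getLoginService()
    {
        return _loginService;
    }
    
    /** Change the session id.
     * The session is changed to a new instance with a new ID if and only if:<ul>
     * <li>A session exists.
     * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
     * <li>The session ID has been given to unauthenticated responses, i.e. the session does not
     *     carry the {@link AbstractSessionManager#SESSION_KNOWN_ONLY_TO_AUTHENTICATED} attribute
     *     with value {@link Boolean#TRUE}.
     * </ul>
     * @param request the request whose existing session (if any) is renewed
     * @param response currently unused; present so subclasses can pass the response through
     * @return The new session, or the unchanged (possibly null) existing session when no renewal was done.
     */
    protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
    {
        HttpSession httpSession = request.getSession(false);
       
        // If we should renew sessions, and there is an existing session that may have been seen by
        // non-authenticated users (indicated by SESSION_KNOWN_ONLY_TO_AUTHENTICATED not being set to
        // TRUE on the session), then change its id.
        if (_renewSession && httpSession!=null && httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
        {
            // Lock is on the authenticator, not the session: all renewals through this
            // authenticator are serialised.
            synchronized (this)
            {
                // NOTE(review): the trailing 'true' presumably marks the new session as known only
                // to authenticated users -- confirm against AbstractSessionManager.renewSession.
                httpSession = AbstractSessionManager.renewSession(request, httpSession,true);
            }
        }
        return httpSession;
    }
}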