Class AbstractAuthenticator

  • All Implemented Interfaces:
    Authenticator
    Direct Known Subclasses:
    FileBasedAuthenticator

    public abstract class AbstractAuthenticator
    extends java.lang.Object
    implements Authenticator
    A partial implementation of the Authenticator interface. This class should not implement any methods that would be meant to modify a User object, since that's probably implementation specific.
    • Field Detail

      • USER

        protected static final java.lang.String USER
        Key for user in session
        See Also:
        Constant Field Values
    • Constructor Detail

      • AbstractAuthenticator

        public AbstractAuthenticator()
    • Method Detail

      • clearCurrent

        public void clearCurrent()
        Clears the current User. This allows the thread to be reused safely. This clears all threadlocal variables from the thread. This should ONLY be called after all possible ESAPI operations have concluded. If you clear too early, many calls will fail, including logging, which requires the user identity.
        Specified by:
        clearCurrent in interface Authenticator
      • exists

        public boolean exists​(java.lang.String accountName)
        Determine if the account exists.
        Specified by:
        exists in interface Authenticator
        Parameters:
        accountName - the account name
        Returns:
        true, if the account exists
      • getCurrentUser

        public User getCurrentUser()
        Returns the currently logged in User.

        Returns the currently logged user as set by the setCurrentUser() methods. Must not log in this method because the logger calls getCurrentUser() and this could cause a loop.

        Specified by:
        getCurrentUser in interface Authenticator
        Returns:
        the matching User object, or the Anonymous User if no match exists
      • getUserFromSession

        protected User getUserFromSession()
        Gets the user from session.
        Returns:
        the user from session or null if no user is found in the session
      • getUserFromRememberToken

        protected DefaultUser getUserFromRememberToken()
Returns the user if a matching remember token is found, or null if the token is missing, the token is corrupt, the token is expired, the account name does not match an existing account, or the hashed password does not match the user's hashed password.
        Returns:
the user if a matching remember token is found, or null if the token is missing, the token is corrupt, the token is expired, the account name does not match an existing account, or the hashed password does not match the user's hashed password.
      • login

        public User login​(javax.servlet.http.HttpServletRequest request,
                          javax.servlet.http.HttpServletResponse response)
                   throws AuthenticationException
This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request. This method will set the current user so that getCurrentUser() will work properly. Authenticates the user's credentials from the HttpServletRequest if necessary, creates a session if necessary, and sets the user as the current user.

        Specification: The implementation should do the following:
        1) Check if the User is already stored in the session
           a. If so, check that the session absolute and inactivity timeouts have not expired
           b. Step 2 may not be required if 1a has been satisfied
        2) Verify User credentials
           a. It is recommended that you use loginWithUsernameAndPassword(HttpServletRequest, HttpServletResponse) to verify credentials
        3) Set the last host of the User (ex. user.setLastHostAddress(address))
        4) Verify that the request is secure (ex. over SSL)
        5) Verify the User account is allowed to be logged in
           a. Verify the User is not disabled, expired or locked
        6) Assign User to session variable
        Specified by:
        login in interface Authenticator
        Parameters:
        request - the current HTTP request
        response - the HTTP response
        Returns:
        the User
        Throws:
        AuthenticationException - if the credentials are not verified, or if the account is disabled, locked, expired, or timed out
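        The six-step login specification above, written out as an added illustration (not ESAPI's own implementation): an abstract subclass that overrides only login(). It assumes the ESAPI User methods isSessionTimeout(), isSessionAbsoluteTimeout(), isEnabled(), isExpired(), isLocked(), logout() and loginWithPassword(String), the Authenticator.getUser(String) lookup, the two-argument AuthenticationException constructor, and the request parameter names "username" and "password".

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Illustrative sketch, not ESAPI's own code; left abstract so the remaining Authenticator methods need not be shown.
public abstract class SpecFollowingAuthenticator extends AbstractAuthenticator {
    @Override
    public User login(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // 1) Reuse the session user only if neither timeout has expired (1a);
        //    a still-valid session user makes the credential check in step 2 unnecessary (1b).
        User user = getUserFromSession();
        if (user != null && (user.isSessionTimeout() || user.isSessionAbsoluteTimeout())) {
            user.logout();
            throw new AuthenticationException("Session expired, please log in again", "Session timeout for " + user.getAccountName());
        }
        if (user == null) {
            // 2) Verify credentials. Parameter names are assumed; the spec recommends
            //    loginWithUsernameAndPassword(), which performs the equivalent check.
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            if (username == null || password == null) {
                throw new AuthenticationException("Missing credentials", "Login attempt without username or password");
            }
            user = getUser(username);          // Authenticator.getUser (assumed ESAPI API)
            if (user == null) {
                throw new AuthenticationException("Invalid credentials", "Unknown account: " + username);
            }
            user.loginWithPassword(password);  // User.loginWithPassword (assumed ESAPI API), throws on mismatch
        }
        // 3) Record the client address on the User
        user.setLastHostAddress(request.getRemoteHost());
        // 4) Credentials and session ids must only travel over TLS
        if (!request.isSecure()) {
            throw new AuthenticationException("Connection is not secure", "Login attempted over non-TLS channel by " + user.getAccountName());
        }
        // 5) Account state: disabled, expired or locked accounts must not log in
        if (!user.isEnabled() || user.isExpired() || user.isLocked()) {
            throw new AuthenticationException("Account cannot be used", "Disabled, expired or locked account: " + user.getAccountName());
        }
        // 6) Bind the user to the session (USER key from AbstractAuthenticator) and to this thread
        HttpSession session = request.getSession(true);
        session.setAttribute(USER, user);
        setCurrentUser(user);
        return user;
    }
}
```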
      • logout

        public void logout()
        Logs out the current user. This is usually done by calling User.logout on the current User.
        Specified by:
        logout in interface Authenticator
      • setCurrentUser

        public void setCurrentUser​(User user)
        Sets the currently logged in User.
        Specified by:
        setCurrentUser in interface Authenticator
        Parameters:
        user - the user to set as the current user