Class DelegationAuthenticationHandler

  • All Implemented Interfaces:
    PluginComponent, java.lang.Comparable<AuthenticationHandler>

    public class DelegationAuthenticationHandler
    extends AuthenticationHandler
    Uses the Member's delegation to allow him to change its identity to somebody else.

    Any account can be excluded from delegation by adding its member's ID to the property (seperated with space or coma) : auth-mgr.delegation.excluded-mbr-ids: c_42

    $Revision: 128015 $
    • Field Detail


        public static final int ORDER_DELEGATION_HANDLER
        Order used by the DelegationAuthenticationHandler
        See Also:
        Constant Field Values

        public static final java.lang.String PROP_ENABLED
        Property key used to read if delegation is enabled or not
        See Also:
        Constant Field Values

        public static final java.lang.String PROP_EXCLUDED_MBR_IDS
        Property key used to read the member ids which are excluded from delegation
        See Also:
        Constant Field Values

        public static final java.lang.String PROP_REQUIRES_CSRF_TOKEN
        Property key used to read boolean setting indicating if CSRF token is required to delegate into another member
        See Also:
        Constant Field Values
    • Method Detail

      • loadProperties

        public void loadProperties()
        Description copied from class: AuthenticationHandler
        This method will be called by the AuthenticationManager each time the Channel properties are loaded/reloaded.
        You can use it to reload properties that might have been changed.
        This method is called during initialization of the AuthenticationManager
        loadProperties in class AuthenticationHandler
      • login

        public void login​(AuthenticationContext ctxt)
        Description copied from class: AuthenticationHandler
        Authenticate a member.
        This method is invoked by the authentication chain on each request.
        A typical implementation of this method would follow the following pattern :
        1. Examine informations required to perform the authentication through the AuthenticationContext object (request, response, login.. etc)
        2. Perform your authentication before chain invokation and set the logged Member AuthenticationContext.setLoggedMember(com.jalios.jcms.Member)
        3. a) Either invoke the next entity in the chain using AuthenticationContext.doChain(),
        4. b) or else skip the chain invokation and block other authentication handler of the chain (do this with caution...)
        5. Perform redirection, set information/warning/error message or any other process, after chain invokation, using AuthenticationContext.

        Default implementation is to invoke the next handler in the chain.
        login in class AuthenticationHandler
        ctxt - the AuthenticationContext used for this login
      • isEnabled

        public boolean isEnabled()
        Check if delegation is enabled on this site.
        true if enabled, false if disabled
        jcms-10.0.2 / JCMS-6766
      • canDelegateTo

        public boolean canDelegateTo​(Member loggedMember,
                                     Member targetMbr,
                                     javax.servlet.http.HttpServletRequest request)
        Check if the logged Member is allowed to delegate to the specified target Member.

        This method verify all known restrictions and authorizations related to delegation.

        Current implementation includes the following rules.

        • Delegation is always granted if target member is a Member in which the user was previously logged in the current session.
          It allows the "log back" feature, e.g.: a user delegates from M1 to M2, user is allowed to log back from M2 to M1.
        • Delegations from a member matching any of the following conditions are NOT authorized :
          • logged member is null
          • logged member is a contact
          • logged member is disabled
        • Delegations to a member matching any of the following conditions are NOT authorized :
          • target member is null
          • target member is same as logged member
          • target member is a contact
          • target member is part of the exclude mbr specified in property PROP_EXCLUDED_MBR_IDS
          • target member is disabled (unless logged member is an administrator)
        • If none of the above authorizations or restrictions matched, a delegation is authorized if :
          • logged member is administrator
          • target member has been specified in the logged member's authorized delegation holder set
        • At last, delegation is refused.
        loggedMember - the member currently logged for which verification is performed
        targetMbr - the Member in which delegation is requested
        request - the current servlet request, may be null, but required to allow "log back"
        true if member is allowed to delegate, false otherwise
        jcms-10.0.3 (JCMS-7349)
      • sendDelegationAlert

        public void sendDelegationAlert​(Member from,
                                        Member to)
        Send an alert to inform a Member that delegation was used to sign in with his account.
        from - the member who performed the sign in operation, must not be null
        to - the member in which signed in was performed, must not be null
        jcms-10.0.4 - JCMS-7867
      • getDelegationHolderSet

        public java.util.Set<Member> getDelegationHolderSet​(Member mbr)
        Retrieves the list of member into which this member is allowed to log in.

        This method filters any unauthorized member (such as contact, disabled Member, or Member which have been excluded from delegation using property "auth-mgr.delegation.excluded-mbr-ids").

        a new instance of Set (sorted by Member's name), never return null.
        jcms-10.0.2 / JCMS-6766
      • filterExcludedMember

        public java.util.Set<Member> filterExcludedMember​(java.util.Set<Member> setToFilter)
        since jcms-10.0.3, use getDelegationHolderSet(Member) if you want to retrieve logged member's possible delegation, or canDelegateTo(Member, Member, HttpServletRequest) to check if delegation is authorized as it performs all verifications
        Filter the specified member Set to remove all member excluded from delegation.
        setToFilter - the Member set to filter (this collection is NOT modified)
        a new TreeSet of Member (sorted by name)
        jcms-7.1.2 (JCMS-3097)
        See Also:
      • isExcludedFromDelegation

        public boolean isExcludedFromDelegation​(Member suMbr)
        since jcms-10.0.3, use canDelegateTo(Member, Member, HttpServletRequest) which performs all verifications
        Check if the specified Member can be used as the target of a delegation.

        A member can be a target of a delegation if the following condition are met :

        • specified member is NOT a contact
        • specified member is NOT part of the exclude mbr specified in property PROP_EXCLUDED_MBR_IDS
        suMbr - the Member in which a delegation could be request
        true if the member is excluded, false if it can be used safely.
      • getSuHistory

        public static final java.util.List<Member> getSuHistory​(javax.servlet.http.HttpServletRequest request)
        Retrieve the change user history from the current session.
        request - the current HttpServletRequest
        a List of Member (never return null).
      • getSuLink

        public static final java.lang.String getSuLink​(Member suMember)
        Retrieves a link that will request an user changer to the specified member.
        Note : The link is always return, even though the su might not be allowed.
        suMember - the member to login into
        a relative URL to request a user change (e.g. "index.jsp?JCMS_sulogin=johndoe")