com.jalios.jcms.authentication.handlers

Class DelegationAuthenticationHandler

java.lang.Object

com.jalios.jcms.authentication.AuthenticationHandler

com.jalios.jcms.authentication.handlers.DelegationAuthenticationHandler

All Implemented Interfaces:

PluginComponent, java.lang.Comparable<AuthenticationHandler>

public class DelegationAuthenticationHandler
extends AuthenticationHandler

Uses the Member's delegation to allow him to change its identity to somebody else.

Any account can be excluded from delegation by adding its member's ID to the property (seperated with space or coma) : auth-mgr.delegation.excluded-mbr-ids: c_42

Since:

jcms-5.7.0

Version:

$Revision: 118314 $

Field Summary

Fields

Modifier and Type	Field and Description
static int	ORDER_DELEGATION_HANDLER Order used by the DelegationAuthenticationHandler
static java.lang.String	PROP_ENABLED Property key used to read if delegation is enabled or not
static java.lang.String	PROP_EXCLUDED_MBR_IDS Property key used to read the member ids which are excluded from delegation
static java.lang.String	PROP_REQUIRES_CSRF_TOKEN Property key used to read boolean setting indicating if CSRF token is required to delegate into another member

Fields inherited from class com.jalios.jcms.authentication.AuthenticationHandler

channel, GENERIC_BAD_AUTHENTICATION_MSG, REVISION

Method Summary

Modifier and Type	Method and Description
boolean	canDelegateTo(Member loggedMember, Member targetMbr, javax.servlet.http.HttpServletRequest request) Check if the logged Member is allowed to delegate to the specified target Member.
java.util.Set<Member>	filterExcludedMember(java.util.Set<Member> setToFilter) Deprecated. since jcms-10.0.3, use getDelegationHolderSet(Member) if you want to retrieve logged member's possible delegation, or canDelegateTo(Member, Member, HttpServletRequest) to check if delegation is authorized as it performs all verifications
java.util.Set<Member>	getDelegationHolderSet(Member mbr) Retrieves the list of member into which this member is allowed to log in.
static DelegationAuthenticationHandler	getInstance()
static java.util.List<Member>	getSuHistory(javax.servlet.http.HttpServletRequest request) Retrieve the change user history from the current session.
static java.lang.String	getSuLink(Member suMember) Retrieves a link that will request an user changer to the specified member. Note : The link is always return, even though the su might not be allowed.
boolean	isEnabled() Check if delegation is enabled on this site.
boolean	isExcludedFromDelegation(Member suMbr) Deprecated. since jcms-10.0.3, use canDelegateTo(Member, Member, HttpServletRequest) which performs all verifications
void	loadProperties() This method will be called by the AuthenticationManager each time the Channel properties are loaded/reloaded. You can use it to reload properties that might have been changed. This method is called during initialization of the AuthenticationManager
void	login(AuthenticationContext ctxt) Authenticate a member.

Methods inherited from class com.jalios.jcms.authentication.AuthenticationHandler

compareTo, equals, getOrder, init, logout, setOrder

Methods inherited from class java.lang.Object

clone, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ORDER_DELEGATION_HANDLER

public static final int ORDER_DELEGATION_HANDLER

Order used by the DelegationAuthenticationHandler

See Also:

Constant Field Values

PROP_ENABLED

public static final java.lang.String PROP_ENABLED

Property key used to read if delegation is enabled or not

See Also:

Constant Field Values

PROP_EXCLUDED_MBR_IDS

public static final java.lang.String PROP_EXCLUDED_MBR_IDS

Property key used to read the member ids which are excluded from delegation

See Also:

Constant Field Values

PROP_REQUIRES_CSRF_TOKEN

public static final java.lang.String PROP_REQUIRES_CSRF_TOKEN

Property key used to read boolean setting indicating if CSRF token is required to delegate into another member

See Also:

Constant Field Values

Method Detail

getInstance

public static final DelegationAuthenticationHandler getInstance()

loadProperties

public void loadProperties()

Description copied from class: AuthenticationHandler

This method will be called by the AuthenticationManager each time the Channel properties are loaded/reloaded.
You can use it to reload properties that might have been changed.
This method is called during initialization of the AuthenticationManager

Overrides:

loadProperties in class AuthenticationHandler

login

public void login(AuthenticationContext ctxt)
           throws java.io.IOException

Description copied from class: AuthenticationHandler

Authenticate a member.
This method is invoked by the authentication chain on each request.
A typical implementation of this method would follow the following pattern :

1. Examine informations required to perform the authentication through the AuthenticationContext object (request, response, login.. etc)
2. Perform your authentication before chain invokation and set the logged Member AuthenticationContext.setLoggedMember(com.jalios.jcms.Member)
3. a) Either invoke the next entity in the chain using AuthenticationContext.doChain(),
4. b) or else skip the chain invokation and block other authentication handler of the chain (do this with caution...)
5. Perform redirection, set information/warning/error message or any other process, after chain invokation, using AuthenticationContext.

Default implementation is to invoke the next handler in the chain.

Overrides:

login in class AuthenticationHandler

Parameters:

ctxt - the AuthenticationContext used for this login

Throws:

java.io.IOException

isEnabled

public boolean isEnabled()

Check if delegation is enabled on this site.

Returns:

true if enabled, false if disabled

Since:

jcms-10.0.2 / JCMS-6766

canDelegateTo

public boolean canDelegateTo(Member loggedMember,
                             Member targetMbr,
                             javax.servlet.http.HttpServletRequest request)

Check if the logged Member is allowed to delegate to the specified target Member.

This method verify all known restrictions and authorizations related to delegation.

Current implementation includes the following rules.

• Delegation is always granted if target member is a Member in which the user was previously logged in the current session.
  It allows the "log back" feature, e.g.: a user delegates from M1 to M2, user is allowed to log back from M2 to M1.
• Delegations from a member matching any of the following conditions are NOT authorized :
  • logged member is null
  • logged member is a contact
  • logged member is disabled
• Delegations to a member matching any of the following conditions are NOT authorized :
  • target member is null
  • target member is same as logged member
  • target member is a contact
  • target member is part of the exclude mbr specified in property PROP_EXCLUDED_MBR_IDS
  • target member is disabled (unless logged member is an administrator)
• If none of the above authorizations or restrictions matched, a delegation is authorized if :
  • logged member is administrator
  • target member has been specified in the logged member's authorized delegation holder set
• At last, delegation is refused.

Parameters:

loggedMember - the member currently logged for which verification is performed

targetMbr - the Member in which delegation is requested

request - the current servlet request, may be null, but required to allow "log back"

Returns:

true if member is allowed to delegate, false otherwise

Since:

jcms-10.0.3 (JCMS-7349)

getDelegationHolderSet

public java.util.Set<Member> getDelegationHolderSet(Member mbr)

Retrieves the list of member into which this member is allowed to log in.

This method filters any unauthorized member (such as contact, disabled Member, or Member which have been excluded from delegation using property "auth-mgr.delegation.excluded-mbr-ids").

Returns:

a new instance of Set (sorted by Member's name), never return null.

Since:

jcms-10.0.2 / JCMS-6766

filterExcludedMember

public java.util.Set<Member> filterExcludedMember(java.util.Set<Member> setToFilter)

Deprecated. since jcms-10.0.3, use getDelegationHolderSet(Member) if you want to retrieve logged member's possible delegation, or canDelegateTo(Member, Member, HttpServletRequest) to check if delegation is authorized as it performs all verifications

Filter the specified member Set to remove all member excluded from delegation.

Parameters:

setToFilter - the Member set to filter (this collection is NOT modified)

Returns:

a new TreeSet of Member (sorted by name)

Since:

jcms-7.1.2 (JCMS-3097)

See Also:

isExcludedFromDelegation(Member)

isExcludedFromDelegation

public boolean isExcludedFromDelegation(Member suMbr)

Deprecated. since jcms-10.0.3, use canDelegateTo(Member, Member, HttpServletRequest) which performs all verifications

Check if the specified Member can be used as the target of a delegation.

A member can be a target of a delegation if the following condition are met :

• specified member is NOT a contact
• specified member is NOT part of the exclude mbr specified in property PROP_EXCLUDED_MBR_IDS

Parameters:

suMbr - the Member in which a delegation could be request

Returns:

true if the member is excluded, false if it can be used safely.

getSuHistory

public static final java.util.List<Member> getSuHistory(javax.servlet.http.HttpServletRequest request)

Retrieve the change user history from the current session.

Parameters:

request - the current HttpServletRequest

Returns:

a List of Member (never return null).

getSuLink

public static final java.lang.String getSuLink(Member suMember)

Retrieves a link that will request an user changer to the specified member.
Note : The link is always return, even though the su might not be allowed.

Parameters:

suMember - the member to login into

Returns:

a relative URL to request a user change (e.g. "index.jsp?JCMS_sulogin=johndoe")