Package com.jalios.jcms.authentication

Class AuthenticationContext

  • public final class AuthenticationContext
extends java.lang.Object
    Object used by AuthenticationHandler when implementing AuthenticationHandler.login(AuthenticationContext) or AuthenticationHandler.logout(AuthenticationContext)

    Use the AuthenticationContext to :
    • retrieve informations required to perform the authentication (request, response, login.. etc)
    • set the authentication information (principally the authenticated member)
    • invoke the next handler in the login chain (if the calling handler is the last handler in the chain, it will perform the authentication action)
    • perform redirection, set information/warning/error message/

    A new instance of this class is used per login/logout chain invokation.
    Since:
    jcms-5.7.0
    Author:
    Olivier Jaquemet
    See Also:
    AuthenticationHandler

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String AUTHENTICATION_HANDLER_CLASS
      Request attribute name used to store the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for the request.
      protected static Channel channel  
      static java.lang.String FORCED_INVALID_SETLOGGEDMEMBER
      Request attribute name used to store a Member which even though it is invalid (disabled or contact), is allowed to log in.
      AuthenticationHandler wishing to log in disabled member (which is not advised!!) must perform two operations : invoke setLoggedMember(Member) as usual store the member in the request attribute using this constant request.setAttribute(FORCED_INVALID_SETLOGGEDMEMBER, theDisableMember);
      static java.lang.String INVALID_SETLOGGEDMEMBER_STACKTRACE
      Request attribute name used to store the StackTraceElement[] during which setLoggedMember(Member) was invoked with an invalid member.

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void doChain()
      Causes the next handler in the chain to be invoked, or if the calling handler is the last handler in the chain, end the chain invokation.
      java.lang.Object getAttribute​(java.lang.String name)
      Returns the value of the named attribute as an Object, or null if no attribute of the given name exists.
      java.util.Map<java.lang.String,​java.lang.Object> getAttributeMap()
      Returns a java.util.Map of the attributes of this contexts.
      java.lang.Class<? extends AuthenticationHandler> getAuthenticationHandlerClass()
      Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).
      static java.lang.Class<? extends AuthenticationHandler> getAuthenticationHandlerClass​(javax.servlet.http.HttpServletRequest request)
      Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).
      Member getLoggedMember()
      Retrieve the member that was previously authenticated by previous AuthenticationHandler of the chain.
      java.lang.String getLogin()
      Return the login received from the form.
      May not be available if isCredentialProvided() returns false.
      java.lang.String getPassword()
      Return the clear text password received from the form.
      May not be available if isCredentialProvided() returns false.
      javax.servlet.http.HttpServletRequest getRequest()
      Return the current HttpServletRequest available for this authentication.
      Warning: this method may return a fake request, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet request is available (for example from a "ftp plugin").
      javax.servlet.http.HttpServletResponse getResponse()
      Return the current HttpServletResponse available for this authentication.
      Warning: this method may return a fake response, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet response is available (for example from a "ftp plugin").
      java.lang.String getUserCountry()
      Return the current user country guessed from browser preference or session.
      java.lang.String getUserLang()
      Return the current user language guessed from browser preference or session.
      java.util.Locale getUserLocale()
      Return the current user Locale guessed from browser preference or session.
      void invalidateSession()
      Invalidate the current session when appropriate.
      boolean isCredentialProvided()
      Checks if the credential (login/password) have been provided.
      boolean isLogged()
      Checks if a member is already logged in or if any authentication handler has logged a member, during the chain invokation, till the call to this method.
      boolean isPersistent()
      Return whether a persistent authentication was asked by the user in the login form.
      void recordAuthenticationFailure​(java.lang.String userId, java.lang.Class<? extends AuthenticationHandler> authHdlrClass)
      Record a failed authentication attempt, and throttle if needed.
      java.lang.Object removeAttribute​(java.lang.String name)
      Removes an attribute from this context.
      void sendRedirect​(java.lang.String url)
      Redirect to the given url, using a 303 (HttpServletResponse.SC_SEE_OTHER) status code.

      Doing a 303 redirect will ensure that the next request will be a GET and not a POST (which would submit all parameters again and break the authentication process)
      java.lang.Object setAttribute​(java.lang.String name, java.lang.Object obj)
      Stores an attribute in this context.
      void setCredentialProvided​(boolean provided)
      Define whether the login/password credential have been provided.
      void setErrorMsg​(java.lang.String key)
      Set JCMS error message for current request (displayed through doMessageBox.jsp)
      void setInformationMsg​(java.lang.String key)
      Set JCMS information message for current request (displayed through doMessageBox.jsp)
      void setLoggedMember​(Member mbr)
      Set the member that will be authenticated at the end of this login chain.
      Because handler can override a previously saved Member, you cannot be guaranteed your Member will be used unless you interrupt the chain.
      void setLogin​(java.lang.String login)
      Define the login to be used during the authentication.
      void setPassword​(java.lang.String password)
      Define the (clear text) password to be used during the authentication.
      void setWarningMsg​(java.lang.String key)
      Set JCMS warning message for current request (displayed through doMessageBox.jsp)
      void throttleIfNeeded​(java.lang.String userId, java.lang.Class<? extends AuthenticationHandler> authHdlrClass)
      Checks and perform throttling if it is required for the current authentication attempt.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • channel

        protected static final Channel channel

      • AUTHENTICATION_HANDLER_CLASS

        public static final java.lang.String AUTHENTICATION_HANDLER_CLASS
        Request attribute name used to store the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for the request.
        Since:
        jcms-10.0.4 / JCMS-7955
        See Also:
        Constant Field Values

      • INVALID_SETLOGGEDMEMBER_STACKTRACE

        public static final java.lang.String INVALID_SETLOGGEDMEMBER_STACKTRACE
        Request attribute name used to store the StackTraceElement[] during which setLoggedMember(Member) was invoked with an invalid member.
        See Also:
        Constant Field Values

      • FORCED_INVALID_SETLOGGEDMEMBER

        public static final java.lang.String FORCED_INVALID_SETLOGGEDMEMBER
        Request attribute name used to store a Member which even though it is invalid (disabled or contact), is allowed to log in.
        AuthenticationHandler wishing to log in disabled member (which is not advised!!) must perform two operations :
        • invoke setLoggedMember(Member) as usual
        • store the member in the request attribute using this constant request.setAttribute(FORCED_INVALID_SETLOGGEDMEMBER, theDisableMember);
        See Also:
        Constant Field Values

    • Method Detail

      • doChain

        public void doChain()
             throws java.io.IOException
        Causes the next handler in the chain to be invoked, or if the calling handler is the last handler in the chain, end the chain invokation.
        Throws:
        java.io.IOException
        Since:
        jcms-5.7.0

      • getRequest

        public javax.servlet.http.HttpServletRequest getRequest()
        Return the current HttpServletRequest available for this authentication.
        Warning: this method may return a fake request, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet request is available (for example from a "ftp plugin"). It will usually happends when calling AuthenticationManager.login(String, String).
        Returns:
        an instance of HttpServletRequest, never return null.

      • getResponse

        public javax.servlet.http.HttpServletResponse getResponse()
        Return the current HttpServletResponse available for this authentication.
        Warning: this method may return a fake response, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet response is available (for example from a "ftp plugin"). It will usually happends when calling AuthenticationManager.login(String, String).
        Returns:
        an instance of HttpServletResponse, never return null.

      • getUserLang

        public java.lang.String getUserLang()
        Return the current user language guessed from browser preference or session.
        Returns:
        an ISO-639 language code, never return null.

      • getUserCountry

        public java.lang.String getUserCountry()
        Return the current user country guessed from browser preference or session.
        Returns:
        an ISO-3166-1 language code, never return null.
        Since:
        jcms-7.1

      • getUserLocale

        public java.util.Locale getUserLocale()
        Return the current user Locale guessed from browser preference or session.
        Returns:
        a Locale , never return null.
        Since:
        jcms-7.1

      • getLogin

        public java.lang.String getLogin()
        Return the login received from the form.
        May not be available if isCredentialProvided() returns false.
        Returns:
        a string containing the login provided through the login form or null if not available.

      • setLogin

        public void setLogin​(java.lang.String login)
        Define the login to be used during the authentication.
        Parameters:
        login - a string containing the user login.

      • getPassword

        public java.lang.String getPassword()
        Return the clear text password received from the form.
        May not be available if isCredentialProvided() returns false.
        Returns:
        a string containing the password provided through the login form or null if not available.

      • setPassword

        public void setPassword​(java.lang.String password)
        Define the (clear text) password to be used during the authentication.
        Parameters:
        password - a string containing the user password.

      • isPersistent

        public boolean isPersistent()
        Return whether a persistent authentication was asked by the user in the login form. May not be correct if isCredentialProvided() returns false.
        Returns:
        true if a persistent login was asked, false otherwise. default value is false.

      • isCredentialProvided

        public boolean isCredentialProvided()
        Checks if the credential (login/password) have been provided.
        Usually true after a login form submit (even if login or password empty), but can also be true if the proper parameters have been provided.
        Returns:
        true if a credential have been provided, false otherwise. Also returns true when the login form was submitted with empty login/password.

      • setCredentialProvided

        public void setCredentialProvided​(boolean provided)
        Define whether the login/password credential have been provided.
        Parameters:
        provided - true if the crediential have been provided, false otherwise.

      • recordAuthenticationFailure

        public void recordAuthenticationFailure​(java.lang.String userId,
                                        java.lang.Class<? extends AuthenticationHandler> authHdlrClass)
        Record a failed authentication attempt, and throttle if needed.

        Records of failed authentication must be performed to ensure throttling of brute force authentication atttempt for same context (user/ip).

        Parameters:
        userId - a unique and constant identifier used to track the User/Member for which authentication failed
        authHdlrClass - the class of AuthenticationHandler trying to handle the authentication attempt
        Since:
        jcms-10.0.7 / JCMS-8083

      • throttleIfNeeded

        public void throttleIfNeeded​(java.lang.String userId,
                             java.lang.Class<? extends AuthenticationHandler> authHdlrClass)
                      throws AuthenticationThrottledError
        Checks and perform throttling if it is required for the current authentication attempt.

        Invoke this method in your implementation of AuthenticationHandler.login(AuthenticationContext) as soon as you have the user id for which authentication is tried and before attempting to perform the authentication.
        You do not need to invoke this method if your authentication relies on getLogin(), in such case, throttling verification is performed before invoking the authentication handlers chain.

        Implementation note : Throttling happens by following rules defined on AuthenticationThrottleManager. In such case, AuthenticationThrottledError is thrown and authentication is completely interrupted.

        Parameters:
        userId - a unique and constant identifier used to track the User/Member for which authentication is being attempted
        authHdlrClass - the class of AuthenticationHandler trying to handle the authentication attempt
        Throws:
        AuthenticationThrottledError
        Since:
        jcms-10.0.7 / JCMS-8083

      • setLoggedMember

        public void setLoggedMember​(Member mbr)
        Set the member that will be authenticated at the end of this login chain.
        Because handler can override a previously saved Member, you cannot be guaranteed your Member will be used unless you interrupt the chain.
        Parameters:
        mbr - the mbr to authenticate.
        Since:
        jcms-5.7.0

      • getLoggedMember

        public Member getLoggedMember()
        Retrieve the member that was previously authenticated by previous AuthenticationHandler of the chain.
        Returns:
        the authentication member or null if no member has been authenticated.
        Since:
        jcms-5.7.0

      • isLogged

        public boolean isLogged()
        Checks if a member is already logged in or if any authentication handler has logged a member, during the chain invokation, till the call to this method.
        Returns:
        true if a member is logged in, false otherwise

      • getAuthenticationHandlerClass

        public java.lang.Class<? extends AuthenticationHandler> getAuthenticationHandlerClass()
        Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).

        You may also retrieve the same information without from the current request using getAuthenticationHandlerClass(HttpServletRequest)

        Returns:
        an instance of Class<? extends AuthenticationHandler>, or null if authentication was not yet performed
        Since:
        jcms-10.0.4 / JCMS-7955

      • getAuthenticationHandlerClass

        public static java.lang.Class<? extends AuthenticationHandler> getAuthenticationHandlerClass​(javax.servlet.http.HttpServletRequest request)
        Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).
        Returns:
        an instance of Class<? extends AuthenticationHandler>, or null if authentication was not yet performed
        Since:
        jcms-10.0.4 / JCMS-7955

      • setInformationMsg

        public final void setInformationMsg​(java.lang.String key)
        Set JCMS information message for current request (displayed through doMessageBox.jsp)
        Parameters:
        key - the property key of the message to display, e.g "ui.msg.my-information-msg"

      • setWarningMsg

        public final void setWarningMsg​(java.lang.String key)
        Set JCMS warning message for current request (displayed through doMessageBox.jsp)
        Parameters:
        key - the property key of the message to display, e.g "ui.msg.my-warning-msg"

      • setErrorMsg

        public final void setErrorMsg​(java.lang.String key)
        Set JCMS error message for current request (displayed through doMessageBox.jsp)
        Parameters:
        key - the property key of the message to display, e.g "ui.msg.my-error-msg"

      • sendRedirect

        public final void sendRedirect​(java.lang.String url)
                        throws java.io.IOException
        Redirect to the given url, using a 303 (HttpServletResponse.SC_SEE_OTHER) status code.

        Doing a 303 redirect will ensure that the next request will be a GET and not a POST (which would submit all parameters again and break the authentication process)
        Parameters:
        url - the URL to redirect to, absolute (e.g. "http://www.jalios.com/") or relative to the webapp base url (e.g. "work/index.jsp").
        Throws:
        java.io.IOException - if the response header could not be set

      • setAttribute

        public java.lang.Object setAttribute​(java.lang.String name,
                                     java.lang.Object obj)
        Stores an attribute in this context.
        If the object passed in is null, the effect is the same as calling removeAttribute(java.lang.String).
        Parameters:
        name - a String specifying the name of the attribute
        obj - the Object to be stored
        Returns:
        previous value associated with specified name, or null if there was no mapping for name. A null return can also indicate that null was associated with the specified name.
        Since:
        jcms-6.1.0

      • removeAttribute

        public java.lang.Object removeAttribute​(java.lang.String name)
        Removes an attribute from this context.
        Parameters:
        name - a String specifying
        Returns:
        previous value associated with specified name, or null if there was no mapping for name. A null return can also indicate that null was associated with the specified name.
        Since:
        jcms-6.1.0

      • getAttribute

        public java.lang.Object getAttribute​(java.lang.String name)
        Returns the value of the named attribute as an Object, or null if no attribute of the given name exists.
        Parameters:
        name - a String specifying the name of the attribute
        Returns:
        an Object containing the value of the attribute, or null if the attribute does not exist
        Since:
        jcms-6.1.0

      • getAttributeMap

        public java.util.Map<java.lang.String,​java.lang.Object> getAttributeMap()
        Returns a java.util.Map of the attributes of this contexts.
        Returns:
        the internal Map used by this contexts, modify with care.
        Since:
        jcms-6.1.0

      • invalidateSession

        public void invalidateSession()
        Invalidate the current session when appropriate.
        Since:
        jcms-6.1.4 jcms-7.0.2 jcms-7.1