Package com.jalios.jcms.authentication

Class AuthenticationContext

java.lang.Object

com.jalios.jcms.authentication.AuthenticationContext

public final class AuthenticationContext
extends java.lang.Object

Object used by AuthenticationHandler when implementing AuthenticationHandler.login(AuthenticationContext) or AuthenticationHandler.logout(AuthenticationContext)

Use the AuthenticationContext to :

• retrieve informations required to perform the authentication (request, response, login.. etc)
• set the authentication information (principally the authenticated member)
• invoke the next handler in the login chain (if the calling handler is the last handler in the chain, it will perform the authentication action)
• perform redirection, set information/warning/error message/

A new instance of this class is used per login/logout chain invokation.

Since:

jcms-5.7.0

Version:

$Revision: 135756 $

Author:

Olivier Jaquemet

See Also:

AuthenticationHandler

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	AUTHENTICATION_HANDLER_CLASS	Request attribute name used to store the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for the request.
protected static Channel	channel
static java.lang.String	FORCED_INVALID_SETLOGGEDMEMBER	Request attribute name used to store a Member which even though it is invalid (disabled or contact), is allowed to log in. AuthenticationHandler wishing to log in disabled member (which is not advised!!) must perform two operations : invoke setLoggedMember(Member) as usual store the member in the request attribute using this constant request.setAttribute(FORCED_INVALID_SETLOGGEDMEMBER, theDisableMember);
static java.lang.String	INVALID_SETLOGGEDMEMBER_STACKTRACE	Request attribute name used to store the StackTraceElement[] during which setLoggedMember(Member) was invoked with an invalid member.
static java.lang.String	REVISION

Method Summary

Modifier and Type	Method	Description
void	doChain()	Causes the next handler in the chain to be invoked, or if the calling handler is the last handler in the chain, end the chain invokation.
java.lang.Object	getAttribute(java.lang.String name)	Returns the value of the named attribute as an Object, or null if no attribute of the given name exists.
java.util.Map<java.lang.String,java.lang.Object>	getAttributeMap()	Returns a java.util.Map of the attributes of this contexts.
java.lang.Class<? extends AuthenticationHandler>	getAuthenticationHandlerClass()	Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).
static java.lang.Class<? extends AuthenticationHandler>	getAuthenticationHandlerClass(javax.servlet.http.HttpServletRequest request)	Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).
Member	getLoggedMember()	Retrieve the member that was previously authenticated by previous AuthenticationHandler of the chain.
java.lang.String	getLogin()	Return the login received from the form. May not be available if isCredentialProvided() returns false.
java.lang.String	getPassword()	Return the clear text password received from the form. May not be available if isCredentialProvided() returns false.
javax.servlet.http.HttpServletRequest	getRequest()	Return the current HttpServletRequest available for this authentication. Warning: this method may return a fake request, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet request is available (for example from a "ftp plugin").
javax.servlet.http.HttpServletResponse	getResponse()	Return the current HttpServletResponse available for this authentication. Warning: this method may return a fake response, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet response is available (for example from a "ftp plugin").
java.lang.String	getUserCountry()	Return the current user country guessed from browser preference or session.
java.lang.String	getUserLang()	Return the current user language guessed from browser preference or session.
java.util.Locale	getUserLocale()	Return the current user Locale guessed from browser preference or session.
void	invalidateSession()	Invalidate the current session when appropriate.
boolean	isCredentialProvided()	Checks if the credential (login/password) have been provided.
boolean	isLogged()	Checks if a member is already logged in or if any authentication handler has logged a member, during the chain invokation, till the call to this method.
boolean	isPersistent()	Return whether a persistent authentication was asked by the user in the login form.
void	recordAuthenticationFailure(java.lang.String userId, java.lang.Class<? extends AuthenticationHandler> authHdlrClass)	Record a failed authentication attempt, and throttle if needed.
java.lang.Object	removeAttribute(java.lang.String name)	Removes an attribute from this context.
void	sendRedirect(java.lang.String url)	Redirect to the given url, using a 303 (HttpServletResponse.SC_SEE_OTHER) status code. Doing a 303 redirect will ensure that the next request will be a GET and not a POST (which would submit all parameters again and break the authentication process)
java.lang.Object	setAttribute(java.lang.String name, java.lang.Object obj)	Stores an attribute in this context.
void	setCredentialProvided(boolean provided)	Define whether the login/password credential have been provided.
void	setErrorMsg(java.lang.String key)	Set JCMS error message for current request (displayed through doMessageBox.jsp)
void	setInformationMsg(java.lang.String key)	Set JCMS information message for current request (displayed through doMessageBox.jsp)
void	setLoggedMember(Member mbr)	Set the member that will be authenticated at the end of this login chain. Because handler can override a previously saved Member, you cannot be guaranteed your Member will be used unless you interrupt the chain.
void	setLogin(java.lang.String login)	Define the login to be used during the authentication.
void	setPassword(java.lang.String password)	Define the (clear text) password to be used during the authentication.
void	setWarningMsg(java.lang.String key)	Set JCMS warning message for current request (displayed through doMessageBox.jsp)
void	throttleIfNeeded(java.lang.String userId, java.lang.Class<? extends AuthenticationHandler> authHdlrClass)	Checks and perform throttling if it is required for the current authentication attempt.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REVISION

public static final java.lang.String REVISION

See Also:

Constant Field Values

channel

protected static final Channel channel

AUTHENTICATION_HANDLER_CLASS

public static final java.lang.String AUTHENTICATION_HANDLER_CLASS

Request attribute name used to store the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for the request.

Since:

jcms-10.0.4 / JCMS-7955

See Also:

Constant Field Values

INVALID_SETLOGGEDMEMBER_STACKTRACE

public static final java.lang.String INVALID_SETLOGGEDMEMBER_STACKTRACE

Request attribute name used to store the StackTraceElement[] during which setLoggedMember(Member) was invoked with an invalid member.

See Also:

Constant Field Values

FORCED_INVALID_SETLOGGEDMEMBER

public static final java.lang.String FORCED_INVALID_SETLOGGEDMEMBER

Request attribute name used to store a Member which even though it is invalid (disabled or contact), is allowed to log in.
AuthenticationHandler wishing to log in disabled member (which is not advised!!) must perform two operations :

• invoke setLoggedMember(Member) as usual
• store the member in the request attribute using this constant request.setAttribute(FORCED_INVALID_SETLOGGEDMEMBER, theDisableMember);

See Also:

Constant Field Values

Method Detail

doChain

public void doChain()
             throws java.io.IOException

Causes the next handler in the chain to be invoked, or if the calling handler is the last handler in the chain, end the chain invokation.

Throws:

java.io.IOException

Since:

jcms-5.7.0

getRequest

public javax.servlet.http.HttpServletRequest getRequest()

Return the current HttpServletRequest available for this authentication.
Warning: this method may return a fake request, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet request is available (for example from a "ftp plugin"). It will usually happends when calling AuthenticationManager.login(String, String).

Returns:

an instance of HttpServletRequest, never return null.

getResponse

public javax.servlet.http.HttpServletResponse getResponse()

Return the current HttpServletResponse available for this authentication.
Warning: this method may return a fake response, with partial implementation of the Servlet specification, if the authentication process is called in a context where no servlet response is available (for example from a "ftp plugin"). It will usually happends when calling AuthenticationManager.login(String, String).

Returns:

an instance of HttpServletResponse, never return null.

getUserLang

public java.lang.String getUserLang()

Return the current user language guessed from browser preference or session.

Returns:

an ISO-639 language code, never return null.

getUserCountry

public java.lang.String getUserCountry()

Return the current user country guessed from browser preference or session.

Returns:

an ISO-3166-1 language code, never return null.

Since:

jcms-7.1

getUserLocale

public java.util.Locale getUserLocale()

Return the current user Locale guessed from browser preference or session.

Returns:

a Locale , never return null.

Since:

jcms-7.1

getLogin

public java.lang.String getLogin()

Return the login received from the form.
May not be available if isCredentialProvided() returns false.

Returns:

a string containing the login provided through the login form or null if not available.

setLogin

public void setLogin(java.lang.String login)

Define the login to be used during the authentication.

Parameters:

login - a string containing the user login.

getPassword

public java.lang.String getPassword()

Return the clear text password received from the form.
May not be available if isCredentialProvided() returns false.

Returns:

a string containing the password provided through the login form or null if not available.

setPassword

public void setPassword(java.lang.String password)

Define the (clear text) password to be used during the authentication.

Parameters:

password - a string containing the user password.

isPersistent

public boolean isPersistent()

Return whether a persistent authentication was asked by the user in the login form. May not be correct if isCredentialProvided() returns false.

Returns:

true if a persistent login was asked, false otherwise. default value is false.

isCredentialProvided

public boolean isCredentialProvided()

Checks if the credential (login/password) have been provided.
Usually true after a login form submit (even if login or password empty), but can also be true if the proper parameters have been provided.

Returns:

true if a credential have been provided, false otherwise. Also returns true when the login form was submitted with empty login/password.

setCredentialProvided

public void setCredentialProvided(boolean provided)

Define whether the login/password credential have been provided.

Parameters:

provided - true if the crediential have been provided, false otherwise.

recordAuthenticationFailure

public void recordAuthenticationFailure(java.lang.String userId,
                                        java.lang.Class<? extends AuthenticationHandler> authHdlrClass)

Record a failed authentication attempt, and throttle if needed.

Records of failed authentication must be performed to ensure throttling of brute force authentication atttempt for same context (user/ip).

Parameters:

userId - a unique and constant identifier used to track the User/Member for which authentication failed

authHdlrClass - the class of AuthenticationHandler trying to handle the authentication attempt

Since:

jcms-10.0.7 / JCMS-8083

throttleIfNeeded

public void throttleIfNeeded(java.lang.String userId,
                             java.lang.Class<? extends AuthenticationHandler> authHdlrClass)
                      throws AuthenticationThrottledError

Checks and perform throttling if it is required for the current authentication attempt.

Invoke this method in your implementation of AuthenticationHandler.login(AuthenticationContext) as soon as you have the user id for which authentication is tried and before attempting to perform the authentication.
You do not need to invoke this method if your authentication relies on getLogin(), in such case, throttling verification is performed before invoking the authentication handlers chain.

Implementation note : Throttling happens by following rules defined on AuthenticationThrottleManager. In such case, AuthenticationThrottledError is thrown and authentication is completely interrupted.

Parameters:

userId - a unique and constant identifier used to track the User/Member for which authentication is being attempted

authHdlrClass - the class of AuthenticationHandler trying to handle the authentication attempt

Throws:

AuthenticationThrottledError

Since:

jcms-10.0.7 / JCMS-8083

setLoggedMember

public void setLoggedMember(Member mbr)

Set the member that will be authenticated at the end of this login chain.
Because handler can override a previously saved Member, you cannot be guaranteed your Member will be used unless you interrupt the chain.

Parameters:

mbr - the mbr to authenticate.

Since:

jcms-5.7.0

getLoggedMember

public Member getLoggedMember()

Retrieve the member that was previously authenticated by previous AuthenticationHandler of the chain.

Returns:

the authentication member or null if no member has been authenticated.

Since:

jcms-5.7.0

isLogged

public boolean isLogged()

Checks if a member is already logged in or if any authentication handler has logged a member, during the chain invokation, till the call to this method.

Returns:

true if a member is logged in, false otherwise

getAuthenticationHandlerClass

public java.lang.Class<? extends AuthenticationHandler> getAuthenticationHandlerClass()

Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).

You may also retrieve the same information without from the current request using getAuthenticationHandlerClass(HttpServletRequest)

Returns:

an instance of Class<? extends AuthenticationHandler>, or null if authentication was not yet performed

Since:

jcms-10.0.4 / JCMS-7955

getAuthenticationHandlerClass

public static java.lang.Class<? extends AuthenticationHandler> getAuthenticationHandlerClass(javax.servlet.http.HttpServletRequest request)

Retrieve the Class<? extends AuthenticationHandler> of the AuthenticationHandler that was used to authenticate the member for this request, by invoking setLoggedMember(Member).

Returns:

an instance of Class<? extends AuthenticationHandler>, or null if authentication was not yet performed

Since:

jcms-10.0.4 / JCMS-7955

setInformationMsg

public final void setInformationMsg(java.lang.String key)

Set JCMS information message for current request (displayed through doMessageBox.jsp)

Parameters:

key - the property key of the message to display, e.g "ui.msg.my-information-msg"

setWarningMsg

public final void setWarningMsg(java.lang.String key)

Set JCMS warning message for current request (displayed through doMessageBox.jsp)

Parameters:

key - the property key of the message to display, e.g "ui.msg.my-warning-msg"

setErrorMsg

public final void setErrorMsg(java.lang.String key)

Set JCMS error message for current request (displayed through doMessageBox.jsp)

Parameters:

key - the property key of the message to display, e.g "ui.msg.my-error-msg"

sendRedirect

public final void sendRedirect(java.lang.String url)
                        throws java.io.IOException

Redirect to the given url, using a 303 (HttpServletResponse.SC_SEE_OTHER) status code.

Doing a 303 redirect will ensure that the next request will be a GET and not a POST (which would submit all parameters again and break the authentication process)

Parameters:

url - the URL to redirect to, absolute (e.g. "http://www.jalios.com/") or relative to the webapp base url (e.g. "work/index.jsp").

Throws:

java.io.IOException - if the response header could not be set

setAttribute

public java.lang.Object setAttribute(java.lang.String name,
                                     java.lang.Object obj)

Stores an attribute in this context.
If the object passed in is null, the effect is the same as calling removeAttribute(java.lang.String).

Parameters:

name - a String specifying the name of the attribute

obj - the Object to be stored

Returns:

previous value associated with specified name, or null if there was no mapping for name. A null return can also indicate that null was associated with the specified name.

Since:

jcms-6.1.0

removeAttribute

public java.lang.Object removeAttribute(java.lang.String name)

Removes an attribute from this context.

Parameters:

name - a String specifying

Returns:

previous value associated with specified name, or null if there was no mapping for name. A null return can also indicate that null was associated with the specified name.

Since:

jcms-6.1.0

getAttribute

public java.lang.Object getAttribute(java.lang.String name)

Returns the value of the named attribute as an Object, or null if no attribute of the given name exists.

Parameters:

name - a String specifying the name of the attribute

Returns:

an Object containing the value of the attribute, or null if the attribute does not exist

Since:

jcms-6.1.0

getAttributeMap

public java.util.Map<java.lang.String,java.lang.Object> getAttributeMap()

Returns a java.util.Map of the attributes of this contexts.

Returns:

the internal Map used by this contexts, modify with care.

Since:

jcms-6.1.0

invalidateSession

public void invalidateSession()

Invalidate the current session when appropriate.

Since:

jcms-6.1.4 jcms-7.0.2 jcms-7.1