Package com.jalios.jcms.authentication.handlers

Class CookieAuthenticationHandler

  • All Implemented Interfaces:
    PluginComponent, java.lang.Comparable<AuthenticationHandler>
    public final class CookieAuthenticationHandler
extends AuthenticationHandler
    Save authentification made by other handlers into cookie and use it later on to re-authenticate.

    You can disable this handler by modifiying property "auth-mgr.cookie-enabled". Cookie can be disabled for admin by modifiying property "auth-mgr.allow-admin-cookie".
    Since:
    jcms-5.7.0
    Author:
    Olivier Jaquemet

    • Field Detail

      • ORDER_COOKIE_HANDLER

        public static final int ORDER_COOKIE_HANDLER
        Order used by the CookieAuthenticationHandler
        See Also:
        Constant Field Values

      • COOKIE_EXPECTED

        public static final java.lang.String COOKIE_EXPECTED
        Parameter named used by CookieAuthenticationHandler to check that cookie has correctly been received by browser and has been sent back.
        See Also:
        Constant Field Values

      • AUTHENTICATION_COOKIE_NAME

        public static final java.lang.String AUTHENTICATION_COOKIE_NAME
        Name of cookie used for authentication.
        See Also:
        Constant Field Values

    • Method Detail

      • loadProperties

        public void loadProperties()
        Description copied from class: AuthenticationHandler
        This method will be called by the AuthenticationManager each time the Channel properties are loaded/reloaded.
        You can use it to reload properties that might have been changed.
        This method is called during initialization of the AuthenticationManager
        Overrides:
        loadProperties in class AuthenticationHandler

      • login

        public void login​(AuthenticationContext ctxt)
           throws java.io.IOException
        Description copied from class: AuthenticationHandler
        Authenticate a member.
        This method is invoked by the authentication chain on each request.
        A typical implementation of this method would follow the following pattern :
        1. Examine informations required to perform the authentication through the AuthenticationContext object (request, response, login.. etc)
        2. Perform your authentication before chain invokation and set the logged Member AuthenticationContext.setLoggedMember(com.jalios.jcms.Member)
        3. a) Either invoke the next entity in the chain using AuthenticationContext.doChain(),
        4. b) or else skip the chain invokation and block other authentication handler of the chain (do this with caution...)
        5. Perform redirection, set information/warning/error message or any other process, after chain invokation, using AuthenticationContext.

        Default implementation is to invoke the next handler in the chain.
        Overrides:
        login in class AuthenticationHandler
        Parameters:
        ctxt - the AuthenticationContext used for this login
        Throws:
        java.io.IOException

      • logout

        public void logout​(AuthenticationContext ctxt)
            throws java.io.IOException
        Description copied from class: AuthenticationHandler
        This methods is called when users logout from JCMS.
        It may not be called if user simply close its browser. Don't rely on this for critical operation

        Default implementation is to invoke the next handler in the chain.
        Overrides:
        logout in class AuthenticationHandler
        Parameters:
        ctxt - the AuthenticationContext used for this login
        Throws:
        java.io.IOException

      • getCookieDigest

        public static final java.lang.String getCookieDigest​(java.lang.String timeStr,
                                                     java.lang.String password)
        Deprecated.
        Returns the cookie digest (MD5) composed of concatenation of the time (in millis) and the password of the member
        Parameters:
        timeStr - a time as a string (e.g. String.valueOf(System.currentTimeMillis()))
        password - the Member's password in its crypted version (e.g. member.getPassword())
        Returns:
        an authentication digest

      • getCookieDigest

        public static final java.lang.String getCookieDigest​(java.lang.String timeStr,
                                                     Member member)
        Returns the cookie digest for the specified time and Member.
        Parameters:
        timeStr - the time at which this cookie was emited, as a string (e.g. String.valueOf(System.currentTimeMillis()))
        member - the Member for which the digest is computed
        Returns:
        an authentication digest
        Since:
        jcms-7.1

      • checkCookieDigest

        public static final boolean checkCookieDigest​(java.lang.String digest,
                                              java.lang.String timeStr,
                                              Member member)
        Check if the specified time and password matches the encoded digest.
        Parameters:
        digest - the digest to check (as returned by getCookieDigest(String, String)
        timeStr - a time as a string (e.g. String.valueOf(System.currentTimeMillis()))
        member - the Member against which the digest is verified
        Returns:
        true if the specified digest matches the timeStr and Member
        Since:
        jcms-7.1

      • checkAuthenticationFromCookie

        public static final Member checkAuthenticationFromCookie​(javax.servlet.http.Cookie[] cookies)
        Returns the member corresponding to the member id which is contains in memberId cookie.
        Parameters:
        cookies - an array of cookies (request.getCookies())
        Returns:
        the member or null if not found

      • addAuthenticationCookie

        public static final javax.servlet.http.Cookie addAuthenticationCookie​(Member mbr,
                                                                      javax.servlet.http.HttpServletRequest request,
                                                                      javax.servlet.http.HttpServletResponse response,
                                                                      boolean isPersistent)
        Add a new AuthenticationCookie for the specified member.
        Parameters:
        mbr - the Member for which authentication Cookie is created and added, required, must not be null
        request - the current HTTP request leading to creation of cookie, required, must not be null
        response - the response in which cookie must be sent, required, must not be null
        isPersistent - set to false to create/add a cookie valid for the browser session, true to create/add a cookie valid until expiration is reached
        Returns:
        a new Cookie instance of null if cookie was not created
        Since:
        JCMS-5813

      • getAuthenticationCookie

        public static final javax.servlet.http.Cookie getAuthenticationCookie​(Member member,
                                                                      java.lang.String domain,
                                                                      java.lang.String path,
                                                                      boolean isPersistent)
                                                               throws java.net.UnknownHostException
        Returns a cookie for a given member
        Parameters:
        member - the member to use to generate the cookie.
        domain - an optional String containing the domain name within which the cookie is visible; form is according to RFC 2109
        path - the cookie path
        isPersistent - if true the cookie will persist on the user disk beyond the browser shutdown ; otherwise it will persist until browser shutdown.
        Returns:
        a new Cookie instance
        Throws:
        java.net.UnknownHostException - if the specified domain could not be resolved

      • getEmptyAuthenticationCookie

        public static final javax.servlet.http.Cookie getEmptyAuthenticationCookie​(java.lang.String domain,
                                                                           java.lang.String path)
                                                                    throws java.net.UnknownHostException
        Returns an empty authentication cookie (used for logout)
        Parameters:
        domain - the cookie domain (can be null)
        path - the cookie path
        Returns:
        a new Cookie instance
        Throws:
        java.net.UnknownHostException - if the specified domain could not be resolved

      • deleteAuthenticationCookie

        public static final void deleteAuthenticationCookie​(javax.servlet.http.Cookie[] cookies)
        Delete all AuthenticationCookie instance from the DB matching the specified coookies
        Parameters:
        cookies - the cookies received from the browser