|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objectorg.apache.wiki.auth.AuthenticationManager
public class AuthenticationManager
Manages authentication activities for a WikiEngine: user login, logout, and credential refreshes. This class uses JAAS to determine how users log in.
The login procedure is protected in addition by a mechanism which prevents a hacker to try and force-guess passwords by slowing down attempts to log in into the same account. Every login attempt is recorded, and stored for a while (currently ten minutes), and each login attempt during that time incurs a penalty of 2^login attempts milliseconds - that is, 10 login attempts incur a login penalty of 1.024 seconds. The delay is currently capped to 20 seconds.
Field Summary | |
---|---|
static String |
COOKIE_AUTHENTICATION_MODULE
The name of the built-in cookie authentication module |
static String |
COOKIE_MODULE
The name of the built-in cookie assertion module |
protected static Map<String,String> |
EMPTY_MAP
Empty Map passed to JAAS doJAASLogin(Class, CallbackHandler, Map) method. |
protected static org.apache.log4j.Logger |
log
|
protected Class<? extends LoginModule> |
m_loginModuleClass
Class (of type LoginModule) to use for custom authentication. |
protected Map<String,String> |
m_loginModuleOptions
Options passed to LoginModule.initialize(Subject, CallbackHandler, Map, Map) ;
initialized by initialize(WikiEngine, Properties) . |
protected static String |
PREFIX_LOGIN_MODULE_OPTIONS
Prefix for LoginModule options key/value pairs. |
protected static String |
PROP_ALLOW_COOKIE_ASSERTIONS
If this jspwiki.properties property is true , allow cookies to be used to assert identities. |
static String |
PROP_ALLOW_COOKIE_AUTH
If this jspwiki.properties property is true , allow cookies to be used for authentication. |
protected static String |
PROP_LOGIN_MODULE
The LoginModule to use for custom authentication. |
static String |
PROP_LOGIN_THROTTLING
Whether logins should be throttled to limit brute-forcing attempts. |
static String |
PROP_SECURITY
Deprecated. |
static String |
PROP_STOREIPADDRESS
If this jspwiki.properties property is true , logs the IP address of the editor on saving. |
protected static String |
SECURITY_CONTAINER
Deprecated. use SECURITY_OFF instead |
static String |
SECURITY_JAAS
Value specifying that the user wants to use the built-in JAAS-based system |
static String |
SECURITY_OFF
Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2. |
Constructor Summary | |
---|---|
AuthenticationManager()
|
Method Summary | |
---|---|
void |
addWikiEventListener(WikiEventListener listener)
Registers a WikiEventListener with this instance. |
boolean |
allowsCookieAssertions()
Determines whether this WikiEngine allows users to assert identities using cookies instead of passwords. |
boolean |
allowsCookieAuthentication()
Determines whether this WikiEngine allows users to authenticate using cookies instead of passwords. |
protected Set<Principal> |
doJAASLogin(Class<? extends LoginModule> clazz,
CallbackHandler handler,
Map<String,String> options)
Instantiates and executes a single JAAS LoginModule , and returns a Set of
Principals that results from a successful login. |
protected static URL |
findConfigFile(WikiEngine engine,
String name)
Looks up and obtains a configuration file inside the WEB-INF folder of a wiki webapp. |
protected void |
fireEvent(int type,
Principal principal,
Object target)
Fires a WikiSecurityEvent of the provided type, Principal and target Object to all registered listeners. |
protected Principal |
getLoginPrincipal(Set<Principal> principals)
Returns the first Principal in a set that isn't a Role or
GroupPrincipal . |
void |
initialize(WikiEngine engine,
Properties props)
Creates an AuthenticationManager instance for the given WikiEngine and the specified set of properties. |
boolean |
isContainerAuthenticated()
Returns true if this WikiEngine uses container-managed authentication. |
static boolean |
isRolePrincipal(Principal principal)
Determines whether the supplied Principal is a "role principal". |
static boolean |
isUserPrincipal(Principal principal)
Determines whether the supplied Principal is a "user principal". |
boolean |
login(javax.servlet.http.HttpServletRequest request)
Logs in the user by attempting to populate a WikiSession Subject from a web servlet request by examining the request for the presence of container credentials and user cookies. |
boolean |
login(WikiSession session,
javax.servlet.http.HttpServletRequest request,
String username,
String password)
Attempts to perform a WikiSession login for the given username/password combination using JSPWiki's custom authentication mode. |
boolean |
login(WikiSession session,
String username,
String password)
Deprecated. use login(WikiSession, HttpServletRequest, String, String) instead |
void |
logout(javax.servlet.http.HttpServletRequest request)
Logs the user out by retrieving the WikiSession associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL , Role.ANONYMOUS . |
void |
removeWikiEventListener(WikiEventListener listener)
Un-registers a WikiEventListener with this instance. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final String COOKIE_MODULE
public static final String COOKIE_AUTHENTICATION_MODULE
public static final String PROP_STOREIPADDRESS
true
, logs the IP address of the editor on saving.
public static final String PROP_ALLOW_COOKIE_AUTH
true
, allow cookies to be used for authentication.
public static final String PROP_SECURITY
Setting this is now deprecated - we do not guarantee that it works.
public static final String SECURITY_OFF
public static final String SECURITY_JAAS
public static final String PROP_LOGIN_THROTTLING
protected static final org.apache.log4j.Logger log
protected static final String PREFIX_LOGIN_MODULE_OPTIONS
protected static final String PROP_ALLOW_COOKIE_ASSERTIONS
true
, allow cookies to be used to assert identities.
protected static final String PROP_LOGIN_MODULE
LoginModule
to use for custom authentication.
protected static final Map<String,String> EMPTY_MAP
doJAASLogin(Class, CallbackHandler, Map)
method.
protected Class<? extends LoginModule> m_loginModuleClass
protected Map<String,String> m_loginModuleOptions
LoginModule.initialize(Subject, CallbackHandler, Map, Map)
;
initialized by initialize(WikiEngine, Properties)
.
protected static final String SECURITY_CONTAINER
SECURITY_OFF
instead
Constructor Detail |
---|
public AuthenticationManager()
Method Detail |
---|
public void initialize(WikiEngine engine, Properties props) throws WikiException
engine
- the wiki engineprops
- the properties used to initialize the wiki engine
WikiException
- if the AuthenticationManager cannot be initializedpublic boolean isContainerAuthenticated()
WebContainerAuthorizer.isContainerAuthorized()
,
if used as the external authorizer; otherwise, returns false
.
true
if the wiki's authentication is managed by
the container, false
otherwisepublic boolean login(javax.servlet.http.HttpServletRequest request) throws WikiSecurityException
Logs in the user by attempting to populate a WikiSession Subject from a web servlet request by examining the request for the presence of container credentials and user cookies. The processing logic is as follows:
userPrincipal
, container remoteUser
,
or authentication cookie. If the user is authenticated, this method fires event
WikiSecurityEvent.LOGIN_AUTHENTICATED
with two parameters: a Principal representing the login principal,
and the current WikiSession. In addition, if the authorizer is of type
WebContainerAuthorizer, this method iterates through the container roles returned by
WebContainerAuthorizer.getRoles()
,
tests for membership in each one, and adds those that pass to the Subject's principal set.WikiSecurityEvent.LOGIN_ASSERTED
with two parameters: WikiPrincipal(cookievalue)
, and
the current WikiSession.WikiSecurityEvent.LOGIN_ANONYMOUS
with
two parameters: WikiPrincipal(remoteAddress)
,
and the current WikiSession
request
- servlet request for this user
true
(because anonymous login, at least, will always succeed)
WikiSecurityException
- if the user cannot be logged in for any reasonpublic boolean login(WikiSession session, String username, String password) throws WikiSecurityException
login(WikiSession, HttpServletRequest, String, String)
instead
login(WikiSession, String, String)
, except that user's HTTP request is not made available
to LoginModules via the HttpRequestCallback
.
session
- the current wiki session; may not be null
.username
- The user name. This is a login name, not a WikiName. In
most cases they are the same, but in some cases, they might
not be.password
- the password
WikiSecurityException
- if the Authorizer or UserManager cannot be obtainedpublic boolean login(WikiSession session, javax.servlet.http.HttpServletRequest request, String username, String password) throws WikiSecurityException
PROP_LOGIN_MODULE
will be instantiated, and its
LoginModule.initialize(Subject, CallbackHandler, Map, Map)
method will be invoked. By default, the UserDatabaseLoginModule
class will be used. When the LoginModule's initialize
method is invoked,
an options Map populated by properties keys prefixed by PREFIX_LOGIN_MODULE_OPTIONS
will be passed as a parameter.
session
- the current wiki session; may not be null
.request
- the user's HTTP request. This parameter may be null
, but the configured
LoginModule will not have access to the HTTP request in this case.username
- The user name. This is a login name, not a WikiName. In
most cases they are the same, but in some cases, they might
not be.password
- the password
WikiSecurityException
- if the Authorizer or UserManager cannot be obtainedpublic void logout(javax.servlet.http.HttpServletRequest request)
Role.ALL
, Role.ANONYMOUS
.
is a cheap-and-cheerful way to do it without invoking JAAS LoginModules.
The logout operation will also flush the JSESSIONID cookie from
the user's browser session, if it was set.
request
- the current HTTP requestpublic boolean allowsCookieAssertions()
PROP_ALLOW_COOKIE_ASSERTIONS
.
true
if cookies are allowedpublic boolean allowsCookieAuthentication()
PROP_ALLOW_COOKIE_AUTH
.
true
if cookies are allowed for authenticationpublic static boolean isRolePrincipal(Principal principal)
principal
- the principal to test
true
if the Principal is of type
GroupPrincipal
or
Role
,
false
otherwisepublic static boolean isUserPrincipal(Principal principal)
principal
- the principal to test
false
if the Principal is of type
GroupPrincipal
or
Role
,
true
otherwiseprotected Set<Principal> doJAASLogin(Class<? extends LoginModule> clazz, CallbackHandler handler, Map<String,String> options) throws WikiSecurityException
LoginModule
, and returns a Set of
Principals that results from a successful login. The LoginModule is instantiated,
then its LoginModule.initialize(Subject, CallbackHandler, Map, Map)
method is called. The parameters passed to initialize
is a
dummy Subject, an empty shared-state Map, and an options Map the caller supplies.
clazz
- the LoginModule class to instantiatehandler
- the callback handler to supply to the LoginModuleoptions
- a Map of key/value strings for initializing the LoginModule
Subject.getPrincipals()
WikiSecurityException
- if the LoginModule could not be instantiated for any reasonprotected static URL findConfigFile(WikiEngine engine, String name)
engine
- the wiki enginename
- the file to obtain, e.g., jspwiki.policy
protected Principal getLoginPrincipal(Set<Principal> principals)
Role
or
GroupPrincipal
.
principals
- the principal set
public void addWikiEventListener(WikiEventListener listener)
listener
- the event listenerpublic void removeWikiEventListener(WikiEventListener listener)
listener
- the event listenerprotected void fireEvent(int type, Principal principal, Object target)
type
- the event type to be firedprincipal
- the subject of the event, which may be null
target
- the changed Object, which may be null
WikiSecurityEvent
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |