Class DefaultAuthenticationManager

java.lang.Object
org.apache.wiki.auth.DefaultAuthenticationManager
All Implemented Interfaces:
Initializable, AuthenticationManager

public class DefaultAuthenticationManager
extends java.lang.Object
implements AuthenticationManager
Default implementation for AuthenticationManager
Since:
2.3
  • Field Summary

    Fields
    Modifier and Type Field Description
    protected static java.util.Map<java.lang.String,​java.lang.String> EMPTY_MAP
    Empty Map passed to JAAS doJAASLogin(Class, CallbackHandler, Map) method.
    protected java.lang.Class<? extends javax.security.auth.spi.LoginModule> m_loginModuleClass
    Class (of type LoginModule) to use for custom authentication.
    protected java.util.Map<java.lang.String,​java.lang.String> m_loginModuleOptions
    Options passed to LoginModule.initialize(Subject, CallbackHandler, Map, Map); initialized by initialize(Engine, Properties).
  • Constructor Summary

    Constructors
    Constructor Description
    DefaultAuthenticationManager()  
  • Method Summary

    Modifier and Type Method Description
    void addWikiEventListener​(WikiEventListener listener)
    Registers a WikiEventListener with this instance.
    boolean allowsCookieAssertions()
    Determines whether this Engine allows users to assert identities using cookies instead of passwords.
    boolean allowsCookieAuthentication()
    Determines whether this Engine allows users to authenticate using cookies instead of passwords.
    java.util.Set<java.security.Principal> doJAASLogin​(java.lang.Class<? extends javax.security.auth.spi.LoginModule> clazz, javax.security.auth.callback.CallbackHandler handler, java.util.Map<java.lang.String,​java.lang.String> options)
    Instantiates and executes a single JAAS LoginModule, and returns a Set of Principals that results from a successful login.
    void initialize​(Engine engine, java.util.Properties props)
    Initializes this Engine component.
    boolean isContainerAuthenticated()
    Returns true if this Engine uses container-managed authentication.
    boolean login​(javax.servlet.http.HttpServletRequest request)
    Logs in the user by attempting to populate a Session Subject from a web servlet request by examining the request for the presence of container credentials and user cookies.
    boolean login​(Session session, javax.servlet.http.HttpServletRequest request, java.lang.String username, java.lang.String password)
    Attempts to perform a Session login for the given username/password combination using JSPWiki's custom authentication mode.
    void logout​(javax.servlet.http.HttpServletRequest request)
    Logs the user out by retrieving the Session associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL and Role.ANONYMOUS. This is a cheap-and-cheerful way to do it without invoking JAAS LoginModules.
    void removeWikiEventListener​(WikiEventListener listener)
    Un-registers a WikiEventListener with this instance.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.apache.wiki.auth.AuthenticationManager

    fireEvent, getLoginPrincipal
  • Field Details

  • Constructor Details

  • Method Details

    • initialize

      public void initialize​(Engine engine, java.util.Properties props) throws WikiException

      Initializes this Engine component. The engine is not fully initialized at this point, so do nothing elaborate here; use lazy initialization if you have to.
       

      Specified by:
      initialize in interface Initializable
      Parameters:
      engine - Engine performing the initialization.
      props - Properties for setup.
      Throws:
      WikiException - if an exception occurs while initializing the component.
    • isContainerAuthenticated

      public boolean isContainerAuthenticated()
      Returns true if this Engine uses container-managed authentication. This method is used primarily for cosmetic purposes in the JSP tier, and performs no meaningful security function per se. Delegates to WebContainerAuthorizer.isContainerAuthorized(), if used as the external authorizer; otherwise, returns false.
      Specified by:
      isContainerAuthenticated in interface AuthenticationManager
      Returns:
      true if the wiki's authentication is managed by the container, false otherwise
    • login

      public boolean login​(javax.servlet.http.HttpServletRequest request) throws WikiSecurityException

      Logs in the user by attempting to populate a Session Subject from a web servlet request, examining the request for the presence of container credentials and user cookies. The processing logic is as follows:

      • If the Session was previously unauthenticated, check whether the user has since authenticated. To be considered "authenticated," the request must supply one of the following (in order of preference): the container userPrincipal, the container remoteUser, or the authentication cookie. If the user is authenticated, this method fires the event WikiSecurityEvent.LOGIN_AUTHENTICATED with two parameters: a Principal representing the login principal, and the current Session. In addition, if the authorizer is of type WebContainerAuthorizer, this method iterates through the container roles returned by WebContainerAuthorizer.getRoles(), tests for membership in each one, and adds those that pass to the Subject's principal set.
      • If, after checking for authentication, the Session is still anonymous, this method next checks whether the user has "asserted" an identity by supplying an assertion cookie. The asserted name is simply the cookie value, which the client controls, so it is not a verified identity. If the user is found to be asserted, this method fires the event WikiSecurityEvent.LOGIN_ASSERTED with two parameters: WikiPrincipal(cookievalue), and the current Session.
      • If, after checking for authenticated and asserted status, the Session is still anonymous, this method fires the event WikiSecurityEvent.LOGIN_ANONYMOUS with two parameters: WikiPrincipal(remoteAddress), and the current Session.
      Specified by:
      login in interface AuthenticationManager
      Parameters:
      request - servlet request for this user
      Returns:
      always returns true (because anonymous login, at least, will always succeed)
      Throws:
      WikiSecurityException - if the user cannot be logged in for any reason
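
      The precedence above, as an added illustration that is not JSPWiki's code: a small stand-in interface replaces HttpServletRequest so the example runs without the servlet API; the authentication cookie is assumed to carry an opaque, server-issued token that must match a server-side table; and gating the two cookie paths on allowsCookieAuthentication() and allowsCookieAssertions() is this example's assumption about how those properties apply to the flow.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Added illustration of the decision order of login(HttpServletRequest); not JSPWiki code.
// The Request interface, the token table and the gating by the two allowsCookie* flags
// are this example's assumptions.
public class LoginPrecedence {

    /** One of the three events the page says login() fires. */
    public enum Outcome { LOGIN_AUTHENTICATED, LOGIN_ASSERTED, LOGIN_ANONYMOUS }

    /** Stand-in for the parts of HttpServletRequest the flow inspects (assumption). */
    public interface Request {
        Principal userPrincipal();   // container userPrincipal, or null
        String remoteUser();         // container remoteUser, or null
        String authCookie();         // authentication cookie value, or null
        String assertionCookie();    // assertion cookie value, or null
        String remoteAddr();
    }

    public static final class Result {
        public final Outcome outcome;
        public final String principalName;
        Result(Outcome outcome, String principalName) {
            this.outcome = outcome;
            this.principalName = principalName;
        }
        @Override public String toString() { return outcome + "(" + principalName + ")"; }
    }

    private final boolean cookieAuthAllowed;        // allowsCookieAuthentication()
    private final boolean cookieAssertionsAllowed;  // allowsCookieAssertions()
    /** Server-side table mapping an opaque, server-issued token to a login name (assumed design). */
    private final Map<String, String> authTokens;

    public LoginPrecedence(boolean cookieAuthAllowed, boolean cookieAssertionsAllowed,
                           Map<String, String> authTokens) {
        this.cookieAuthAllowed = cookieAuthAllowed;
        this.cookieAssertionsAllowed = cookieAssertionsAllowed;
        this.authTokens = authTokens;
    }

    public Result login(Request req) {
        // Tier 1, authenticated: container credentials are trusted because the container
        // verified them; the cookie counts only if its token is one the server issued,
        // never because of what the client wrote into it.
        if (req.userPrincipal() != null) {
            return new Result(Outcome.LOGIN_AUTHENTICATED, req.userPrincipal().getName());
        }
        if (req.remoteUser() != null) {
            return new Result(Outcome.LOGIN_AUTHENTICATED, req.remoteUser());
        }
        if (cookieAuthAllowed && req.authCookie() != null) {
            String name = authTokens.get(req.authCookie());
            if (name != null) {
                return new Result(Outcome.LOGIN_AUTHENTICATED, name);
            }
            // unknown token: fall through rather than trust the cookie's content
        }
        // Tier 2, asserted: the cookie value is chosen by the client, so it only ever
        // yields WikiPrincipal(cookievalue) with the weaker asserted status.
        if (cookieAssertionsAllowed && req.assertionCookie() != null) {
            return new Result(Outcome.LOGIN_ASSERTED, req.assertionCookie());
        }
        // Tier 3, anonymous: identified by remote address.
        return new Result(Outcome.LOGIN_ANONYMOUS, req.remoteAddr());
    }

    /** Builds a constructed request for the demo below. */
    static Request request(final Principal p, final String user, final String auth,
                           final String assertion, final String addr) {
        return new Request() {
            public Principal userPrincipal() { return p; }
            public String remoteUser() { return user; }
            public String authCookie() { return auth; }
            public String assertionCookie() { return assertion; }
            public String remoteAddr() { return addr; }
        };
    }

    public static void main(String[] args) {
        Map<String, String> tokens = new HashMap<>();
        tokens.put("t0k3n-issued-by-server", "alice");   // constructed token
        LoginPrecedence mgr = new LoginPrecedence(true, true, tokens);
        Principal container = () -> "bob";                // container-authenticated user

        // container principal wins even though an assertion cookie claims "admin"
        System.out.println(mgr.login(request(container, "bob", null, "admin", "10.0.0.5")));
        // a server-issued token authenticates alice
        System.out.println(mgr.login(request(null, null, "t0k3n-issued-by-server", null, "10.0.0.5")));
        // a forged token is ignored; the assertion cookie gives asserted status only
        System.out.println(mgr.login(request(null, null, "forged", "admin", "10.0.0.5")));
        // nothing supplied: anonymous, named by remote address
        System.out.println(mgr.login(request(null, null, null, null, "10.0.0.5")));
        // both cookie features disabled: the same cookies no longer matter at all
        System.out.println(new LoginPrecedence(false, false, tokens)
                .login(request(null, null, "t0k3n-issued-by-server", "admin", "10.0.0.5")));
    }
}
```

      The constructed cases in main() exercise the ordering that matters in practice: a container principal wins over any cookie, an unknown authentication token falls through to the assertion tier instead of being trusted, a client-chosen assertion cookie can never produce LOGIN_AUTHENTICATED, and with both cookie features switched off the same request is treated as anonymous.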
    • login

      public boolean login​(Session session, javax.servlet.http.HttpServletRequest request, java.lang.String username, java.lang.String password) throws WikiSecurityException
      Attempts to perform a Session login for the given username/password combination using JSPWiki's custom authentication mode. In order to log in, the JAAS LoginModule named by the Engine property AuthenticationManager.PROP_LOGIN_MODULE is instantiated, and its LoginModule.initialize(Subject, CallbackHandler, Map, Map) method is invoked. By default, the UserDatabaseLoginModule class is used. When the LoginModule's initialize method is invoked, an options Map populated from the property keys prefixed with AuthenticationManager.PREFIX_LOGIN_MODULE_OPTIONS is passed as a parameter.
      Specified by:
      login in interface AuthenticationManager
      Parameters:
      session - the current wiki session; may not be null.
      request - the user's HTTP request. This parameter may be null, but the configured LoginModule will not have access to the HTTP request in this case.
      username - The user name. This is a login name, not a WikiName. In most cases they are the same, but in some cases, they might not be.
      password - the password
      Returns:
      true, if the username/password is valid
      Throws:
      WikiSecurityException - if the Authorizer or UserManager cannot be obtained
    • logout

      public void logout​(javax.servlet.http.HttpServletRequest request)
      Logs the user out by retrieving the Session associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL and Role.ANONYMOUS. This is a cheap-and-cheerful way to do it without invoking JAAS LoginModules. The logout operation will also flush the JSESSIONID cookie from the user's browser session, if it was set.
      Specified by:
      logout in interface AuthenticationManager
      Parameters:
      request - the current HTTP request
    • allowsCookieAssertions

      public boolean allowsCookieAssertions()
      Determines whether this Engine allows users to assert identities using cookies instead of passwords. This is determined by inspecting the Engine property AuthenticationManager.PROP_ALLOW_COOKIE_ASSERTIONS.
      Specified by:
      allowsCookieAssertions in interface AuthenticationManager
      Returns:
      true if cookies are allowed
    • allowsCookieAuthentication

      public boolean allowsCookieAuthentication()
      Determines whether this Engine allows users to authenticate using cookies instead of passwords. This is determined by inspecting the Engine property AuthenticationManager.PROP_ALLOW_COOKIE_AUTH.
      Specified by:
      allowsCookieAuthentication in interface AuthenticationManager
      Returns:
      true if cookies are allowed for authentication
    • doJAASLogin

      public java.util.Set<java.security.Principal> doJAASLogin​(java.lang.Class<? extends javax.security.auth.spi.LoginModule> clazz, javax.security.auth.callback.CallbackHandler handler, java.util.Map<java.lang.String,​java.lang.String> options) throws WikiSecurityException
      Instantiates and executes a single JAAS LoginModule, and returns a Set of Principals that results from a successful login. The LoginModule is instantiated, then its LoginModule.initialize(Subject, CallbackHandler, Map, Map) method is called. The parameters passed to initialize are a dummy Subject, an empty shared-state Map, and the options Map the caller supplies.
      Specified by:
      doJAASLogin in interface AuthenticationManager
      Parameters:
      clazz - the LoginModule class to instantiate
      handler - the callback handler to supply to the LoginModule
      options - a Map of key/value strings for initializing the LoginModule
      Returns:
      the set of Principals returned by the JAAS method Subject.getPrincipals()
      Throws:
      WikiSecurityException - if the LoginModule could not be instantiated for any reason
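
      A complete run of the contract described for login(Session, HttpServletRequest, String, String) and for doJAASLogin(), as an added example that is not JSPWiki's code: a demo LoginModule that takes its credentials from an option named users (an assumption of this example, with plaintext values for demonstration only; a real module holds salted hashes), a driver with the same shape as doJAASLogin(), and a fixed-credential CallbackHandler standing in for the request-backed one. The options Map is built directly in main(); in the wiki it is populated from the properties carrying AuthenticationManager.PREFIX_LOGIN_MODULE_OPTIONS.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Added example, not JSPWiki code: a small JAAS LoginModule and a driver that follows the
// doJAASLogin() contract described above (throwaway Subject, empty shared state, caller's
// options, principals only on success). The "users" option and its plaintext demo format
// are this example's assumptions; a real module would hold salted hashes, not passwords.
public class JaasLoginDemo {
    public static final class LoginPrincipal implements Principal {
        private final String name;
        LoginPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "LoginPrincipal(" + name + ")"; }
    }
    /** Demo module: credentials come from the option users="alice:pw1,bob:pw2". */
    public static class OptionBackedLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private final Map<String, String> users = new HashMap<>();
        private String pendingName;   // set by login(), consumed by commit()
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            Object spec = options.get("users");
            for (String entry : (spec == null ? "" : spec.toString()).split(",")) {
                String[] kv = entry.split(":", 2);
                if (kv.length == 2) users.put(kv[0].trim(), kv[1]);
            }
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("login");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String expected = users.get(nc.getName());
            char[] supplied = pc.getPassword();
            pc.clearPassword();
            // Fail closed on an unknown user; compare without short-circuiting on the first mismatch.
            boolean ok = expected != null && supplied != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    new String(supplied).getBytes(StandardCharsets.UTF_8));
            if (supplied != null) Arrays.fill(supplied, '\0');   // scrub the copy we were given
            if (!ok) throw new LoginException("invalid credentials");
            pendingName = nc.getName();
            return true;
        }
        public boolean commit() {
            if (pendingName != null) subject.getPrincipals().add(new LoginPrincipal(pendingName));
            return pendingName != null;
        }
        public boolean abort() { pendingName = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof LoginPrincipal); return abort(); }
    }
    /** Same shape as doJAASLogin(): principals on success, an empty set when login fails. */
    public static Set<Principal> doJAASLogin(Class<? extends LoginModule> clazz, CallbackHandler handler,
                                            Map<String, String> options) throws LoginException {
        LoginModule module;
        try {
            module = clazz.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new LoginException("cannot instantiate " + clazz.getName() + ": " + e);
        }
        Subject subject = new Subject();                                   // dummy Subject
        module.initialize(subject, handler, new HashMap<String, String>(), options);  // empty shared state
        try {
            if (module.login() && module.commit()) return subject.getPrincipals();
        } catch (LoginException e) { /* fall through: a failed login yields no principals */ }
        module.abort();                    // leave no half-committed state behind
        return new HashSet<>();
    }
    /** Handler answering with fixed credentials, standing in for JSPWiki's request-backed one. */
    static CallbackHandler credentials(final String name, final String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    public static void main(String[] args) throws LoginException {
        Map<String, String> options = Collections.singletonMap("users", "alice:correct horse,bob:battery");
        System.out.println(doJAASLogin(OptionBackedLoginModule.class, credentials("alice", "correct horse"), options));
        System.out.println(doJAASLogin(OptionBackedLoginModule.class, credentials("alice", "wrong"), options));
    }
}
```

      The first call in main() yields a set holding the principal for alice; the second, with a wrong password, yields an empty set, because the driver treats the LoginException thrown by login() as a failed login, calls abort() so the module discards its pending state, and hands back no principals rather than throwing. The password check uses MessageDigest.isEqual so that rejection time does not depend on where the first mismatching character sits, and the module scrubs the password array it received once the comparison is done.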
    • addWikiEventListener

      public void addWikiEventListener​(WikiEventListener listener)
      Registers a WikiEventListener with this instance. This is a convenience method.
      Specified by:
      addWikiEventListener in interface AuthenticationManager
      Parameters:
      listener - the event listener
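
      An added example of a listener registered through this method, not JSPWiki's code: it records the three login events this class fires (LOGIN_AUTHENTICATED, LOGIN_ASSERTED, LOGIN_ANONYMOUS) as audit entries and can flag asserted names that coincide with real accounts, since an asserted identity is taken from a client-controlled cookie and is never verified. The event API shape it relies on (WikiEventListener.actionPerformed(WikiEvent), WikiEvent.getType(), WikiSecurityEvent.getPrincipal()) and the Engine.getManager(Class) registration call in the closing comment are assumptions to confirm against the JSPWiki version in use.

```java
import java.security.Principal;
import java.util.*;
import org.apache.wiki.event.WikiEvent;
import org.apache.wiki.event.WikiEventListener;
import org.apache.wiki.event.WikiSecurityEvent;

// Added example, not JSPWiki code. Assumes WikiEventListener.actionPerformed(WikiEvent),
// WikiEvent.getType() returning the int event type, and WikiSecurityEvent.getPrincipal().
public class LoginAuditListener implements WikiEventListener {

    public static final class Record {
        public final String kind;        // AUTHENTICATED, ASSERTED or ANONYMOUS
        public final String principal;   // login name, asserted name, or remote address
        public final long at;            // epoch millis when the event was seen
        Record(String kind, String principal, long at) {
            this.kind = kind; this.principal = principal; this.at = at;
        }
        public String toString() { return at + " " + kind + " " + principal; }
    }

    private final List<Record> records = Collections.synchronizedList(new ArrayList<>());

    public void actionPerformed(WikiEvent event) {
        if (!(event instanceof WikiSecurityEvent)) return;
        WikiSecurityEvent se = (WikiSecurityEvent) event;
        String kind;
        switch (se.getType()) {
            case WikiSecurityEvent.LOGIN_AUTHENTICATED: kind = "AUTHENTICATED"; break;
            case WikiSecurityEvent.LOGIN_ASSERTED:      kind = "ASSERTED";      break;
            case WikiSecurityEvent.LOGIN_ANONYMOUS:     kind = "ANONYMOUS";     break;
            default: return;   // other security events are out of scope here
        }
        Principal p = se.getPrincipal();
        records.add(new Record(kind, p == null ? "<none>" : p.getName(), System.currentTimeMillis()));
    }

    /**
     * Asserted names that coincide with real accounts. The assertion cookie is chosen by
     * the client and never verified, so a visitor asserting an account holder's name is
     * worth a look in the audit trail.
     */
    public Set<String> assertedNamesMatching(Set<String> knownAccounts) {
        Set<String> hits = new TreeSet<>();
        synchronized (records) {
            for (Record r : records) {
                if (r.kind.equals("ASSERTED") && knownAccounts.contains(r.principal)) hits.add(r.principal);
            }
        }
        return hits;
    }

    /** Snapshot of the audit trail, oldest first. */
    public List<Record> records() {
        synchronized (records) { return new ArrayList<>(records); }
    }

    // Registration, from code that holds the Engine (Engine.getManager(Class) is assumed here):
    //   engine.getManager(AuthenticationManager.class).addWikiEventListener(new LoginAuditListener());
}
```

      Because login(HttpServletRequest) fires one of these three events on every request that changes login status, the trail also makes it easy to see which fraction of sessions arrive via container credentials versus cookies, which is useful when deciding whether the cookie features need to stay enabled.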
    • removeWikiEventListener

      public void removeWikiEventListener​(WikiEventListener listener)
      Un-registers a WikiEventListener with this instance. This is a convenience method.
      Specified by:
      removeWikiEventListener in interface AuthenticationManager
      Parameters:
      listener - the event listener