Class CookieAuthenticationLoginModule

java.lang.Object
org.apache.wiki.auth.login.AbstractLoginModule
org.apache.wiki.auth.login.CookieAuthenticationLoginModule
All Implemented Interfaces:
javax.security.auth.spi.LoginModule

public class CookieAuthenticationLoginModule
extends AbstractLoginModule
Logs in a user based on a cookie stored on the user's computer. The cookie information is stored in the jspwiki.workDir, under the directory "logincookies". For security purposes it is a very, very good idea to prevent access to this directory by everyone except the web server process; otherwise anyone with read access to this directory may be able to spoof other users.

The cookie directory is scrubbed of old entries at regular intervals.

This module must be used with a CallbackHandler (such as WebContainerCallbackHandler) that supports the following Callback types:

  1. HttpRequestCallback - supplies the cookie, which should contain a unique id for fetching the UID.
  2. WikiEngineCallback - allows access to the Engine itself.

After authentication, a generic WikiPrincipal based on the username will be created and associated with the Subject.
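
The directory restriction recommended in the class description can be audited from the shell. This is an added example, not part of JSPWiki or its documentation; the work directory path and the web server account are supplied by the caller and are assumptions, and only the directory name "logincookies" comes from this page.

```shell
#!/bin/sh
# Added example: audit and tighten the login-cookie store.
# WORKDIR = value of jspwiki.workDir, OWNER = account (name or uid) that the
# web server process runs as. Both are caller-supplied assumptions.

COOKIE_SUBDIR="logincookies"   # directory name given in the class description

# Print every entry that grants any permission to group or other, or that is
# not owned by OWNER. Returns 0 if clean, 1 on findings, 2 if the store is
# missing or is a symlink.
audit_cookie_dir() {
    dir="$1/$COOKIE_SUBDIR"
    owner="$2"
    # find does not follow a symlinked start point, so a symlink would make
    # the audit pass without inspecting any mapping file: reject it.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi
    findings=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                            -o -perm -004 -o -perm -002 -o -perm -001 \
                            -o ! -user "$owner" \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Restrict the store to its owner: 0700 on directories, 0600 on mapping files.
harden_cookie_dir() {
    dir="$1/$COOKIE_SUBDIR"
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 2
    fi
    find "$dir" -type d -exec chmod 700 {} + &&
    find "$dir" -type f -exec chmod 600 {} +
}
```

harden_cookie_dir changes modes only; an entry owned by a different account is still reported by audit_cookie_dir and has to be fixed with chown by an administrator.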

Since:
2.5.62
See Also:
LoginModule.commit(), CookieAssertionLoginModule
  • Field Summary

    Fields
    Modifier and Type Field Description
    protected static java.lang.String COOKIE_DIR
    The directory name under which the cookies are stored.
    static java.lang.String PROP_LOGIN_EXPIRY_DAYS
    User property for setting how long the cookie is stored on the user's computer.

    Fields inherited from class org.apache.wiki.auth.login.AbstractLoginModule

    m_handler, m_options, m_principals, m_state, m_subject, NULL
  • Constructor Summary

    Constructors
    Constructor Description
    CookieAuthenticationLoginModule()  
  • Method Summary

    Modifier and Type Method Description
    static void clearLoginCookie(Engine engine, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    Clears away the login cookie, and removes the uid-username mapping file as well.
    boolean login()
    Logs in the user by calling back to the registered CallbackHandler with a series of callbacks.
    static void setLoginCookie(Engine engine, javax.servlet.http.HttpServletResponse response, java.lang.String username)
    Sets a login cookie based on properties set by the user.

    Methods inherited from class org.apache.wiki.auth.login.AbstractLoginModule

    abort, commit, initialize, logout

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • PROP_LOGIN_EXPIRY_DAYS

      public static final java.lang.String PROP_LOGIN_EXPIRY_DAYS
      User property for setting how long the cookie is stored on the user's computer. The value is "jspwiki.cookieAuthentication.expiry". The default expiry time is 14 days.
      See Also:
      Constant Field Values
  • Constructor Details

  • Method Details

    • login

      public boolean login() throws javax.security.auth.login.LoginException
      Description copied from class: AbstractLoginModule
      Logs in the user by calling back to the registered CallbackHandler with a series of callbacks. If the login succeeds, this method returns true.
      Specified by:
      login in interface javax.security.auth.spi.LoginModule
      Specified by:
      login in class AbstractLoginModule
      Returns:
      true if the commit succeeded, or false if this LoginModule should be ignored.
      Throws:
      javax.security.auth.login.LoginException - if the authentication fails
      See Also:
      LoginModule.login()
    • setLoginCookie

      public static void setLoginCookie(Engine engine, javax.servlet.http.HttpServletResponse response, java.lang.String username)
      Sets a login cookie based on properties set by the user. This method also creates the cookie uid-username mapping in the work directory.
      Parameters:
      engine - The Engine
      response - The HttpServletResponse
      username - The username for whom to create the cookie.
    • clearLoginCookie

      public static void clearLoginCookie(Engine engine, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Clears away the login cookie, and removes the uid-username mapping file as well.
      Parameters:
      engine - Engine
      request - Servlet request
      response - Servlet response