Example 1 with WebContainerCallbackHandler

Use of org.apache.wiki.auth.login.WebContainerCallbackHandler in the project jspwiki by apache.

From the class AuthenticationManager, method login.

/**
 * <p>Logs in the user by attempting to populate a WikiSession Subject from
 * a web servlet request by examining the request
 *  for the presence of container credentials and user cookies. The processing
 * logic is as follows:
 * </p>
 * <ul>
 * <li>If the WikiSession had previously been unauthenticated, check to see if
 * user has subsequently authenticated. To be considered "authenticated,"
 * the request must supply one of the following (in order of preference):
 * the container <code>userPrincipal</code>, container <code>remoteUser</code>,
 * or authentication cookie. If the user is authenticated, this method fires event
 * {@link org.apache.wiki.event.WikiSecurityEvent#LOGIN_AUTHENTICATED}
 * with two parameters: a Principal representing the login principal,
 * and the current WikiSession. In addition, if the authorizer is of type
 * WebContainerAuthorizer, this method iterates through the container roles returned by
 * {@link org.apache.wiki.auth.authorize.WebContainerAuthorizer#getRoles()},
 * tests for membership in each one, and adds those that pass to the Subject's principal set.</li>
 * <li>If, after checking for authentication, the WikiSession is still Anonymous,
 * this method next checks to see if the user has "asserted" an identity
 * by supplying an assertion cookie. If the user is found to be asserted,
 * this method fires event {@link org.apache.wiki.event.WikiSecurityEvent#LOGIN_ASSERTED}
 * with two parameters: <code>WikiPrincipal(<em>cookievalue</em>)</code>, and
 * the current WikiSession.</li>
 * <li>If, after checking for authenticated and asserted status, the WikiSession is
 * <em>still</em> anonymous, this method fires event
 * {@link org.apache.wiki.event.WikiSecurityEvent#LOGIN_ANONYMOUS} with
 * two parameters: <code>WikiPrincipal(<em>remoteAddress</em>)</code>,
 * and the current WikiSession.</li>
 * </ul>
 * @param request servlet request for this user
 * @return always returns <code>true</code> (because anonymous login, at least, will always succeed)
 * @throws org.apache.wiki.auth.WikiSecurityException if the user cannot be logged in for any reason
 * @since 2.3
 */
public boolean login(HttpServletRequest request) throws WikiSecurityException {
    HttpSession httpSession = request.getSession();
    WikiSession session = SessionMonitor.getInstance(m_engine).find(httpSession);
    AuthenticationManager authenticationMgr = m_engine.getAuthenticationManager();
    AuthorizationManager authorizationMgr = m_engine.getAuthorizationManager();
    CallbackHandler handler = null;
    Map<String, String> options = EMPTY_MAP;
    // If the session is not yet authenticated, look for container credentials or an authentication cookie
    if (!session.isAuthenticated()) {
        // Create a callback handler
        handler = new WebContainerCallbackHandler(m_engine, request);
        // Execute the container login module, then (if that fails) the cookie auth module
        Set<Principal> principals = authenticationMgr.doJAASLogin(WebContainerLoginModule.class, handler, options);
        if (principals.size() == 0 && authenticationMgr.allowsCookieAuthentication()) {
            principals = authenticationMgr.doJAASLogin(CookieAuthenticationLoginModule.class, handler, options);
        }
        // If the container logged the user in successfully, tell the WikiSession (and add all of the Principals)
        if (principals.size() > 0) {
            fireEvent(WikiSecurityEvent.LOGIN_AUTHENTICATED, getLoginPrincipal(principals), session);
            for (Principal principal : principals) {
                fireEvent(WikiSecurityEvent.PRINCIPAL_ADD, principal, session);
            }
            // Add all appropriate Authorizer roles
            injectAuthorizerRoles(session, authorizationMgr.getAuthorizer(), request);
        }
    }
    // If user still not authenticated, check if assertion cookie was supplied
    if (!session.isAuthenticated() && authenticationMgr.allowsCookieAssertions()) {
        // Execute the cookie assertion login module
        Set<Principal> principals = authenticationMgr.doJAASLogin(CookieAssertionLoginModule.class, handler, options);
        if (principals.size() > 0) {
            fireEvent(WikiSecurityEvent.LOGIN_ASSERTED, getLoginPrincipal(principals), session);
        }
    }
    // If user still anonymous, use the remote address
    if (session.isAnonymous()) {
        Set<Principal> principals = authenticationMgr.doJAASLogin(AnonymousLoginModule.class, handler, options);
        if (principals.size() > 0) {
            fireEvent(WikiSecurityEvent.LOGIN_ANONYMOUS, getLoginPrincipal(principals), session);
            return true;
        }
    }
    // If by some unusual turn of events the Anonymous login module doesn't work, login failed!
    return false;
}