com.atlassian.crowd.integration.http

Class HttpAuthenticatorImpl

java.lang.Object

com.atlassian.crowd.integration.http.HttpAuthenticatorImpl

All Implemented Interfaces:

HttpAuthenticator

public class HttpAuthenticatorImpl
extends Object
implements HttpAuthenticator

This bean is used to manage HTTP authentication.

It is the fundamental class for web/SSO authentication integration.

This class contains many convenience methods for authentication integration with existing applications. For most applications, using the following methods will be sufficient to achieve SSO:

1. authenticate: authenticate a user.
2. isAuthenticated: determine if a request is authenticated.
3. getPrincipal: retrieve the principal for an authenticated request.
4. logoff: sign the user out.

Use the HttpAuthenticatorFactory to get an instance of this class, or use an IoC container (like Spring) to manage this class as a singleton.

See Also:

SecurityServerClient

Constructor Summary

Constructors

Constructor and Description
HttpAuthenticatorImpl(AuthenticationManager authenticationManager)

Method Summary

Modifier and Type	Method and Description
void	authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password) Authenticate a remote user using SSO.
void	authenticateWithoutValidatingPassword(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username) Authenticate a remote user using SSO, without validating their password.
protected String	getCookieTokenKey()
SOAPPrincipal	getPrincipal(javax.servlet.http.HttpServletRequest request) Attempts to retrieve the principal from the request.
UserAuthenticationContext	getPrincipalAuthenticationContext(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password) Generate a PrincipalAuthenticationContext object containing the provided username and password, and validation factors from the the request.
SecurityServerClient	getSecurityServerClient() Retrieve the underlying SecurityServerClient used to communicate with the Crowd Security Server.
SoapClientProperties	getSoapClientProperties() Retrieve the underlying client properties used to communicate with the Crowd Security Server.
String	getToken(javax.servlet.http.HttpServletRequest request) Retrieve the Crowd authentication token from the request either via: a request attribute (not request parameter), OR a cookie on the request
ValidationFactor[]	getValidationFactors(javax.servlet.http.HttpServletRequest request) Retrieves validation factors from the request: Remote Address: the source IP address of the HTTP request. Original Address: the X-Forwarded-For HTTP header (if present and distinct from the Remote Address).
boolean	isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Tests whether a request is authenticated via SSO.
void	logoff(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Log off the SSO authenticated user.
void	setPrincipalToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String token) Sets the underlying principal token on: the request: as an attribute, so the user is authenticated for the span of the request. the response: as a cookie, so the user is authenticated for subsequent requests.
void	verifyAuthentication(String username, String password) Authenticate a remote principal without using SSO.
String	verifyAuthentication(String username, String password, ValidationFactor[] validationFactors) Verifies the authentication of a principal's username/password, given a set of validation factors.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HttpAuthenticatorImpl

public HttpAuthenticatorImpl(AuthenticationManager authenticationManager)

Parameters:

authenticationManager - the client to use to talk to the Crowd Server.

Method Detail

setPrincipalToken

public void setPrincipalToken(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              String token)
                       throws InvalidAuthorizationTokenException,
                              RemoteException,
                              InvalidAuthenticationException

Description copied from interface: HttpAuthenticator

Sets the underlying principal token on:

1. the request: as an attribute, so the user is authenticated for the span of the request.
2. the response: as a cookie, so the user is authenticated for subsequent requests.

Specified by:

setPrincipalToken in interface HttpAuthenticator

Parameters:

request - HttpServletRequest

response - HttpServletResponse

token - token value to use.

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid.

RemoteException - there was an underlying error communicating with the server.

InvalidAuthenticationException - the username/password combination is invalid.

getPrincipal

public SOAPPrincipal getPrincipal(javax.servlet.http.HttpServletRequest request)
                           throws InvalidAuthorizationTokenException,
                                  RemoteException,
                                  InvalidTokenException,
                                  InvalidAuthenticationException

Description copied from interface: HttpAuthenticator

Attempts to retrieve the principal from the request.

Specified by:

getPrincipal in interface HttpAuthenticator

Parameters:

request - servlet request

Returns:

SOAPPrincipal of the authenticated user

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid

RemoteException - there are communication issues between the client and Crowd server

InvalidTokenException - unable to find the token

InvalidAuthenticationException - he username/password combination is invalid

getToken

public String getToken(javax.servlet.http.HttpServletRequest request)
                throws InvalidTokenException

Description copied from interface: HttpAuthenticator

Retrieve the Crowd authentication token from the request either via:

1. a request attribute (not request parameter), OR
2. a cookie on the request

Specified by:

getToken in interface HttpAuthenticator

Parameters:

request - HttpServletRequest.

Returns:

value of the token.

Throws:

InvalidTokenException - unable to find token in either a request attribute or cookie.

See Also:

HttpAuthenticator.setPrincipalToken(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, String)

isAuthenticated

public boolean isAuthenticated(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response)
                        throws InvalidAuthorizationTokenException,
                               RemoteException,
                               ApplicationAccessDeniedException,
                               InvalidAuthenticationException

Description copied from interface: HttpAuthenticator

Tests whether a request is authenticated via SSO. This only tests against the Crowd server if the validation interval is exceeded, this value is obtained from crowd.properties AND that there is a valid token present for the user in the Crowd Cookie.

Specified by:

isAuthenticated in interface HttpAuthenticator

Parameters:

request - HttpServletRequest

response - HttpServletResponse

Returns:

true if and only if the request has been authenticated

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid

RemoteException - there was an underlying error communicating with the server

ApplicationAccessDeniedException - user does not have access to the application

InvalidAuthenticationException - the username/password combination is invalid

authenticate

public void authenticate(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response,
                         String username,
                         String password)
                  throws InvalidAuthorizationTokenException,
                         RemoteException,
                         InvalidAuthenticationException,
                         InactiveAccountException,
                         ApplicationAccessDeniedException,
                         ExpiredCredentialException

Description copied from interface: HttpAuthenticator

Authenticate a remote user using SSO.

See HttpAuthenticator.getValidationFactors(javax.servlet.http.HttpServletRequest) for details regarding the validation factors used for authentication

Specified by:

authenticate in interface HttpAuthenticator

Parameters:

request - HttpServletRequest to obtain validation factors

response - HttpServletResponse to write SSO cookie

username - username of principal

password - password of principal

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid

RemoteException - there was an underlying error communicating with the server

InvalidAuthenticationException - the username/password combination is invalid

InactiveAccountException - the principal's account has been deactivated

ApplicationAccessDeniedException - user does not have access to the application

ExpiredCredentialException - the user's credentials have expired. The user must change their credentials in order to successfully authenticate.

See Also:

HttpAuthenticator.getValidationFactors(javax.servlet.http.HttpServletRequest)

authenticateWithoutValidatingPassword

public void authenticateWithoutValidatingPassword(javax.servlet.http.HttpServletRequest request,
                                                  javax.servlet.http.HttpServletResponse response,
                                                  String username)
                                           throws ApplicationAccessDeniedException,
                                                  InvalidAuthenticationException,
                                                  InvalidAuthorizationTokenException,
                                                  InactiveAccountException,
                                                  RemoteException

Description copied from interface: HttpAuthenticator

Authenticate a remote user using SSO, without validating their password. You should not be using this method unless you have previously that the user has been authenticated via some other external means (eg. remember-me cookie etc). If you are unsure whether you should be using this method or not, then you should really be using HttpAuthenticator.authenticate(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, String, String) instead.

Specified by:

authenticateWithoutValidatingPassword in interface HttpAuthenticator

Parameters:

request - HttpServletRequest to obtain validation factors

response - HttpServletResponse to write SSO cookie

username - username of the principal that you have already authenticated via some external means

Throws:

ApplicationAccessDeniedException - user does not have access to the application

InvalidAuthenticationException - the username/password combination is invalid

InvalidAuthorizationTokenException - the application client's token is invalid

InactiveAccountException - the principal's account has been deactivated

RemoteException - there was an underlying error communicating with the server

verifyAuthentication

public String verifyAuthentication(String username,
                                   String password,
                                   ValidationFactor[] validationFactors)
                            throws InvalidAuthorizationTokenException,
                                   InvalidAuthenticationException,
                                   RemoteException,
                                   InactiveAccountException,
                                   ApplicationAccessDeniedException,
                                   ExpiredCredentialException

Description copied from interface: HttpAuthenticator

Verifies the authentication of a principal's username/password, given a set of validation factors. This will authenticate the principal using the username and password provided, and will use the validation factors to generate an SSO token. This token can then be used by 3rd party systems to implement SSO or can be ignored to only provide centralised authentication. NOTE: This method will not provide SSO functionality directly - use the authenticate method instead.

Specified by:

verifyAuthentication in interface HttpAuthenticator

Parameters:

username - username of principal

password - password of principal

validationFactors - validation factors used to generate a token

Returns:

Crowd authentication token

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid.

InvalidAuthenticationException - the username/password combination is invalid.

RemoteException - there was an underlying error communicating with the server.

InactiveAccountException - the principal's account has been deactivate.

ApplicationAccessDeniedException - user does not have access to the application.

ExpiredCredentialException - the user's credentials have expired. The user must change their credentials in order to successfully authenticate/

verifyAuthentication

public void verifyAuthentication(String username,
                                 String password)
                          throws InvalidAuthorizationTokenException,
                                 InvalidAuthenticationException,
                                 RemoteException,
                                 InactiveAccountException,
                                 ApplicationAccessDeniedException,
                                 ExpiredCredentialException

Description copied from interface: HttpAuthenticator

Authenticate a remote principal without using SSO. This performs an instant verification of username/password with the centralised user repository (Crowd Server).

Specified by:

verifyAuthentication in interface HttpAuthenticator

Parameters:

username - username of the principal.

password - password of the principal.

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid

InvalidAuthenticationException - the username/password combination is invalid

RemoteException - there was an underlying error while connecting to the remote server.

InactiveAccountException - the user's account is invalid.

ApplicationAccessDeniedException - the user does not have access to the application.

ExpiredCredentialException - the user's credentials have expired. The user must change their credentials in order to successfully authenticate.

See Also:

SecurityServerClient.authenticatePrincipalSimple(String, String)

getValidationFactors

public ValidationFactor[] getValidationFactors(javax.servlet.http.HttpServletRequest request)

Description copied from interface: HttpAuthenticator

Retrieves validation factors from the request:

1. Remote Address: the source IP address of the HTTP request.
2. Original Address: the X-Forwarded-For HTTP header (if present and distinct from the Remote Address).

Specified by:

getValidationFactors in interface HttpAuthenticator

Parameters:

request - HttpServletRequest.

Returns:

array of validation factors.

logoff

public void logoff(javax.servlet.http.HttpServletRequest request,
                   javax.servlet.http.HttpServletResponse response)
            throws InvalidAuthorizationTokenException,
                   RemoteException,
                   InvalidAuthenticationException

Description copied from interface: HttpAuthenticator

Log off the SSO authenticated user. This will also effectively log them off from all SSO applications. This will sign out an authenticated user by invalidating their SSO token and removing it from their cookies. If the request is not authenticated, this method will have no effect and will not throw an exception.

Specified by:

logoff in interface HttpAuthenticator

Parameters:

request - HttpServletRequest.

response - HttpServletResponse.

Throws:

InvalidAuthorizationTokenException - the application client's token is invalid

RemoteException - there was an error while connecting to the remote server.

InvalidAuthenticationException - the username/password combination is invalid.

getPrincipalAuthenticationContext

public UserAuthenticationContext getPrincipalAuthenticationContext(javax.servlet.http.HttpServletRequest request,
                                                                   javax.servlet.http.HttpServletResponse response,
                                                                   String username,
                                                                   String password)

Description copied from interface: HttpAuthenticator

Generate a PrincipalAuthenticationContext object containing the provided username and password, and validation factors from the the request.

Specified by:

getPrincipalAuthenticationContext in interface HttpAuthenticator

Parameters:

request - HttpServletRequest.

response - unused.

username - username of principal.

password - password of principal.

Returns:

populated PrincipalAuthenticationContext.

getSoapClientProperties

public SoapClientProperties getSoapClientProperties()

Description copied from interface: HttpAuthenticator

Retrieve the underlying client properties used to communicate with the Crowd Security Server.

Specified by:

getSoapClientProperties in interface HttpAuthenticator

Returns:

client properties.

See Also:

SecurityServerClient.getSoapClientProperties()

getCookieTokenKey

protected String getCookieTokenKey()

getSecurityServerClient

public SecurityServerClient getSecurityServerClient()

Description copied from interface: HttpAuthenticator

Retrieve the underlying SecurityServerClient used to communicate with the Crowd Security Server.

Specified by:

getSecurityServerClient in interface HttpAuthenticator

Returns:

SecurityServerClient.