com.atlassian.seraph.filter
Class BaseLoginFilter

java.lang.Object
  extended by com.atlassian.seraph.filter.BaseLoginFilter
All Implemented Interfaces:
javax.servlet.Filter
Direct Known Subclasses:
PasswordBasedLoginFilter

public abstract class BaseLoginFilter
extends Object
implements javax.servlet.Filter

This is a base authentication filter. It delegates the actual login process to a child class but takes care of the redirection process.

If the authentication is successful, the user will be redirected by the filter to the URL given by the session attribute at SecurityFilter.ORIGINAL_URL_KEY.

If this URL doesn't exist, the filter will look for a parameter 'os_destination' to use as the redirect URL instead.

If neither is found, it is assumed that the page will check the authorisation status and handle redirection itself.

From any other filter in the request, or the servlet/JSP/action which processes the request, you can look up the status of the authorisation attempt. The status is a String request attribute, with the key 'os_authstatus'.

The possible statuses are:


Field Summary
protected static String ALREADY_FILTERED
          Deprecated. Use SecurityUtils.isSeraphFilteringDisabled(javax.servlet.ServletRequest) or SecurityUtils.disableSeraphFiltering(javax.servlet.ServletRequest)
static String AUTHENTICATION_ERROR_TYPE
           
static String LOGIN_ERROR
           
static String LOGIN_FAILED
           
static String LOGIN_NOATTEMPT
           
static String LOGIN_SUCCESS
           
static String OS_AUTHSTATUS_KEY
           
 
Constructor Summary
BaseLoginFilter()
           
 
Method Summary
 void destroy()
           
 void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
           
protected  AuthenticationContext getAuthenticationContext()
           
protected  Authenticator getAuthenticator()
           
protected  ElevatedSecurityGuard getElevatedSecurityGuard()
           
 javax.servlet.FilterConfig getFilterConfig()
          Deprecated. Not needed in latest version of Servlet 2.3 API
protected  SecurityConfig getSecurityConfig()
           
 void init(javax.servlet.FilterConfig config)
           
protected  boolean isAbsoluteUrl(String url)
           
abstract  String login(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
          Performs the actual authentication (if required) and returns the status code.
protected  boolean redirectToOriginalDestination(javax.servlet.http.HttpServletRequest httpServletRequest, javax.servlet.http.HttpServletResponse httpServletResponse)
          Redirect the response to the original destination if present
 void setFilterConfig(javax.servlet.FilterConfig filterConfig)
          Deprecated. Not needed in latest version of Servlet 2.3 API - replaced by init().
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ALREADY_FILTERED

protected static final String ALREADY_FILTERED
Deprecated. Use SecurityUtils.isSeraphFilteringDisabled(javax.servlet.ServletRequest) or SecurityUtils.disableSeraphFiltering(javax.servlet.ServletRequest)
See Also:
Constant Field Values

LOGIN_SUCCESS

public static final String LOGIN_SUCCESS
See Also:
Constant Field Values

LOGIN_FAILED

public static final String LOGIN_FAILED
See Also:
Constant Field Values

LOGIN_ERROR

public static final String LOGIN_ERROR
See Also:
Constant Field Values

LOGIN_NOATTEMPT

public static final String LOGIN_NOATTEMPT

OS_AUTHSTATUS_KEY

public static final String OS_AUTHSTATUS_KEY
See Also:
Constant Field Values

AUTHENTICATION_ERROR_TYPE

public static final String AUTHENTICATION_ERROR_TYPE
See Also:
Constant Field Values

Constructor Detail

BaseLoginFilter

public BaseLoginFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig config)
Specified by:
init in interface javax.servlet.Filter

destroy

public void destroy()
Specified by:
destroy in interface javax.servlet.Filter

getFilterConfig

public javax.servlet.FilterConfig getFilterConfig()
Deprecated. Not needed in latest version of Servlet 2.3 API

Returns:
a FilterConfig

setFilterConfig

public void setFilterConfig(javax.servlet.FilterConfig filterConfig)
Deprecated. Not needed in latest version of Servlet 2.3 API - replaced by init().

Parameters:
filterConfig - a FilterConfig

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain filterChain)
              throws IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException

login

public abstract String login(javax.servlet.http.HttpServletRequest httpServletRequest,
                             javax.servlet.http.HttpServletResponse httpServletResponse)
Performs the actual authentication (if required) and returns the status code. Status code is chosen to be one of these:

The possible statuses are:

When there is an error on login, implementations should set a request attribute with name AUTHENTICATION_ERROR_TYPE and a type of AuthenticationErrorType in order to indicate the type of error.

Parameters:
httpServletRequest - the HTTP request in play
httpServletResponse - the HTTP response in play
Returns:
authentication status
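
The two request attributes described on this page, the status under OS_AUTHSTATUS_KEY and the error type under AUTHENTICATION_ERROR_TYPE, can be read by a later filter to audit login attempts. The following is an added example, not code from Seraph: the class name LoginStatusAuditFilter and the logger name are hypothetical, and it assumes the filter is mapped after the Seraph login filter in web.xml.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import com.atlassian.seraph.filter.BaseLoginFilter;

// Hypothetical audit filter (not part of Seraph). Assumption: it is mapped in
// web.xml after the Seraph login filter, so the attributes are already set.
public class LoginStatusAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("auth.audit");

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object status = req.getAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY);
        // Only the container-supplied peer address is logged; request
        // parameters such as the submitted user name are deliberately left out
        // so attacker-controlled text cannot reach the audit log.
        String peer = req.getRemoteAddr();

        // Constant-first equals() is null-safe: the attribute may be absent
        // when the login filter did not handle this request.
        if (BaseLoginFilter.LOGIN_FAILED.equals(status)
                || BaseLoginFilter.LOGIN_ERROR.equals(status)) {
            // login() implementations are asked to record the kind of error
            // under AUTHENTICATION_ERROR_TYPE; it may still be missing.
            Object type = req.getAttribute(BaseLoginFilter.AUTHENTICATION_ERROR_TYPE);
            LOG.warning("login " + status + " from " + peer + ", errorType=" + type);
        } else if (BaseLoginFilter.LOGIN_SUCCESS.equals(status)) {
            LOG.info("login success from " + peer);
        }
        // Any other value, including no login attempt, is not logged.

        chain.doFilter(req, res);
    }
}
```

Because BaseLoginFilter redirects after a successful login when an original destination is present, a downstream filter should not be relied on to observe every success; failed and errored attempts are the cases this audit is meant to capture.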

redirectToOriginalDestination

protected boolean redirectToOriginalDestination(javax.servlet.http.HttpServletRequest httpServletRequest,
                                                javax.servlet.http.HttpServletResponse httpServletResponse)
                                         throws IOException
Redirect the response to the original destination if present

Parameters:
httpServletRequest - the HTTP request in play
httpServletResponse - the HTTP response in play
Returns:
true if a redirect was needed and issued
Throws:
IOException - If the redirect throws IOException. See HttpServletResponse.sendRedirect(String)

isAbsoluteUrl

protected boolean isAbsoluteUrl(String url)

getAuthenticator

protected Authenticator getAuthenticator()

getElevatedSecurityGuard

protected ElevatedSecurityGuard getElevatedSecurityGuard()

getSecurityConfig

protected SecurityConfig getSecurityConfig()

getAuthenticationContext

protected AuthenticationContext getAuthenticationContext()


Copyright © 2013 Atlassian. All Rights Reserved.