org.owasp.esapi.reference

Class AbstractAuthenticator

java.lang.Object

org.owasp.esapi.reference.AbstractAuthenticator

All Implemented Interfaces:

Authenticator

Direct Known Subclasses:

FileBasedAuthenticator

public abstract class AbstractAuthenticator
extends java.lang.Object
implements Authenticator

A partial implementation of the Authenticator interface. This class should not implement any methods that would be meant to modify a User object, since that's probably implementation specific.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	AbstractAuthenticator.ThreadLocalUser

Field Summary

Fields

Modifier and Type	Field and Description
private AbstractAuthenticator.ThreadLocalUser	currentUser The currentUser ThreadLocal variable is used to make the currentUser available to any call in any part of an application.
private Logger	logger
protected static java.lang.String	USER Key for user in session

Constructor Summary

Constructors

Constructor and Description
AbstractAuthenticator()

Method Summary

Modifier and Type	Method and Description
void	clearCurrent() Clears the current User.
boolean	exists(java.lang.String accountName) Determine if the account exists.
User	getCurrentUser() Returns the currently logged in User.
protected DefaultUser	getUserFromRememberToken() Returns the user if a matching remember token is found, or null if the token is missing, token is corrupt, token is expired, account name does not match and existing account, or hashed password does not match user's hashed password.
protected User	getUserFromSession() Gets the user from session.
User	login() Calls login with the *current* request and response.
User	login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) This method should be called for every HTTP request, to login the current user either from the session of HTTP request.
private User	loginWithUsernameAndPassword(javax.servlet.http.HttpServletRequest request) Utility method to extract credentials and verify them.
void	logout() Logs out the current user.
void	setCurrentUser(User user) Sets the currently logged in User.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.owasp.esapi.Authenticator

changePassword, createUser, generateStrongPassword, generateStrongPassword, getUser, getUser, getUserNames, hashPassword, removeUser, verifyAccountNameStrength, verifyPassword, verifyPasswordStrength

Field Detail

USER

protected static final java.lang.String USER

Key for user in session

See Also:

Constant Field Values

logger

private final Logger logger

currentUser

private final AbstractAuthenticator.ThreadLocalUser currentUser

The currentUser ThreadLocal variable is used to make the currentUser available to any call in any part of an application. Otherwise, each thread would have to pass the User object through the calltree to any methods that need it. Because we want exceptions and log calls to contain user data, that could be almost anywhere. Therefore, the ThreadLocal approach simplifies things greatly.

As a possible extension, one could create a delegation framework by adding another ThreadLocal to hold the delegating user identity.

Constructor Detail

AbstractAuthenticator

public AbstractAuthenticator()

Method Detail

clearCurrent

public void clearCurrent()

Clears the current User. This allows the thread to be reused safely. This clears all threadlocal variables from the thread. This should ONLY be called after all possible ESAPI operations have concluded. If you clear too early, many calls will fail, including logging, which requires the user identity.

Specified by:

clearCurrent in interface Authenticator

exists

public boolean exists(java.lang.String accountName)

Determine if the account exists.

Specified by:

exists in interface Authenticator

Parameters:

accountName - the account name

Returns:

true, if the account exists

getCurrentUser

public User getCurrentUser()

Returns the currently logged in User.

Returns the currently logged user as set by the setCurrentUser() methods. Must not log in this method because the logger calls getCurrentUser() and this could cause a loop.

Specified by:

getCurrentUser in interface Authenticator

Returns:

the matching User object, or the Anonymous User if no match exists

getUserFromSession

protected User getUserFromSession()

Gets the user from session.

Returns:

the user from session or null if no user is found in the session

getUserFromRememberToken

protected DefaultUser getUserFromRememberToken()

Returns the user if a matching remember token is found, or null if the token is missing, token is corrupt, token is expired, account name does not match and existing account, or hashed password does not match user's hashed password.

Returns:

the user if a matching remember token is found, or null if the token is missing, token is corrupt, token is expired, account name does not match and existing account, or hashed password does not match user's hashed password.

loginWithUsernameAndPassword

private User loginWithUsernameAndPassword(javax.servlet.http.HttpServletRequest request)
                                   throws AuthenticationException

Utility method to extract credentials and verify them.

Parameters:

request - The current HTTP request

Returns:

The user that successfully authenticated

Throws:

AuthenticationException - if the submitted credentials are invalid.

login

public User login()
           throws AuthenticationException

Calls login with the *current* request and response.

Specified by:

login in interface Authenticator

Returns:

Authenticated User if login is successful.

Throws:

AuthenticationException

See Also:

HTTPUtilities.setCurrentHTTP(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)

login

public User login(javax.servlet.http.HttpServletRequest request,
                  javax.servlet.http.HttpServletResponse response)
           throws AuthenticationException

This method should be called for every HTTP request, to login the current user either from the session of HTTP request. This method will set the current user so that getCurrentUser() will work properly. Authenticates the user's credentials from the HttpServletRequest if necessary, creates a session if necessary, and sets the user as the current user. Specification: The implementation should do the following: 1) Check if the User is already stored in the session a. If so, check that session absolute and inactivity timeout have not expired b. Step 2 may not be required if 1a has been satisfied 2) Verify User credentials a. It is recommended that you use loginWithUsernameAndPassword(HttpServletRequest, HttpServletResponse) to verify credentials 3) Set the last host of the User (ex. user.setLastHostAddress(address) ) 4) Verify that the request is secure (ex. over SSL) 5) Verify the User account is allowed to be logged in a. Verify the User is not disabled, expired or locked 6) Assign User to session variable

Specified by:

login in interface Authenticator

Parameters:

request - the current HTTP request

response - the HTTP response

Returns:

the User

Throws:

AuthenticationException - if the credentials are not verified, or if the account is disabled, locked, expired, or timed out

logout

public void logout()

Logs out the current user. This is usually done by calling User.logout on the current User.

Specified by:

logout in interface Authenticator

setCurrentUser

public void setCurrentUser(User user)

Sets the currently logged in User.

Specified by:

setCurrentUser in interface Authenticator

Parameters:

user - the user to set as the current user