com.ecyrd.jspwiki.auth
Class AuthenticationManager

java.lang.Object
  extended by com.ecyrd.jspwiki.auth.AuthenticationManager

public final class AuthenticationManager
extends Object

Manages authentication activities for a WikiEngine: user login, logout, and credential refreshes. This class uses JAAS to determine how users log in.

Since:
2.3
Version:
$Revision: 1.27 $ $Date: 2006/06/17 23:09:56 $
Author:
Andrew Jaquith, Janne Jalkanen, Erik Bunn

Field Summary
static String COOKIE_MODULE
          The name of the built-in cookie authentication module
protected static org.apache.log4j.Logger log
static String LOGIN_CONTAINER
          The JAAS application name for the web container authentication stack.
static String LOGIN_CUSTOM
          The JAAS application name for the JSPWiki custom authentication stack.
protected  boolean m_isJaasConfiguredAtStartup
          Was JAAS login config already set before we started up?
protected  boolean m_isJavaPolicyConfiguredAtStartup
          Was Java security policy already set before we started up?
static String PROP_SECURITY
          This property determines whether we use JSPWiki authentication or not.
static String PROP_STOREIPADDRESS
          If this jspwiki.properties property is true, logs the IP address of the editor on saving.
static String SECURITY_CONTAINER
          Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2.
static String SECURITY_JAAS
          Value specifying that the user wants to use the built-in JAAS-based system
 
Constructor Summary
AuthenticationManager()
 
Method Summary
 void addWikiEventListener(WikiEventListener listener)
          Registers a WikiEventListener with this instance.
static boolean allowsCookieAssertions()
          Determines whether this WikiEngine allows users to assert identities using cookies instead of passwords.
protected  void fireEvent(WikiSecurityEvent event)
          Fires a wiki event to all registered listeners.
 void initialize(WikiEngine engine, Properties props)
          Creates an AuthenticationManager instance for the given WikiEngine and the specified set of properties.
protected  void injectGroupPrincipals(WikiSession session)
          Injects GroupPrincipal objects into the user's Principal set based on the groups the user belongs to.
protected  void injectRolePrincipals(WikiSession session)
          Injects Role Principals into the user's Principal set based on the roles the user possesses, according to the external Authorizer.
 boolean isContainerAuthenticated()
          Returns true if this WikiEngine uses container-managed authentication.
 boolean login(javax.servlet.http.HttpServletRequest request)
          Logs in the user by attempting to populate a WikiSession Subject from a web servlet request.
 boolean login(WikiSession session, String username, String password)
          Attempts to perform a WikiSession login for the given username/password combination.
 void logout(javax.servlet.http.HttpServletRequest request)
          Logs the user out by retrieving the WikiSession associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL, Role.ANONYMOUS.
 void refreshCredentials(WikiSession wikiSession)
          Reloads user Principals into the supplied WikiSession's Subject.
 void removeWikiEventListener(WikiEventListener listener)
          Un-registers a WikiEventListener with this instance.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

COOKIE_MODULE

public static final String COOKIE_MODULE
The name of the built-in cookie authentication module


LOGIN_CONTAINER

public static final String LOGIN_CONTAINER
The JAAS application name for the web container authentication stack.

See Also:
Constant Field Values

LOGIN_CUSTOM

public static final String LOGIN_CUSTOM
The JAAS application name for the JSPWiki custom authentication stack.

See Also:
Constant Field Values

PROP_STOREIPADDRESS

public static final String PROP_STOREIPADDRESS
If this jspwiki.properties property is true, logs the IP address of the editor on saving.

See Also:
Constant Field Values

log

protected static final org.apache.log4j.Logger log

m_isJaasConfiguredAtStartup

protected boolean m_isJaasConfiguredAtStartup
Was JAAS login config already set before we started up?


m_isJavaPolicyConfiguredAtStartup

protected boolean m_isJavaPolicyConfiguredAtStartup
Was Java security policy already set before we started up?


SECURITY_CONTAINER

public static final String SECURITY_CONTAINER
Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2.

See Also:
Constant Field Values

SECURITY_JAAS

public static final String SECURITY_JAAS
Value specifying that the user wants to use the built-in JAAS-based system

See Also:
Constant Field Values

PROP_SECURITY

public static final String PROP_SECURITY
This property determines whether we use JSPWiki authentication or not. Possible values are AUTH_JAAS or AUTH_CONTAINER.

See Also:
Constant Field Values

Constructor Detail

AuthenticationManager

public AuthenticationManager()

Method Detail

addWikiEventListener

public final void addWikiEventListener(WikiEventListener listener)
Registers a WikiEventListener with this instance.

Parameters:
listener - the event listener

initialize

public final void initialize(WikiEngine engine,
                             Properties props)
                      throws WikiException
Creates an AuthenticationManager instance for the given WikiEngine and the specified set of properties. All initialization for the modules is done here.

Throws:
WikiException

isContainerAuthenticated

public final boolean isContainerAuthenticated()
Returns true if this WikiEngine uses container-managed authentication. This method is used primarily for cosmetic purposes in the JSP tier, and performs no meaningful security function per se. Delegates to WebContainerAuthorizer.isContainerAuthorized(), if used as the external authorizer; otherwise, returns false.

Returns:
true if the wiki's authentication is managed by the container, false otherwise

login

public final boolean login(javax.servlet.http.HttpServletRequest request)
Logs in the user by attempting to populate a WikiSession Subject from a web servlet request. This method leverages container-managed authentication. This method logs in the user if the user's status is "unknown" to the WikiSession, or if the HTTP servlet container's authentication status has changed. This method assumes that the HttpServletRequest is not null; otherwise, an IllegalStateException is thrown. This method is a privileged action; the caller must possess the (name here) permission.

Parameters:
request - servlet request for this user
Throws:
IllegalStateException - if the wiki context's getHttpRequest or getWikiSession methods return null
IllegalArgumentException - if the context parameter is null
Since:
2.3

login

public final boolean login(WikiSession session,
                           String username,
                           String password)
Attempts to perform a WikiSession login for the given username/password combination. This is custom authentication.

Parameters:
session - the current wiki session; may not be null.
username - The user name. This is a login name, not a WikiName. In most cases they are the same, but in some cases, they might not be.
password - The password
Returns:
true, if the username/password is valid

logout

public final void logout(javax.servlet.http.HttpServletRequest request)
Logs the user out by retrieving the WikiSession associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL and Role.ANONYMOUS. This is a cheap-and-cheerful way to do it without invoking JAAS LoginModules. The logout operation will also flush the JSESSIONID cookie from the user's browser session, if it was set.

Parameters:
request - the current HTTP request

refreshCredentials

public final void refreshCredentials(WikiSession wikiSession)
Reloads user Principals into the supplied WikiSession's Subject. Existing Role principals are preserved; all other Principal types are flushed and replaced by those returned by UserDatabase.getPrincipals(String). This method should generally be called after a user's UserProfile is saved. If the wiki session is null, or there is no matching user profile, the method returns silently.

Parameters:
wikiSession -

removeWikiEventListener

public final void removeWikiEventListener(WikiEventListener listener)
Un-registers a WikiEventListener with this instance.

Parameters:
listener - the event listener

allowsCookieAssertions

public static final boolean allowsCookieAssertions()
Determines whether this WikiEngine allows users to assert identities using cookies instead of passwords. This is determined by inspecting the LoginConfiguration for application JSPWiki-container.

Returns:
true if cookies are allowed

fireEvent

protected final void fireEvent(WikiSecurityEvent event)
Fires a wiki event to all registered listeners.

Parameters:
event - the event

injectGroupPrincipals

protected final void injectGroupPrincipals(WikiSession session)
Injects GroupPrincipal objects into the user's Principal set based on the groups the user belongs to. This method also attaches a WikiEventListener to the GroupManager so that changes to groups are detected automatically.

Parameters:
session - the wiki session

injectRolePrincipals

protected final void injectRolePrincipals(WikiSession session)
Injects Role Principals into the user's Principal set based on the roles the user possesses, according to the external Authorizer. This method is called once, during login. The algorithm first calls Authorizer.getRoles() to obtain the array of Principals the authorizer knows about. Then, the method Authorizer.isUserInRole(WikiSession, Principal) is called for each Principal. If the user possesses the role, an equivalent role Principal is injected into the user's principal set.

Parameters:
session - the wiki session
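An added illustration, not JSPWiki's own code, of the role-injection algorithm described for injectRolePrincipals together with the logout behaviour described above (unbinding every Principal except Role.ALL and Role.ANONYMOUS). Role, Authorizer and the principal set are stand-in shapes assumed from the names used on this page; the sample authorizer and user are constructed.

```java
import java.security.Principal;
import java.util.*;

// Added illustration, not JSPWiki's own code. Role, Authorizer and the
// principal set are stand-ins shaped after the names used on this page.
public class PrincipalInjectionExample {
    /** Stand-in for JSPWiki's Role principal (assumed shape). */
    static final class Role implements Principal {
        static final Role ALL = new Role("All");
        static final Role ANONYMOUS = new Role("Anonymous");
        private final String name;
        Role(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof Role && ((Role) o).name.equals(name); }
        public int hashCode() { return name.hashCode(); }
    }

    /** Stand-in for the external Authorizer, with the two calls the page names. */
    interface Authorizer {
        Principal[] getRoles();
        boolean isUserInRole(Set<Principal> sessionPrincipals, Principal role);
    }
    /** The injectRolePrincipals algorithm: enumerate known roles, test each, inject matches. */
    static void injectRolePrincipals(Set<Principal> principals, Authorizer authorizer) {
        for (Principal role : authorizer.getRoles()) {
            if (authorizer.isUserInRole(principals, role)) {
                principals.add(new Role(role.getName())); // an equivalent Role principal
            }
        }
    }

    /** logout as described: unbind every Principal except Role.ALL and Role.ANONYMOUS. */
    static void logout(Set<Principal> principals) {
        principals.removeIf(p -> !(Role.ALL.equals(p) || Role.ANONYMOUS.equals(p)));
    }

    public static void main(String[] args) {
        // Constructed sample authorizer: knows Admin and Editor, grants Admin only to "alice".
        Authorizer authorizer = new Authorizer() {
            public Principal[] getRoles() { return new Principal[] { new Role("Admin"), new Role("Editor") }; }
            public boolean isUserInRole(Set<Principal> s, Principal role) {
                return "Admin".equals(role.getName()) && s.stream().anyMatch(p -> "alice".equals(p.getName()));
            }
        };
        Set<Principal> principals = new LinkedHashSet<>(Arrays.asList(Role.ALL, (Principal) () -> "alice"));
        injectRolePrincipals(principals, authorizer);   // set now holds All, alice and Admin, but not Editor
        logout(principals);                              // set is reduced to Role.ALL only
    }
}
```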