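//
// ========================================================================
// Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//

package org.eclipse.jetty.security.authentication;

import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.session.AbstractSessionManager;

/**
 * Base class for {@link Authenticator} implementations that validate a
 * username/credential pair against a {@link LoginService}.
 * <p>
 * On a successful {@link #login(String, Object, ServletRequest)} the current
 * session id is renewed (see {@link #renewSession(HttpServletRequest, HttpServletResponse)})
 * so that a session id handed out before authentication is not kept afterwards.
 * The {@link LoginService} and {@link IdentityService} are taken from the
 * {@link AuthConfiguration} passed to {@link #setConfiguration(AuthConfiguration)},
 * which must be called before {@link #login(String, Object, ServletRequest)}.
 */
public abstract class LoginAuthenticator implements Authenticator
{
    /** Validates credentials; assigned by {@link #setConfiguration(AuthConfiguration)}, otherwise {@code null}. */
    protected LoginService _loginService;
    /** Identity service from the configuration; assigned by {@link #setConfiguration(AuthConfiguration)}. */
    protected IdentityService _identityService;
    /** Whether the session id is changed on successful login; from {@link AuthConfiguration#isSessionRenewedOnAuthentication()}. */
    private boolean _renewSession;

    protected LoginAuthenticator()
    {
    }

    /* ------------------------------------------------------------ */
    /**
     * Authenticate the given credentials with the configured {@link LoginService}.
     * <p>
     * On success the session id is renewed via
     * {@link #renewSession(HttpServletRequest, HttpServletResponse)} before the
     * identity is returned; on failure nothing else is done.
     *
     * @param username the user name to authenticate
     * @param password the credential; its type depends on the {@link LoginService}
     * @param request  the current request, which must be an {@link HttpServletRequest}
     * @return the authenticated identity, or {@code null} if the login failed
     * @throws NullPointerException if {@link #setConfiguration(AuthConfiguration)} has not been called
     * @throws ClassCastException if {@code request} is not an {@link HttpServletRequest}
     */
    public UserIdentity login(String username, Object password, ServletRequest request)
    {
        UserIdentity user = _loginService.login(username, password);
        if (user == null)
            return null;

        // Successful login: replace any session id that may have been issued while the
        // client was still unauthenticated, so the authenticated session does not
        // keep an id an unauthenticated party could already know.
        renewSession((HttpServletRequest)request, null);
        return user;
    }

    /**
     * Take the {@link LoginService}, {@link IdentityService} and the
     * session-renewal flag from the configuration.
     *
     * @param configuration the authenticator configuration
     * @throws IllegalStateException if the configuration has no {@link LoginService}
     *         or no {@link IdentityService}
     */
    public void setConfiguration(AuthConfiguration configuration)
    {
        _loginService = configuration.getLoginService();
        if (_loginService == null)
            throw new IllegalStateException("No LoginService for " + this + " in " + configuration);
        _identityService = configuration.getIdentityService();
        if (_identityService == null)
            throw new IllegalStateException("No IdentityService for " + this + " in " + configuration);
        _renewSession = configuration.isSessionRenewedOnAuthentication();
    }

    /**
     * @return the {@link LoginService} assigned by {@link #setConfiguration(AuthConfiguration)},
     *         or {@code null} if that has not been called
     */
    public LoginService getLoginService()
    {
        return _loginService;
    }

    /** Change the session id.
     * The session is changed to a new instance with a new ID if and only if:<ul>
     * <li>A session exists.
     * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
     * <li>The session ID has been given to unauthenticated responses, i.e. the
     *     {@link AbstractSessionManager#SESSION_KNOWN_ONLY_TO_AUTHENTICATED} attribute
     *     of the session is not {@code true}.
     * </ul>
     * Renewing the id at this point means an id observed before login is not the id
     * of the authenticated session (the usual defence against session fixation).
     * @param request the current request
     * @param response the current response; not used by this method and may be {@code null}
     * @return The renewed session, the existing session if it was not renewed,
     *         or {@code null} if the request has no session.
     */
    protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
    {
        HttpSession httpSession = request.getSession(false);

        // Renew only when configured to, when a session exists, and when that session has
        // not already been marked as known only to authenticated users.
        // Boolean.TRUE.equals(...) is used instead of a reference comparison against
        // Boolean.TRUE so that a distinct Boolean instance is treated the same way.
        if (_renewSession && httpSession != null
            && !Boolean.TRUE.equals(httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)))
        {
            synchronized (this)
            {
                httpSession = AbstractSessionManager.renewSession(request, httpSession, true);
            }
        }
        return httpSession;
    }
}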