Package org.owasp.esapi.reference
Class AbstractAuthenticator
- java.lang.Object
  - org.owasp.esapi.reference.AbstractAuthenticator
- All Implemented Interfaces:
Authenticator
- Direct Known Subclasses:
FileBasedAuthenticator
public abstract class AbstractAuthenticator extends java.lang.Object implements Authenticator
A partial implementation of the Authenticator interface. This class should not implement any methods that modify a User object, since that behaviour is implementation-specific.
Field Summary
- protected static java.lang.String USER: key for the user in the session
Constructor Summary
- AbstractAuthenticator()
Method Summary
All Methods | Instance Methods | Concrete Methods
- void clearCurrent(): Clears the current User.
- boolean exists(java.lang.String accountName): Determine if the account exists.
- User getCurrentUser(): Returns the currently logged in User.
- protected DefaultUser getUserFromRememberToken(): Returns the user if a matching remember token is found, or null if the token is missing, the token is corrupt, the token is expired, the account name does not match an existing account, or the hashed password does not match the user's hashed password.
- protected User getUserFromSession(): Gets the user from the session.
- User login(): Calls login with the *current* request and response.
- User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request.
- void logout(): Logs out the current user.
- void setCurrentUser(User user): Sets the currently logged in User.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.owasp.esapi.Authenticator
changePassword, createUser, generateStrongPassword, generateStrongPassword, getUser, getUser, getUserNames, hashPassword, removeUser, verifyAccountNameStrength, verifyPassword, verifyPasswordStrength
-
Field Detail
-
USER
protected static final java.lang.String USER
Key for the user in the session.
- See Also:
  - Constant Field Values
Method Detail
-
clearCurrent
public void clearCurrent()
Clears the current User. This allows the thread to be reused safely. This clears all thread-local variables from the thread. This should ONLY be called after all possible ESAPI operations have concluded. If you clear too early, many calls will fail, including logging, which requires the user identity.
- Specified by:
  - clearCurrent in interface Authenticator
-
exists
public boolean exists(java.lang.String accountName)
Determine if the account exists.
- Specified by:
  - exists in interface Authenticator
- Parameters:
  - accountName: the account name
- Returns:
  - true, if the account exists
-
getCurrentUser
public User getCurrentUser()
Returns the currently logged in User as set by the setCurrentUser() method. This method must not log, because the logger calls getCurrentUser() and logging here could cause a loop.
- Specified by:
  - getCurrentUser in interface Authenticator
- Returns:
  - the matching User object, or the Anonymous User if no match exists
-
getUserFromSession
protected User getUserFromSession()
Gets the user from the session.
- Returns:
  - the user from the session, or null if no user is found in the session
-
getUserFromRememberToken
protected DefaultUser getUserFromRememberToken()
Returns the user if a matching remember token is found, or null if the token is missing, the token is corrupt, the token is expired, the account name does not match an existing account, or the hashed password does not match the user's hashed password.
- Returns:
  - the user if a matching remember token is found, or null in any of the failure cases listed above
-
login
public User login() throws AuthenticationException
Calls login with the *current* request and response.
- Specified by:
  - login in interface Authenticator
- Returns:
  - the authenticated User if login is successful
- Throws:
  - AuthenticationException
- See Also:
  - HTTPUtilities.setCurrentHTTP(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
-
login
public User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException
This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request. This method will set the current user so that getCurrentUser() will work properly. It authenticates the user's credentials from the HttpServletRequest if necessary, creates a session if necessary, and sets the user as the current user.
Specification: The implementation should do the following:
1. Check if the User is already stored in the session
   a. If so, check that the session absolute and inactivity timeouts have not expired
   b. Step 2 may not be required if 1a has been satisfied
2. Verify User credentials
   a. It is recommended that you use loginWithUsernameAndPassword(HttpServletRequest, HttpServletResponse) to verify credentials
3. Set the last host of the User (ex. user.setLastHostAddress(address))
4. Verify that the request is secure (ex. over SSL)
5. Verify the User account is allowed to be logged in
   a. Verify the User is not disabled, expired or locked
6. Assign the User to a session variable
- Specified by:
  - login in interface Authenticator
- Parameters:
  - request: the current HTTP request
  - response: the HTTP response
- Returns:
  - the User
- Throws:
  - AuthenticationException: if the credentials are not verified, or if the account is disabled, locked, expired, or timed out
-
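The per-request lifecycle these docs describe (login on every request, then clearCurrent() only once all ESAPI work for the request is done), shown as an added servlet Filter example; this is illustrative code, not ESAPI's own filter, and it assumes the ESAPI static locator (ESAPI.authenticator(), ESAPI.httpUtilities()) and the AuthenticationException class from org.owasp.esapi.errors.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AuthenticationException;

/**
 * Example filter (not part of ESAPI) that drives AbstractAuthenticator.login()
 * for every request and defers clearCurrent() until the request has finished.
 */
public class EsapiLoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            // Make the request/response available to ESAPI (see login() "See Also").
            ESAPI.httpUtilities().setCurrentHTTP(request, response);
            // Establish the current user from the session, a remember token or
            // submitted credentials; throws if the account is disabled, locked,
            // expired, or the session timed out (steps 1-6 of the login spec).
            ESAPI.authenticator().login(request, response);
            // From here on getCurrentUser() returns the authenticated user.
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // Fail closed with a generic status; do not echo credential details.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            // Only now is it safe to drop the thread-local user and HTTP objects:
            // logging and other ESAPI calls above still needed the identity.
            ESAPI.authenticator().clearCurrent();
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    @Override
    public void destroy() { }
}
```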
logout
public void logout()
Logs out the current user. This is usually done by calling User.logout on the current User.
- Specified by:
  - logout in interface Authenticator
-
setCurrentUser
public void setCurrentUser(User user)
Sets the currently logged in User.
- Specified by:
  - setCurrentUser in interface Authenticator
- Parameters:
  - user: the user to set as the current user