Package org.owasp.esapi.reference
Class AbstractAuthenticator
java.lang.Object
    org.owasp.esapi.reference.AbstractAuthenticator

All Implemented Interfaces:
Authenticator
Direct Known Subclasses:
FileBasedAuthenticator
public abstract class AbstractAuthenticator extends java.lang.Object implements Authenticator
A partial implementation of the Authenticator interface. This class deliberately does not implement any method that modifies a User object, since how a User is stored and modified is specific to the concrete Authenticator (for example FileBasedAuthenticator).
Field Summary
protected static java.lang.String USER
    Key for user in session

Constructor Summary
AbstractAuthenticator()
Method Summary
void clearCurrent()
    Clears the current User.
boolean exists(java.lang.String accountName)
    Determine if the account exists.
User getCurrentUser()
    Returns the currently logged in User.
protected DefaultUser getUserFromRememberToken()
    Returns the user if a matching remember token is found, or null if the token is missing, corrupt or expired, the account name does not match an existing account, or the hashed password does not match the user's hashed password.
protected User getUserFromSession()
    Gets the user from the session.
User login()
    Calls login with the *current* request and response.
User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request.
void logout()
    Logs out the current user.
void setCurrentUser(User user)
    Sets the currently logged in User.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.owasp.esapi.Authenticator
changePassword, createUser, generateStrongPassword, generateStrongPassword, getUser, getUser, getUserNames, hashPassword, removeUser, verifyAccountNameStrength, verifyPassword, verifyPasswordStrength
Field Detail
USER
protected static final java.lang.String USER
Key for user in session
See Also:
Constant Field Values
Method Detail
clearCurrent
public void clearCurrent()
Clears the current User. This allows the thread to be reused safely: it clears all thread-local variables from the thread. This should ONLY be called after all possible ESAPI operations for the request have concluded. If you clear too early, many calls will fail, including logging, which requires the user identity.
Specified by:
clearCurrent in interface Authenticator
exists
public boolean exists(java.lang.String accountName)
Determine if the account exists.
Specified by:
exists in interface Authenticator
Parameters:
accountName - the account name
Returns:
true, if the account exists
getCurrentUser
public User getCurrentUser()
Returns the currently logged in User, as set by the setCurrentUser() method. This method must not write to the log, because the logger itself calls getCurrentUser() to record the user identity, which would cause a loop.
Specified by:
getCurrentUser in interface Authenticator
Returns:
the matching User object, or the Anonymous User if no match exists
getUserFromSession
protected User getUserFromSession()
Gets the user from the session.
Returns:
the user from the session, or null if no user is found in the session
getUserFromRememberToken
protected DefaultUser getUserFromRememberToken()
Returns the user if a matching remember token is found, or null if the token is missing, the token is corrupt, the token is expired, the account name does not match an existing account, or the hashed password does not match the user's hashed password.
Returns:
the matching user, or null under any of the conditions listed above
login
public User login() throws AuthenticationException
Calls login with the *current* request and response, i.e. the ones previously bound to this thread via HTTPUtilities.setCurrentHTTP.
Specified by:
login in interface Authenticator
Returns:
Authenticated User if login is successful.
Throws:
AuthenticationException
See Also:
HTTPUtilities.setCurrentHTTP(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
login
public User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException
This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request. This method sets the current user so that getCurrentUser() works properly. It authenticates the user's credentials from the HttpServletRequest if necessary, creates a session if necessary, and sets the user as the current user.
Specification: the implementation should do the following:
1) Check if the User is already stored in the session
   a. If so, check that the session absolute and inactivity timeouts have not expired
   b. Step 2 may not be required if 1a has been satisfied
2) Verify User credentials
   a. It is recommended that you use loginWithUsernameAndPassword(HttpServletRequest, HttpServletResponse) to verify credentials
3) Set the last host of the User (ex. user.setLastHostAddress(address))
4) Verify that the request is secure (ex. over SSL/TLS)
5) Verify the User account is allowed to be logged in
   a. Verify the User is not disabled, expired or locked
6) Assign the User to the session variable
Note that steps 1a and 5 apply to a User found in the session as well: a user who is already logged in is still rejected once the session times out or the account becomes disabled, expired or locked.
Specified by:
login in interface Authenticator
Parameters:
request - the current HTTP request
response - the HTTP response
Returns:
the User
Throws:
AuthenticationException - if the credentials are not verified, or if the account is disabled, locked, expired, or timed out
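The per-request contract above (bind the request, call login for every request, and clear the thread-local state as the very last ESAPI call) is easiest to honour from a servlet Filter. The following is an added example and not code from ESAPI itself; the filter class name, answering failures with HTTP 401, and the extra isAnonymous() check before continuing the chain are choices made for illustration.

```java
// Added example (not part of ESAPI): a servlet Filter that drives
// Authenticator.login(request, response) once per request and clears the
// thread-local state afterwards. Class name, the 401 response and the
// isAnonymous() fallback check are assumptions for illustration.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

public class EsapiAuthenticationFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure here; ESAPI reads ESAPI.properties on first use.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            // Bind request/response to this thread first: the no-arg login()
            // and other ESAPI code that reads the "current" request need it.
            ESAPI.httpUtilities().setCurrentHTTP(request, response);

            // Steps 1-6 of the login() specification happen inside this call:
            // reuse the session user if the timeouts have not expired, otherwise
            // verify credentials; then record the last host, require a secure
            // request, reject disabled/expired/locked accounts, and bind the
            // User to the session and to the current thread.
            User user = ESAPI.authenticator().login(request, response);

            // Defence in depth: the contract says login() throws on failure,
            // but never continue the chain for the Anonymous User.
            if (user == null || user.isAnonymous()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // getUserMessage() is safe to show; getLogMessage() may carry
            // account details and belongs in the log, not in the response.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getUserMessage());
        } finally {
            // Must be the very last ESAPI calls on this thread: logging needs
            // the current user and request, and servlet containers reuse
            // worker threads for unrelated requests.
            ESAPI.authenticator().clearCurrent();
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    @Override
    public void destroy() {
    }
}
```

Downstream code in the same request can then rely on ESAPI.authenticator().getCurrentUser() returning the authenticated User; after the finally block runs it returns the Anonymous User again, which is why no ESAPI call (including logging) may follow clearCurrent() on that thread.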
logout
public void logout()
Logs out the current user. This is usually done by calling User.logout on the current User.
Specified by:
logout in interface Authenticator
setCurrentUser
public void setCurrentUser(User user)
Sets the currently logged in User.
Specified by:
setCurrentUser in interface Authenticator
Parameters:
user - the user to set as the current user