org.apache.sling.auth.form.impl
Class FormAuthenticationHandler

java.lang.Object
  extended by org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler
      extended by org.apache.sling.auth.core.spi.AbstractAuthenticationHandler
          extended by org.apache.sling.auth.form.impl.FormAuthenticationHandler
All Implemented Interfaces:
AuthenticationFeedbackHandler, AuthenticationHandler

@Properties(value={@Property(name="service.description",value="Apache Sling Form Based Authentication Handler"),@Property(name="service.vendor",value="The Apache Software Foundation"),@Property(name="path",value="/",cardinality=100),@Property(name="authtype",value=,propertyPrivate=true),@Property(name="service.ranking",intValue=0,propertyPrivate=false)})
@Service
public class FormAuthenticationHandler
extends AbstractAuthenticationHandler

The FormAuthenticationHandler class implements the authentication steps of form-based login, keeping the login state in a cookie.


Field Summary
static String PAR_AUTH_TIMEOUT
          The number of minutes after which a login session times out.
static String PAR_INCLUDE_FORM
          Whether to redirect to the login form or simply do an include.
 
Fields inherited from interface org.apache.sling.auth.core.spi.AuthenticationHandler
FAILURE_REASON, PATH_PROPERTY, REQUEST_LOGIN_PARAMETER, SERVICE_NAME, TYPE_PROPERTY
 
Constructor Summary
FormAuthenticationHandler()
Method Summary
protected  void activate(org.osgi.service.component.ComponentContext componentContext)
          Called by SCR to activate the authentication handler.
 void authenticationFailed(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationInfo authInfo)
          Called after an unsuccessful login attempt.
 boolean authenticationSucceeded(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthenticationInfo authInfo)
          Called after successful login with the given authentication info.
protected  void deactivate(org.osgi.service.component.ComponentContext componentContext)
 void dropCredentials(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Clears all authentication state which might have been prepared by this authentication handler.
 AuthenticationInfo extractCredentials(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Extracts cookie/session based credentials from the request.
 boolean requestCredentials(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Unless the sling:authRequestLogin request parameter is set to anything other than Form, this method either sends back a 403/FORBIDDEN response if the j_verify parameter is set to true, or redirects to the login form to ask for credentials.
 String toString()
Methods inherited from class org.apache.sling.auth.core.spi.AbstractAuthenticationHandler
getAttributeOrParameter, getLoginResource, isValidateRequest, sendInvalid, sendRedirect, sendValid, setLoginResourceAttribute
 
Methods inherited from class org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler
handleRedirect
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

PAR_AUTH_TIMEOUT

@Property(intValue=30)
public static final String PAR_AUTH_TIMEOUT
The number of minutes after which a login session times out. This value is used as the expiry time set in the authentication data.

See Also:
Constant Field Values

PAR_INCLUDE_FORM

@Property(boolValue=false)
public static final String PAR_INCLUDE_FORM
Whether to redirect to the login form or simply do an include.

See Also:
Constant Field Values

Constructor Detail

FormAuthenticationHandler

public FormAuthenticationHandler()

Method Detail

extractCredentials

public AuthenticationInfo extractCredentials(javax.servlet.http.HttpServletRequest request,
                                             javax.servlet.http.HttpServletResponse response)
Extracts cookie/session based credentials from the request. Returns null if the handler assumes HTTP Basic authentication would be more appropriate, if no form fields are present in the request and if the secure user data is not present either in the cookie or an HTTP Session.

Parameters:
request - The request object containing the information for the authentication.
response - The response object which may be used to send the information on the request failure to the user.
Returns:
A valid AuthenticationInfo instance identifying the request user, AuthenticationInfo.DOING_AUTH if the handler is in an authentication transaction with the client or null if the request does not contain authentication information. In case of AuthenticationInfo.DOING_AUTH, the method must have sent a response indicating that fact to the client.

requestCredentials

public boolean requestCredentials(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response)
                           throws IOException
Unless the sling:authRequestLogin request parameter is set to anything other than Form, this method either sends back a 403/FORBIDDEN response if the j_verify parameter is set to true, or redirects to the login form to ask for credentials.

This method assumes the j_verify request parameter to only be set in the initial username/password submission through the login form. No further checks are applied, though, before sending back the 403/FORBIDDEN response.

Parameters:
request - The request object.
response - The response object used to send the reply to the client.
Returns:
true if the handler is able to send an authentication inquiry for the given request. false otherwise.
Throws:
IOException - If an error occurs sending the authentication inquiry to the client.

dropCredentials

public void dropCredentials(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)
Clears all authentication state which might have been prepared by this authentication handler.

Parameters:
request - The request object.
response - The response object used to send the reply to the client.

authenticationFailed

public void authenticationFailed(javax.servlet.http.HttpServletRequest request,
                                 javax.servlet.http.HttpServletResponse response,
                                 AuthenticationInfo authInfo)
Called after an unsuccessful login attempt. This implementation makes sure the authentication data is removed, either by removing the cookie or by removing the HTTP Session attribute.

Specified by:
authenticationFailed in interface AuthenticationFeedbackHandler
Overrides:
authenticationFailed in class DefaultAuthenticationFeedbackHandler
Parameters:
request - The current request
response - The current response
authInfo - The AuthenticationInfo object used to authenticate the request.

authenticationSucceeded

public boolean authenticationSucceeded(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response,
                                       AuthenticationInfo authInfo)
Called after successful login with the given authentication info. This implementation ensures the authentication data is set in either the cookie or the HTTP session with the correct security tokens.

If no authentication data already exists, it is created. Otherwise, if the data has expired, it is updated with a new security token and a new expiry time.

If creating or updating the authentication data fails, it is actually removed from the cookie or the HTTP session and future requests will not be authenticated any longer.

Specified by:
authenticationSucceeded in interface AuthenticationFeedbackHandler
Overrides:
authenticationSucceeded in class DefaultAuthenticationFeedbackHandler
Parameters:
request - The current request
response - The current response
authInfo - The AuthenticationInfo object used to authenticate the request.
Returns:
the result of calling the DefaultAuthenticationFeedbackHandler.handleRedirect(HttpServletRequest, HttpServletResponse) method.
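The following class is an added illustration of the handler contract documented above for extractCredentials, requestCredentials, dropCredentials and the authenticationSucceeded/authenticationFailed feedback steps; it is not Apache Sling's FormAuthenticationHandler and does not show Sling's real token store. It goes slightly beyond the page in spelling out one concrete way to make the "security token" and "expiry time" tamper-evident: the cookie carries the user id and an expiry timestamp signed with an HMAC, and the signature is verified in constant time before the expiry is trusted. The cookie name, the token layout, the field names j_username/j_password, the auth type string "FORM", the login form path and the use of Servlet 3.0's setHttpOnly are all assumptions; only AuthenticationHandler, AuthenticationInfo, REQUEST_LOGIN_PARAMETER, AuthenticationInfo.DOING_AUTH semantics and the j_verify parameter come from the page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/** Illustrative handler. Cookie value (assumed layout, not Sling's): base64url(userId ":" expiryMillis ":" base64url(hmac)). */
public class ExampleCookieAuthHandler implements AuthenticationHandler {
    static final String COOKIE_NAME = "example-auth";  // constructed cookie name
    static final String AUTH_TYPE = "FORM";            // assumed auth type string
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final long timeoutMillis;
    private final byte[] secret = new byte[32];

    public ExampleCookieAuthHandler(int timeoutMinutes) {
        this.timeoutMillis = timeoutMinutes * 60_000L;
        new SecureRandom().nextBytes(secret); // per-instance key: a restart invalidates every cookie
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        // Initial form post (j_username/j_password are assumed field names): pass the credentials on;
        // the repository login, not this handler, verifies the password.
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user != null && pass != null) return new AuthenticationInfo(AUTH_TYPE, user, pass.toCharArray());
        String userId = userFromCookie(req); // follow-up request carrying a signed, unexpired cookie
        if (userId != null) return new AuthenticationInfo(AUTH_TYPE, userId);
        return null; // nothing usable: leave the request to other handlers
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String requested = req.getParameter(REQUEST_LOGIN_PARAMETER); // sling:authRequestLogin
        if (requested != null && !"Form".equals(requested)) return false; // another handler type was asked for
        if ("true".equals(req.getParameter("j_verify"))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN); // scripted login check: no redirect
        } else {
            res.sendRedirect("/system/sling/login"); // assumed login form path
        }
        return true;
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        clearCookie(res); // same action as the authenticationFailed step
    }

    /** The authenticationSucceeded step: create or refresh the cookie, or drop it if that fails. */
    public void issueCookie(String userId, HttpServletResponse res) {
        try {
            String payload = userId + ":" + (System.currentTimeMillis() + timeoutMillis);
            String token = payload + ":" + B64.encodeToString(hmac(payload));
            Cookie c = new Cookie(COOKIE_NAME, B64.encodeToString(token.getBytes(StandardCharsets.UTF_8)));
            c.setHttpOnly(true); c.setSecure(true); c.setPath("/"); // setHttpOnly needs Servlet 3.0+
            res.addCookie(c);
        } catch (Exception e) {
            clearCookie(res); // never leave half-written authentication data behind
        }
    }

    /** User id from a valid cookie, or null when it is missing, malformed, expired or wrongly signed. */
    String userFromCookie(HttpServletRequest req) {
        if (req.getCookies() == null) return null;
        for (Cookie c : req.getCookies()) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            try {
                String token = new String(Base64.getUrlDecoder().decode(c.getValue()), StandardCharsets.UTF_8);
                String payload = token.substring(0, token.lastIndexOf(':'));
                byte[] mac = Base64.getUrlDecoder().decode(token.substring(token.lastIndexOf(':') + 1));
                long expiry = Long.parseLong(payload.substring(payload.lastIndexOf(':') + 1));
                // constant-time MAC check first; only then trust the expiry embedded in the signed payload
                if (MessageDigest.isEqual(mac, hmac(payload)) && System.currentTimeMillis() < expiry) {
                    return payload.substring(0, payload.lastIndexOf(':'));
                }
            } catch (Exception e) {
                // malformed cookie: treated exactly like no cookie at all
            }
        }
        return null;
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static void clearCookie(HttpServletResponse res) {
        Cookie c = new Cookie(COOKIE_NAME, ""); // Max-Age 0 tells the browser to delete it
        c.setMaxAge(0); c.setPath("/"); res.addCookie(c);
    }
}
```

Two design points carry over to any handler of this shape. Because the expiry lives inside the signed payload, a client cannot extend its own session by editing the timestamp, and because verification happens before the timestamp is read, an invalid cookie is indistinguishable from an absent one, which is the "return null" case the extractCredentials Javadoc describes. The per-instance random key mirrors the activate() signature above, which declares the key-related exceptions InvalidKeyException and NoSuchAlgorithmException; in a deployment with several instances the key would have to be shared or persisted, otherwise cookies issued by one instance are rejected by the others.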

toString

public String toString()
Overrides:
toString in class Object

activate

protected void activate(org.osgi.service.component.ComponentContext componentContext)
                 throws InvalidKeyException,
                        NoSuchAlgorithmException,
                        IllegalStateException,
                        UnsupportedEncodingException
Called by SCR to activate the authentication handler.

Throws:
InvalidKeyException
NoSuchAlgorithmException
IllegalStateException
UnsupportedEncodingException

deactivate

protected void deactivate(org.osgi.service.component.ComponentContext componentContext)


Copyright © 2007-2013 The Apache Software Foundation. All Rights Reserved.