2 // ========================================================================
3 // Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
19 package org.eclipse.jetty.security.authentication;
21 import javax.servlet.ServletRequest;
22 import javax.servlet.http.HttpServletRequest;
23 import javax.servlet.http.HttpServletResponse;
24 import javax.servlet.http.HttpSession;
26 import org.eclipse.jetty.security.Authenticator;
27 import org.eclipse.jetty.security.IdentityService;
28 import org.eclipse.jetty.security.LoginService;
29 import org.eclipse.jetty.server.Request;
30 import org.eclipse.jetty.server.Response;
31 import org.eclipse.jetty.server.UserIdentity;
32 import org.eclipse.jetty.server.session.AbstractSession;
33 import org.eclipse.jetty.util.log.Log;
34 import org.eclipse.jetty.util.log.Logger;
36 public abstract class LoginAuthenticator implements Authenticator
38 private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);
40 protected LoginService _loginService;
41 protected IdentityService _identityService;
42 private boolean _renewSession;
45 /* ------------------------------------------------------------ */
46 protected LoginAuthenticator()
50 /* ------------------------------------------------------------ */
52 public void prepareRequest(ServletRequest request)
54 //empty implementation as the default
58 /* ------------------------------------------------------------ */
59 public UserIdentity login(String username, Object password, ServletRequest request)
61 UserIdentity user = _loginService.login(username,password);
64 renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
70 /* ------------------------------------------------------------ */
72 public void setConfiguration(AuthConfiguration configuration)
74 _loginService=configuration.getLoginService();
75 if (_loginService==null)
76 throw new IllegalStateException("No LoginService for "+this+" in "+configuration);
77 _identityService=configuration.getIdentityService();
78 if (_identityService==null)
79 throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
80 _renewSession=configuration.isSessionRenewedOnAuthentication();
84 /* ------------------------------------------------------------ */
85 public LoginService getLoginService()
91 /* ------------------------------------------------------------ */
92 /** Change the session id.
93 * The session is changed to a new instance with a new ID if and only if:<ul>
94 * <li>A session exists.
95 * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
96 * <li>The session ID has been given to unauthenticated responses
100 * @return The new session.
102 protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
104 HttpSession httpSession = request.getSession(false);
106 if (_renewSession && httpSession!=null)
108 synchronized (httpSession)
110 //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
111 //(indicated by SESSION_SECURED not being set on the session) then we should change id
112 if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
114 if (httpSession instanceof AbstractSession)
116 AbstractSession abstractSession = (AbstractSession)httpSession;
117 String oldId = abstractSession.getId();
118 abstractSession.renewId(request);
119 abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
120 if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
121 ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
122 LOG.debug("renew {}->{}",oldId,abstractSession.getId());
125 LOG.warn("Unable to renew session "+httpSession);