Importing upstream Jetty jetty-9.2.1.v20140609

[gigi.git] / lib / jetty / org / eclipse / jetty / security / authentication / LoginAuthenticator.java

diff --git a/lib/jetty/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/lib/jetty/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
new file mode 100644 (file)
index 0000000..9a1940d
--- /dev/null
+++ b/lib/jetty/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -0,0 +1,133 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.security.authentication;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.eclipse.jetty.security.Authenticator;
+import org.eclipse.jetty.security.IdentityService;
+import org.eclipse.jetty.security.LoginService;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.UserIdentity;
+import org.eclipse.jetty.server.session.AbstractSession;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
+
+public abstract class LoginAuthenticator implements Authenticator
+{
+    private static final Logger LOG = Log.getLogger(LoginAuthenticator.class);
+
+    protected LoginService _loginService;
+    protected IdentityService _identityService;
+    private boolean _renewSession;
+    
+    
+    /* ------------------------------------------------------------ */
+    protected LoginAuthenticator()
+    {
+    }
+
+    /* ------------------------------------------------------------ */
+    @Override
+    public void prepareRequest(ServletRequest request)
+    {
+        //empty implementation as the default
+    }
+
+
+    /* ------------------------------------------------------------ */
+    public UserIdentity login(String username, Object password, ServletRequest request)
+    {
+        UserIdentity user = _loginService.login(username,password);
+        if (user!=null)
+        {
+            renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
+            return user;
+        }
+        return null;
+    }
+
+    /* ------------------------------------------------------------ */
+    @Override
+    public void setConfiguration(AuthConfiguration configuration)
+    {
+        _loginService=configuration.getLoginService();
+        if (_loginService==null)
+            throw new IllegalStateException("No LoginService for "+this+" in "+configuration);
+        _identityService=configuration.getIdentityService();
+        if (_identityService==null)
+            throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
+        _renewSession=configuration.isSessionRenewedOnAuthentication();
+    }
+    
+    
+    /* ------------------------------------------------------------ */
+    public LoginService getLoginService()
+    {
+        return _loginService;
+    }
+    
+    
+    /* ------------------------------------------------------------ */
+    /** Change the session id.
+     * The session is changed to a new instance with a new ID if and only if:<ul>
+     * <li>A session exists.
+     * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
+     * <li>The session ID has been given to unauthenticated responses
+     * </ul>
+     * @param request
+     * @param response
+     * @return The new session.
+     */
+    protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
+    {
+        HttpSession httpSession = request.getSession(false);
+
+        if (_renewSession && httpSession!=null)
+        {
+            synchronized (httpSession)
+            {
+                //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
+                //(indicated by SESSION_SECURED not being set on the session) then we should change id
+                if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+                {
+                    if (httpSession instanceof AbstractSession)
+                    {
+                        AbstractSession abstractSession = (AbstractSession)httpSession;
+                        String oldId = abstractSession.getId();
+                        abstractSession.renewId(request);
+                        abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+                        if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
+                            ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
+                        LOG.debug("renew {}->{}",oldId,abstractSession.getId());
+                    }
+                    else
+                        LOG.warn("Unable to renew session "+httpSession);
+                    
+                    return httpSession;
+                }
+            }
+        }
+        return httpSession;
+    }
+}