Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
Clearspace API (1.10.16) Core Javadocs
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

com.jivesoftware.base
Class AuthFactory

java.lang.Object
  extended by com.jivesoftware.base.AuthFactory

public abstract class AuthFactory
extends java.lang.Object

An abstract class that defines a framework for providing authentication services in Jive. The static getAuthToken(String, String), getAuthToken(HttpServletRequest, HttpServletResponse), and getAnonymousAuthToken() methods should be called directly from applications using Jive in order to obtain an AuthToken.

Users of Jive that wish to change the AuthFactory implementation used to generate tokens can set the AuthFactory.className Jive property. For example, if you have altered Jive to use LDAP for user information, you'd want to write a custom implementation of AuthFactory to make LDAP authToken queries. After changing the AuthFactory.className Jive property, you must restart your application server.

The getAuthToken method that takes servlet request and response objects as arguments can be used to implement single sign-on. Additionally, two helper methods are provided for securely encrypting and decrypting login information so that it can be stored as a cookie value to implement auto-login.

Nested Class Summary
static class AuthFactory.SystemAuthToken
           
 
Field Summary
static long ANONYMOUS_USER_ID
          Defines the id used for anonymous users.
static java.lang.String AUTH_PROVIDER_KEY
           
protected static com.jivesoftware.util.EncryptionUtil cipher
           
static java.lang.String COOKIE_AUTOLOGIN
          Name of the cookie used to store user info for auto-login purposes.
static java.lang.String COOKIE_JIVE_SERVER_INFO
          Cookie used for things like akamai to tell information about a specific server.
static java.lang.String COOKIE_LOGGED_IN
          Cookie used to show that the current user is logged in.
static java.lang.String KEY_AUTO_LOGIN
          Name of the user property key used to auto login random key.
static java.lang.String KEY_LAST_LOGGED_IN
          Name of the user property key used to store the last logged in date of a user
static java.lang.String SESSION_AUTHORIZATION
          Name of the key in a user's session that AuthToken tokens are customarily stored at.
 
Constructor Summary
AuthFactory()
           
 
Method Summary
protected  void addLoginCookie(AuthToken auth, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
protected  void addServerInfoCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
static void checkAuthorization(AuthToken authToken, javax.servlet.http.HttpServletRequest request)
          Checks if the specified AuthToken is authorized.
protected  void clearSessionUserInfo(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Concrete subclasses may wish to override this method to destroy session info as appropriate.
static void copyAuthProviderConfigToLDAP()
           
static void copyLdapConfigToAuthProvider()
           
protected  AuthToken createAnonymousAuthToken()
          Creates anonymous AuthToken tokens.
protected  AuthToken createAuthToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Creates AuthToken tokens based on information from servlet request and response objects.
protected  AuthToken createAuthToken(java.lang.String username, java.lang.String password)
          Creates AuthToken tokens based on a username.
protected  AuthToken createSessionUserInfo(java.lang.String username, java.lang.String password, boolean autoLogin, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Concrete subclasses may wish to override this method to create session info as appropriate.
static java.lang.String[] decryptAuthInfo(java.lang.String value)
          Utility method that decrypts a String built by the encryptAuthInfo method containing a username and password.
static void destroyAuthFactory()
          Method used internally by Jive.
static java.lang.String encryptAuthInfo(java.lang.String username, java.lang.String password)
          Utility method that builds an encrypted String containing a username and password, which is useful for storing as a cookie.
static void forceReload()
           
static AuthToken getAnonymousAuthToken()
          Returns an anonymous user AuthToken.
 AuthenticationProvider getAuthenticationProvider()
           
static AuthToken getAuthToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Returns the AuthToken token associated with the information in a servlet request and response object.
static AuthToken getAuthToken(java.lang.String username, java.lang.String password)
          Returns the AuthToken token associated with the specified username and password.
protected static java.lang.String getServerInfoCookieProperty(javax.naming.InitialContext ctx, java.lang.String property, java.lang.String defaultVal)
          This method will see if a property for the jive.server.info cookie is on the initial context under java:comp/env/jive/{myprop} if not found there it will check jive local properties for the property under jive.server.info.
static AuthToken getSessionAuthToken(javax.servlet.http.HttpServletRequest request)
          Returns the authToken in the session, if one does not exist an anonymous authToken will be returned.
static User getSessionUser(javax.servlet.http.HttpServletRequest request)
          Returns the currently logged in user.
static AuthToken getSystemAuthToken()
           
protected  User getUser(AuthToken authToken)
           
static AuthToken loginUser(java.lang.String username, java.lang.String password, boolean autoLogin, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          This method is a method for logging a user in and creating the appropriate session variables and/or cookies to keep state.
static void logoutUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          This method is a method for logging a user out and destroying or resetting the appropriate session variables and/or cookies to keep state.
protected  void updateLoginTimestamp(AuthToken authToken)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ANONYMOUS_USER_ID

public static final long ANONYMOUS_USER_ID
Defines the id used for anonymous users.

See Also:
Constant Field Values

SESSION_AUTHORIZATION

public static final java.lang.String SESSION_AUTHORIZATION
Name of the key in a user's session that AuthToken tokens are customarily stored at.

See Also:
Constant Field Values

COOKIE_AUTOLOGIN

public static final java.lang.String COOKIE_AUTOLOGIN
Name of the cookie used to store user info for auto-login purposes.

See Also:
Constant Field Values

COOKIE_LOGGED_IN

public static final java.lang.String COOKIE_LOGGED_IN
Cookie used to show that the current user is logged in. This is used for things such as caching for Akimai

See Also:
Constant Field Values

COOKIE_JIVE_SERVER_INFO

public static final java.lang.String COOKIE_JIVE_SERVER_INFO
Cookie used for things like akamai to tell information about a specific server.

See Also:
Constant Field Values

KEY_LAST_LOGGED_IN

public static final java.lang.String KEY_LAST_LOGGED_IN
Name of the user property key used to store the last logged in date of a user

See Also:
Constant Field Values

KEY_AUTO_LOGIN

public static final java.lang.String KEY_AUTO_LOGIN
Name of the user property key used to auto login random key.

See Also:
Constant Field Values

AUTH_PROVIDER_KEY

public static final java.lang.String AUTH_PROVIDER_KEY
See Also:
Constant Field Values

cipher

protected static com.jivesoftware.util.EncryptionUtil cipher
Constructor Detail

AuthFactory

public AuthFactory()
Method Detail

getAuthToken

public static AuthToken getAuthToken(java.lang.String username,
                                     java.lang.String password)
                              throws UnauthorizedException
Returns the AuthToken token associated with the specified username and password. If the username and password do not match the record of any user in the system, the method throws an UnauthorizedException.

When using most implementations of this class, authToken tokens should be cached. A convenient place to store a token is often in the HttpSession.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

getAuthToken

public static AuthToken getAuthToken(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
                              throws UnauthorizedException
Returns the AuthToken token associated with the information in a servlet request and response object. This is useful for systems that store login information in a user's session or as a cookie, and can also be used to implement single sign-on in Jive. If no authentication information is found, the method throws an UnauthorizedException.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
the AuthToken token associated with the information in a servlet request and response object.
Throws:
UnauthorizedException - if no authToken information is found.

getAnonymousAuthToken

public static AuthToken getAnonymousAuthToken()
Returns an anonymous user AuthToken.

Returns:
an anonymous AuthToken token.

getSystemAuthToken

public static AuthToken getSystemAuthToken()

encryptAuthInfo

public static java.lang.String encryptAuthInfo(java.lang.String username,
                                               java.lang.String password)
Utility method that builds an encrypted String containing a username and password, which is useful for storing as a cookie. This is a cryptographically secure algorithm that uses a 56-bit DES key. The standard cookie name used by Jive for this information is stored in AuthFactory.COOKIE_AUTOLOGIN.

Parameters:
username - the username to encode.
password - the password to encode.
Returns:
an encrypted String containing the input parameters.

decryptAuthInfo

public static java.lang.String[] decryptAuthInfo(java.lang.String value)
                                          throws javax.crypto.IllegalBlockSizeException
Utility method that decrypts a String built by the encryptAuthInfo method containing a username and password. This is a cryptographically secure algorithm that uses a 56-bit DES key. The standard cookie name used by Jive for this information is stored in AuthFactory.COOKIE_AUTOLOGIN.

Parameters:
value - the encrypted String.
Returns:
String[] containing the username at index 0 and the password at index 1, or { null, null } if value equals null or the empty string.
Throws:
javax.crypto.IllegalBlockSizeException - if a decryption error occurs

createAuthToken

protected AuthToken createAuthToken(java.lang.String username,
                                    java.lang.String password)
Creates AuthToken tokens based on a username.

Parameters:
username - the username
password - the password
Returns:
an AuthToken
Throws:
UnauthorizedException - if no authToken information is found.

createAuthToken

protected AuthToken createAuthToken(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
                             throws UnauthorizedException
Creates AuthToken tokens based on information from servlet request and response objects. This method is optionally implemented by concrete subclasses of AuthFactory.

If this method is not overwriten by a concrete subclass of AuthFactory, then the following default behavior will be used to search for login information:

  • Look for an AuthToken object in the session using the session name AuthFactory.SESSION_AUTHORIZATION. Return it if found.
  • Look for encrypted login information at the cookie value named AuthFactory.COOKIE_AUTOLOGIN. Return an AuthToken object built using that info if found.
  • Throw an UnauthorizedException if the previous two steps failed or if the authToken returned would be anonymous.

    Parameters:
    request - a HttpServletRequest object.
    response - a HttpServletResponse object.
    Returns:
    an AuthToken
    Throws:
    UnauthorizedException - if no authToken information is found.

    • updateLoginTimestamp

    protected void updateLoginTimestamp(AuthToken authToken)

    addLoginCookie

    protected void addLoginCookie(AuthToken auth,
                              javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response)

    addServerInfoCookie

    protected void addServerInfoCookie(javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)

    createAnonymousAuthToken

    protected AuthToken createAnonymousAuthToken()
    Creates anonymous AuthToken tokens. This method must be implemented by concrete subclasses AuthFactory.

    Returns:
    an anonymous AuthToken token.

    loginUser

    public static AuthToken loginUser(java.lang.String username,
                                  java.lang.String password,
                                  boolean autoLogin,
                                  javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response)
                           throws UnauthorizedException
    This method is a method for logging a user in and creating the appropriate session variables and/or cookies to keep state. An AuthToken is returned upon a successful login, an UnauthorizedException is thrown is the login was not successful.

    Parameters:
    username - the username to create an AuthToken with.
    password - the password to create an AuthToken with.
    autoLogin - whether autoLogin capability is requested or not.
    request - a HttpServletRequest object.
    response - a HttpServletResponse object.
    Returns:
    an AuthToken token if the username and password are correct.
    Throws:
    UnauthorizedException - if the username and password do not match any existing user.

    createSessionUserInfo

    protected AuthToken createSessionUserInfo(java.lang.String username,
                                          java.lang.String password,
                                          boolean autoLogin,
                                          javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response)
                                   throws UnauthorizedException
    Concrete subclasses may wish to override this method to create session info as appropriate. For instance, a subclass may override this method to set the appropriate single sign-on cookie.

    Parameters:
    username - the username to create an AuthToken with.
    password - the password to create an AuthToken with.
    autoLogin - whether autoLogin capability is requested or not.
    request - a HttpServletRequest object.
    response - a HttpServletResponse object.
    Returns:
    an AuthToken token if the username and password are correct.
    Throws:
    UnauthorizedException - if the username and password do not match any existing user.

    getUser

    protected User getUser(AuthToken authToken)
                throws UserNotFoundException
    Throws:
    UserNotFoundException

    checkAuthorization

    public static void checkAuthorization(AuthToken authToken,
                                      javax.servlet.http.HttpServletRequest request)
                               throws UnauthorizedException
    Checks if the specified AuthToken is authorized. If the AuthToken is not authorized, this method will throw an UnauthorizedException. An AuthToken that has not been validated or that has been banned from logging into the system will not be authorized. This method can be extended to provide additional AuthToken authorization.

    Parameters:
    authToken - the auth token to check
    request - the current request
    Throws:
    UnauthorizedException - if the auth token is not authorized

    logoutUser

    public static void logoutUser(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response)
    This method is a method for logging a user out and destroying or resetting the appropriate session variables and/or cookies to keep state.

    Parameters:
    request - a HttpServletRequest object.
    response - a HttpServletResponse object.

    getSessionAuthToken

    public static AuthToken getSessionAuthToken(javax.servlet.http.HttpServletRequest request)
    Returns the authToken in the session, if one does not exist an anonymous authToken will be returned.

    Parameters:
    request - The current servlet request.
    Returns:
    The authToken from the session if one exists, else an anonymous authToken.
    Since:
    1.7

    getSessionUser

    public static User getSessionUser(javax.servlet.http.HttpServletRequest request)
    Returns the currently logged in user. Null will be returned if the request is not made by a user with a session.

    Parameters:
    request - The request of the user.
    Returns:
    The request's logged in user, else null if not logged in
    Since:
    1.7

    clearSessionUserInfo

    protected void clearSessionUserInfo(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
    Concrete subclasses may wish to override this method to destroy session info as appropriate. For instance, a subclass may override this method to set the appropriate single sign-on cookie to denote that the user is no longer logged in.

    Parameters:
    request - a HttpServletRequest object.
    response - a HttpServletResponse object.

    destroyAuthFactory

    public static void destroyAuthFactory()
    Method used internally by Jive. Do NOT use this method.

    Allows the class to be re-initialized.

    getAuthenticationProvider

    public AuthenticationProvider getAuthenticationProvider()

    copyLdapConfigToAuthProvider

    public static void copyLdapConfigToAuthProvider()

    copyAuthProviderConfigToLDAP

    public static void copyAuthProviderConfigToLDAP()

    getServerInfoCookieProperty

    protected static java.lang.String getServerInfoCookieProperty(javax.naming.InitialContext ctx,
                                                              java.lang.String property,
                                                              java.lang.String defaultVal)
    This method will see if a property for the jive.server.info cookie is on the initial context under java:comp/env/jive/{myprop} if not found there it will check jive local properties for the property under jive.server.info.{myprop}

    Parameters:
    ctx - used to look up values in the jndi context
    property - The property to lookup
    defaultVal - The default value if no values is found
    Returns:
    The value found

    forceReload

    public static void forceReload()
    Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
    		Clearspace Project Page
     PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
    SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
    Copyright © 1999-2007 Jive Software.