Package org.openbravo.authentication
Class AuthenticationManager
- java.lang.Object
  - org.openbravo.authentication.AuthenticationManager
- Direct Known Subclasses:
AutologonAuthenticationManager, DefaultAuthenticationManager
public abstract class AuthenticationManager extends Object
- Author:
- adrianromero, iperdomo
-
Nested Class Summary
static interface AuthenticationManager.Stateless
- To annotate a certain webservice/service as being stateless, i.e.
protected class AuthenticationManager.UserLoginInfo
- A class used to keep and recover the login credentials (user and password)
-
Field Summary
protected ConnectionProvider conn
protected String defaultServletUrl
protected static String FAILED_SESSION
protected String localAdress
protected static String LOGIN_PARAM
protected static ThreadLocal<String> loginName
protected static String PASSWORD_PARAM
static String STATELESS_REQUEST_PARAMETER
-
Constructor Summary
AuthenticationManager()
AuthenticationManager(javax.servlet.http.HttpServlet s)
-
Method Summary
String authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Used in the service method of the HttpSecureAppServlet to know if the request is authenticated or not.
protected void bdErrorAjax(javax.servlet.http.HttpServletResponse response, String strType, String strTitle, String strText)
protected String checkUserPassword(String userName, String password)
- Method that checks the validity of the user and password.
String connectorAuthenticate(String user, String password)
- Authentication for approved connectors.
String connectorAuthenticate(javax.servlet.http.HttpServletRequest request)
- Authentication for approved connectors.
protected String createDBSession(javax.servlet.http.HttpServletRequest req, String strUser, String strUserAuth)
protected String createDBSession(javax.servlet.http.HttpServletRequest req, String strUser, String strUserAuth, String successSessionType)
protected AuthenticationManager.UserLoginInfo decodeBasicAuthenticationData(javax.servlet.http.HttpServletRequest request)
- Retrieves the login credentials (user and password) from the basic authentication present in a HttpServletRequest.
protected abstract String doAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Called from the authenticate method makes the necessary processing to check if the request is authenticated or not.
protected abstract void doLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Method called from the logout method after clearing all session attributes.
protected String doWebServiceAuthenticate(String user, String password)
- Authentication used by web services and connectors.
protected String doWebServiceAuthenticate(javax.servlet.http.HttpServletRequest request)
- Authentication used by web services and connectors.
static AuthenticationManager getAuthenticationManager(javax.servlet.http.HttpServlet s)
- Returns an instance of AuthenticationManager subclass, based on the authentication.class property in Openbravo.properties
String getLoginURL(javax.servlet.http.HttpServletRequest request)
- Returns the URL that displays the login window (request for user/password)
void init(javax.servlet.http.HttpServlet s)
static boolean isStatelessRequest(javax.servlet.http.HttpServletRequest request)
- Is used to determine if the request is a stateless request.
static boolean isStatelessService(Class<?> clz)
- Returns true if the passed class has the Stateless annotation
void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Clears all session attributes and calls the doLogout method
protected void markRequestAsSelfAuthenticated(javax.servlet.http.HttpServletRequest request)
- Utility method to mark that the current request has authentication data used to authenticate this particular request
protected void updateDBSession(String sessionId, boolean sessionActive, String status)
boolean useExternalLoginPage()
- This method can be overridden by those subclasses that expect to retrieve the authentication result from an external login page.
String webServiceAuthenticate(String user, String password)
- Authentication for web services and external services.
String webServiceAuthenticate(javax.servlet.http.HttpServletRequest request)
- Authentication for web services and external services.
-
Field Detail
-
FAILED_SESSION
protected static final String FAILED_SESSION
- See Also:
- Constant Field Values
-
LOGIN_PARAM
protected static final String LOGIN_PARAM
- See Also:
- Constant Field Values
-
PASSWORD_PARAM
protected static final String PASSWORD_PARAM
- See Also:
- Constant Field Values
-
STATELESS_REQUEST_PARAMETER
public static final String STATELESS_REQUEST_PARAMETER
- See Also:
- Constant Field Values
-
conn
protected ConnectionProvider conn
-
defaultServletUrl
protected String defaultServletUrl
-
localAdress
protected String localAdress
-
loginName
protected static ThreadLocal<String> loginName
-
-
Constructor Detail
-
AuthenticationManager
public AuthenticationManager()
-
AuthenticationManager
public AuthenticationManager(javax.servlet.http.HttpServlet s) throws AuthenticationException
- Throws:
AuthenticationException
-
-
Method Detail
-
isStatelessRequest
public static boolean isStatelessRequest(javax.servlet.http.HttpServletRequest request)
Is used to determine if the request is a stateless request. A stateless request does not create a httpsession. This also means that no preferences or other information is present. Stateless requests should normally be used only for relatively simple logic. A request is stateless if it has a parameter stateless=true or an attribute stateless with the string value "true".
- Parameters:
request
- Returns:
- true if this is a stateless request
-
isStatelessService
public static boolean isStatelessService(Class<?> clz)
Returns true if the passed class has the Stateless annotation
-
getAuthenticationManager
public static final AuthenticationManager getAuthenticationManager(javax.servlet.http.HttpServlet s)
Returns an instance of AuthenticationManager subclass, based on the authentication.class property in Openbravo.properties
-
bdErrorAjax
protected void bdErrorAjax(javax.servlet.http.HttpServletResponse response, String strType, String strTitle, String strText) throws IOException
- Throws:
IOException
-
init
public void init(javax.servlet.http.HttpServlet s) throws AuthenticationException
- Throws:
AuthenticationException
-
authenticate
public final String authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, javax.servlet.ServletException, IOException
Used in the service method of the HttpSecureAppServlet to know if the request is authenticated or not. This method calls the doAuthenticate that makes the actual checks and could be easily extended by sub-classes. Returns the user id if the user is already logged in or null if not authenticated.
- Parameters:
request
- HTTP request object to handle parameters and session attributes
response
- HTTP response object to handle possible redirects
- Returns:
- the value of AD_User_ID if the user is already authenticated or null if not
- Throws:
AuthenticationException
javax.servlet.ServletException
IOException
-
getLoginURL
public String getLoginURL(javax.servlet.http.HttpServletRequest request)
Returns the URL that displays the login window (request for user/password)
-
webServiceAuthenticate
public final String webServiceAuthenticate(javax.servlet.http.HttpServletRequest request) throws AuthenticationException
Authentication for web services and external services. All authenticated requests not using the standard UI *MUST* use this authentication or webServiceAuthenticate(String, String).
- Parameters:
request
- HTTP request object to handle parameters and session attributes
- Returns:
- the value of AD_User_ID if the user is already authenticated or null if not
- Throws:
AuthenticationException
- in case of an authentication error different than incorrect user/password (which just returns null)
-
webServiceAuthenticate
public final String webServiceAuthenticate(String user, String password) throws AuthenticationException
Authentication for web services and external services. All authenticated requests not using the standard UI *MUST* use this authentication or webServiceAuthenticate(HttpServletRequest). This one is intended for authentications for non standard REST web services (such as SOAP).
- Parameters:
user
- User name to authenticate
password
- Password to validate user
- Returns:
- the value of AD_User_ID if the user is already authenticated or null if not
- Throws:
AuthenticationException
- in case of an authentication error different than incorrect user/password (which just returns null)
-
connectorAuthenticate
public final String connectorAuthenticate(javax.servlet.http.HttpServletRequest request) throws AuthenticationException
Authentication for approved connectors. Only authorized connectors are allowed to use this authentication.
- Parameters:
request
- HTTP request object to handle parameters and session attributes
- Returns:
- the value of AD_User_ID if the user is already authenticated or null if not
- Throws:
AuthenticationException
- in case of an authentication error different than incorrect user/password (which just returns null)
-
connectorAuthenticate
public final String connectorAuthenticate(String user, String password) throws AuthenticationException
Authentication for approved connectors. Only authorized connectors are allowed to use this authentication.
- Parameters:
user
- User name to authenticate
password
- Password to validate user
- Returns:
- the value of AD_User_ID if the user is already authenticated or null if not
- Throws:
AuthenticationException
- in case of an authentication error different than incorrect user/password (which just returns null)
-
logout
public final void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException
Clears all session attributes and calls the doLogout method
- Throws:
javax.servlet.ServletException
IOException
-
doAuthenticate
protected abstract String doAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, javax.servlet.ServletException, IOException
Called from the authenticate method; makes the necessary processing to check if the request is authenticated or not. The simplest way is to check whether the #Authenticated_user session attribute is present and return it.
- Parameters:
request
- HTTP request object, used for handling parameters and session attributes
response
- Returns:
- The user id (AD_User_ID) if the request is already authenticated or the authentication process succeeded
- null if the request is not authenticated or authentication process failed (e.g. wrong password)
- Throws:
AuthenticationException
javax.servlet.ServletException
IOException
- See Also:
DefaultAuthenticationManager
-
doWebServiceAuthenticate
protected String doWebServiceAuthenticate(javax.servlet.http.HttpServletRequest request)
Authentication used by web services and connectors. This authentication can be overridden by subclasses. By default it looks for user and password parameters in the request; if they are not present, Basic authentication is performed.
- Parameters:
request
- HTTP request object, used for handling parameters and session attributes
- Returns:
- The user id (AD_User_ID) if the request is already authenticated or the authentication process succeeded
- null if the request is not authenticated or authentication process failed (e.g. wrong password)
-
markRequestAsSelfAuthenticated
protected void markRequestAsSelfAuthenticated(javax.servlet.http.HttpServletRequest request)
Utility method to mark that the current request has authentication data used to authenticate this particular request
- Parameters:
request
- the request to be marked as self-authenticated
-
decodeBasicAuthenticationData
protected final AuthenticationManager.UserLoginInfo decodeBasicAuthenticationData(javax.servlet.http.HttpServletRequest request)
Retrieves the login credentials (user and password) from the basic authentication present in a HttpServletRequest.
- Parameters:
request
- the HttpServletRequest that contains the basic authentication credentials
- Returns:
- a UserLoginInfo that contains the decoded credentials (user and password) or null if it is not possible to retrieve the credentials.
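The decoding that decodeBasicAuthenticationData describes, as an added example that is not Openbravo's implementation: `BasicAuthDecoder` and `Credentials` are hypothetical names, the raw Authorization header value is passed in as a String, and UTF-8 is assumed for the decoded bytes. Like the documented method, it returns null whenever the credentials cannot be retrieved.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not Openbravo source. Class names here are hypothetical.
public class BasicAuthDecoder {
  /** Hypothetical stand-in for AuthenticationManager.UserLoginInfo. */
  static final class Credentials {
    final String user;
    final String password;
    Credentials(String user, String password) {
      this.user = user;
      this.password = password;
    }
  }

  /** Returns the decoded credentials, or null when the header cannot be decoded. */
  static Credentials decode(String authorizationHeader) {
    String header = authorizationHeader == null ? "" : authorizationHeader.trim();
    // The authentication scheme name is case-insensitive.
    if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
      return null; // header missing, or a different scheme such as Bearer
    }
    byte[] raw;
    try {
      raw = Base64.getDecoder().decode(header.substring(6).trim());
    } catch (IllegalArgumentException e) {
      return null; // payload is not valid Base64
    }
    // Assumption: credentials are UTF-8 encoded.
    String userPass = new String(raw, StandardCharsets.UTF_8);
    // Split on the first colon only: the password may itself contain colons.
    int sep = userPass.indexOf(':');
    if (sep <= 0) {
      return null; // no separator, or empty user name
    }
    return new Credentials(userPass.substring(0, sep), userPass.substring(sep + 1));
  }

  public static void main(String[] args) {
    // Constructed sample header: lower-case scheme, password containing a colon.
    String sample = "basic "
        + Base64.getEncoder().encodeToString("demo:pa:ss".getBytes(StandardCharsets.UTF_8));
    Credentials c = decode(sample);
    System.out.println(c.user + " / password length " + c.password.length());
    System.out.println(decode("Bearer abc") == null);
    System.out.println(decode("Basic !!!") == null);
  }
}
```

The sample prints only the password length, so the decoded secret never reaches console output or logs.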
-
doWebServiceAuthenticate
protected String doWebServiceAuthenticate(String user, String password)
Authentication used by web services and connectors. This authentication can be overridden by subclasses. By default it looks for user and password parameters in the request; if they are not present, Basic authentication is performed.
- Parameters:
user
- A String with the user name
password
- A String with the password of the user
- Returns:
- The user id (AD_User_ID) if the request is already authenticated or the authentication process succeeded
- null if the request is not authenticated or authentication process failed (e.g. wrong password)
-
checkUserPassword
protected String checkUserPassword(String userName, String password) throws AuthenticationException
Method that checks the validity of the user and password. By default it checks against the AD_User table. It can be overridden by custom authentications in case the passwords are not stored in the same table.
- Parameters:
userName
- the username used to login.
password
- the unhashed password as it is entered by the user.
- Returns:
- the User ID of the AD_User table related to the username or null in case of invalid user/password.
- Throws:
AuthenticationException
- in case there is any error checking the user and password
-
doLogout
protected abstract void doLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws javax.servlet.ServletException, IOException
Method called from the logout method after clearing all session attributes. The usual process is to redirect the user to the login page
- Parameters:
request
- HTTP request object
response
- HTTP response object
- Throws:
javax.servlet.ServletException
IOException
-
createDBSession
protected final String createDBSession(javax.servlet.http.HttpServletRequest req, String strUser, String strUserAuth)
-
createDBSession
protected final String createDBSession(javax.servlet.http.HttpServletRequest req, String strUser, String strUserAuth, String successSessionType)
-
updateDBSession
protected final void updateDBSession(String sessionId, boolean sessionActive, String status)
-
useExternalLoginPage
public boolean useExternalLoginPage()
This method can be overridden by those subclasses that expect to retrieve the authentication result from an external login page.
- Returns:
- true if the authentication result is retrieved from an external login page. Otherwise, return false which is the value returned by default.