Class AuthenticationManager

    • Method Detail

      • isStatelessRequest

        public static boolean isStatelessRequest​(javax.servlet.http.HttpServletRequest request)
        Determines whether the request is a stateless request. A stateless request does not create an HttpSession, which also means that no preferences or other information are present. Stateless requests should normally be used only for relatively simple logic. A request is stateless if it has a parameter stateless=true or an attribute stateless with the string value "true".
        Parameters:
        request -
        Returns:
        true if this is a stateless request
      • isStatelessService

        public static boolean isStatelessService​(Class<?> clz)
        Returns true if the passed class has the Stateless annotation
      • getAuthenticationManager

        public static final AuthenticationManager getAuthenticationManager​(javax.servlet.http.HttpServlet s)
        Returns an instance of AuthenticationManager subclass, based on the authentication.class property in Openbravo.properties
      • authenticate

        public final String authenticate​(javax.servlet.http.HttpServletRequest request,
                                         javax.servlet.http.HttpServletResponse response)
                                  throws AuthenticationException,
                                         javax.servlet.ServletException,
                                         IOException
        Used in the service method of the HttpSecureAppServlet to determine whether the request is authenticated. This method calls doAuthenticate, which makes the actual checks and can easily be extended by subclasses. Returns the user id if the user is already logged in, or null if the user is not authenticated.
        Parameters:
        request - HTTP request object to handle parameters and session attributes
        response - HTTP response object to handle possible redirects
        Returns:
        the value of AD_User_ID if the user is already authenticated or null if not
        Throws:
        AuthenticationException
        javax.servlet.ServletException
        IOException
      • getLoginURL

        public String getLoginURL​(javax.servlet.http.HttpServletRequest request)
        Returns the URL that displays the login window (request for user/password)
      • webServiceAuthenticate

        public final String webServiceAuthenticate​(javax.servlet.http.HttpServletRequest request)
                                            throws AuthenticationException
        Authentication for web services and external services. All authenticated requests not using the standard UI *MUST* use this authentication or webServiceAuthenticate(String, String).
        Parameters:
        request - HTTP request object to handle parameters and session attributes
        Returns:
        the value of AD_User_ID if the user is already authenticated or null if not
        Throws:
        AuthenticationException - in case of an authentication error different than incorrect user/password (which just returns null)
      • webServiceAuthenticate

        public final String webServiceAuthenticate​(String user,
                                                   String password)
                                            throws AuthenticationException
        Authentication for web services and external services. All authenticated requests not using the standard UI *MUST* use this authentication or webServiceAuthenticate(HttpServletRequest). This variant is intended for authenticating web services other than standard REST ones (such as SOAP).
        Parameters:
        user - User name to authenticate
        password - Password to validate user
        Returns:
        the value of AD_User_ID if the user is already authenticated or null if not
        Throws:
        AuthenticationException - in case of an authentication error different than incorrect user/password (which just returns null)
      • connectorAuthenticate

        public final String connectorAuthenticate​(javax.servlet.http.HttpServletRequest request)
                                           throws AuthenticationException
        Authentication for approved connectors. Only authorized connectors are allowed to use this authentication.
        Parameters:
        request - HTTP request object to handle parameters and session attributes
        Returns:
        the value of AD_User_ID if the user is already authenticated or null if not
        Throws:
        AuthenticationException - in case of an authentication error different than incorrect user/password (which just returns null)
      • connectorAuthenticate

        public final String connectorAuthenticate​(String user,
                                                  String password)
                                           throws AuthenticationException
        Authentication for approved connectors. Only authorized connectors are allowed to use this authentication.
        Parameters:
        user - User name to authenticate
        password - Password to validate user
        Returns:
        the value of AD_User_ID if the user is already authenticated or null if not
        Throws:
        AuthenticationException - in case of an authentication error different than incorrect user/password (which just returns null)
      • logout

        public final void logout​(javax.servlet.http.HttpServletRequest request,
                                 javax.servlet.http.HttpServletResponse response)
                          throws javax.servlet.ServletException,
                                 IOException
        Clears all session attributes and calls the doLogout method
        Throws:
        javax.servlet.ServletException
        IOException
      • doAuthenticate

        protected abstract String doAuthenticate​(javax.servlet.http.HttpServletRequest request,
                                                 javax.servlet.http.HttpServletResponse response)
                                          throws AuthenticationException,
                                                 javax.servlet.ServletException,
                                                 IOException
        Called from the authenticate method. Performs the processing needed to check whether the request is authenticated. The simplest check is to test whether the #Authenticated_user session attribute is present and, if so, return it.
        Parameters:
        request - HTTP request object, used for handling parameters and session attributes
        response -
        Returns:
        • The user id (AD_User_ID) if the request is already authenticated or the authentication process succeeded
        • null if the request is not authenticated or authentication process failed (e.g. wrong password)
        Throws:
        AuthenticationException
        javax.servlet.ServletException
        IOException
        See Also:
        DefaultAuthenticationManager
      • doWebServiceAuthenticate

        protected String doWebServiceAuthenticate​(javax.servlet.http.HttpServletRequest request)
        Authentication used by web services and connectors. This authentication can be overridden by subclasses. By default it looks for user and password parameters in the request; if they are not present, Basic authentication is performed.
        Parameters:
        request - HTTP request object, used for handling parameters and session attributes
        Returns:
        • The user id (AD_User_ID) if the request is already authenticated or the authentication process succeeded
        • null if the request is not authenticated or authentication process failed (e.g. wrong password)
      • markRequestAsSelfAuthenticated

        protected void markRequestAsSelfAuthenticated​(javax.servlet.http.HttpServletRequest request)
        Utility method to mark that the current request has authentication data used to authenticate this particular request
        Parameters:
        request - the request to be marked as self-authenticated
      • decodeBasicAuthenticationData

        protected final AuthenticationManager.UserLoginInfo decodeBasicAuthenticationData​(javax.servlet.http.HttpServletRequest request)
        Retrieves the login credentials (user and password) from the Basic authentication data present in an HttpServletRequest.
        Parameters:
        request - the HttpServletRequest that contains the basic authentication credentials
        Returns:
        a UserLoginInfo that contains the decoded credentials (user and password), or null if it is not possible to retrieve the credentials.
      • doWebServiceAuthenticate

        protected String doWebServiceAuthenticate​(String user,
                                                  String password)
        Authentication used by web services and connectors. This authentication can be overridden by subclasses. By default it looks for user and password parameters in the request; if they are not present, Basic authentication is performed.
        Parameters:
        user - A String with the user name
        password - A String with the password of the user
        Returns:
        • The user id (AD_User_ID) if the request is already authenticated or the authentication process succeeded
        • null if the request is not authenticated or authentication process failed (e.g. wrong password)
      • checkUserPassword

        protected String checkUserPassword​(String userName,
                                           String password)
                                    throws AuthenticationException
        Method that checks the validity of the user and password. By default it checks against the AD_User table. It can be overridden by custom authentications in case the passwords are not stored in the same table.
        Parameters:
        userName - the username used to login.
        password - the unhashed password as it is entered by the user.
        Returns:
        the User ID of the AD_User table related to the username or null in case of invalid user/password.
        Throws:
        AuthenticationException - in case there is any error checking the user and password
      • doLogout

        protected abstract void doLogout​(javax.servlet.http.HttpServletRequest request,
                                         javax.servlet.http.HttpServletResponse response)
                                  throws javax.servlet.ServletException,
                                         IOException
        Method called from the logout method after clearing all session attributes. The usual process is to redirect the user to the login page.
        Parameters:
        request - HTTP request object
        response - HTTP response object
        Throws:
        javax.servlet.ServletException
        IOException
      • createDBSession

        protected final String createDBSession​(javax.servlet.http.HttpServletRequest req,
                                               String strUser,
                                               String strUserAuth)
      • createDBSession

        protected final String createDBSession​(javax.servlet.http.HttpServletRequest req,
                                               String strUser,
                                               String strUserAuth,
                                               String successSessionType)
      • updateDBSession

        protected final void updateDBSession​(String sessionId,
                                             boolean sessionActive,
                                             String status)
      • useExternalLoginPage

        public boolean useExternalLoginPage()
        This method can be overridden by those subclasses that expect to retrieve the authentication result from an external login page.
        Returns:
        true if the authentication result is retrieved from an external login page; otherwise false, which is the value returned by default.
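
The default credential lookup described for doWebServiceAuthenticate (request parameters first, then Basic authentication) and the null-on-failure contract of decodeBasicAuthenticationData can be illustrated with the following added example. It is not Openbravo's code: the class, the `Login` record, the parameter names `user` and `password`, and the UTF-8 decoding are assumptions made for the illustration, and the request is modelled as a parameter map plus an Authorization header string so that it runs without the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

// Added illustration, not Openbravo source code.
public class CredentialResolutionExample {
  // Hypothetical stand-in for AuthenticationManager.UserLoginInfo (record: Java 16+).
  record Login(String user, String password) {}

  // Decodes an "Authorization: Basic <base64(user:password)>" header value.
  // Returns null whenever the credentials cannot be retrieved.
  static Login decodeBasic(String header) {
    if (header == null) return null;                        // no header sent
    String[] parts = header.trim().split("\\s+", 2);
    if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
      return null;                                          // other scheme, e.g. Bearer
    }
    byte[] raw;
    try {
      raw = Base64.getDecoder().decode(parts[1].trim());
    } catch (IllegalArgumentException e) {
      return null;                                          // payload is not valid Base64
    }
    String decoded = new String(raw, StandardCharsets.UTF_8); // charset is an assumption
    int colon = decoded.indexOf(':');   // first colon only: a password may contain ':'
    if (colon <= 0) return null;        // no separator, or empty user name
    return new Login(decoded.substring(0, colon), decoded.substring(colon + 1));
  }

  // Lookup order from the description: explicit parameters win, Basic is the fallback.
  // The parameter names "user" and "password" are assumed for this example.
  static Login resolve(Map<String, String> params, String authorizationHeader) {
    String user = params.get("user");
    String password = params.get("password");
    if (user != null && password != null) return new Login(user, password);
    return decodeBasic(authorizationHeader);
  }

  public static void main(String[] args) {
    // Constructed sample inputs.
    String basic = "Basic " + Base64.getEncoder()
        .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
    System.out.println(resolve(Map.of(), basic));                // header only
    System.out.println(resolve(Map.of("user", "bob", "password", "pw"), basic)); // params win
    System.out.println(resolve(Map.of(), "Bearer abc"));         // wrong scheme
    System.out.println(resolve(Map.of(), "Basic !!!"));          // malformed Base64
    System.out.println(resolve(Map.of("user", "bob"), null));    // incomplete params, no header
  }
}
```

Every failure path returns null rather than throwing, matching the documented "null if it is not possible to retrieve the credentials" behaviour. Credentials passed as URL query parameters are commonly recorded in access logs, which is a reason for clients to prefer the Authorization header.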