1 //
2 //  ========================================================================
3 //  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4 //  ------------------------------------------------------------------------
5 //  All rights reserved. This program and the accompanying materials
6 //  are made available under the terms of the Eclipse Public License v1.0
7 //  and Apache License v2.0 which accompanies this distribution.
8 //
9 //      The Eclipse Public License is available at
10 //      http://www.eclipse.org/legal/epl-v10.html
11 //
12 //      The Apache License v2.0 is available at
13 //      http://www.opensource.org/licenses/apache2.0.php
14 //
15 //  You may elect to redistribute this code under either of these licenses.
16 //  ========================================================================
17 //
18 
19 
20 package org.eclipse.jetty.security.authentication;
21 
22 import java.io.IOException;
23 import java.io.ObjectInputStream;
24 import java.io.Serializable;
25 
26 import javax.servlet.http.HttpSession;
27 import javax.servlet.http.HttpSessionActivationListener;
28 import javax.servlet.http.HttpSessionBindingEvent;
29 import javax.servlet.http.HttpSessionBindingListener;
30 import javax.servlet.http.HttpSessionEvent;
31 
32 import org.eclipse.jetty.security.LoginService;
33 import org.eclipse.jetty.security.SecurityHandler;
34 import org.eclipse.jetty.server.Authentication;
35 import org.eclipse.jetty.server.UserIdentity;
36 import org.eclipse.jetty.server.UserIdentity.Scope;
37 import org.eclipse.jetty.server.session.AbstractSessionManager;
38 import org.eclipse.jetty.util.log.Log;
39 import org.eclipse.jetty.util.log.Logger;
40 
/**
 * An {@link Authentication.User} that is kept in an {@link HttpSession}.
 * <p>
 * The object is {@link Serializable} so that it survives session passivation and
 * persistence. Only the authentication method, the principal name and the
 * credentials are written out; the {@link UserIdentity} and the owning
 * {@link HttpSession} are {@code transient}. The identity is rebuilt in
 * {@link #readObject(ObjectInputStream)} by logging in again with the stored
 * credentials, and the session reference is recovered from the first session
 * listener callback delivered to this object.
 * <p>
 * NOTE(review): because {@code _credentials} is not transient, whatever credential
 * object was handed to the constructor is written to any session store that
 * serializes this object.
 */
public class SessionAuthentication implements Authentication.User, Serializable, HttpSessionActivationListener, HttpSessionBindingListener
{
    private static final Logger LOG = Log.getLogger(SessionAuthentication.class);

    private static final long serialVersionUID = -4643200685888258706L;

    /**
     * Session attribute name cleared by {@link #logout()}; presumably the key under
     * which the authenticator stores this object — confirm against the authenticator.
     */
    public static final String __J_AUTHENTICATED = "org.eclipse.jetty.security.UserIdentity";

    /** Authentication method name, reported unchanged by {@link #getAuthMethod()}. */
    private final String _method;
    /** Principal name captured at construction; replayed for re-login after deserialization. */
    private final String _name;
    /** Credentials captured at construction; serialized and replayed by {@link #readObject(ObjectInputStream)}. */
    private final Object _credentials;

    /** Not serialized; re-established by {@link #readObject(ObjectInputStream)}. */
    private transient UserIdentity _userIdentity;
    /** Not serialized; set from the first session event this object receives. */
    private transient HttpSession _session;

    /**
     * Creates an authentication result to be stored in a session.
     *
     * @param method the authentication method name
     * @param userIdentity the authenticated identity; its principal name is recorded for re-login
     * @param credentials the credentials that were used; retained (and serialized) for re-login
     * @throws NullPointerException if {@code userIdentity} or its principal is {@code null}
     */
    public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials)
    {
        _method = method;
        _credentials = credentials;
        _userIdentity = userIdentity;
        // Captured eagerly: after deserialization _userIdentity is gone and only the name remains.
        _name = userIdentity.getUserPrincipal().getName();
    }

    /** @return the authentication method name given at construction */
    public String getAuthMethod()
    {
        return _method;
    }

    /** @return the wrapped identity, or whatever {@link #readObject(ObjectInputStream)} obtained on re-login */
    public UserIdentity getUserIdentity()
    {
        return _userIdentity;
    }

    /**
     * Delegates the role check to the wrapped identity.
     *
     * @param scope the scope in which the role is evaluated
     * @param role the role name
     * @return whether the identity holds {@code role} within {@code scope}
     */
    public boolean isUserInRole(Scope scope, String role)
    {
        // UserIdentity takes its arguments in the opposite order: (role, scope).
        UserIdentity identity = _userIdentity;
        return identity.isUserInRole(role, scope);
    }

    /**
     * Restores the transient identity after deserialization by logging in again
     * with the stored name and credentials.
     *
     * @param stream the stream being read
     * @throws IOException from {@link ObjectInputStream#defaultReadObject()}
     * @throws ClassNotFoundException from {@link ObjectInputStream#defaultReadObject()}
     * @throws IllegalStateException if there is no current {@link SecurityHandler}, or it has no
     *         {@link LoginService}; i.e. the object is deserialized outside a context that provides one
     */
    private void readObject(ObjectInputStream stream)
        throws IOException, ClassNotFoundException
    {
        stream.defaultReadObject();

        SecurityHandler handler = SecurityHandler.getCurrentSecurityHandler();
        if (handler == null)
        {
            throw new IllegalStateException("!SecurityHandler");
        }
        LoginService loginService = handler.getLoginService();
        if (loginService == null)
        {
            throw new IllegalStateException("!LoginService");
        }

        // NOTE(review): the result is stored without a null check; if login() reports failure by
        // returning null, a later isUserInRole() would NPE — confirm the LoginService contract.
        _userIdentity = loginService.login(_name, _credentials);
        LOG.debug("Deserialized and relogged in {}", this);
    }

    /**
     * Clears the {@link #__J_AUTHENTICATED} attribute from the bound session (if any)
     * and then performs {@link #doLogout()}.
     * <p>
     * Removing the attribute presumably fires {@link #valueUnbound(HttpSessionBindingEvent)}
     * when this object is the bound value, so {@link #doLogout()} may run twice here.
     */
    public void logout()
    {
        HttpSession session = _session;
        if (session != null)
        {
            if (session.getAttribute(__J_AUTHENTICATED) != null)
                session.removeAttribute(__J_AUTHENTICATED);
        }

        doLogout();
    }

    /**
     * Tells the current {@link SecurityHandler} (if any) to log this user out and drops
     * the {@link AbstractSessionManager#SESSION_KNOWN_ONLY_TO_AUTHENTICATED} marker from
     * the bound session (if any).
     */
    private void doLogout()
    {
        SecurityHandler handler = SecurityHandler.getCurrentSecurityHandler();
        if (handler != null)
        {
            handler.logout(this);
        }
        HttpSession session = _session;
        if (session != null)
        {
            session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
        }
    }

    /** @return the default identity string prefixed with {@code "Session"} */
    @Override
    public String toString()
    {
        return "Session".concat(super.toString());
    }

    /** No-op: the transient fields are simply dropped and rebuilt on activation/deserialization. */
    public void sessionWillPassivate(HttpSessionEvent se)
    {
    }

    /** Records the session this object was activated in, unless one is already known. */
    public void sessionDidActivate(HttpSessionEvent se)
    {
        if (_session != null)
            return;
        _session = se.getSession();
    }

    /** Records the session this object was bound to, unless one is already known. */
    public void valueBound(HttpSessionBindingEvent event)
    {
        if (_session != null)
            return;
        _session = event.getSession();
    }

    /** Being unbound from the session (attribute removal or session end) counts as a logout. */
    public void valueUnbound(HttpSessionBindingEvent event)
    {
        doLogout();
    }

}