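//
//  ========================================================================
//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
//  ------------------------------------------------------------------------
//  All rights reserved. This program and the accompanying materials
//  are made available under the terms of the Eclipse Public License v1.0
//  and Apache License v2.0 which accompanies this distribution.
//
//      The Eclipse Public License is available at
//      http://www.eclipse.org/legal/epl-v10.html
//
//      The Apache License v2.0 is available at
//      http://www.opensource.org/licenses/apache2.0.php
//
//  You may elect to redistribute this code under either of these licenses.
//  ========================================================================
//

package org.eclipse.jetty.security.authentication;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;

import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.UserIdentity.Scope;
import org.eclipse.jetty.server.session.AbstractSessionManager;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/**
 * An authenticated user whose {@link Authentication} is kept in the {@link HttpSession}.
 * <p>
 * The instance is {@link Serializable} so that it can survive session persistence or
 * migration: the authentication method, user name and credentials are written with the
 * session, and {@link #readObject(ObjectInputStream)} re-authenticates against the
 * current {@link SecurityHandler}'s {@link LoginService} to rebuild the transient
 * {@link UserIdentity}. Session listener callbacks are used to learn which session the
 * instance is bound to and to log the user out when it is unbound.
 * <p>
 * NOTE(review): because {@code _credentials} is serialized alongside the session, any
 * persistent or replicated session store holds credential material for logged-in users;
 * confirm that store is protected accordingly.
 */
public class SessionAuthentication implements Authentication.User, Serializable, HttpSessionActivationListener, HttpSessionBindingListener
{
    private static final Logger LOG = Log.getLogger(SessionAuthentication.class);

    private static final long serialVersionUID = -4643200685888258706L;

    /** Session attribute name under which the authentication is expected to be stored; {@link #logout()} removes it. */
    public final static String __J_AUTHENTICATED="org.eclipse.jetty.security.UserIdentity";

    private final String _method;
    private final String _name;
    // Serialized with the session so that readObject can log the user in again.
    private final Object _credentials;

    // Rebuilt on deserialization by re-login; null if that re-login fails.
    private transient UserIdentity _userIdentity;
    // Learned from the first activation/binding event; may stay null if no event was received.
    private transient HttpSession _session;

    /**
     * @param method the authentication method name reported by {@link #getAuthMethod()}
     * @param userIdentity the authenticated identity; its principal name is recorded for re-login
     * @param credentials the credentials used to re-authenticate after deserialization
     */
    public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials)
    {
        _method = method;
        _userIdentity = userIdentity;
        _name=_userIdentity.getUserPrincipal().getName();
        _credentials=credentials;
    }

    @Override
    public String getAuthMethod()
    {
        return _method;
    }

    /**
     * @return the current identity, or {@code null} if deserialization could not re-authenticate the user
     */
    @Override
    public UserIdentity getUserIdentity()
    {
        return _userIdentity;
    }

    /**
     * Delegates the role check to the identity.
     *
     * @return {@code false} when no identity is available (re-login failed after deserialization),
     *         so a stale session fails closed instead of throwing a NullPointerException
     */
    @Override
    public boolean isUserInRole(Scope scope, String role)
    {
        if (_userIdentity==null)
            return false;
        return _userIdentity.isUserInRole(role, scope);
    }

    /**
     * Restores the transient identity by logging in again with the stored name and credentials.
     *
     * @throws IllegalStateException if there is no current {@link SecurityHandler} or it has no {@link LoginService}
     * @throws IOException from {@link ObjectInputStream#defaultReadObject()}
     * @throws ClassNotFoundException from {@link ObjectInputStream#defaultReadObject()}
     */
    private void readObject(ObjectInputStream stream)
        throws IOException, ClassNotFoundException
    {
        stream.defaultReadObject();

        SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
        if (security==null)
            throw new IllegalStateException("!SecurityHandler");
        LoginService login_service=security.getLoginService();
        if (login_service==null)
            throw new IllegalStateException("!LoginService");

        _userIdentity=login_service.login(_name,_credentials);
        // A failed login leaves _userIdentity null; say so rather than claiming a successful re-login.
        if (_userIdentity==null)
            LOG.warn("Re-login of {} failed after deserialization",_name);
        else
            LOG.debug("Deserialized and relogged in {}",this);
    }

    /**
     * Removes this authentication from the session (if known) and logs the user out.
     */
    @Override
    public void logout()
    {
        if (_session!=null && _session.getAttribute(__J_AUTHENTICATED)!=null)
            _session.removeAttribute(__J_AUTHENTICATED);

        doLogout();
    }

    /** Notifies the current SecurityHandler of the logout and clears the authenticated-only session marker. */
    private void doLogout()
    {
        SecurityHandler security=SecurityHandler.getCurrentSecurityHandler();
        if (security!=null)
            security.logout(this);
        if (_session!=null)
            _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
    }

    @Override
    public String toString()
    {
        return "Session"+super.toString();
    }

    /** Nothing to do before passivation; the serializable fields are already in place. */
    @Override
    public void sessionWillPassivate(HttpSessionEvent se)
    {

    }

    /** Records the session this authentication was activated in, if not already known. */
    @Override
    public void sessionDidActivate(HttpSessionEvent se)
    {
        if (_session==null)
        {
            _session=se.getSession();
        }
    }

    /** Records the session this authentication was bound to, if not already known. */
    @Override
    public void valueBound(HttpSessionBindingEvent event)
    {
        if (_session==null)
        {
            _session=event.getSession();
        }
    }

    /** Being removed from the session (or the session being invalidated) logs the user out. */
    @Override
    public void valueUnbound(HttpSessionBindingEvent event)
    {
        doLogout();
    }

}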