Clearspace API (1.7.0) Core Javadocs

com.jivesoftware.base
Class AuthFactory

java.lang.Object
  extended by com.jivesoftware.base.AuthFactory

public abstract class AuthFactory
extends java.lang.Object

An abstract class that defines a framework for providing authentication services in Jive. The static getAuthToken(String, String), getAuthToken(HttpServletRequest, HttpServletResponse), and getAnonymousAuthToken() methods should be called directly from applications using Jive in order to obtain an AuthToken.

Users of Jive that wish to change the AuthFactory implementation used to generate tokens can set the AuthFactory.className Jive property. For example, if you have altered Jive to use LDAP for user information, you'd want to write a custom implementation of AuthFactory to make LDAP authToken queries. After changing the AuthFactory.className Jive property, you must restart your application server.

The getAuthToken method that takes servlet request and response objects as arguments can be used to implement single sign-on. Additionally, two helper methods, encryptAuthInfo and decryptAuthInfo, are provided for encrypting and decrypting login information so that it can be stored as a cookie value to implement auto-login. Note that the decrypted value contains the user's password in the clear, so the auto-login cookie must be protected as carefully as the credentials themselves.
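The request-scoped lookup the class description outlines, written as an added servlet filter that is not part of Clearspace or these Javadocs: it resolves the caller's AuthToken once per request through the static methods documented on this page, falls back to an anonymous token, applies checkAuthorization, and caches the result under SESSION_AUTHORIZATION. The class name JiveAuthFilter and the request attribute name "jive.authToken" are this example's own choices, and AuthToken and UnauthorizedException are assumed to live in com.jivesoftware.base alongside AuthFactory.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.jivesoftware.base.AuthFactory;
import com.jivesoftware.base.AuthToken;
import com.jivesoftware.base.UnauthorizedException;

// Added example, not part of Clearspace: resolves the caller's AuthToken once per
// request through the static AuthFactory API. The class name and the request
// attribute name are this example's own choices.
public class JiveAuthFilter implements Filter {

    /** Request attribute under which the resolved token is exposed to servlets and JSPs. */
    public static final String REQUEST_ATTR = "jive.authToken";

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        AuthToken token;
        boolean authenticated;
        try {
            // Default lookup order: the AuthToken cached under SESSION_AUTHORIZATION,
            // then the COOKIE_AUTOLOGIN cookie. Throws if neither yields a
            // non-anonymous token, so a token returned here belongs to a real user.
            token = AuthFactory.getAuthToken(request, response);
            authenticated = true;
        } catch (UnauthorizedException e) {
            token = AuthFactory.getAnonymousAuthToken();
            authenticated = false;
        }

        if (authenticated) {
            try {
                // A token for an unvalidated or banned account must not be trusted.
                AuthFactory.checkAuthorization(token, request);
            } catch (UnauthorizedException e) {
                // Clear session state and the auto-login cookie so the rejected
                // credentials are not replayed on every request, then continue
                // as an anonymous caller.
                AuthFactory.logoutUser(request, response);
                token = AuthFactory.getAnonymousAuthToken();
                authenticated = false;
            }
        }

        if (authenticated) {
            // Cache the token where Jive conventionally keeps it. Anonymous callers
            // get no session created for them.
            request.getSession(true).setAttribute(AuthFactory.SESSION_AUTHORIZATION, token);
        }
        request.setAttribute(REQUEST_ATTR, token);
        chain.doFilter(request, response);
    }
}
```

Map the filter to /* in web.xml so every servlet and JSP behind it can read the token from the request attribute (or call getSessionUser(request)) without repeating the lookup. The explicit checkAuthorization call is deliberate: a cached session token or an old auto-login cookie can outlive a ban, and the filter is the one place that decision is made.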


Nested Class Summary
static class AuthFactory.SystemAuthToken
           
 
Field Summary
static long ANONYMOUS_USER_ID
          Defines the id used for anonymous users.
static java.lang.String AUTH_PROVIDER_KEY
           
protected static com.jivesoftware.util.EncryptionUtil cipher
           
static java.lang.String COOKIE_AUTOLOGIN
          Name of the cookie used to store user info for auto-login purposes.
static java.lang.String KEY_AUTO_LOGIN
          Name of the user property key that stores the random key used for auto-login.
static java.lang.String KEY_LAST_LOGGED_IN
          Name of the user property key used to store the last logged in date of a user
static java.lang.String SESSION_AUTHORIZATION
          Name of the key in a user's session that AuthToken tokens are customarily stored at.
 
Constructor Summary
AuthFactory()
           
 
Method Summary
static void checkAuthorization(AuthToken authToken, javax.servlet.http.HttpServletRequest request)
          Checks if the specified AuthToken is authorized.
protected  void clearSessionUserInfo(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Concrete subclasses may wish to override this method to destroy session info as appropriate.
static void copyAuthProviderConfigToLDAP()
           
static void copyLdapConfigToAuthProvider()
           
protected  AuthToken createAnonymousAuthToken()
          Creates anonymous AuthToken tokens.
protected  AuthToken createAuthToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Creates AuthToken tokens based on information from servlet request and response objects.
protected  AuthToken createAuthToken(java.lang.String username, java.lang.String password)
          Creates AuthToken tokens based on a username and password.
protected  AuthToken createSessionUserInfo(java.lang.String username, java.lang.String password, boolean autoLogin, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Concrete subclasses may wish to override this method to create session info as appropriate.
static java.lang.String[] decryptAuthInfo(java.lang.String value)
          Utility method that decrypts a String built by the encryptAuthInfo method containing a username and password.
static void destroyAuthFactory()
          Method used internally by Jive.
static java.lang.String encryptAuthInfo(java.lang.String username, java.lang.String password)
          Utility method that builds an encrypted String containing a username and password, which is useful for storing as a cookie.
static void forceReload()
           
static AuthToken getAnonymousAuthToken()
          Returns an anonymous user AuthToken.
 com.jivesoftware.spi.user.AuthenticationProvider getAuthenticationProvider()
           
static AuthToken getAuthToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Returns the AuthToken token associated with the information in a servlet request and response object.
static AuthToken getAuthToken(java.lang.String username, java.lang.String password)
          Returns the AuthToken token associated with the specified username and password.
static AuthToken getSessionAuthToken(javax.servlet.http.HttpServletRequest request)
          Returns the AuthToken stored in the session; if none exists, an anonymous AuthToken is returned.
static User getSessionUser(javax.servlet.http.HttpServletRequest request)
          Returns the currently logged in user.
static AuthToken getSystemAuthToken()
           
static AuthToken loginUser(java.lang.String username, java.lang.String password, boolean autoLogin, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Logs a user in and creates the appropriate session variables and/or cookies to keep state.
static void logoutUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Logs a user out and destroys or resets the appropriate session variables and/or cookies.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ANONYMOUS_USER_ID

public static final long ANONYMOUS_USER_ID
Defines the id used for anonymous users.

See Also:
Constant Field Values

SESSION_AUTHORIZATION

public static final java.lang.String SESSION_AUTHORIZATION
Name of the key in a user's session that AuthToken tokens are customarily stored at.

See Also:
Constant Field Values

COOKIE_AUTOLOGIN

public static final java.lang.String COOKIE_AUTOLOGIN
Name of the cookie used to store user info for auto-login purposes.

See Also:
Constant Field Values

KEY_LAST_LOGGED_IN

public static final java.lang.String KEY_LAST_LOGGED_IN
Name of the user property key used to store the last logged in date of a user

See Also:
Constant Field Values

KEY_AUTO_LOGIN

public static final java.lang.String KEY_AUTO_LOGIN
Name of the user property key that stores the random key used for auto-login.

See Also:
Constant Field Values

AUTH_PROVIDER_KEY

public static final java.lang.String AUTH_PROVIDER_KEY
See Also:
Constant Field Values

cipher

protected static com.jivesoftware.util.EncryptionUtil cipher

Constructor Detail

AuthFactory

public AuthFactory()

Method Detail

getAuthToken

public static AuthToken getAuthToken(java.lang.String username,
                                     java.lang.String password)
                              throws UnauthorizedException
Returns the AuthToken token associated with the specified username and password. If the username and password do not match the record of any user in the system, the method throws an UnauthorizedException.

When using most implementations of this class, authToken tokens should be cached. A convenient place to store a token is often in the HttpSession.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

getAuthToken

public static AuthToken getAuthToken(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
                              throws UnauthorizedException
Returns the AuthToken token associated with the information in a servlet request and response object. This is useful for systems that store login information in a user's session or as a cookie, and can also be used to implement single sign-on in Jive. If no authentication information is found, the method throws an UnauthorizedException.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
the AuthToken token associated with the information in a servlet request and response object.
Throws:
UnauthorizedException - if no authToken information is found.

getAnonymousAuthToken

public static AuthToken getAnonymousAuthToken()
Returns an anonymous user AuthToken.

Returns:
an anonymous AuthToken token.

getSystemAuthToken

public static AuthToken getSystemAuthToken()

encryptAuthInfo

public static java.lang.String encryptAuthInfo(java.lang.String username,
                                               java.lang.String password)
Utility method that builds an encrypted String containing a username and password, which is useful for storing as a cookie. The value is encrypted with a 56-bit DES key. DES is no longer considered a strong cipher (its 56-bit key space has been exhaustively searched in practice since 1998), and the plaintext it protects here is the user's password itself, so the cookie should be issued only over HTTPS, given a bounded lifetime, and treated as equivalent to the credentials it contains. The standard cookie name used by Jive for this information is stored in AuthFactory.COOKIE_AUTOLOGIN.

Parameters:
username - the username to encode.
password - the password to encode.
Returns:
an encrypted String containing the input parameters.

decryptAuthInfo

public static java.lang.String[] decryptAuthInfo(java.lang.String value)
                                          throws javax.crypto.IllegalBlockSizeException
Utility method that decrypts a String built by the encryptAuthInfo method containing a username and password. The value is decrypted with the same 56-bit DES key that encryptAuthInfo uses; see that method for the limitations of DES. The standard cookie name used by Jive for this information is stored in AuthFactory.COOKIE_AUTOLOGIN.

Parameters:
value - the encrypted String.
Returns:
String[] containing the username at index 0 and the password at index 1, or { null, null } if value equals null or the empty string.
Throws:
javax.crypto.IllegalBlockSizeException - if a decryption error occurs

createAuthToken

protected AuthToken createAuthToken(java.lang.String username,
                                    java.lang.String password)
Creates AuthToken tokens based on a username and password. A concrete subclass that uses a different user store (for example, LDAP) overrides this method to validate the credentials there and build the token.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
Returns:
an AuthToken
Throws:
UnauthorizedException - if the username and password do not match any existing user.

createAuthToken

protected AuthToken createAuthToken(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
                             throws UnauthorizedException
Creates AuthToken tokens based on information from servlet request and response objects. This method is optionally implemented by concrete subclasses of AuthFactory.

If this method is not overridden by a concrete subclass of AuthFactory, the following default behavior is used to search for login information:

  • Look for an AuthToken object in the session using the session name AuthFactory.SESSION_AUTHORIZATION. Return it if found.
  • Look for encrypted login information in the cookie named AuthFactory.COOKIE_AUTOLOGIN. Return an AuthToken object built using that info if found.
  • Throw an UnauthorizedException if the previous two steps failed or if the authToken returned would be anonymous.

Note that the second step re-authenticates from the username and password stored in the cookie, so an auto-login cookie is effectively a bearer credential and must be protected as such.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
an AuthToken
Throws:
UnauthorizedException - if no authToken information is found.

createAnonymousAuthToken

protected AuthToken createAnonymousAuthToken()
Creates anonymous AuthToken tokens. This method must be implemented by concrete subclasses of AuthFactory.

Returns:
an anonymous AuthToken token.

loginUser

public static AuthToken loginUser(java.lang.String username,
                                  java.lang.String password,
                                  boolean autoLogin,
                                  javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response)
                           throws UnauthorizedException
Logs a user in and creates the appropriate session variables and/or cookies to keep state. An AuthToken is returned upon a successful login; an UnauthorizedException is thrown if the login was not successful.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
autoLogin - whether autoLogin capability is requested or not.
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

createSessionUserInfo

protected AuthToken createSessionUserInfo(java.lang.String username,
                                          java.lang.String password,
                                          boolean autoLogin,
                                          javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response)
                                   throws UnauthorizedException
Concrete subclasses may wish to override this method to create session info as appropriate. For instance, a subclass may override this method to set the appropriate single sign-on cookie.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
autoLogin - whether autoLogin capability is requested or not.
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

checkAuthorization

public static void checkAuthorization(AuthToken authToken,
                                      javax.servlet.http.HttpServletRequest request)
                               throws UnauthorizedException
Checks if the specified AuthToken is authorized. If the AuthToken is not authorized, this method will throw an UnauthorizedException. An AuthToken that has not been validated or that has been banned from logging into the system will not be authorized. This method can be extended to provide additional AuthToken authorization.

Parameters:
authToken - the auth token to check
request - the current request
Throws:
UnauthorizedException - if the auth token is not authorized

logoutUser

public static void logoutUser(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response)
Logs a user out and destroys or resets the appropriate session variables and/or cookies that keep state.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.

getSessionAuthToken

public static AuthToken getSessionAuthToken(javax.servlet.http.HttpServletRequest request)
Returns the AuthToken stored in the session; if none exists, an anonymous AuthToken is returned.

Parameters:
request - The current servlet request.
Returns:
The authToken from the session if one exists, else an anonymous authToken.
Since:
1.7

getSessionUser

public static User getSessionUser(javax.servlet.http.HttpServletRequest request)
Returns the currently logged in user. Returns null if the request does not come from a logged-in user with a session.

Parameters:
request - The request of the user.
Returns:
The request's logged in user, else null if not logged in
Since:
1.7

clearSessionUserInfo

protected void clearSessionUserInfo(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
Concrete subclasses may wish to override this method to destroy session info as appropriate. For instance, a subclass may override this method to set the appropriate single sign-on cookie to denote that the user is no longer logged in.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.
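The two hooks createSessionUserInfo and clearSessionUserInfo, together with encryptAuthInfo and COOKIE_AUTOLOGIN, are enough to tighten how the auto-login cookie and the login session are handled. The subclass below is an added example and not Jive's own code. Its assumptions: the deployment's existing concrete factory is a class named DefaultAuthFactory (a hypothetical name standing in for whatever AuthFactory.className currently points at); the base class creates the HttpSession it needs through request.getSession(); the base class reads COOKIE_AUTOLOGIN as described for createAuthToken(request, response); and encryptAuthInfo returns a value that is safe to place in a cookie without quoting. The Set-Cookie header is written by hand because the Servlet 2.x Cookie class has no way to set HttpOnly.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.jivesoftware.base.AuthFactory;
import com.jivesoftware.base.AuthToken;
import com.jivesoftware.base.UnauthorizedException;

// Added example, not Jive's code. DefaultAuthFactory is a hypothetical name for the
// deployment's existing concrete AuthFactory implementation.
public class HardenedCookieAuthFactory extends DefaultAuthFactory {

    /** Lifetime of the auto-login cookie in seconds (this example's choice). */
    private static final int THIRTY_DAYS = 30 * 24 * 60 * 60;

    protected AuthToken createSessionUserInfo(String username, String password,
            boolean autoLogin, HttpServletRequest request, HttpServletResponse response)
            throws UnauthorizedException {
        // Session fixation: drop any session that existed before the credentials
        // were checked so the authenticated state lives under a fresh session id
        // (assumes the base class obtains its session via request.getSession()).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Let the base class build its session state, but with autoLogin forced to
        // false so that it does not issue its own, unflagged, cookie.
        AuthToken token = super.createSessionUserInfo(username, password, false, request, response);

        if (autoLogin) {
            // The cookie decrypts to the user's password under 56-bit DES, so limit
            // exposure: HTTPS only, not readable by script, bounded lifetime.
            String value = AuthFactory.encryptAuthInfo(username, password);
            response.addHeader("Set-Cookie", AuthFactory.COOKIE_AUTOLOGIN + "=" + value
                    + "; Path=/; Max-Age=" + THIRTY_DAYS + "; Secure; HttpOnly");
        }
        return token;
    }

    protected void clearSessionUserInfo(HttpServletRequest request, HttpServletResponse response) {
        super.clearSessionUserInfo(request, response);

        // Expire the auto-login cookie using the same attributes it was issued with,
        // otherwise the browser keeps the original and auto-login silently resumes.
        response.addHeader("Set-Cookie", AuthFactory.COOKIE_AUTOLOGIN
                + "=; Path=/; Max-Age=0; Secure; HttpOnly");

        // Invalidate the session so the AuthToken cached under
        // SESSION_AUTHORIZATION cannot be reused after logout.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Point AuthFactory.className at this class and restart the application server, as the class description requires. Because the cookie carries the Secure attribute, a site served over plain HTTP will never receive it back and auto-login will appear broken; that is the intended trade-off, since the cookie is as sensitive as the password it wraps.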

destroyAuthFactory

public static void destroyAuthFactory()
Method used internally by Jive. Do NOT use this method. Allows the class to be re-initialized.

getAuthenticationProvider

public com.jivesoftware.spi.user.AuthenticationProvider getAuthenticationProvider()

copyLdapConfigToAuthProvider

public static void copyLdapConfigToAuthProvider()

copyAuthProviderConfigToLDAP

public static void copyAuthProviderConfigToLDAP()

forceReload

public static void forceReload()

Copyright © 1999-2007 Jive Software.