Class LoginAuthenticator

    • Constructor Detail

      • LoginAuthenticator

        protected LoginAuthenticator()
    • Method Detail

      • prepareRequest

        public void prepareRequest(javax.servlet.ServletRequest request)
        Description copied from interface: Authenticator
        Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected before validateRequest is called. The primary purpose of this method is to satisfy Servlet Spec 3.1 section 13.6.3 on handling Form authentication, where the HTTP method of the original request that caused authentication is not the same as the HTTP method resulting from the redirect after authentication.
        Specified by:
        prepareRequest in interface Authenticator
        Parameters:
        request - the request to manipulate
      • login

        public UserIdentity login(java.lang.String username,
                                  java.lang.Object password,
                                  javax.servlet.ServletRequest servletRequest)
        If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), the user is assumed to be fully authenticated, and the session id is changed to prevent a session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, subclasses must override this method, determine when the UserIdentity is fully authenticated, and renew the session id at that point.
        Parameters:
        username - the username of the client to be authenticated
        password - the user's credential
        servletRequest - the inbound request that needs authentication
      • logout

        public void logout(javax.servlet.ServletRequest request)
      • renewSession

        protected javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request,
                                                              javax.servlet.http.HttpServletResponse response)
        Change the session id. The session is changed to a new instance with a new ID if and only if:
        Parameters:
        request - the request
        response - the response
        Returns:
        The new session.
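
The override that the login description asks of subclasses, sketched as an added example (not Jetty's own code) for an authenticator whose credential check can be followed by a further step. It assumes the javax.servlet-era Jetty API shown in the signatures above; getLoginService() and Request.getBaseRequest() are Jetty calls not listed on this page, and the class name, the isFullyAuthenticated hook, completeAuthentication and the PENDING_STEP attribute are hypothetical.

```java
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;

// Added example, not Jetty code. Class, hook, method and attribute names are hypothetical.
public abstract class StepUpAuthenticator extends LoginAuthenticator
{
    // Hypothetical marker: credentials accepted, a further step is outstanding.
    public static final String PENDING_STEP = "example.auth.pendingStep";

    // Hypothetical hook: true when the credential check alone completes authentication.
    protected abstract boolean isFullyAuthenticated(UserIdentity user, ServletRequest request);

    @Override
    public UserIdentity login(String username, Object password, ServletRequest servletRequest)
    {
        // Call the LoginService directly: super.login() renews the session id
        // as soon as a non-null UserIdentity comes back.
        UserIdentity user = getLoginService().login(username, password, servletRequest);
        if (user == null)
            return null;
        Request base = Request.getBaseRequest(servletRequest);
        if (base == null)
            return null; // no Jetty request to renew a session on: fail closed

        if (isFullyAuthenticated(user, servletRequest))
            renewSession(base, base.getResponse());
        else
            base.getSession(true).setAttribute(PENDING_STEP, Boolean.TRUE);
        return user;
    }

    // Call after the remaining step has been verified for this request's session.
    protected HttpSession completeAuthentication(HttpServletRequest request, HttpServletResponse response)
    {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(PENDING_STEP) == null)
            return session; // nothing outstanding
        session.removeAttribute(PENDING_STEP);
        // Fully authenticated only now, so the pre-login session id must not survive.
        return renewSession(request, response);
    }
}
```

A concrete subclass still has to implement the remaining Authenticator methods and treat a session carrying PENDING_STEP as unauthenticated until completeAuthentication has run.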