velosurf.web.auth
Class AuthenticationFilter

java.lang.Object
  velosurf.web.auth.AuthenticationFilter

All Implemented Interfaces:

javax.servlet.Filter

public class AuthenticationFilter
extends java.lang.Object
implements javax.servlet.Filter

This class is a servlet filter used to protect web pages behind an authentication mechanism. When a non-authenticated user requests a private page, (s)he is redirected towards the login page and thereafter, if (s)he loggued in successfully, towards his(her) initially requested page.

Authentication is performed via a CRAM (challenge-response authentication mechanism). Passwords are encrypted using the method given as parameter to the Authenticator tool in toolbox.xml. The provided Javascript file /src/javascript/md5.js implements the HmacMD5 method on the client side.

This filter works in conjunction with an Authenticator object that must be present in the session scope of the toolbox and with a javascript password encryption function.

To use it, you just have to map private urls (and especially, the target of the login form, this is very important for the authentication to work properly!) to go through this filter, as in :

<filter> <filter-name>authentication</filter-name> <filter-class>auth.AuthenticationFilter</filter-class> </filter> <filter-mapping> <filter-name>authentication</filter-name> <url-pattern>/auth/*</url-pattern> </filter-mapping>

The password is encrypted in an irreversible manner into an answer, and to check the login, the answer that the client sends back to the server is compared to the correct awaited answer.

The javascript file login.js.vtl contains the necessary encryption functions. It uses the bignum.js library file. You will find those files in /src/resources/auth or in the auth-l10n sample webapp.

The filter expect the login to be present in the HTTP 'login' form field, and the answer in the 'answer' form field (which should be all right if you use the login.js.vtl as is). The action of the form is never used (since the filter will redirect the user towards the page asked before the login), but it must be catched by an url-pattern of this filter. You can for instance define a mapping towards "/process_login".

The loggued state is materialized by the presence of a user Object in the session under the user key. This user object in the one returned by the abstract method Authenticator.getUser(login).

This filter will search for an occurrence of a localizer tool in the session toolbox to resolve some values. The presence of this localizer is optional.

Optional configuration parameters:

• max-inactive: delay upon which an inactive user is disconnected in seconds. The default value is one hour.
• login-page: the login page URI. The "@" pattern applies as well. Default is '/login.html'.
• authenticated-index-page: the default page once authenticated. The "@" pattern applies as well. Default is '/loggued.html'.
• bad-login-message: the message to be displayed in case of bad login. If this parameter is not specified, the filter will try to get a reference from the localizer tool and ask it for a "badLogin" message, and if this fails, it will simply use "Bad login or password.".
• disconnected-message: the message to be displayed when the user is disconnected after a period of inactivity on the site. Same remark if this parameter is not supplied: the filter will search for a "disconnected" message in the localizer tool if present, and otherwise display "You have been disconnected."

Author:

Claude Brisson

Field Summary

private java.lang.String	authenticatedIndexPage Index of the authenticated zone.
private java.lang.String	badLoginMessage Message in case of bad login.
private java.lang.String	badLoginMsgKey Message key in case of bad login.
private javax.servlet.FilterConfig	config filter config.
private static java.lang.String	defaultBadLoginMessage Default bad login message.
private static java.lang.String	defaultDisconnectedMessage Default message in case of disconnection.
private java.lang.String	disconnectedMessage Message in case of disconnection.
private java.lang.String	disconnectedMsgKey Message key in case of disconnection.
private java.lang.String	loginPage Login page.
private int	maxInactive Max inactive interval.
private boolean	resolveLocale Whether indexPage, loginPage or authenticatedIndexPage contains a @ to be resolved.

Constructor Summary

AuthenticationFilter()

Method Summary

void	destroy() Destroy the filter.
void	doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) Filtering.
private java.lang.String	getMessage(Localizer localizer, java.lang.String key, java.lang.String defaultMessage) Message getter.
void	init(javax.servlet.FilterConfig config) Initialization.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

config

private javax.servlet.FilterConfig config

filter config.

maxInactive

private int maxInactive

Max inactive interval.

loginPage

private java.lang.String loginPage

Login page.

authenticatedIndexPage

private java.lang.String authenticatedIndexPage

Index of the authenticated zone.

badLoginMessage

private java.lang.String badLoginMessage

Message in case of bad login.

badLoginMsgKey

private java.lang.String badLoginMsgKey

Message key in case of bad login.

defaultBadLoginMessage

private static final java.lang.String defaultBadLoginMessage

Default bad login message.

See Also:

Constant Field Values

disconnectedMessage

private java.lang.String disconnectedMessage

Message in case of disconnection.

disconnectedMsgKey

private java.lang.String disconnectedMsgKey

Message key in case of disconnection.

defaultDisconnectedMessage

private static final java.lang.String defaultDisconnectedMessage

Default message in case of disconnection.

See Also:

Constant Field Values

resolveLocale

private boolean resolveLocale

Whether indexPage, loginPage or authenticatedIndexPage contains a @ to be resolved.

Constructor Detail

AuthenticationFilter

public AuthenticationFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException

Initialization.

Specified by:

init in interface javax.servlet.Filter

Parameters:

config - filter config

Throws:

javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

Filtering.

Specified by:

doFilter in interface javax.servlet.Filter

Parameters:

servletRequest - request

servletResponse - response

chain - filter chain

Throws:

java.io.IOException

javax.servlet.ServletException

getMessage

private java.lang.String getMessage(Localizer localizer,
                                    java.lang.String key,
                                    java.lang.String defaultMessage)

Message getter.

Parameters:

localizer - localizer

key - key

defaultMessage - default message

Returns:

localized message or default message

destroy

public void destroy()

Destroy the filter.

Specified by:

destroy in interface javax.servlet.Filter