velosurf.web.auth
Class AuthenticationFilter

java.lang.Object
  extended by velosurf.web.auth.AuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter

public class AuthenticationFilter
extends java.lang.Object
implements javax.servlet.Filter

This class is a servlet filter used to protect web pages behind an authentication mechanism. When a non-authenticated user requests a private page, the user is redirected to the login page and then, after a successful login, to the page initially requested.

Authentication is performed via a CRAM (challenge-response authentication mechanism): the clear-text password never travels over the wire. Passwords are hashed with the method given as a parameter to the Authenticator tool in toolbox.xml. The provided JavaScript file /src/javascript/md5.js implements the HmacMD5 method on the client side.

This filter works in conjunction with an Authenticator object, which must be present in the session scope of the toolbox, and with a JavaScript password hashing function.

To use it, map the private URLs through this filter, including the target of the login form (this is essential for the authentication to work), as in:

<filter>
  <filter-name>authentication</filter-name>
  <filter-class>velosurf.web.auth.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>authentication</filter-name>
  <url-pattern>/auth/*</url-pattern>
</filter-mapping>

The password is combined with the challenge and hashed in an irreversible manner into an answer; to check the login, the answer the client sends back is compared with the expected answer that the server computes from the stored password and the same challenge.
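The round trip described above, as an added illustration that is not Velosurf's own Authenticator code: the server issues a random challenge and keeps it in the session, the client (md5.js in the real setup) computes HmacMD5 over it with the password, and the server recomputes the answer from the stored password and compares it in constant time. Which of password and challenge plays the HMAC key is an assumption here; the page only states that HmacMD5 is used. The class name, the hex encoding of the answer and the sample password are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative CRAM round trip (hypothetical class, not Velosurf code). */
public class CramDemo {

    private static final SecureRandom RNG = new SecureRandom();

    /** Server side: a fresh random challenge, kept in the session until the answer arrives. */
    static String newChallenge() {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        return Base64.getEncoder().encodeToString(nonce);
    }

    /**
     * Both sides compute answer = hex(HmacMD5(key = password, message = challenge)).
     * Assumption: the key/message roles; the page only says HmacMD5 is used.
     */
    static String answer(String password, String challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacMD5"));
        byte[] out = mac.doFinal(challenge.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : out) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Server side: recompute from the stored password and compare without early exit. */
    static boolean verify(String storedPassword, String challenge, String clientAnswer) throws Exception {
        byte[] expected = answer(storedPassword, challenge).getBytes(StandardCharsets.UTF_8);
        byte[] received = clientAnswer.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse"; // constructed sample, not a real credential
        String challenge = newChallenge();  // what the server would store in the session
        String clientAnswer = answer(password, challenge); // what the browser-side script computes

        System.out.println("good answer accepted: " + verify(password, challenge, clientAnswer));
        // Replaying a captured answer against a fresh challenge must fail:
        System.out.println("replayed answer accepted: " + verify(password, newChallenge(), clientAnswer));
    }
}
```

Two practical consequences follow from the design. The server must be able to recompute the answer, so it needs the password (or whatever value the Authenticator's method derives from it) at verification time; a one-way salted hash in the database does not work with a CRAM. And the mechanism only protects the password from a passive observer of a single exchange: the challenge must be fresh for every login attempt, and TLS is still needed to protect the session cookie that materializes the logged-in state afterwards.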

The filter expects the login in the HTTP 'login' form field and the answer in the 'answer' form field (which is the case if you use login.vjs as is). The action of the form is never served as such (the filter redirects the user to the page requested before the login), but it must be caught by a url-pattern of this filter; you can for instance define a mapping for "/process_login".
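A complete web.xml fragment for the setup described above, added here as an example rather than taken from the project's own distribution: the private zone is /auth/* and the login form posts to /process_login (both names are the ones the text suggests; adjust them to your application). The second mapping is the one that is easy to forget and without which the posted login and answer never reach the filter.

```xml
<filter>
  <filter-name>authentication</filter-name>
  <filter-class>velosurf.web.auth.AuthenticationFilter</filter-class>
</filter>

<!-- Private zone: unauthenticated requests here are redirected to the login page. -->
<filter-mapping>
  <filter-name>authentication</filter-name>
  <url-pattern>/auth/*</url-pattern>
</filter-mapping>

<!-- Target of the login form (action="/process_login"): the form posts the
     'login' and 'answer' fields here, so this URL must go through the filter too.
     Nothing needs to exist at this path; the filter redirects after checking the answer. -->
<filter-mapping>
  <filter-name>authentication</filter-name>
  <url-pattern>/process_login</url-pattern>
</filter-mapping>
```

A quick check after deployment: submit the login form and confirm that a correct answer ends in a redirect to the originally requested page, and that a request to /process_login without a valid answer does not expose a resource or a stack trace.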

The logged-in state is materialized by the presence of a user object in the session under the user key. This user object is the one returned by the abstract method Authenticator.getUser(login).

This filter looks for a localizer tool in the session toolbox to resolve some values. The presence of this localizer is optional.

Optional configuration parameters:

Author:
Claude Brisson

Field Summary
private  boolean allowGuest
          Should non-authenticated (guest) users be allowed through?
private  java.lang.String authenticatedIndexPage
          Index of the authenticated zone.
private  java.lang.String badLoginMessage
          Message in case of bad login.
private  java.lang.String badLoginMsgKey
          Message key in case of bad login.
private  javax.servlet.FilterConfig config
          Filter config.
private static java.lang.String defaultBadLoginMessage
          Default bad login message.
private static java.lang.String defaultDisconnectedMessage
          Default message in case of disconnection.
private  java.lang.String disconnectedMessage
          Message in case of disconnection.
private  java.lang.String disconnectedMsgKey
          Message key in case of disconnection.
private  java.lang.String LOGIN
          Session key used to store logged user login
private  java.lang.String loginField
          Login field.
private  java.lang.String loginPage
          Login page.
private  int maxInactive
          Max inactive interval.
private  java.lang.String passwordField
          Password field.
static java.lang.String REQUEST
          Session key used to store original pre-login request
private  boolean useLoginReferer
          Should we use the referer to login.do?
private  java.lang.String USER
          Session key used to store logged user object
 
Constructor Summary
AuthenticationFilter()
           
 
Method Summary
protected  void badLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
 void destroy()
          Destroy the filter.
 void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)
          Filtering.
protected  void doLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
protected  void doLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
protected  void doProcessAuthentified(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
protected  void doRedirect(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
protected  java.lang.String getAuthenticatedIndexPage(javax.servlet.http.HttpSession session)
           
protected  java.lang.String getMessage(Localizer localizer, java.lang.String key, java.lang.String defaultMessage)
          Message getter.
protected  void goodLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
           
 void init(javax.servlet.FilterConfig config)
          Initialization.
protected  void refreshUserInstance(javax.servlet.http.HttpSession session)
           
protected  java.lang.String resolveLocalizedUri(javax.servlet.http.HttpServletRequest request, java.lang.String uri)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

config

private javax.servlet.FilterConfig config
Filter config.


maxInactive

private int maxInactive
Max inactive interval.


loginField

private java.lang.String loginField
Login field.


passwordField

private java.lang.String passwordField
Password field.


loginPage

private java.lang.String loginPage
Login page.


authenticatedIndexPage

private java.lang.String authenticatedIndexPage
Index of the authenticated zone.


badLoginMessage

private java.lang.String badLoginMessage
Message in case of bad login.


badLoginMsgKey

private java.lang.String badLoginMsgKey
Message key in case of bad login.


defaultBadLoginMessage

private static final java.lang.String defaultBadLoginMessage
Default bad login message.

See Also:
Constant Field Values

disconnectedMessage

private java.lang.String disconnectedMessage
Message in case of disconnection.


disconnectedMsgKey

private java.lang.String disconnectedMsgKey
Message key in case of disconnection.


defaultDisconnectedMessage

private static final java.lang.String defaultDisconnectedMessage
Default message in case of disconnection.

See Also:
Constant Field Values

LOGIN

private java.lang.String LOGIN
Session key used to store logged user login


USER

private java.lang.String USER
Session key used to store logged user object


REQUEST

public static final java.lang.String REQUEST
Session key used to store original pre-login request

See Also:
Constant Field Values

useLoginReferer

private boolean useLoginReferer
Should we use the referer to login.do?


allowGuest

private boolean allowGuest
Should non-authenticated (guest) users be allowed through?

Constructor Detail

AuthenticationFilter

public AuthenticationFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException
Initialization.

Specified by:
init in interface javax.servlet.Filter
Parameters:
config - filter config
Throws:
javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
Filtering.

Specified by:
doFilter in interface javax.servlet.Filter
Parameters:
servletRequest - request
servletResponse - response
chain - filter chain
Throws:
java.io.IOException
javax.servlet.ServletException

refreshUserInstance

protected void refreshUserInstance(javax.servlet.http.HttpSession session)

doRedirect

protected void doRedirect(javax.servlet.http.HttpServletRequest request,
                          javax.servlet.http.HttpServletResponse response,
                          javax.servlet.FilterChain chain)
                   throws java.io.IOException,
                          javax.servlet.ServletException
Throws:
java.io.IOException
javax.servlet.ServletException

doLogin

protected void doLogin(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response,
                       javax.servlet.FilterChain chain)
                throws java.io.IOException,
                       javax.servlet.ServletException
Throws:
java.io.IOException
javax.servlet.ServletException

goodLogin

protected void goodLogin(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response,
                         javax.servlet.FilterChain chain)
                  throws java.io.IOException,
                         javax.servlet.ServletException
Throws:
java.io.IOException
javax.servlet.ServletException

badLogin

protected void badLogin(javax.servlet.http.HttpServletRequest request,
                        javax.servlet.http.HttpServletResponse response,
                        javax.servlet.FilterChain chain)
                 throws java.io.IOException,
                        javax.servlet.ServletException
Throws:
java.io.IOException
javax.servlet.ServletException

doProcessAuthentified

protected void doProcessAuthentified(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response,
                                     javax.servlet.FilterChain chain)
                              throws java.io.IOException,
                                     javax.servlet.ServletException
Throws:
java.io.IOException
javax.servlet.ServletException

doLogout

protected void doLogout(javax.servlet.http.HttpServletRequest request,
                        javax.servlet.http.HttpServletResponse response,
                        javax.servlet.FilterChain chain)
                 throws java.io.IOException,
                        javax.servlet.ServletException
Throws:
java.io.IOException
javax.servlet.ServletException

resolveLocalizedUri

protected java.lang.String resolveLocalizedUri(javax.servlet.http.HttpServletRequest request,
                                               java.lang.String uri)

getAuthenticatedIndexPage

protected java.lang.String getAuthenticatedIndexPage(javax.servlet.http.HttpSession session)

getMessage

protected java.lang.String getMessage(Localizer localizer,
                                      java.lang.String key,
                                      java.lang.String defaultMessage)
Message getter.

Parameters:
localizer - localizer
key - key
defaultMessage - default message
Returns:
localized message or default message

destroy

public void destroy()
Destroy the filter.

Specified by:
destroy in interface javax.servlet.Filter

