velosurf.web.auth
Class AuthenticationFilter

java.lang.Object
  extended by velosurf.web.auth.AuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter

public class AuthenticationFilter
extends java.lang.Object
implements javax.servlet.Filter

This class is a servlet filter used to protect web pages behind an authentication mechanism. When a non-authenticated user requests a protected page, (s)he is redirected to the login page and, after logging in successfully, to the page (s)he initially requested.

Authentication is performed via a CRAM (challenge-response authentication mechanism). Passwords are encrypted using the method given as parameter to the Authenticator tool in toolbox.xml. The provided Javascript file /src/javascript/md5.js implements the HmacMD5 method on the client side.

This filter works in conjunction with an Authenticator object that must be present in the session scope of the toolbox and with a javascript password encryption function.

To use it, you just have to map protected URLs (and especially the target of the login form, which is essential for the authentication to work properly!) so that they go through this filter, as in:

    <filter>
      <filter-name>authentication</filter-name>
      <filter-class>auth.AuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>authentication</filter-name>
      <url-pattern>/auth/*</url-pattern>
    </filter-mapping>

The password is encrypted in an irreversible manner into an answer, and to check the login, the answer that the client sends back to the server is compared to the correct awaited answer.

The javascript file login.js.vtl contains the necessary encryption functions. It uses the bignum.js library file. You will find those files in /src/resources/auth or in the auth-l10n sample webapp.

The filter expects the login to be present in the HTTP 'login' form field, and the answer in the 'answer' form field (which is the case if you use login.js.vtl as is). The action of the form is never used as a destination (the filter redirects the user to the page requested before the login), but it must be caught by a url-pattern of this filter. You can for instance define a mapping towards "/process_login".

The logged-in state is materialized by the presence of a user Object in the session under the user key. This user object is the one returned by the abstract method Authenticator.getUser(login).
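The challenge-response flow described above (challenge issued by the server, answer computed on the client with HMAC-MD5, 'login' and 'answer' form fields checked on the server, user object placed in the session on success, redirect back to the originally requested page) is modelled below as an added Python example; it is not Velosurf's own code and does not use its API. Assumptions: the exact key/message roles of the HMAC in login.js.vtl are not stated on this page, so the example keys the HMAC with the password and feeds it the challenge; the user store (USERS), the CramSession class and the function names are constructed for the illustration, standing in for the abstract Authenticator.getUser(login) and the servlet session.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for Authenticator.getUser(login): login -> password.
USERS = {"alice": "correct horse battery staple"}


def compute_answer(password: str, challenge: str) -> str:
    """Client-side step (what login.js.vtl does in the browser).

    Assumption: HMAC-MD5 keyed with the password over the challenge; the
    page names HmacMD5 but not the key/message roles.
    """
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


class CramSession:
    """Models the servlet session: a pending challenge, the page asked for
    before login, and (once authenticated) the user object under 'user'."""

    def __init__(self) -> None:
        self.challenge: Optional[str] = None
        self.requested_page: Optional[str] = None
        self.user: Optional[dict] = None


def filter_request(session: CramSession, path: str, login_page: str = "/auth/login.html"):
    """Mirrors doFilter for a protected URL: unauthenticated requests are
    redirected to the login page and the requested page is remembered."""
    if session.user is None:
        session.requested_page = path
        return ("redirect", login_page)
    return ("pass", path)


def issue_challenge(session: CramSession) -> str:
    """Server-side: a fresh, unpredictable challenge per login attempt,
    stored only in the session so the server can recompute the answer."""
    session.challenge = secrets.token_hex(16)
    return session.challenge


def process_login(session: CramSession, form: dict):
    """Server-side check of the submitted form (fields 'login' and 'answer').

    Returns ("redirect", original_page) on success, ("redirect", None)
    meaning 'back to the login page' on failure.
    """
    challenge = session.challenge
    session.challenge = None  # one-shot: an answer can never be replayed
    login = form.get("login")
    answer = form.get("answer", "")
    if challenge is None or login is None:
        return ("redirect", None)
    password = USERS.get(login)
    # Compute an expected answer even for unknown logins so that the work
    # done does not reveal whether the login exists.
    expected = compute_answer(password if password is not None else "", challenge)
    if password is not None and hmac.compare_digest(expected, answer):
        session.user = {"login": login}  # the logged-in state, as on the page
        return ("redirect", session.requested_page)
    return ("redirect", None)
```

Two points the model makes explicit: the challenge is consumed on first use, so a captured answer is useless for a second login, and the comparison of the client's answer with the awaited one uses a constant-time compare rather than string equality. The digest function is a parameter of the Authenticator tool in the real filter; here it is fixed to MD5 only because that is what the page's client script implements.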

This filter will search for an occurrence of a localizer tool in the session toolbox to resolve some values. The presence of this localizer is optional.

Optional configuration parameters:

Author:
Claude Brisson

Field Summary
protected  java.lang.String _authenticatedIndexPage
           
protected  java.lang.String _badLoginMessage
           
protected  java.lang.String _badLoginMsgKey
           
protected  javax.servlet.FilterConfig _config
           
protected static java.lang.String _defaultBadLoginMessage
           
protected static java.lang.String _defaultDisconnectedMessage
           
protected  java.lang.String _disconnectedMessage
           
protected  java.lang.String _disconnectedMsgKey
           
protected  java.lang.String _loginPage
           
protected  int _maxInactive
           
protected  boolean _resolveLocale
          Whether _indexPage, _loginPage or _authenticatedIndexPage contains a @ to be resolved.
 
Constructor Summary
AuthenticationFilter()
           
 
Method Summary
 void destroy()
           
 void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)
           
protected  java.lang.String getMessage(Localizer localizer, java.lang.String key, java.lang.String defaultMessage)
           
 void init(javax.servlet.FilterConfig config)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

_config

protected javax.servlet.FilterConfig _config

_maxInactive

protected int _maxInactive

_loginPage

protected java.lang.String _loginPage

_authenticatedIndexPage

protected java.lang.String _authenticatedIndexPage

_badLoginMessage

protected java.lang.String _badLoginMessage

_badLoginMsgKey

protected java.lang.String _badLoginMsgKey

_defaultBadLoginMessage

protected static final java.lang.String _defaultBadLoginMessage
See Also:
Constant Field Values

_disconnectedMessage

protected java.lang.String _disconnectedMessage

_disconnectedMsgKey

protected java.lang.String _disconnectedMsgKey

_defaultDisconnectedMessage

protected static final java.lang.String _defaultDisconnectedMessage
See Also:
Constant Field Values

_resolveLocale

protected boolean _resolveLocale
Whether _indexPage, _loginPage or _authenticatedIndexPage contains a @ to be resolved.

Constructor Detail

AuthenticationFilter

public AuthenticationFilter()
Method Detail

init

public void init(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException
Specified by:
init in interface javax.servlet.Filter
Throws:
javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
java.io.IOException
javax.servlet.ServletException

getMessage

protected java.lang.String getMessage(Localizer localizer,
                                      java.lang.String key,
                                      java.lang.String defaultMessage)

destroy

public void destroy()
Specified by:
destroy in interface javax.servlet.Filter
