Package org.ametys.core.authentication
Class AuthenticateAction
java.lang.Object
org.apache.avalon.framework.logger.AbstractLogEnabled
org.apache.cocoon.acting.AbstractAction
org.apache.cocoon.acting.ServiceableAction
org.ametys.core.authentication.AuthenticateAction
- All Implemented Interfaces:
Initializable
,Component
,LogEnabled
,Serviceable
,ThreadSafe
,Action
- Direct Known Subclasses:
AdminAuthenticateAction
,AuthenticateAction
,AuthenticateAction
,BlockingCredentialProviderAction
,FrontAuthenticateAction
,WebAuthenticateAction
Cocoon action to perform authentication.
The
Finally, the Users instance extract the Principal corresponding to the
The
CredentialProvider
define the authentication method and retrieves Credentials
.Finally, the Users instance extract the Principal corresponding to the
Credentials
.-
Nested Class Summary
Modifier and TypeClassDescriptionprotected static enum
The token mode of this authentication action -
Field Summary
Modifier and TypeFieldDescriptionprotected Collection<Pattern>
url requires for authenticationprotected AuthenticationTokenManager
The authentication token managerprotected CurrentUserProvider
The current user providerprotected ObservationManager
The observation managerprotected PopulationContextHelper
The helper for the associations population/contextprotected UserManager
The user managerprotected UserPopulationDAO
The DAO for user populationsstatic final String
The header parameter that can be set to handle the tokenprotected static final String
The sitemap parameter holding the tokenprotected static final String
The sitemap parameter holding the token contextstatic final String
The request attribute name for indicating that the authentication process has been made.static final String
The request attribute name for transmitting the list of user populationsprotected static final String
The request attribute name for transmitting the list of contextsprotected static final String
The request attribute name for transmitting the index in the list of chosen credential providerprotected static final String
The request attribute name for transmitting a boolean that tell if there is a list of credential provider to choosestatic final String
The request attribute meaning that the request was not authenticated but grantedstatic final String
The request attribute to allow internal action from an internal request.protected static final String
The request attribute name for transmitting the potential list of user populations to the login screen .static final String
The request attribute name for transmitting the login page urlprotected static final String
The request attribute name to know if user population list should be proposedstatic final String
The request attribute name for transmitting the currently chosen user populationstatic final String
Name of the credential provider index HTML fieldstatic final String
Name of the user population HTML fieldstatic final String
The request parameter holding the tokenstatic final String
The request parameter holding the token contextprotected static final String
The session attribute name for storing the credential provider index of the authentication (during connection process)protected static final String
The session attribute name for storing the last known credential provider index of the authentication (during connection process)protected static final String
The session attribute name for storing the credential provider mode of the authentication: non-blocking=>false, blocking=>true (during connection process)protected static final String
The session attribute name for storing the id of the user population (during connection process)protected static final String
The session attribute name for storing the credential provider of the authenticationprotected static final String
The session attribute name for storing the credential provider mode of the authentication: non-blocking=>false, blocking=>truestatic final String
The session attribute name for storing the identity of the connected userprotected static final String
The sitemap parameter to set the token mode of the actionFields inherited from class org.apache.cocoon.acting.ServiceableAction
manager
Fields inherited from class org.apache.cocoon.acting.AbstractAction
EMPTY_MAP
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected boolean
_acceptedUrl
(Request request) Determine if the request is one of the authentication process (except the credential providers)protected boolean
_doProcess
(Request request, boolean runningBlockingkMode, CredentialProvider runningCredentialProvider, Redirector redirector, List<UserPopulation> userPopulations) Try to authenticate with this credential provider in this mode_getAvailableUserPopulationsIds
(Request request, List<String> contexts) Get the available populations for the given contextsprotected String
_getChosenUserPopulationId
(Request request, List<UserPopulation> availableUserPopulations) Get the population for the given context_getContexts
(Request request, Parameters parameters) Get the authentication contextprotected CredentialProvider
_getCredentialProviderFromSession
(Request request) Get the credential provider used for the current connectionprotected Boolean
Get the credential provider mode used for the current connectionprotected int
_getCurrentCredentialProviderIndex
(Request request, List<CredentialProvider> availableCredentialProviders) Get the current credential provider index or -1 if there no running providerprotected Integer
Get the current credential provider index or -1 if there no running provider FROM REQUEST PARAMETERprotected String
_getTokenFromRequest
(Request request) Get the token from the requestprotected UserIdentity
_getUserIdentity
(List<UserPopulation> userPopulations, UserIdentity potentialUserIdentity, Redirector redirector, boolean runningBlockingkMode, CredentialProvider runningCredentialProvider) Check the authentications of the authentication managerprotected UserIdentity
_getUserIdentityFromSession
(Request request) Get the user identity of the connected user from the sessionprotected boolean
_handleAuthenticationToken
(Request request, Parameters parameters) Authenticate a user using the token in request (if configured so)protected boolean
_handleLogout
(Redirector redirector, Map objectModel, String source, Parameters parameters) Test if user wants to logout and handle itprotected void
_handleWeakPassord
(Request request, Redirector redirector, UserIdentity userIdentity) Handle weak password exceptionprotected boolean
_hasCredentialProviders
(List<UserPopulation> userPopulations) Determine if there is a list of credential providers to useprotected boolean
_internalRequest
(Request request) Determine if the request is internal and do not need authenticationprotected boolean
If there is a running credential provider, was it in non-blocking or blocking mode?protected void
_logLoginEvent
(CredentialProvider credentialProvider, UserIdentity userIdentity) Log login eventprotected void
_logLogoutEvent
(UserIdentity userIdentity) Log logout eventprotected boolean
_preFlightCheck
(Redirector redirector, SourceResolver resolver, Map objectModel, String source, Parameters parameters) Prepare authenticationprotected boolean
_prepareUserPopulationsAndCredentialProviders
(Request request, Parameters parameters, Redirector redirector, List<UserPopulation> chosenUserPopulations, List<CredentialProvider> credentialProviders) Fill the list of available users populations and credential providersprotected boolean
_process
(Request request, boolean runningBlockingkMode, CredentialProvider runningCredentialProvider, int runningCredentialProviderIndex, Redirector redirector, List<UserPopulation> userPopulations) Try to authenticate with this credential provider in this mode.protected static void
_resetConnectingStateToSession
(Request request) Reset the connecting information in sessionprotected void
_saveConnectingStateToSession
(Request request, int runningCredentialProviderIndex, boolean runningBlockingkMode) When the process end successfully, save the stateprotected void
_setUserIdentityInSession
(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean blockingMode) Save user identity in requestprotected boolean
_validateCurrentlyConnectedUser
(Request request, Redirector redirector, Parameters parameters) This method ensure that there is a currently connected user and that it is still validprotected void
_validateCurrentlyConnectedUserIsInAuthorizedPopulation
(UserIdentity userCurrentlyConnected, Request request, Parameters parameters) This method is the second part of the process that ensure that there is a currently connected user and that it is still validprotected UserIdentity
_validateToken
(String token, String context) Validate the given tokenact
(Redirector redirector, SourceResolver resolver, Map objectModel, String source, Parameters parameters) static CredentialProvider
getCredentialProviderFromSession
(Request request) Get the credential provider used for the current connectionstatic Boolean
Get the credential provider mode used for the current connectionprotected String
getLoginURL
(Request request) Get the url for the redirector to display the login screenprotected String
getLoginURLParameters
(Request request, String baseURL) Get the url for the redirector to display the login screenprotected String
getLogoutURL
(Request request) Get the url for the redirector to display the logout screenstatic UserIdentity
getUserIdentityFromSession
(Request request) Get the user identity of the connected user from the sessionvoid
static Session
renewSession
(Request request) Change the session id (for security purposes)static void
setUserIdentityInSession
(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean blockingMode) Save user identity in requeststatic void
skipCurrentCredentialProvider
(Request request) Call this to skip the currently used credential provider and proceed to the next one.Methods inherited from class org.apache.cocoon.acting.ServiceableAction
service
Methods inherited from class org.apache.avalon.framework.logger.AbstractLogEnabled
enableLogging, getLogger, setupLogger, setupLogger, setupLogger
-
Field Details
-
REQUEST_ATTRIBUTE_INTERNAL_ALLOWED
The request attribute to allow internal action from an internal request.- See Also:
-
REQUEST_ATTRIBUTE_GRANTED
The request attribute meaning that the request was not authenticated but granted- See Also:
-
REQUEST_ATTRIBUTE_AVAILABLE_USER_POPULATIONS_LIST
The request attribute name for transmitting the list of user populations- See Also:
-
REQUEST_ATTRIBUTE_USER_POPULATION_ID
The request attribute name for transmitting the currently chosen user population- See Also:
-
REQUEST_ATTRIBUTE_LOGIN_URL
The request attribute name for transmitting the login page url- See Also:
-
SESSION_USERIDENTITY
The session attribute name for storing the identity of the connected user- See Also:
-
REQUEST_PARAMETER_POPULATION_NAME
Name of the user population HTML field- See Also:
-
REQUEST_PARAMETER_CREDENTIALPROVIDER_INDEX
Name of the credential provider index HTML field- See Also:
-
REQUEST_ATTRIBUTE_AUTHENTICATED
The request attribute name for indicating that the authentication process has been made.- See Also:
-
REQUEST_PARAMETER_TOKEN
The request parameter holding the token- See Also:
-
REQUEST_PARAMETER_TOKEN_CONTEXT
The request parameter holding the token context- See Also:
-
HEADER_TOKEN
The header parameter that can be set to handle the token- See Also:
-
PARAMETERS_PARAMETER_TOKEN
The sitemap parameter holding the token- See Also:
-
PARAMETERS_PARAMETER_TOKEN_CONTEXT
The sitemap parameter holding the token context- See Also:
-
REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_LIST
The request attribute name for transmitting a boolean that tell if there is a list of credential provider to choose- See Also:
-
REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_INDEX
The request attribute name for transmitting the index in the list of chosen credential provider- See Also:
-
REQUEST_ATTRIBUTE_SHOULD_DISPLAY_USER_POPULATIONS_LIST
The request attribute name to know if user population list should be proposed- See Also:
-
REQUEST_ATTRIBUTE_INVALID_POPULATION
The request attribute name for transmitting the potential list of user populations to the login screen .- See Also:
-
REQUEST_ATTRIBUTE_CONTEXTS
The request attribute name for transmitting the list of contexts- See Also:
-
SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX
The session attribute name for storing the credential provider index of the authentication (during connection process)- See Also:
-
SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX_LASTBLOCKINGKNOWN
The session attribute name for storing the last known credential provider index of the authentication (during connection process)- See Also:
-
SESSION_CONNECTING_CREDENTIALPROVIDER_MODE
The session attribute name for storing the credential provider mode of the authentication: non-blocking=>false, blocking=>true (during connection process)- See Also:
-
SESSION_CONNECTING_USERPOPULATION_ID
The session attribute name for storing the id of the user population (during connection process)- See Also:
-
SESSION_CREDENTIALPROVIDER
The session attribute name for storing the credential provider of the authentication- See Also:
-
SESSION_CREDENTIALPROVIDER_MODE
The session attribute name for storing the credential provider mode of the authentication: non-blocking=>false, blocking=>true- See Also:
-
SITEMAP_PARAMETER_TOKEN_MODE
The sitemap parameter to set the token mode of the action- See Also:
-
_userPopulationDAO
The DAO for user populations -
_userManager
The user manager -
_populationContextHelper
The helper for the associations population/context -
_currentUserProvider
The current user provider -
_acceptedUrlPatterns
url requires for authentication -
_authenticateTokenManager
The authentication token manager -
_observationManager
The observation manager
-
-
Constructor Details
-
AuthenticateAction
public AuthenticateAction()
-
-
Method Details
-
initialize
- Specified by:
initialize
in interfaceInitializable
- Throws:
Exception
-
act
public Map act(Redirector redirector, SourceResolver resolver, Map objectModel, String source, Parameters parameters) throws Exception -
_preFlightCheck
protected boolean _preFlightCheck(Redirector redirector, SourceResolver resolver, Map objectModel, String source, Parameters parameters) throws Exception Prepare authentication- Parameters:
redirector
- The redirectorresolver
- The source resolverobjectModel
- The object modelsource
- The sourceparameters
- The action parameters- Returns:
true
if a user was authenticated,false
otherwise- Throws:
Exception
- if failed to prepare the authentication
-
_handleAuthenticationToken
Authenticate a user using the token in request (if configured so)- Parameters:
request
- The requestparameters
- The action parameters- Returns:
- true if the user was authenticated
-
_getTokenFromRequest
Get the token from the request- Parameters:
request
- The request- Returns:
- The token from the request or null
-
_validateToken
Validate the given token- Parameters:
token
- The non empty token to validatecontext
- the context on which the token should be validated- Returns:
- The corresponding user identity or null
-
_prepareUserPopulationsAndCredentialProviders
protected boolean _prepareUserPopulationsAndCredentialProviders(Request request, Parameters parameters, Redirector redirector, List<UserPopulation> chosenUserPopulations, List<CredentialProvider> credentialProviders) throws ProcessingException, IOException Fill the list of available users populations and credential providers- Parameters:
request
- The requestparameters
- The action parametersredirector
- The cocoon redirectorchosenUserPopulations
- An empty non-null list to fill with with chosen populationscredentialProviders
- An empty non-null list to fill with chosen credential providers- Returns:
- true, if the population was determined, false if a redirection was required to choose
- Throws:
IOException
- If an error occurredProcessingException
- If an error occurred
-
getLoginURL
Get the url for the redirector to display the login screen- Parameters:
request
- The request- Returns:
- The url. Cannot be null or empty
-
getLoginURLParameters
Get the url for the redirector to display the login screen- Parameters:
request
- The requestbaseURL
- The url to complete with parameters- Returns:
- The url. Cannot be null or empty
-
getLogoutURL
Get the url for the redirector to display the logout screen- Parameters:
request
- The request- Returns:
- The url. Cannot be null or empty
-
_hasCredentialProviders
Determine if there is a list of credential providers to use- Parameters:
userPopulations
- The list of applicable user populations- Returns:
- true if credentialproviders can be used
-
_getAvailableUserPopulationsIds
Get the available populations for the given contexts- Parameters:
request
- The requestcontexts
- The contexts- Returns:
- The non-null list of populations
-
_getChosenUserPopulationId
protected String _getChosenUserPopulationId(Request request, List<UserPopulation> availableUserPopulations) Get the population for the given context- Parameters:
request
- The requestavailableUserPopulations
- The available users populations- Returns:
- The chosen population id. Can be null.
-
_process
protected boolean _process(Request request, boolean runningBlockingkMode, CredentialProvider runningCredentialProvider, int runningCredentialProviderIndex, Redirector redirector, List<UserPopulation> userPopulations) throws Exception Try to authenticate with this credential provider in this mode. Delegates to _doProcess- Parameters:
request
- The requestrunningBlockingkMode
- false for non-blocking mode, true for blocking moderunningCredentialProvider
- the Credential provider to testrunningCredentialProviderIndex
- The index of the currently tested credential providerredirector
- The cocoon redirectoruserPopulations
- The list of possible user populations- Returns:
- false if we should try with another Credential provider, true otherwise
- Throws:
Exception
- If an error occurred
-
_doProcess
protected boolean _doProcess(Request request, boolean runningBlockingkMode, CredentialProvider runningCredentialProvider, Redirector redirector, List<UserPopulation> userPopulations) throws Exception Try to authenticate with this credential provider in this mode- Parameters:
request
- The requestrunningBlockingkMode
- false for non-blocking mode, true for blocking moderunningCredentialProvider
- the Credential provider to testredirector
- The cocoon redirectoruserPopulations
- The list of possible user populations- Returns:
- false if we should try with another Credential provider, true otherwise
- Throws:
Exception
- If an error occurred
-
_handleWeakPassord
protected void _handleWeakPassord(Request request, Redirector redirector, UserIdentity userIdentity) throws Exception Handle weak password exception- Parameters:
request
- the requestredirector
- the redirectoruserIdentity
- the user identity with a weak password- Throws:
Exception
- if an error occurred
-
_logLoginEvent
Log login event- Parameters:
credentialProvider
- the running credential provideruserIdentity
- the user identity
-
_logLogoutEvent
Log logout event- Parameters:
userIdentity
- the user identity
-
_resetConnectingStateToSession
Reset the connecting information in session- Parameters:
request
- The request
-
_saveConnectingStateToSession
protected void _saveConnectingStateToSession(Request request, int runningCredentialProviderIndex, boolean runningBlockingkMode) When the process end successfully, save the state- Parameters:
request
- The requestrunningBlockingkMode
- false for non-blocking mode, true for blocking moderunningCredentialProviderIndex
- the currently tested credential provider
-
_setUserIdentityInSession
protected void _setUserIdentityInSession(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean blockingMode) Save user identity in request- Parameters:
request
- The requestuserIdentity
- The useridentity to savecredentialProvider
- The credential provider used to connectblockingMode
- The mode used for the credential provider
-
setUserIdentityInSession
public static void setUserIdentityInSession(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean blockingMode) Save user identity in request- Parameters:
request
- The requestuserIdentity
- The useridentity to savecredentialProvider
- The credential provider used to connectblockingMode
- The mode used for the credential provider
-
renewSession
Change the session id (for security purposes)- Parameters:
request
- The current request- Returns:
- The new session
-
_getUserIdentityFromSession
Get the user identity of the connected user from the session- Parameters:
request
- The request- Returns:
- The connected useridentity or null
-
getUserIdentityFromSession
Get the user identity of the connected user from the session- Parameters:
request
- The request- Returns:
- The connected useridentity or null
-
_getCredentialProviderFromSession
Get the credential provider used for the current connection- Parameters:
request
- The request- Returns:
- The credential provider used or null
-
getCredentialProviderFromSession
Get the credential provider used for the current connection- Parameters:
request
- The request- Returns:
- The credential provider used or null
-
_getCredentialProviderModeFromSession
Get the credential provider mode used for the current connection- Parameters:
request
- The request- Returns:
- The credential provider mode used or null
-
getCredentialProviderModeFromSession
Get the credential provider mode used for the current connection- Parameters:
request
- The request- Returns:
- The credential provider mode used or null
-
_isCurrentCredentialProviderInBlockingMode
If there is a running credential provider, was it in non-blocking or blocking mode?- Parameters:
request
- The request- Returns:
- false if non-blocking, true if blocking
-
skipCurrentCredentialProvider
Call this to skip the currently used credential provider and proceed to the next one. Useful for non blocking- Parameters:
request
- The request
-
_getCurrentCredentialProviderIndexFromParameter
Get the current credential provider index or -1 if there no running provider FROM REQUEST PARAMETER- Parameters:
request
- The request- Returns:
- The credential provider index to use in the availablesCredentialProviders list or -1 or null
-
_getCurrentCredentialProviderIndex
protected int _getCurrentCredentialProviderIndex(Request request, List<CredentialProvider> availableCredentialProviders) Get the current credential provider index or -1 if there no running provider- Parameters:
request
- The requestavailableCredentialProviders
- The list of available credential provider- Returns:
- The credential provider index to use in the availablesCredentialProviders list or -1
-
_getContexts
Get the authentication context- Parameters:
request
- The requestparameters
- The action parameters- Returns:
- The context
- Throws:
IllegalArgumentException
- If there is no context set
-
_internalRequest
Determine if the request is internal and do not need authentication- Parameters:
request
- The request- Returns:
- true to bypass this authentication
-
_acceptedUrl
Determine if the request is one of the authentication process (except the credential providers)- Parameters:
request
- The request- Returns:
- true to bypass this authentication
-
_validateCurrentlyConnectedUser
protected boolean _validateCurrentlyConnectedUser(Request request, Redirector redirector, Parameters parameters) throws Exception This method ensure that there is a currently connected user and that it is still valid- Parameters:
request
- The requestredirector
- The cocoon redirectorparameters
- The action parameters- Returns:
- true if the user is connected and valid
- Throws:
Exception
- if an error occurred
-
_validateCurrentlyConnectedUserIsInAuthorizedPopulation
protected void _validateCurrentlyConnectedUserIsInAuthorizedPopulation(UserIdentity userCurrentlyConnected, Request request, Parameters parameters) This method is the second part of the process that ensure that there is a currently connected user and that it is still valid- Parameters:
userCurrentlyConnected
- The user to testrequest
- The requestparameters
- The action parameters
-
_handleLogout
protected boolean _handleLogout(Redirector redirector, Map objectModel, String source, Parameters parameters) throws Exception Test if user wants to logout and handle it- Parameters:
redirector
- The cocoon redirectorobjectModel
- The cocoon object modelsource
- The sitemap sourceparameters
- The sitemap parameters- Returns:
- true if the user was logged out
- Throws:
Exception
- if an error occurred
-
_getUserIdentity
protected UserIdentity _getUserIdentity(List<UserPopulation> userPopulations, UserIdentity potentialUserIdentity, Redirector redirector, boolean runningBlockingkMode, CredentialProvider runningCredentialProvider) throws Exception Check the authentications of the authentication manager- Parameters:
userPopulations
- The list of available matching populationsredirector
- The cocoon redirectorrunningBlockingkMode
- false for non-blocking mode, true for blocking moderunningCredentialProvider
- The Credential provider to testpotentialUserIdentity
- A possible user identity. Population can be null. User may not exist either.- Returns:
- The user population matching credentials or null
- Throws:
Exception
- If an error occurredAccessDeniedException
- If the user is rejected
-