© 2002 BEA Systems, Inc.

com.bea.p13n.security
Class Authentication

java.lang.Object
  |
  +--com.bea.p13n.security.Authentication
public final class Authentication
extends java.lang.Object

Central place to handle authentication issues. Use this class to handle login, logout, and authentication of users. Can also do some basic tests on Subjects and Principals. In many cases, the methods in this class are thin wrappers over similar functionality available in other WebLogic classes. This class centralizes these functions and allows some convenience groupings for particular usages.

Field Summary
static com.bea.p13n.i18n.AuthenticationExceptionTextFormatter formatter
          Text formatter for i18n.
 
Method Summary
static javax.security.auth.Subject authenticate(java.lang.String username, java.lang.String password)
          Authenticate a user and return the authenticated Subject.
static javax.security.auth.Subject getAnonymousSubject()
          Get a Subject representing an Anonymous user
static javax.security.auth.Subject getCurrentSubject()
          Get the current logged in user.
static java.security.Principal getUserPrincipal(javax.security.auth.Subject subject)
          Get the Principal representing the given Subject.
static boolean isAdministrator(javax.security.auth.Subject subject)
          Test if the given Subject represents a server Administrator
static boolean isAnonymous(java.security.Principal principal)
          Test if the given Principal represents the Anonymous user
static boolean isAnonymous(javax.security.auth.Subject subject)
          Test if the given Subject represents an Anonymous user
static void login(java.lang.String username, java.lang.String password, javax.servlet.http.HttpServletRequest request)
          Log in the user to a webapp.
static void logout(javax.servlet.http.HttpServletRequest request)
          Same as logout( request, true )
static void logout(javax.servlet.http.HttpServletRequest request, boolean invalidateSessions)
          Logout the user.
static java.lang.Object runAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action)
          Execute a PrivilegedAction as a particular user.
static java.lang.Object runAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action)
          Execute a PrivilegedExceptionAction as a particular user.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

formatter

public static final com.bea.p13n.i18n.AuthenticationExceptionTextFormatter formatter
Text formatter for i18n.
Method Detail

login

public static void login(java.lang.String username,
                         java.lang.String password,
                         javax.servlet.http.HttpServletRequest request)
                  throws javax.security.auth.login.LoginException
Log in the user to a webapp. This authenticates the user and sets the authentication information in the user's Servlet Session so the server knows who they are when they come back on the next request. The user is pushed onto this thread so that further operations invoked by this thread are executed as this user. Note that this only does authentication and does not check authorization (that is, if the user is in a particular role or group). The Principal for the newly logged in user can be obtained by calling request.getUserPrincipal().

Parameters:
username - The username of the user to login
password - The password for that user (as cleartext)
request - The HttpServletRequest containing the session to be logged in
Throws:
javax.security.auth.login.LoginException - if the authentication failed

logout

public static void logout(javax.servlet.http.HttpServletRequest request,
                          boolean invalidateSessions)
Logout the user. This causes the user to be removed from Servlet Session (on all single-signon webapps) as well as from the thread. If the invalidateSession flag is true, then the user's sessions (on all single-signon webapps) are invalidated. Otherwise, only the authentication information is removed from the sessions but other session data is left intact. Note that if you want to logout and invalidate only this webapp's session (not other single-signon webapps), you can call logout(request,false), then call request.getSession().invalidate().

Parameters:
request - the HttpServletRequest that contains the session to be logged out.
invalidateSession - if true, the session is invalidated (on all single-signon webapps). Otherwise the session and its data are left intact (except for authentication information used internally by the server).

logout

public static void logout(javax.servlet.http.HttpServletRequest request)
Same as logout( request, true )

See Also:
logout(HttpServletRequest,boolean)

authenticate

public static javax.security.auth.Subject authenticate(java.lang.String username,
                                                       java.lang.String password)
                                                throws javax.security.auth.login.LoginException
Authenticate a user and return the authenticated Subject.

Parameters:
username - The username of the user to authenticate
password - The password for that user (as cleartext)
Returns:
the Subject representing the authenticated user
Throws:
javax.security.auth.login.LoginException - if the user is not valid

runAs

public static java.lang.Object runAs(javax.security.auth.Subject subject,
                                     java.security.PrivilegedAction action)
Execute a PrivilegedAction as a particular user. Subject.doAs() changes the Java 2 identity as described in Java 2 spec. This runAs method sets the WebLogic identity. The two identities are not related except that they both use a Subject to specify the user.

runAs

public static java.lang.Object runAs(javax.security.auth.Subject subject,
                                     java.security.PrivilegedExceptionAction action)
                              throws java.security.PrivilegedActionException
Execute a PrivilegedExceptionAction as a particular user. Subject.doAs() changes the Java 2 identity as described in Java 2 spec. This runAs method sets the WebLogic identity. The two identities are not related except that they both use a Subject to specify the user.

getCurrentSubject

public static javax.security.auth.Subject getCurrentSubject()
Get the current logged in user. You should use HttpServletRequest.getUserPrincipal or EJBContext.getCallerPrincipal where possible. But if you need a Subject or can not access the ServletRequest or EJBContext, you can use this method. To see if a user is logged in, test isAnonymous( getCurrentSubject ).

getAnonymousSubject

public static javax.security.auth.Subject getAnonymousSubject()
Get a Subject representing an Anonymous user

getUserPrincipal

public static java.security.Principal getUserPrincipal(javax.security.auth.Subject subject)
Get the Principal representing the given Subject.

isAnonymous

public static boolean isAnonymous(javax.security.auth.Subject subject)
Test if the given Subject represents an Anonymous user

isAnonymous

public static boolean isAnonymous(java.security.Principal principal)
Test if the given Principal represents the Anonymous user

isAdministrator

public static boolean isAdministrator(javax.security.auth.Subject subject)
Test if the given Subject represents a server Administrator
© 2002 BEA Systems, Inc.
Copyright © 2002 BEA Systems, Inc. All Rights Reserved