BEA Systems, Inc.

WebLogic Server 8.1 API Reference

weblogic.servlet.security
Class ServletAuthentication

java.lang.Object
  |
  +--weblogic.servlet.security.ServletAuthentication

public final class ServletAuthentication
extends java.lang.Object

ServletAuthentication allows both form-based authentication and programmatic authentication in servlets. It performs the authentication call through the Realm and sets the user information into the session. The weak() methods are for password authentication and the strong() methods are for certificate-based authentication; the latter is available only over two-way SSL connections, where the client certificate chain serves as the credential.

Author:
Copyright © 2002 BEA Systems, Inc. All Rights Reserved.

Field Summary
static int AUTHENTICATED
          Return value of a successful authentication
static int FAILED_AUTHENTICATION
          Return value of an unsuccessful authentication
static int NEEDS_CREDENTIALS
          Deprecated.  
 
Constructor Summary
ServletAuthentication(java.lang.String usernameField, java.lang.String passwordField)
          Constructs a ServletAuthentication object which will look for specific form fields inside the HttpRequest for the username and password.
 
Method Summary
static int authenticate(javax.security.auth.callback.CallbackHandler handler, javax.servlet.http.HttpServletRequest request)
          Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION.
static int authObject(java.lang.String username, java.lang.Object credential, javax.servlet.http.HttpServletRequest request)
          Deprecated.  
static int authObject(java.lang.String username, java.lang.Object credential, javax.servlet.http.HttpSession session, javax.servlet.http.HttpServletRequest request)
          Deprecated.  
 void done(javax.servlet.http.HttpServletRequest request)
          This "logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.
static java.lang.String getTargetURLForFormAuthentication(javax.servlet.http.HttpSession session)
          This method returns the target URL stored in the first step of Form based authentication.
static boolean invalidateAll(javax.servlet.http.HttpServletRequest req)
          Invalidate all the sessions for the current user only (i.e. the current cookie) and, since the cookie is no longer required, kill the cookie too.
static void killCookie(javax.servlet.http.HttpServletRequest req)
          Kills the current cookie
static boolean logout(javax.servlet.http.HttpServletRequest req)
          This "logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.
static void runAs(javax.security.auth.Subject subject, javax.servlet.http.HttpServletRequest request)
          With a given subject, this method sets the current thread identity and current session identity.
 int strong(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Strong authentication using the client-side certificate chain as the credential for authentication against the "weblogic" (default) realm.
 int strong(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String realmName)
          Strong authentication using the client-side certificate chain as the credential for authentication.
 int weak(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after pulling the username and password from the request, authenticating the user and setting it into the session.
static int weak(java.lang.String username, java.lang.String password, javax.servlet.http.HttpServletRequest request)
          Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session.
static int weak(java.lang.String username, java.lang.String password, javax.servlet.http.HttpSession session)
          Deprecated.  
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

AUTHENTICATED

public static final int AUTHENTICATED
Return value of a successful authentication

FAILED_AUTHENTICATION

public static final int FAILED_AUTHENTICATION
Return value of an unsuccessful authentication

NEEDS_CREDENTIALS

public static final int NEEDS_CREDENTIALS
Deprecated.  
Return value of an unsuccessful authentication due to no credentials.
Constructor Detail

ServletAuthentication

public ServletAuthentication(java.lang.String usernameField,
                             java.lang.String passwordField)
Constructs a ServletAuthentication object which will look for specific form fields inside the HttpRequest for the username and password.
Method Detail

done

public void done(javax.servlet.http.HttpServletRequest request)
This "logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.

Parameters:
request - HttpServletRequest which contains the session

logout

public static boolean logout(javax.servlet.http.HttpServletRequest req)
This "logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.

Parameters:
req - HttpServletRequest which contains the session

invalidateAll

public static boolean invalidateAll(javax.servlet.http.HttpServletRequest req)
Invalidate all the sessions for the current user only (i.e. the current cookie) and, since the cookie is no longer required, kill the cookie too.

Parameters:
req - HttpServletRequest which contains the session

killCookie

public static void killCookie(javax.servlet.http.HttpServletRequest req)
Kills the current cookie

Parameters:
req - HttpServletRequest which contains the session

strong

public int strong(javax.servlet.http.HttpServletRequest request,
                  javax.servlet.http.HttpServletResponse response)
           throws javax.servlet.ServletException,
                  java.io.IOException
Strong authentication using the client-side certificate chain as the credential for authentication against the "weblogic" (default) realm.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
Returns:
int authentication value
Throws:
javax.servlet.ServletException -  
java.io.IOException -  

strong

public int strong(javax.servlet.http.HttpServletRequest request,
                  javax.servlet.http.HttpServletResponse response,
                  java.lang.String realmName)
           throws javax.servlet.ServletException,
                  java.io.IOException
Strong authentication using the client-side certificate chain as the credential for authentication.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
realmName - String name of the realm to authenticate against
Returns:
int authentication value
Throws:
javax.servlet.ServletException -  
java.io.IOException -  

weak

public int weak(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response)
         throws javax.servlet.ServletException,
                java.io.IOException
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after pulling the username and password from the request, authenticating the user and setting it into the session.

This weak() method, unlike the others, is not static. It requires that the ServletAuthentication object be instantiated with the field names for the username and password inside the form.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
Returns:
int authentication value
Throws:
javax.servlet.ServletException -  
java.io.IOException -  

weak

public static int weak(java.lang.String username,
                       java.lang.String password,
                       javax.servlet.http.HttpServletRequest request)
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session.

Parameters:
username - String
password - String
request - HttpServletRequest
Returns:
int authentication value

weak

public static int weak(java.lang.String username,
                       java.lang.String password,
                       javax.servlet.http.HttpSession session)
Deprecated.  
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session. Note: This method has been deprecated. Use weak(username, password, request) instead.

Parameters:
username - String
password - String
session - HttpSession
Returns:
int authentication value

authObject

public static int authObject(java.lang.String username,
                             java.lang.Object credential,
                             javax.servlet.http.HttpServletRequest request)
Deprecated.  
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and credential object to authenticate the user and setting that user information into the session. This method has been deprecated. Use authenticate(CallbackHandler, HttpServletRequest) instead.

Parameters:
username - String
credential - Object
request - HttpServletRequest
Returns:
int authentication value

authObject

public static int authObject(java.lang.String username,
                             java.lang.Object credential,
                             javax.servlet.http.HttpSession session,
                             javax.servlet.http.HttpServletRequest request)
Deprecated.  
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and credential object to authenticate the user and setting that user information into the session. This method has been deprecated. Use authenticate(CallbackHandler, HttpServletRequest) instead.

Parameters:
username - String
credential - Object
session - HttpSession
request - HttpServletRequest
Returns:
int authentication value

authenticate

public static int authenticate(javax.security.auth.callback.CallbackHandler handler,
                               javax.servlet.http.HttpServletRequest request)
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION. This method is intended for use when you have plugged in custom LoginModules. The callback handler you supply here must be able to handle the callbacks generated by your LoginModule. This method creates a session if one does not already exist.

Parameters:
handler - javax.security.auth.callback.CallbackHandler
request - HttpServletRequest
Returns:
int authentication value
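
The following is an added example, not code from the WebLogic documentation: a CallbackHandler that answers the NameCallback and PasswordCallback a typical custom LoginModule issues, wired to authenticate(CallbackHandler, HttpServletRequest). The class name FormCallbackHandler and the form field names j_username and j_password are assumptions; any other callback type is rejected rather than silently ignored, and the password copy is cleared once the attempt is over.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;
import weblogic.servlet.security.ServletAuthentication;

// Hypothetical handler for use with ServletAuthentication.authenticate(). Written in
// JDK 1.4 style (no generics / enhanced for) to match the WebLogic 8.1 era.
public final class FormCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    public FormCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    // Supplies the name and password to whichever callbacks the LoginModule asks for.
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                ((NameCallback) callbacks[i]).setName(username);
            } else if (callbacks[i] instanceof PasswordCallback) {
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                // A callback this handler does not understand is a configuration error.
                throw new UnsupportedCallbackException(callbacks[i], "unsupported callback");
            }
        }
    }

    // Overwrite the password copy held by this handler.
    public void clear() {
        java.util.Arrays.fill(password, '\0');
    }

    // Returns true only on AUTHENTICATED; any other value (including the deprecated
    // NEEDS_CREDENTIALS) is treated as a failed login.
    public static boolean login(HttpServletRequest request) {
        String user = request.getParameter("j_username");   // assumed field name
        String pass = request.getParameter("j_password");   // assumed field name
        if (user == null || pass == null) {
            return false;
        }
        FormCallbackHandler handler = new FormCallbackHandler(user, pass.toCharArray());
        try {
            int result = ServletAuthentication.authenticate(handler, request);
            return result == ServletAuthentication.AUTHENTICATED;
        } finally {
            handler.clear();
        }
    }
}
```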

runAs

public static void runAs(javax.security.auth.Subject subject,
                         javax.servlet.http.HttpServletRequest request)
With a given subject, this method sets the current thread identity and current session identity. It is intended for logging in when you already have a Subject.

Parameters:
subject - javax.security.auth.Subject
request - HttpServletRequest

getTargetURLForFormAuthentication

public static java.lang.String getTargetURLForFormAuthentication(javax.servlet.http.HttpSession session)
This method returns the target URL stored in the first step of Form based authentication. This allows users to handle the login process programmatically.

Parameters:
session - HttpSession
Returns:
Target URL for form based authentication
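
An added example, not code from the WebLogic documentation, showing the programmatic form-login flow this page describes end to end: the non-static weak() reading the username and password fields named in the constructor, the result compared explicitly against AUTHENTICATED, the redirect taken from getTargetURLForFormAuthentication(), and logout via invalidateAll(). The servlet name, the form field names j_username and j_password, and the /login.jsp and /home paths are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import weblogic.servlet.security.ServletAuthentication;

// Hypothetical servlet: POST performs the login, GET /logout ends every session of the user.
public class ProgrammaticLoginServlet extends HttpServlet {

    // The instance weak() method needs the form field names up front (assumed names).
    private final ServletAuthentication auth =
            new ServletAuthentication("j_username", "j_password");

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        int result = auth.weak(request, response);

        // Compare against AUTHENTICATED, not "!= FAILED_AUTHENTICATION": the deprecated
        // NEEDS_CREDENTIALS is a third possible value and must not count as success.
        if (result != ServletAuthentication.AUTHENTICATED) {
            // Generic failure message; do not echo the submitted username back.
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1");
            return;
        }

        // On success, go back to the page the user originally asked for, if the
        // container recorded one in the first step of form-based authentication.
        HttpSession session = request.getSession(false);
        String target = (session == null) ? null
                : ServletAuthentication.getTargetURLForFormAuthentication(session);
        if (target == null || target.length() == 0) {
            target = request.getContextPath() + "/home";   // assumed default page
        }
        response.sendRedirect(target);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("/logout".equals(request.getPathInfo())) {
            // Ends all of this user's sessions and removes the cookie, rather than
            // logout(), which leaves the remaining session data in place.
            ServletAuthentication.invalidateAll(request);
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
```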

Documentation is available at
http://download.oracle.com/docs/cd/E13222_01/wls/docs81b