Jive Forums API (5.5.20.2-oracle) Core Javadocs

com.jivesoftware.base
Class AuthFactory

java.lang.Object
  extended by com.jivesoftware.base.AuthFactory

public abstract class AuthFactory
extends java.lang.Object

An abstract class that defines a framework for providing authentication services in Jive. The static getAuthToken(String, String), getAuthToken(HttpServletRequest, HttpServletResponse), and getAnonymousAuthToken() methods should be called directly from applications using Jive in order to obtain an AuthToken.

Users of Jive that wish to change the AuthFactory implementation used to generate tokens can set the AuthFactory.className Jive property. For example, if you have altered Jive to use LDAP for user information, you'd want to write a custom implementation of AuthFactory to make LDAP authToken queries. After changing the AuthFactory.className Jive property, you must restart your application server.

The getAuthToken method that takes servlet request and response objects as arguments can be used to implement single sign-on. Additionally, two helper methods are provided for securely encrypting and decrypting login information so that it can be stored as a cookie value to implement auto-login.


Field Summary
protected static com.jivesoftware.util.EncryptionUtil cipher
           
static java.lang.String COOKIE_AUTOLOGIN
          Name of the cookie used to store user info for auto-login purposes.
static java.lang.String COOKIE_JIVE_SERVER_INFO
          Cookie used for things like akamai to tell information about a specific server.
static java.lang.String COOKIE_LOGGED_IN
          Cookie used to show that the current user is logged in.
static java.lang.String SESSION_AUTHORIZATION
          Name of the key in a user's session that AuthToken tokens are customarily stored at.
 
Constructor Summary
AuthFactory()
           
 
Method Summary
protected  void addServerInfoCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
protected  void checkAuthorization(AuthToken authToken, javax.servlet.http.HttpServletRequest request)
          Checks if the specified AuthToken is authorized.
static void checkIfBanned(AuthToken authToken, javax.servlet.http.HttpServletRequest request)
          Checks whether the user is banned.
protected  void clearSessionUserInfo(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Concrete subclasses may wish to override this method to destroy session info as appropriate.
protected abstract  AuthToken createAnonymousAuthToken()
          Creates anonymous AuthToken tokens.
protected  AuthToken createAuthToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Creates AuthToken tokens based on information from servlet request and response objects.
protected abstract  AuthToken createAuthToken(java.lang.String username, java.lang.String password)
          Creates AuthToken tokens for users.
protected  AuthToken createSessionUserInfo(java.lang.String username, java.lang.String password, boolean autoLogin, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Concrete subclasses may wish to override this method to create session info as appropriate.
static java.lang.String[] decryptAuthInfo(java.lang.String value)
          Utility method that decrypts a String built by the encryptAuthInfo method containing a username and password.
static java.lang.String encryptAuthInfo(java.lang.String username, java.lang.String password)
          Utility method that builds an encrypted String containing a username and password, which is useful for storing as a cookie.
static void forceReload()
          Method used internally by Jive.
static AuthToken getAnonymousAuthToken()
          Returns an anonymous user AuthToken.
static AuthToken getAuthToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Returns the AuthToken token associated with the information in a servlet request and response object.
static AuthToken getAuthToken(java.lang.String username, java.lang.String password)
          Returns the AuthToken token associated with the specified username and password.
protected static java.lang.String getServerInfoCookieProperty(javax.naming.InitialContext ctx, java.lang.String property, java.lang.String defaultVal)
          Looks for a property for the jive.server.info cookie in the initial context under java:comp/env/jive/{myprop}; if it is not found there, checks the Jive local properties for the property under jive.server.info.
static AuthToken loginUser(java.lang.String username, java.lang.String password, boolean autoLogin, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Logs a user in and creates the appropriate session variables and/or cookies to keep state.
static void logoutUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Logs a user out and destroys or resets the appropriate session variables and/or cookies that keep state.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SESSION_AUTHORIZATION

public static final java.lang.String SESSION_AUTHORIZATION
Name of the key in a user's session that AuthToken tokens are customarily stored at.

See Also:
Constant Field Values

COOKIE_AUTOLOGIN

public static final java.lang.String COOKIE_AUTOLOGIN
Name of the cookie used to store user info for auto-login purposes.

See Also:
Constant Field Values

COOKIE_LOGGED_IN

public static final java.lang.String COOKIE_LOGGED_IN
Cookie used to show that the current user is logged in. This is used for things such as caching for Akamai.

See Also:
Constant Field Values

COOKIE_JIVE_SERVER_INFO

public static final java.lang.String COOKIE_JIVE_SERVER_INFO
Cookie used for things like Akamai to tell information about a specific server.

See Also:
Constant Field Values

cipher

protected static com.jivesoftware.util.EncryptionUtil cipher

Constructor Detail

AuthFactory

public AuthFactory()

Method Detail

getAuthToken

public static AuthToken getAuthToken(java.lang.String username,
                                     java.lang.String password)
                              throws UnauthorizedException
Returns the AuthToken token associated with the specified username and password. If the username and password do not match the record of any user in the system, the method throws an UnauthorizedException.

When using most implementations of this class, authToken tokens should be cached. A convenient place to store a token is often in the HttpSession.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

getAuthToken

public static AuthToken getAuthToken(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
                              throws UnauthorizedException
Returns the AuthToken token associated with the information in a servlet request and response object. This is useful for systems that store login information in a user's session or as a cookie, and can also be used to implement single sign-on in Jive. If no authentication information is found, the method throws an UnauthorizedException.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
the AuthToken token associated with the information in a servlet request and response object
Throws:
UnauthorizedException - if no authToken information is found.

getAnonymousAuthToken

public static AuthToken getAnonymousAuthToken()
Returns an anonymous user AuthToken.

Returns:
an anonymous AuthToken token.

encryptAuthInfo

public static java.lang.String encryptAuthInfo(java.lang.String username,
                                               java.lang.String password)
Utility method that builds an encrypted String containing a username and password, which is useful for storing as a cookie. This is a cryptographically secure algorithm that uses a 56-bit DES key. The standard cookie name used by Jive for this information is stored in AuthFactory.COOKIE_AUTOLOGIN.

Parameters:
username - the username to encode.
password - the password to encode.
Returns:
an encrypted String containing the input parameters.

decryptAuthInfo

public static java.lang.String[] decryptAuthInfo(java.lang.String value)
                                          throws javax.crypto.IllegalBlockSizeException
Utility method that decrypts a String built by the encryptAuthInfo method containing a username and password. This is a cryptographically secure algorithm that uses a 56-bit DES key. The standard cookie name used by Jive for this information is stored in AuthFactory.COOKIE_AUTOLOGIN.

Parameters:
value - the encrypted String.
Returns:
String[] containing the username at index 0 and the password at index 1, or { null, null } if value equals null or the empty string.
Throws:
javax.crypto.IllegalBlockSizeException - if the block size isn't a valid value

createAuthToken

protected abstract AuthToken createAuthToken(java.lang.String username,
                                             java.lang.String password)
                                      throws UnauthorizedException
Creates AuthToken tokens for users. This method must be implemented by concrete subclasses of AuthFactory.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

createAuthToken

protected AuthToken createAuthToken(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
                             throws UnauthorizedException
Creates AuthToken tokens based on information from servlet request and response objects. This method is optionally implemented by concrete subclasses of AuthFactory.

If this method is not overridden by a concrete subclass of AuthFactory, then the following default behavior will be used to search for login information:

  • Look for an AuthToken object in the session using the session name AuthFactory.SESSION_AUTHORIZATION. Return it if found.
  • Look for encrypted login information at the cookie value named AuthFactory.COOKIE_AUTOLOGIN. Return an AuthToken object built using that info if found.
  • Throw an UnauthorizedException if the previous two steps failed or if the authToken returned would be anonymous.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
An AuthToken based on information in the request/response objects
Throws:
UnauthorizedException - if no authToken information is found.
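An added example (not Jive's own code) of a subclass that implements the default lookup order described above for the servlet-based createAuthToken. It assumes AuthToken exposes isAnonymous() and that UnauthorizedException has a no-arg constructor, and stays abstract so a concrete backend still provides createAuthToken(String, String) and createAnonymousAuthToken().

```java
import javax.crypto.IllegalBlockSizeException;
import javax.servlet.http.*;
import com.jivesoftware.base.AuthFactory;
import com.jivesoftware.base.AuthToken;
import com.jivesoftware.base.UnauthorizedException;

// Added example, not Jive code. Same session -> auto-login cookie -> reject order
// as the documented default, but a malformed COOKIE_AUTOLOGIN value is expired and
// treated as "not logged in" instead of escaping as IllegalBlockSizeException.
// Assumes AuthToken.isAnonymous() and a no-arg UnauthorizedException constructor.
public abstract class CookieFallbackAuthFactory extends AuthFactory {

    protected AuthToken createAuthToken(HttpServletRequest request,
                                        HttpServletResponse response)
            throws UnauthorizedException {
        // 1. A non-anonymous token already cached in the session wins.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object cached = session.getAttribute(SESSION_AUTHORIZATION);
            if (cached instanceof AuthToken && !((AuthToken) cached).isAnonymous()) {
                return (AuthToken) cached;
            }
        }
        // 2. Otherwise look for the encrypted auto-login cookie.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (!COOKIE_AUTOLOGIN.equals(c.getName())) {
                    continue;
                }
                try {
                    String[] creds = decryptAuthInfo(c.getValue());
                    if (creds[0] != null && creds[1] != null) {
                        AuthToken token = createAuthToken(creds[0], creds[1]);
                        checkAuthorization(token, request); // unvalidated or banned: throws
                        return token;
                    }
                } catch (IllegalBlockSizeException e) {
                    // Tampered or truncated cookie: expire it and fall through.
                    Cookie expired = new Cookie(COOKIE_AUTOLOGIN, "");
                    expired.setMaxAge(0);
                    expired.setPath("/");
                    response.addCookie(expired);
                }
            }
        }
        // 3. Nothing usable: callers must treat the user as unauthenticated.
        throw new UnauthorizedException();
    }
}
```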

createAnonymousAuthToken

protected abstract AuthToken createAnonymousAuthToken()
Creates anonymous AuthToken tokens. This method must be implemented by concrete subclasses of AuthFactory.

Returns:
an anonymous AuthToken token.

loginUser

public static AuthToken loginUser(java.lang.String username,
                                  java.lang.String password,
                                  boolean autoLogin,
                                  javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response)
                           throws UnauthorizedException
Logs a user in and creates the appropriate session variables and/or cookies to keep state. An AuthToken is returned upon a successful login; an UnauthorizedException is thrown if the login was not successful.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
autoLogin - whether autoLogin capability is requested or not.
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

createSessionUserInfo

protected AuthToken createSessionUserInfo(java.lang.String username,
                                          java.lang.String password,
                                          boolean autoLogin,
                                          javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response)
                                   throws UnauthorizedException
Concrete subclasses may wish to override this method to create session info as appropriate. For instance, a subclass may override this method to set the appropriate single sign-on cookie.

Parameters:
username - the username to create an AuthToken with.
password - the password to create an AuthToken with.
autoLogin - whether autoLogin capability is requested or not.
request - a HttpServletRequest object.
response - a HttpServletResponse object.
Returns:
an AuthToken token if the username and password are correct.
Throws:
UnauthorizedException - if the username and password do not match any existing user.

addServerInfoCookie

protected void addServerInfoCookie(javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)

checkAuthorization

protected void checkAuthorization(AuthToken authToken,
                                  javax.servlet.http.HttpServletRequest request)
                           throws UnauthorizedException
Checks if the specified AuthToken is authorized. If the AuthToken is not authorized, this method will throw an UnauthorizedException. An AuthToken that has not been validated or that has been banned from logging into the system will not be authorized. This method can be extended to provide additional AuthToken authorization.

Parameters:
authToken - the auth token to check
request - the current request
Throws:
UnauthorizedException - if the auth token is not authorized

checkIfBanned

public static void checkIfBanned(AuthToken authToken,
                                 javax.servlet.http.HttpServletRequest request)
Checks whether the user is banned; a banned user causes an UnauthorizedException (a JiveRuntimeException) to be thrown.

Parameters:
authToken - the auth token
request - the HttpServletRequest
Throws:
UnauthorizedException

logoutUser

public static void logoutUser(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response)
Logs a user out and destroys or resets the appropriate session variables and/or cookies that keep state.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.

forceReload

public static void forceReload()
Method used internally by Jive. Do NOT use this method. Allows the class to be re-initialized.

clearSessionUserInfo

protected void clearSessionUserInfo(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
Concrete subclasses may wish to override this method to destroy session info as appropriate. For instance, a subclass may override this method to set the appropriate single sign-on cookie to denote that the user is no longer logged in.

Parameters:
request - a HttpServletRequest object.
response - a HttpServletResponse object.

getServerInfoCookieProperty

protected static java.lang.String getServerInfoCookieProperty(javax.naming.InitialContext ctx,
                                                              java.lang.String property,
                                                              java.lang.String defaultVal)
Looks for a property for the jive.server.info cookie in the initial context under java:comp/env/jive/{myprop}; if it is not found there, checks the Jive local properties for the property under jive.server.info.{myprop}.

Parameters:
ctx - used to look up values in the JNDI context
property - the property to look up
defaultVal - the default value if no value is found
Returns:
the value found

Copyright © 1999-2006 Jive Software.