The LoginUser Web service calls the loginUser method in the underlying atg.userprofiling.ProfileServices implementation. The loginUser method behaves the same way as the handleLogin method in the ProfileFormHandler (see The ProfileForm Class). Note that loginUser should be called only in the context of an HTTP request; otherwise an error occurs.
loginUser takes the supplied login name and password and uses them to locate a valid profile. To do this, it calls the following methods:
preLoginUser(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
doLoginUser(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
postLoginUser(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
The preLoginUser and postLoginUser methods are similar to the ProfileFormHandler’s preLoginUser and postLoginUser methods, which are stubs designed to allow subclasses to control login logic before and after the login process. You can write extensions to this code by overriding these methods with your own custom subclasses.
Unlike the ProfileFormHandler, the loginUser Web service immediately propagates to the caller any errors that occur during processing. Errors are not stored and shown to the user because the caller in this case is an RPC client that does not have access to a request/response pair. (The ProfileFormHandler, by contrast, expects to have its errors shown on an HTML page where the user can correct them and resubmit.) This error-handling behavior is used by all profile-related Web services that mimic ProfileFormHandler functionality.
The loginUser method acts as follows:
If pIsPasswordEncrypted is true, the loginUser method checks to see if a valid password encryption conversation has occurred in this session. If not, a ServletException is thrown.
loginUser calls the preLoginUser method, which checks that the session associated with the current profile is not transient and then does the following:
If the current profile’s login does not match the login that was passed to the Web service, the current profile is logged out, and its session is expired.
If the login and password given to the Web service match those in the current profile, it is assumed that the same user is logging in again. In this case, an exception is thrown so that login events and profile cookies are not resent. In addition, the securityStatus of the profile is reset to the login securityStatus (if securityStatus is enabled).
If the password passed to the Web service does not match the password stored for the given login name, a ServletException is thrown.
loginUser calls doLoginUser, which attempts to authenticate the user based on the given credentials. It forward-hashes the stored password for the given user with a hashKey initialized during the password encryption conversation and compares it to the password argument. If this check succeeds, the RepositoryItem for that user is set as the current profile’s data source, and repository properties are copied and/or added from the guest user’s profile to the authenticated user’s profile.
The profile ID is returned for the user who just logged in.
If the password encryption comparison fails, indicating that either the login name or the password was invalid, null is returned by doLoginUser.
The loginUser method calls the postLoginUser method, which sends a login event if configured to do so (set generateLoginEvents to true in the ProfileServices component). It also sends profile cookies if necessary, sets the security status for the logged-in profile, and changes the request locale to reflect the logged-in profile’s locale.
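The following is an added, self-contained sketch of the forward-hash comparison described for doLoginUser above; it is not ATG code and does not use the ATG API. Assumptions: the class and method names are hypothetical, HMAC-SHA-256 stands in for the forward hash (the page does not name the algorithm), the stored password is modelled as a SHA-256 digest, the hashKey is treated as single-use, an IllegalStateException stands in for the ServletException, and all logins, session IDs and profile IDs are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ForwardHashLoginSketch {
    // Constructed sample data: login -> stored password hash, login -> profile ID.
    static final Map<String, byte[]> STORED = new HashMap<>();
    static final Map<String, String> PROFILE_IDS = new HashMap<>();
    // Session ID -> hashKey issued by the modelled password encryption conversation.
    static final Map<String, byte[]> HASH_KEYS = new HashMap<>();
    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }
    // Assumption: HMAC-SHA-256 keyed with the session hashKey plays the forward hash.
    static byte[] forwardHash(byte[] hashKey, byte[] storedHash) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(hashKey, "HmacSHA256"));
        return mac.doFinal(storedHash);
    }
    // Models the conversation: a fresh random hashKey is bound to the session.
    static byte[] startConversation(String sessionId) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        HASH_KEYS.put(sessionId, key);
        return key;
    }
    // Returns the profile ID on success, null for a bad login name or password.
    static String login(String sessionId, String login, byte[] proof) throws Exception {
        byte[] key = HASH_KEYS.remove(sessionId); // single use, so a captured proof cannot be replayed
        if (key == null) throw new IllegalStateException("no password encryption conversation in this session");
        byte[] stored = STORED.get(login);
        // Unknown logins are hashed against a dummy value so both failure paths do the same work.
        byte[] expected = forwardHash(key, stored != null ? stored : new byte[32]);
        return (MessageDigest.isEqual(expected, proof) && stored != null) ? PROFILE_IDS.get(login) : null;
    }

    public static void main(String[] args) throws Exception {
        STORED.put("alice", sha256("correct horse"));
        PROFILE_IDS.put("alice", "profile-100");
        byte[] k1 = startConversation("session-1"); // client hashes the correct password
        System.out.println(login("session-1", "alice", forwardHash(k1, sha256("correct horse"))));
        byte[] k2 = startConversation("session-2"); // client hashes a wrong password
        System.out.println(login("session-2", "alice", forwardHash(k2, sha256("wrong"))));
    }
}
```

An RPC client of such a service has to handle both outcomes separately: a thrown exception when no conversation exists in the session, and a null return when the comparison fails.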