The LoginUser Web service calls the loginUser method in the underlying atg.userprofiling.ProfileServices implementation. The loginUser method behaves the same way as the handleLogin method in the ProfileFormHandler (see The ProfileForm Class). Note that loginUser should be called only in the context of an HTTP request; otherwise an error occurs.
loginUser takes the supplied login name and password and uses them to locate a valid profile. To do this, it calls the following methods:
preLoginUser(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
doLoginUser(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
postLoginUser(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
The preLoginUser and postLoginUser methods are similar to the ProfileFormHandler’s preLoginUser and postLoginUser methods, which are stubs designed to allow subclasses to control login logic before and after the login process. You can write extensions to this code by overriding these methods with your own custom subclasses.
Unlike the ProfileFormHandler, the loginUser Web service immediately propagates to the caller any errors that occur during processing. Errors are not stored and shown to the user because the caller in this case is an RPC client that does not have access to a request/response pair. (The ProfileFormHandler, by contrast, expects to have its errors shown on an HTML page where the user can correct them and resubmit.) This error-handling behavior is used by all profile-related Web services that mimic ProfileFormHandler functionality.
The loginUser method acts as follows:
1. If pIsPasswordEncrypted is true, the loginUser method checks to see if a valid password encryption conversation has occurred in this session. If not, a ServletException is thrown.

2. loginUser calls the preLoginUser method, which checks that the session associated with the current profile is not transient and then does the following:

   If the current profile’s login does not match the login that was passed to the Web service, the current profile is logged out, and its session is expired.

   If the login and password given to the Web service match those in the current profile, it is assumed that the same user is logging in again. In this case, an exception is thrown so that login events and profile cookies are not resent. In addition, the securityStatus of the profile is reset to the login securityStatus (if securityStatus is enabled).

   If the password passed to the Web service does not match the password stored for the given login name, a ServletException is thrown.

3. loginUser calls doLoginUser, which attempts to authenticate the user based on the given credentials. It forward-hashes the stored password for the given user with a hashKey initialized during the password encryption conversation and compares it to the password argument. If this check succeeds, the RepositoryItem for that user is set as the current profile’s data source, and repository properties are copied and/or added from the guest user’s profile to the authenticated user’s profile. The profile ID is returned for the user who just logged in.

   If the password encryption comparison fails, indicating that either the login name or the password was invalid, null is returned by doLoginUser.

4. The loginUser method calls the postLoginUser method, which sends a login event if configured to do so (set generateLoginEvents to true in the ProfileServices component). It also sends profile cookies if necessary, sets the security status for the logged-in profile, and changes the request locale to reflect the logged-in profile’s locale.
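The session-bound password check described for pIsPasswordEncrypted and doLoginUser can be modeled as follows. This is an added example, not code from the product: every class, method and field name is hypothetical, SHA-256 and HMAC-SHA256 are assumed stand-ins for the platform's actual hash functions, and IllegalStateException stands in for the ServletException so the sketch runs without the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Model only: all names are hypothetical; SHA-256 and HMAC-SHA256 are assumed stand-ins.
public class LoginCheckSketch {
    static final Map<String, byte[]> STORED = new HashMap<>();      // login -> stored password hash
    static final Map<String, String> PROFILE_IDS = new HashMap<>(); // login -> profile ID
    static class Session { byte[] hashKey; }  // null until the conversation has run

    static byte[] sha256(byte[] in) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(in);
    }
    static byte[] startConversation(Session s) {
        s.hashKey = new byte[16];
        new SecureRandom().nextBytes(s.hashKey);
        return s.hashKey.clone();  // handed to the client
    }
    static byte[] forwardHash(byte[] storedHash, byte[] hashKey) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(hashKey, "HmacSHA256"));
        return mac.doFinal(storedHash);
    }
    /** Returns the profile ID, or null when the login name or password is invalid. */
    static String doLogin(Session s, String login, byte[] password, boolean encrypted) throws Exception {
        if (encrypted && s.hashKey == null)
            throw new IllegalStateException("no password encryption conversation in this session");
        // Unknown logins are checked against a dummy hash so both failure cases take the same path.
        byte[] stored = STORED.getOrDefault(login, new byte[32]);
        byte[] expected = encrypted ? forwardHash(stored, s.hashKey) : stored;
        byte[] supplied = encrypted ? password : sha256(password);
        boolean ok = MessageDigest.isEqual(expected, supplied);  // constant-time compare
        return ok ? PROFILE_IDS.get(login) : null;
    }
    public static void main(String[] args) throws Exception {
        byte[] stored = sha256("s3cret".getBytes(StandardCharsets.UTF_8)); // constructed sample
        STORED.put("alice", stored);
        PROFILE_IDS.put("alice", "100001");
        Session session = new Session();
        byte[] key = startConversation(session);
        System.out.println(doLogin(session, "alice", forwardHash(stored, key), true)); // valid response
        System.out.println(doLogin(session, "alice", stored, true));  // not keyed to this session
        System.out.println(doLogin(session, "nobody", forwardHash(new byte[32], key), true)); // unknown login
        System.out.println(doLogin(new Session(), "alice", stored, true)); // throws: no conversation
    }
}
```

Because the key is generated per session, a value captured from one session does not verify in another, and a request that skips the conversation fails before any credential lookup.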

