Oracle Fusion Middleware
Java API Reference for Oracle WebLogic Server
12c (12.1.3)

Part Number E41849-02

weblogic.servlet.security
Class ServletAuthentication

java.lang.Object
  extended by weblogic.servlet.security.ServletAuthentication

public final class ServletAuthentication
extends Object

ServletAuthentication allows both form-based authentication and programmatic authentication in servlets. It performs the authentication call through the Realm and sets the user information into the session. The weak() methods are for password authentication and the strong() methods are for certificate-based authentication. The latter is available only via two-way SSL connections, based on the client certificate chain. In order to avoid a type of attack called "session fixation," you should change the user's session ID at login. To do this, call the generateNewSessionID method after you call the login method.


Field Summary
static int AUTHENTICATED
          Returns the value of a successful authentication.
static int FAILED_AUTHENTICATION
          Returns the value of an unsuccessful authentication.
static int NEEDS_CREDENTIALS
          Returns the value of an unsuccessful authentication due to no credentials.
 
Constructor Summary
ServletAuthentication(String usernameField, String passwordField)
          Constructs a ServletAuthentication object that looks for specific form fields inside the HttpRequest for the username and password.
 
Method Summary
static int assertIdentity(HttpServletRequest request, HttpServletResponse response, String realmName)
          Strong authentication using the client-side certificate chain as the credential for authentication.
static int assertIdentity(HttpServletRequest request, HttpServletResponse response, String realmName, AppContext appContext)
          Strong authentication using the client-side certificate chain as the credential for authentication.
static int authenticate(CallbackHandler handler, HttpServletRequest request)
          Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION.
static int authObject(String username, Object credential, HttpServletRequest request)
          Deprecated.  
static int authObject(String username, Object credential, HttpSession session, HttpServletRequest request)
          Deprecated.  
static void done(HttpServletRequest request)
          "Logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.
static void generateNewSessionID(HttpServletRequest request)
          Moves all current session information into a completely different session ID and re-associates this session with this new ID.
static Cookie getSessionCookie(HttpServletRequest request, HttpServletResponse response)
          Allows you to get a handle on the session cookie itself.
static String getTargetURIForFormAuthentication(HttpSession session)
          Returns the target URI stored in the first step of Form based authentication.
static String getTargetURLForFormAuthentication(HttpSession session)
          Returns the target URL stored in the first step of Form based authentication.
static boolean invalidateAll(HttpServletRequest req)
          Invalidates all the sessions for the current user only (that is, the current cookie), and since the cookie is no longer required, kills the cookie too.
static void killCookie(HttpServletRequest req)
          Kills the current cookie.
static int login(CallbackHandler handler, HttpServletRequest request)
          Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION.
static int login(String username, String password, HttpServletRequest request, HttpServletResponse response)
          Deprecated. as of 12c - use HttpServletRequest.login(java.lang.String, java.lang.String)
static boolean logout(HttpServletRequest req)
          Deprecated. as of 12c - use HttpServletRequest.logout()
static boolean logout(HttpSession session)
          Deprecated. as of 12c - use HttpServletRequest.logout()
static void runAs(Subject subject, HttpServletRequest request)
          With a given subject, this method sets the current thread identity and current session identity.
static int strong(HttpServletRequest request, HttpServletResponse response)
          Strong authentication using the client-side certificate chain as the credential for authentication against the "weblogic" (default) realm.
static int strong(HttpServletRequest request, HttpServletResponse response, String realmName)
          Strong authentication using the client-side certificate chain as the credential for authentication.
 int weak(HttpServletRequest request, HttpServletResponse response)
          Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after pulling the username and password from the request, authenticating the user and setting it into the session.
static int weak(String username, String password, HttpServletRequest request)
          Deprecated. since 9.0; use weak(String, String, HttpServletRequest, HttpServletResponse);
static int weak(String username, String password, HttpServletRequest request, HttpServletResponse response)
          Deprecated. as of 12c - use HttpServletRequest.login(java.lang.String, java.lang.String)
static int weak(String username, String password, HttpSession session)
          Deprecated.  
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

AUTHENTICATED

public static final int AUTHENTICATED
Returns the value of a successful authentication.

See Also:
Constant Field Values

FAILED_AUTHENTICATION

public static final int FAILED_AUTHENTICATION
Returns the value of an unsuccessful authentication.

See Also:
Constant Field Values

NEEDS_CREDENTIALS

public static final int NEEDS_CREDENTIALS
Returns the value of an unsuccessful authentication due to no credentials.

See Also:
Constant Field Values

Constructor Detail

ServletAuthentication

public ServletAuthentication(String usernameField,
                             String passwordField)
Constructs a ServletAuthentication object that looks for specific form fields inside the HttpRequest for the username and password.

Method Detail

done

public static void done(HttpServletRequest request)
"Logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data. (This method is functionally equivalent to logout().)

Parameters:
request - HttpServletRequest which contains the session

logout

public static boolean logout(HttpServletRequest req)
Deprecated. as of 12c - use HttpServletRequest.logout()

"Logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.

Parameters:
req - HttpServletRequest

logout

public static boolean logout(HttpSession session)
Deprecated. as of 12c - use HttpServletRequest.logout()

"Logs out" the user in the session by removing the pertinent data from the sessions the user has logged into and also from the webserver, without losing other session data.

Parameters:
session - HttpSession

invalidateAll

public static boolean invalidateAll(HttpServletRequest req)
Invalidates all the sessions for the current user only (that is, the current cookie), and since the cookie is no longer required, kills the cookie too.

Parameters:
req - HttpServletRequest

killCookie

public static void killCookie(HttpServletRequest req)
Kills the current cookie.

Parameters:
req - HttpServletRequest which contains the session

strong

public static int strong(HttpServletRequest request,
                         HttpServletResponse response)
                  throws ServletException,
                         IOException
Strong authentication using the client-side certificate chain as the credential for authentication against the "weblogic" (default) realm.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
Returns:
int authentication value
Throws:
ServletException
IOException

strong

public static int strong(HttpServletRequest request,
                         HttpServletResponse response,
                         String realmName)
                  throws ServletException,
                         IOException
Strong authentication using the client-side certificate chain as the credential for authentication.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
realmName - String name of the realm to authenticate against
Returns:
int authentication value
Throws:
ServletException
IOException

assertIdentity

public static int assertIdentity(HttpServletRequest request,
                                 HttpServletResponse response,
                                 String realmName)
                          throws ServletException,
                                 IOException,
                                 LoginException
Strong authentication using the client-side certificate chain as the credential for authentication. This method is similar to "strong" except that it propagates the LoginException back to the caller.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
realmName - String name of the realm to authenticate against
Returns:
int authentication value
Throws:
ServletException
IOException
LoginException

assertIdentity

public static int assertIdentity(HttpServletRequest request,
                                 HttpServletResponse response,
                                 String realmName,
                                 AppContext appContext)
                          throws ServletException,
                                 IOException,
                                 LoginException
Strong authentication using the client-side certificate chain as the credential for authentication. This method is similar to "strong" except that it propagates the LoginException back to the caller. This method also takes an AppContext so that callers can pass in additional context information that can be used by the security providers. The AppContext is passed on to the security providers as is. It is the responsibility of the caller to add request and response objects to the AppContext if required.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
realmName - String name of the realm to authenticate against
appContext - AppContext to use when asserting identity
Returns:
int authentication value
Throws:
ServletException
IOException
LoginException

weak

public int weak(HttpServletRequest request,
                HttpServletResponse response)
         throws ServletException,
                IOException
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after pulling the username and password from the request, authenticating the user and setting it into the session.

This weak() method, unlike the others, is not static. It requires that the ServletAuthentication object be instantiated with the field names for the username and password inside the form.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
Returns:
int authentication value
Throws:
ServletException
IOException

weak

public static int weak(String username,
                       String password,
                       HttpServletRequest request)
Deprecated. since 9.0; use weak(String, String, HttpServletRequest, HttpServletResponse);

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session.

Parameters:
username - String
password - String
request - HttpServletRequest
Returns:
int authentication value

weak

public static int weak(String username,
                       String password,
                       HttpServletRequest request,
                       HttpServletResponse response)
Deprecated. as of 12c - use HttpServletRequest.login(java.lang.String, java.lang.String)

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session.

Parameters:
username - String
password - String
request - HttpServletRequest
response - HttpServletResponse
Returns:
int authentication value

login

public static int login(String username,
                        String password,
                        HttpServletRequest request,
                        HttpServletResponse response)
                 throws LoginException
Deprecated. as of 12c - use HttpServletRequest.login(java.lang.String, java.lang.String)

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session. This method is similar to "weak", except that the LoginException is propagated to the caller. To avoid a type of attack called "session fixation," you should change the user's session ID at login. To do this, call the generateNewSessionID method after you call the login method.

Parameters:
username - String
password - String
request - HttpServletRequest
response - HttpServletResponse
Returns:
int authentication value
Throws:
LoginException

weak

public static int weak(String username,
                       String password,
                       HttpSession session)
Deprecated. 

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and password to authenticate the user and setting that user information into the session. Note: This method has been deprecated. Use weak(username, password, request) instead.

Parameters:
username - String
password - String
session - HttpSession
Returns:
int authentication value

authObject

public static int authObject(String username,
                             Object credential,
                             HttpServletRequest request)
Deprecated. 

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and credential object to authenticate the user and setting that user information into the session. This method has been deprecated. Use authenticate(CallbackHandler, HttpServletRequest) instead.

Parameters:
username - String
credential - Object credential used to authenticate the user
request - HttpServletRequest
Returns:
int authentication value

authObject

public static int authObject(String username,
                             Object credential,
                             HttpSession session,
                             HttpServletRequest request)
Deprecated. 

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after using the username and credential object to authenticate the user and setting that user information into the session. This method has been deprecated. Use authenticate(CallbackHandler, HttpServletRequest) instead.

Parameters:
username - String
credential - Object credential used to authenticate the user
session - HttpSession
request - HttpServletRequest
Returns:
int authentication value

authenticate

public static int authenticate(CallbackHandler handler,
                               HttpServletRequest request)
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION. This method is expected to be used when you have plugged in custom LoginModules. If the custom LoginModule is expecting the LoginException to be propagated back, then use the "login" method instead of "authenticate". The callback handler that you supply here should be able to handle the callbacks generated by your LoginModule. This method creates a session if a session doesn't exist already. To avoid a type of attack called "session fixation," you should change the user's session ID at login. To do this, call the generateNewSessionID method after you call the login method.

Parameters:
handler - javax.security.auth.callback.CallbackHandler
request - HttpServletRequest
Returns:
int authentication value

login

public static int login(CallbackHandler handler,
                        HttpServletRequest request)
                 throws LoginException
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION. This method is expected to be used when you have plugged in custom LoginModules. This is similar to the "authenticate" method, except that this throws a LoginException back to the caller when authentication fails. The callback handler that you supply here should be able to handle the callbacks generated by your LoginModule. This method creates a session if a session doesn't exist already.

Parameters:
handler - javax.security.auth.callback.CallbackHandler
request - HttpServletRequest
Returns:
int authentication value
Throws:
LoginException

generateNewSessionID

public static void generateNewSessionID(HttpServletRequest request)
Moves all current session information into a completely different session ID and re-associates this session with this new ID. If a session cookie does not exist at this point, one is created.

Parameters:
request - HttpServletRequest
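Added example (not code from the Oracle documentation) showing the login sequence the class description and the login(CallbackHandler, HttpServletRequest) detail prescribe: authenticate through a CallbackHandler, then call generateNewSessionID before the user is redirected, so the pre-login session ID does not survive authentication. The servlet class name, the form field names j_username/j_password, and the redirect-target check are assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.servlet.security.ServletAuthentication;

// Hypothetical login servlet built on the ServletAuthentication API.
public class ProgrammaticLoginServlet extends HttpServlet {

    // Answers the NameCallback/PasswordCallback that a username/password
    // LoginModule issues; any other callback type is rejected.
    private static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;
        FormCallbackHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");   // assumed form field names
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        try {
            // login() throws LoginException on failure instead of returning FAILED_AUTHENTICATION
            int rc = ServletAuthentication.login(new FormCallbackHandler(user, pass.toCharArray()), req);
            if (rc != ServletAuthentication.AUTHENTICATED) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        } catch (LoginException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // do not echo the provider's message
            return;
        }
        // Session fixation defence from the class description: issue a fresh
        // session ID now that the session carries an authenticated identity.
        ServletAuthentication.generateNewSessionID(req);
        // Resume the request that triggered the login; only follow a local path
        // (constructed check: the stored target is not validated by the API).
        String target = ServletAuthentication.getTargetURIForFormAuthentication(req.getSession());
        boolean local = target != null && target.startsWith("/") && !target.startsWith("//");
        resp.sendRedirect(local ? target : req.getContextPath() + "/");
    }
}
```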

getSessionCookie

public static Cookie getSessionCookie(HttpServletRequest request,
                                      HttpServletResponse response)
Allows you to get a handle on the session cookie itself. Returns null if there is no session or if session cookies have been turned off in the servlet engine.

Parameters:
request - HttpServletRequest
response - HttpServletResponse
Returns:
Session Cookie if it exists, null otherwise

runAs

public static void runAs(Subject subject,
                         HttpServletRequest request)
With a given subject, this method sets the current thread identity and current session identity. This method is used for logging in when you already have a subject.

Parameters:
subject - javax.security.auth.Subject
request - HttpServletRequest

getTargetURLForFormAuthentication

public static String getTargetURLForFormAuthentication(HttpSession session)
Returns the target URL stored in the first step of Form based authentication. This allows users to handle the login process programmatically.

Parameters:
session - HttpSession
Returns:
Target URL for form based authentication

getTargetURIForFormAuthentication

public static String getTargetURIForFormAuthentication(HttpSession session)
Returns the target URI stored in the first step of Form based authentication. This allows users to handle the login process programmatically.

Parameters:
session - HttpSession
Returns:
Target URI for form based authentication

Copyright 1996, 2014, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
