Class LoginAuthenticator

All Implemented Interfaces:
Direct Known Subclasses:
BasicAuthenticator, ClientCertAuthenticator, ConfigurableSpnegoAuthenticator, DigestAuthenticator, FormAuthenticator, JaspiAuthenticator, OpenIdAuthenticator, SslClientCertAuthenticator

public abstract class LoginAuthenticator extends Object implements Authenticator
  • Field Details

  • Constructor Details

    • LoginAuthenticator

      protected LoginAuthenticator()
  • Method Details

    • prepareRequest

      public void prepareRequest(jakarta.servlet.ServletRequest request)
      Description copied from interface: Authenticator
      Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.
      Specified by:
      prepareRequest in interface Authenticator
      request - the request to manipulate
    • login

      public UserIdentity login(String username, Object password, jakarta.servlet.ServletRequest servletRequest)
      If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
      username - the username of the client to be authenticated
      password - the user's credential
      servletRequest - the inbound request that needs authentication
    • logout

      public void logout(jakarta.servlet.ServletRequest request)
    • setConfiguration

      public void setConfiguration(Authenticator.AuthConfiguration configuration)
      Description copied from interface: Authenticator
      Configure the Authenticator
      Specified by:
      setConfiguration in interface Authenticator
      configuration - the configuration
    • getLoginService

      public LoginService getLoginService()
    • renewSession

      protected jakarta.servlet.http.HttpSession renewSession(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Change the session id. The session is changed to a new instance with a new ID if and only if:
      request - the request
      response - the response
      The new session.