com.bea.p13n.security
Class Authentication

java.lang.Object
  com.bea.p13n.security.Authentication

public final class Authentication
extends Object

Central place to handle authentication issues. Use this class to handle login, logout, and authentication of users. Can also do some basic tests on Subjects and Principals. In many cases, the methods in this class are thin wrappers over similar functionality available in other WebLogic classes. This class centralizes these functions and allows some convenience groupings for particular usages.

Field Summary

static com.bea.p13n.i18n.AuthenticationExceptionTextFormatter

formatter Text formatter for i18n.

Method Summary

static Subject	authenticate(String username, String password) Authenticate a user and return the authenticated Subject.
static Subject	getAnonymousSubject() Get a Subject representing an Anonymous user
static Subject	getCurrentSubject() Get the current logged in user.
static Principal	getUserPrincipal(Subject subject) Get the Principal representing the given Subject.
static boolean	isAdministrator(Subject subject) Test if the given Subject represents a server Administrator
static boolean	isAnonymous(Principal principal) Test if the given Principal represents the Anonymous user
static boolean	isAnonymous(Subject subject) Test if the given Subject represents an Anonymous user
static void	login(String username, String password, javax.servlet.http.HttpServletRequest request) Deprecated in favor of login(String, String, HttpServletRequest, HttpServletResponse)
static void	login(String username, String password, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Log in the user to a webapp.
static void	logout(javax.servlet.http.HttpServletRequest request) Same as logout( request, true )
static void	logout(javax.servlet.http.HttpServletRequest request, boolean invalidateSessions) Logout the user.
static Object	runAs(Subject subject, PrivilegedAction action) Execute a PrivilegedAction as a particular user.
static Object	runAs(Subject subject, PrivilegedExceptionAction action) Execute a PrivilegedExceptionAction as a particular user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

formatter

public static final com.bea.p13n.i18n.AuthenticationExceptionTextFormatter formatter

Text formatter for i18n.

Method Detail

login

@Deprecated
public static void login(String username,
                                    String password,
                                    javax.servlet.http.HttpServletRequest request)
                  throws LoginException

Deprecated in favor of login(String, String, HttpServletRequest, HttpServletResponse)

Log in the user to a webapp. This authenticates the user and sets the authentication information in the user's Servlet Session so the server knows who they are when they come back on the next request. The user is pushed onto this thread so that further operations invoked by this thread are executed as this user. Note that this only does authentication and does not check authorization (that is, if the user is in a particular role or group). The Principal for the newly logged in user can be obtained by calling request.getUserPrincipal().

Parameters

username - The username of the user to login

password - The password for that user (as cleartext)

request - The HttpServletRequest containing the session to be logged in

Throws

LoginException - if the authentication failed

login

public static void login(String username,
                         String password,
                         javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
                  throws LoginException

Log in the user to a webapp. This authenticates the user and sets the authentication information in the user's Servlet Session so the server knows who they are when they come back on the next request. The user is pushed onto this thread so that further operations invoked by this thread are executed as this user. Note that this only does authentication and does not check authorization (that is, if the user is in a particular role or group). The Principal for the newly logged in user can be obtained by calling request.getUserPrincipal().

Parameters

username - The username of the user to login

password - The password for that user (as cleartext)

request - The HttpServletRequest containing the session to be logged in

response - The HttpServletResponse containing data sent back to client

Throws

LoginException - if the authentication failed

logout

public static void logout(javax.servlet.http.HttpServletRequest request,
                          boolean invalidateSessions)

Logout the user. This causes the user to be removed from Servlet Session (on all single-signon webapps) as well as from the thread. If the invalidateSession flag is true, then the user's sessions (on all single-signon webapps) are invalidated. Otherwise, only the authentication information is removed from the sessions but other session data is left intact. Note that if you want to logout and invalidate only this webapp's session (not other single-signon webapps), you can call logout(request,false), then call request.getSession().invalidate().

Parameters

request - the HttpServletRequest that contains the session to be logged out.

invalidateSessions - if true, the session is invalidated (on all single-signon webapps). Otherwise the session and its data are left intact (except for authentication information used internally by the server).

logout

public static void logout(javax.servlet.http.HttpServletRequest request)

Same as logout( request, true )

See Also

logout(HttpServletRequest,boolean)

authenticate

public static Subject authenticate(String username,
                                   String password)
                            throws LoginException

Authenticate a user and return the authenticated Subject.

Parameters

username - The username of the user to authenticate

password - The password for that user (as cleartext)

Returns

the Subject representing the authenticated user

Throws

LoginException - if the user is not valid

runAs

public static Object runAs(Subject subject,
                           PrivilegedAction action)

Execute a PrivilegedAction as a particular user. Subject.doAs() changes the Java 2 identity as described in Java 2 spec. This runAs method sets the WebLogic identity. The two identities are not related except that they both use a Subject to specify the user.

runAs

public static Object runAs(Subject subject,
                           PrivilegedExceptionAction action)
                    throws PrivilegedActionException

Execute a PrivilegedExceptionAction as a particular user. Subject.doAs() changes the Java 2 identity as described in Java 2 spec. This runAs method sets the WebLogic identity. The two identities are not related except that they both use a Subject to specify the user.

Throws

PrivilegedActionException

getCurrentSubject

public static Subject getCurrentSubject()

Get the current logged in user. You should use HttpServletRequest.getUserPrincipal or EJBContext.getCallerPrincipal where possible. But if you need a Subject or can not access the ServletRequest or EJBContext, you can use this method. To see if a user is logged in, test isAnonymous( getCurrentSubject ).

getAnonymousSubject

public static Subject getAnonymousSubject()

Get a Subject representing an Anonymous user

getUserPrincipal

public static Principal getUserPrincipal(Subject subject)

Get the Principal representing the given Subject.

isAnonymous

public static boolean isAnonymous(Subject subject)

Test if the given Subject represents an Anonymous user

isAnonymous

public static boolean isAnonymous(Principal principal)

Test if the given Principal represents the Anonymous user

isAdministrator

public static boolean isAdministrator(Subject subject)

Test if the given Subject represents a server Administrator