org.picketlink.authentication.web

Class TokenAuthenticationScheme

java.lang.Object

org.picketlink.authentication.web.TokenAuthenticationScheme

All Implemented Interfaces:

HTTPAuthenticationScheme

@ApplicationScoped
public class TokenAuthenticationScheme
extends Object
implements HTTPAuthenticationScheme

A custom HTTPAuthenticationScheme that knows how to extract a header from the request containing a token to authenticate/re-authenticate an user.

Tokens are issued by providing specific credentials for the primary authentication scheme. This scheme will be used to validate user's credentials (eg.: username/password over BASIC) and if successful, issue a token.

By default, the primary authentication scheme is BasicAuthenticationScheme. In order to change it, subclasses may override the getPrimaryAuthenticationScheme method.

Once a token is issued, it will be written to the HttpServletResponse using a JSON format. In order to change how tokens are returned to clients, subclasses may override the issueToken method.

The authentication is stateless, which means that security state is discarded once the request finishes. The token must be always provided in order to create the security context for a request and provide access to protected resources.

This scheme is used by the AuthenticationFilter, which is configured in the web application deployment descriptor(web.xml).

Author:

Pedro Igor

Field Summary

Fields

Modifier and Type	Field and Description
static String	AUTHENTICATION_SCHEME_NAME
static String	AUTHORIZATION_TOKEN_HEADER_NAME
static String	REQUIRES_AUTHENTICATION_HEADER_NAME

Constructor Summary

Constructors

Constructor and Description
TokenAuthenticationScheme()

Method Summary

Methods

Modifier and Type	Method and Description
void	challengeClient(HttpServletRequest request, HttpServletResponse response) We use a 401 http status code to sinalize to clients that authentication is required.
void	extractCredential(HttpServletRequest request, DefaultLoginCredentials creds) Extracts the credentials from the given HttpServletRequest and populates the DefaultLoginCredentials with them.
protected void	extractTokenFromRequest(HttpServletRequest request, DefaultLoginCredentials creds) Extracts the token from the HttpServletRequest and populates the given DefaultLoginCredentials with the proper credentials.
protected DefaultLoginCredentials	getCredentials() Returns the current DefaultLoginCredentials associated with the request.
protected Identity	getIdentity() Returns the current Identity associated with the request.
protected HTTPAuthenticationScheme	getPrimaryAuthenticationScheme() Returns the primary HTTPAuthenticationScheme used to validate user's credential before issuing a new token..
void	initialize(FilterConfig config) Called one time by the AuthenticationFilter after the CDI initialization has completed, but before any other methods from this interface are invoked.
boolean	isProtected(HttpServletRequest request) We only initiate the authentication process if any credential is present in the request.
protected void	issueToken(HttpServletRequest request, HttpServletResponse response) Writes to the response the token after a successful authentication.
boolean	postAuthentication(HttpServletRequest request, HttpServletResponse response) Performs any post-authentication logic regarding of the authentication result.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

AUTHORIZATION_TOKEN_HEADER_NAME

public static final String AUTHORIZATION_TOKEN_HEADER_NAME

See Also:

Constant Field Values

AUTHENTICATION_SCHEME_NAME

public static final String AUTHENTICATION_SCHEME_NAME

See Also:

Constant Field Values

REQUIRES_AUTHENTICATION_HEADER_NAME

public static final String REQUIRES_AUTHENTICATION_HEADER_NAME

See Also:

Constant Field Values

Constructor Detail

TokenAuthenticationScheme

public TokenAuthenticationScheme()

Method Detail

initialize

public void initialize(FilterConfig config)

Description copied from interface: HTTPAuthenticationScheme

Called one time by the AuthenticationFilter after the CDI initialization has completed, but before any other methods from this interface are invoked.

Specified by:

initialize in interface HTTPAuthenticationScheme

Parameters:

config - the configuration of AuthenticationFilter from web.xml. Never null.

extractCredential

public void extractCredential(HttpServletRequest request,
                     DefaultLoginCredentials creds)

Description copied from interface: HTTPAuthenticationScheme

Extracts the credentials from the given HttpServletRequest and populates the DefaultLoginCredentials with them. If the request is not an authentication attempt (as defined by the implementation), then creds is not affected.

Specified by:

extractCredential in interface HTTPAuthenticationScheme

Parameters:

request - The current request, to examine for authentication information.

creds - The credentials instance that will be populated with the credentials found in the request, if any.

challengeClient

public void challengeClient(HttpServletRequest request,
                   HttpServletResponse response)
                     throws IOException

We use a 401 http status code to sinalize to clients that authentication is required.

We only challenge clients if the authentication failed. In other words, if there is a token in the request bu it is invalid.

Specified by:

challengeClient in interface HTTPAuthenticationScheme

Parameters:

request -

response -

Throws:

IOException

postAuthentication

public boolean postAuthentication(HttpServletRequest request,
                         HttpServletResponse response)
                           throws IOException

Description copied from interface: HTTPAuthenticationScheme

Performs any post-authentication logic regarding of the authentication result.

Specified by:

postAuthentication in interface HTTPAuthenticationScheme

Parameters:

request - The current request, which may be used to obtain a RequestDispatcher if needed.

response - The current response, which can be used to send an HTTP response, or a redirect.

Returns:

true if the processing of the filter chain should continue, false if the processing should stop (typically because this filter has already sent a response).

Throws:

IOException - if reading the request or writing the response fails.

isProtected

public boolean isProtected(HttpServletRequest request)

We only initiate the authentication process if any credential is present in the request.

Specified by:

isProtected in interface HTTPAuthenticationScheme

Parameters:

request -

Returns:

getCredentials

protected DefaultLoginCredentials getCredentials()

Returns the current DefaultLoginCredentials associated with the request.

Returns:

getIdentity

protected Identity getIdentity()

Returns the current Identity associated with the request.

Returns:

getPrimaryAuthenticationScheme

protected HTTPAuthenticationScheme getPrimaryAuthenticationScheme()

Returns the primary HTTPAuthenticationScheme used to validate user's credential before issuing a new token..

Returns:

extractTokenFromRequest

protected void extractTokenFromRequest(HttpServletRequest request,
                           DefaultLoginCredentials creds)

Extracts the token from the HttpServletRequest and populates the given DefaultLoginCredentials with the proper credentials.

Subclasses can override this method to customize how tokens are extracted from the request and how a TokenCredential is built.

Parameters:

request -

creds -

issueToken

protected void issueToken(HttpServletRequest request,
              HttpServletResponse response)

Writes to the response the token after a successful authentication.

Subclasses can override this method in order to customize how tokens are written to the response.

Parameters:

request -

response -