- java.lang.Object
-
- HttpServlet
-
- uk.ac.ed.epcc.webapp.servlet.WebappServlet
-
- uk.ac.ed.epcc.webapp.servlet.RemoteAuthServlet
-
public class RemoteAuthServlet extends WebappServlet
This servlet is to support authentication from the container. This servlet should be configured with server level authentication and the user redirects through this servlet to either login based on the remote username or to change their remote username if the servlet is visited after logging in.The property remote_auth.realm (which may be set as a servlet parameter) defines the name realm used by the servlet. Multiple types of external authentication can be supported by including the servlet at multiple paths, one for each realm.
This servlet also supports the use of a remote authentication server rather than expecting the name to be provided by the container. This should only be needed for methods the container cannot support directly. In this mode the user is redirected to a remote server. A session token will be included as the url parameter token. The server should authenticate the user and (if successful) redirect back to this servlet setting the auth_name parameter to the authenticated user. The response should also contain the check_token parameter which should be a hex encoded hash value calculated from the concatenation of the user-name, the-token and a secret-value shared between the two servers. Optionally the server can pre-pend the response with a salt string. In this case the salt should also be returned as a parameter named salt. Adding a salt to the check_token may make it harder for a malicious user to reverse engineer the check_token as the unknown parts of the input vary each call. This should not be required for a well implemented hash function.
- remote_auth_server.url A URL of a remote server the user will be redirected to.
- remote_auth_server.secret The shared secret.
- remote_auth_server.hash The name of the
Hashto use defaults to SHA512 - remote_auth_server.token_len The length of the session token defaults to 64
-
-
Field Summary
Fields Modifier and Type Field and Description static java.lang.StringREGISTER_IDENTITY_DEFAULT_TEXTstatic java.lang.StringREMOTE_AUTH_REALM_PROPProperty name to use for the authentication realm.static java.lang.StringSERVICE_WEB_LOGIN_UPDATE_TEXTstatic FeatureWEB_LOGIN_FEATUREFeature to allow external auth logins as alternative mechanism via specific servlets linked from the login page.-
Fields inherited from class uk.ac.ed.epcc.webapp.servlet.WebappServlet
ARGS, CONFIRM_NO, CONFIRM_POST_URL, CONFIRM_TYPE, CONFIRM_YES, EXTRA_HTML, MESSAGE_EXTRA_ATTR, MESSAGE_TYPE_ATTR, MESSAGES_JSP_URL, SCRIPTS_CONFIRM_JSP
-
-
Constructor Summary
Constructors Constructor and Description RemoteAuthServlet()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method and Description static booleancanLogin(AppContext conn, java.lang.String realm)static booleancanRegisterNewUser(AppContext conn)Test if the bind external id should be offered ie is there an existing session user or a stored newly registered user.protected voiddoPost(HttpServletRequest req, HttpServletResponse res, AppContext conn)Method that does the actual workstatic booleanregisterNewUser(AppContext conn, AppUser user)Set the user that should be registered (and logged in) if the external authentication succeeds.static voidsetNextResult(SessionService<?> sess, SerializableFormResult next)set a result to go to after re-authentication/register-
Methods inherited from class uk.ac.ed.epcc.webapp.servlet.WebappServlet
badInputCheck, checkBadInput, confirm, confirm, doGet, doPost, doPut, doPut, encodeCGI, getLogger, handleFormResult, message, message, messageWithArgs, sendMessageWithArgs
-
-
-
-
Field Detail
-
REMOTE_AUTH_REALM_PROP
public static final java.lang.String REMOTE_AUTH_REALM_PROP
Property name to use for the authentication realm. Note that this is also the property used byDefaultServletServiceandRegisterServletif global external authentication is supported.- See Also:
- Constant Field Values
-
SERVICE_WEB_LOGIN_UPDATE_TEXT
public static final java.lang.String SERVICE_WEB_LOGIN_UPDATE_TEXT
- See Also:
- Constant Field Values
-
REGISTER_IDENTITY_DEFAULT_TEXT
public static final java.lang.String REGISTER_IDENTITY_DEFAULT_TEXT
- See Also:
- Constant Field Values
-
WEB_LOGIN_FEATURE
public static final Feature WEB_LOGIN_FEATURE
Feature to allow external auth logins as alternative mechanism via specific servlets linked from the login page. Multiple alternative mechanisms can be supported this way.
-
-
Method Detail
-
doPost
protected void doPost(HttpServletRequest req, HttpServletResponse res, AppContext conn) throws ServletException, java.io.IOExceptionDescription copied from class:WebappServletMethod that does the actual work- Specified by:
doPostin classWebappServlet- Throws:
ServletExceptionjava.io.IOException
-
registerNewUser
public static boolean registerNewUser(AppContext conn, AppUser user)
Set the user that should be registered (and logged in) if the external authentication succeeds. This is for when a user registers and id given an opportunity to bind an existing id. If the binding succeeds the user has a proven id (even though the email is not verified) and can be logged in if the external auth succeeds. If the session already contains a user this user must match the supplied arguement.- Parameters:
conn-user-- Returns:
- true if binding should be offered.
-
canRegisterNewUser
public static boolean canRegisterNewUser(AppContext conn)
Test if the bind external id should be offered ie is there an existing session user or a stored newly registered user.- Parameters:
conn-- Returns:
-
canLogin
public static boolean canLogin(AppContext conn, java.lang.String realm)
-
setNextResult
public static void setNextResult(SessionService<?> sess, SerializableFormResult next)
set a result to go to after re-authentication/register- Parameters:
sess-next-
-
-