PasswordConverterProvider (Alternet Security 1.0 API)

Skip navigation links

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

java.lang.Object
- ml.alternet.security.web.PasswordConverterProvider

All Implemented Interfaces:

javax.ws.rs.ext.ParamConverterProvider
```
@Provider
public class PasswordConverterProvider
extends Object
implements javax.ws.rs.ext.ParamConverterProvider
```
JAX-RS provider that converts a form parameter or a header parameter to a secure password (query parameter are not handled by this converter since it would be a security flaw to send a password in the URI).
```
 @POST
 public String login
       ( @FormParam("username") String userName,
         @FormParam("password") Password pwd) {
     // ...
 }
 
```
If the pwd field is multivalued, don't use List<Password>, use instead :
```
 @POST
 public String registerNewUser
       ( @FormParam("username") String userName,
         @FormParam("password") PasswordParam pwd) {
     // ...
 }
 
```
As a Provider, this class has to be registered to the application manually, or by setting on the lookup mechanism of the underlying JAX-RS implementation. Note that at the invocation stage, the password string passed to the converter is a dummy string not involved in the conversion process.
Author:

Philippe Poulard

See Also:

FormParam, HeaderParam, QueryParam

Constructor Summary

Constructors
Constructor and Description

PasswordConverterProvider()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`<T> javax.ws.rs.ext.ParamConverter<T>`	`getConverter(Class<T> rawType, Type genericType, Annotation[] annotations)`
`protected void`	`processQueryParam(javax.ws.rs.QueryParam passwordFieldAnnotation)` This method is called during annotation processing when a password field is annotated with `@QueryParam`, and throws a security exception.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - PasswordConverterProvider
```
public PasswordConverterProvider()
```
- Method Detail
  - getConverter
```
public <T> javax.ws.rs.ext.ParamConverter<T> getConverter(Class<T> rawType,
                                                          Type genericType,
                                                          Annotation[] annotations)
```
    Specified by:
    
    getConverter in interface javax.ws.rs.ext.ParamConverterProvider
  - processQueryParam
```
protected void processQueryParam(javax.ws.rs.QueryParam passwordFieldAnnotation)
                          throws SecurityException
```
    This method is called during annotation processing when a password field is annotated with @QueryParam, and throws a security exception. Sending a password field in the request URI is a security flaw and MUST NOT be handled by an application. By default, a security exception will be thrown and the underlying Web application won't be available, which force the developer to fix the application. This method can be override if this default behavior is too severe. Instead of throwing an exception this method can do nothing : in this case the Web application will be available and a warning will be logged only when processing the query param.
    
    Parameters:
    
    passwordFieldAnnotation - The annotation.
    
    Throws:
    
    SecurityException - By default, this implementation throw a security exception

Skip navigation links

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

Copyright © 2018 Alternet. All rights reserved.