org.dspace.authenticate

Class IPAuthentication

java.lang.Object

org.dspace.authenticate.IPAuthentication

All Implemented Interfaces:

AuthenticationMethod

public class IPAuthentication
extends Object
implements AuthenticationMethod

Adds users to special groups based on IP address. Configuration parameter form is:

authentication.ip.<GROUPNAME> = <IPRANGE>[, <IPRANGE> ...]

e.g. authentication.ip.MIT = 18., 192.25.0.0/255.255.0.0

Negative matches can be included by prepending the range with a '-'. For example if you want to include all of a class B network except for users of a contained class c network, you could use:

111.222,-111.222.333.

For supported IP ranges see IPMatcher.

Version:

$Revision$

Author:

Robert Tansley

Field Summary

Fields

Modifier and Type	Field and Description
protected GroupService	groupService
protected Map<IPMatcher,UUID>	ipMatcherGroupIDs Maps IPMatchers to group IDs (Integers) where we know the group DB ID
protected Map<IPMatcher,String>	ipMatcherGroupNames Maps IPMatchers to group names when we don't know group DB ID yet.
protected List<IPMatcher>	ipMatchers All the IP matchers
protected List<IPMatcher>	ipNegativeMatchers All the negative IP matchers
protected static Boolean	useProxies Whether to look for x-forwarded headers for logging IP addresses

Fields inherited from interface org.dspace.authenticate.AuthenticationMethod

BAD_ARGS, BAD_CREDENTIALS, CERT_REQUIRED, NO_SUCH_USER, SUCCESS

Constructor Summary

Constructors

Constructor and Description
IPAuthentication() Initialize an IP authenticator, reading in the configuration.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	addMatchers(String groupName, String[] ipRanges) Add matchers for the given comma-delimited IP ranges and group.
boolean	allowSetPassword(Context context, javax.servlet.http.HttpServletRequest request, String username) Should (or can) we allow the user to change their password.
int	authenticate(Context context, String username, String password, String realm, javax.servlet.http.HttpServletRequest request) Authenticate the given or implicit credentials.
boolean	canSelfRegister(Context context, javax.servlet.http.HttpServletRequest request, String username) Predicate, whether to allow new EPerson to be created.
List<Group>	getSpecialGroups(Context context, javax.servlet.http.HttpServletRequest request) Get list of extra groups that user implicitly belongs to.
void	initEPerson(Context context, javax.servlet.http.HttpServletRequest request, EPerson eperson) Initialize a new EPerson record for a self-registered new user.
boolean	isImplicit() Predicate, is this an implicit authentication method.
String	loginPageTitle(Context context) Get title of login page to which to redirect.
String	loginPageURL(Context context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Get login page to which to redirect.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

useProxies

protected static Boolean useProxies

Whether to look for x-forwarded headers for logging IP addresses

ipMatchers

protected List<IPMatcher> ipMatchers

All the IP matchers

ipNegativeMatchers

protected List<IPMatcher> ipNegativeMatchers

All the negative IP matchers

groupService

protected GroupService groupService

ipMatcherGroupNames

protected Map<IPMatcher,String> ipMatcherGroupNames

Maps IPMatchers to group names when we don't know group DB ID yet. When the DB ID is known, the IPMatcher is moved to ipMatcherGroupIDs and then points to the DB ID.

ipMatcherGroupIDs

protected Map<IPMatcher,UUID> ipMatcherGroupIDs

Maps IPMatchers to group IDs (Integers) where we know the group DB ID

Constructor Detail

IPAuthentication

public IPAuthentication()

Initialize an IP authenticator, reading in the configuration. Note this will never fail if the configuration is bad -- a warning will be logged.

Method Detail

addMatchers

protected void addMatchers(String groupName,
               String[] ipRanges)

Add matchers for the given comma-delimited IP ranges and group.

Parameters:

groupName - name of group

ipRanges - IP ranges

canSelfRegister

public boolean canSelfRegister(Context context,
                      javax.servlet.http.HttpServletRequest request,
                      String username)
                        throws SQLException

Description copied from interface: AuthenticationMethod

Predicate, whether to allow new EPerson to be created. The answer determines whether a new user is created when the credentials describe a valid entity but there is no corresponding EPerson in DSpace yet. The EPerson is only created if authentication succeeds.

Specified by:

canSelfRegister in interface AuthenticationMethod

Parameters:

context - DSpace context

request - HTTP request, in case it's needed. May be null.

username - Username, if available. May be null.

Returns:

true if new ePerson should be created.

Throws:

SQLException - if database error

initEPerson

public void initEPerson(Context context,
               javax.servlet.http.HttpServletRequest request,
               EPerson eperson)
                 throws SQLException

Description copied from interface: AuthenticationMethod

Initialize a new EPerson record for a self-registered new user. Set any data in the EPerson that is specific to this authentication method.

Specified by:

initEPerson in interface AuthenticationMethod

Parameters:

context - DSpace context

request - HTTP request, in case it's needed. May be null.

eperson - newly created EPerson record - email + information from the registration form will have been filled out.

Throws:

SQLException - if database error

allowSetPassword

public boolean allowSetPassword(Context context,
                       javax.servlet.http.HttpServletRequest request,
                       String username)
                         throws SQLException

Description copied from interface: AuthenticationMethod

Should (or can) we allow the user to change their password. Note that this means the password stored in the EPerson record, so if any method in the stack returns true, the user is allowed to change it.

Specified by:

allowSetPassword in interface AuthenticationMethod

Parameters:

context - DSpace context

request - HTTP request, in case it's needed. May be null.

username - Username, if available. May be null.

Returns:

true if this method allows user to change ePerson password.

Throws:

SQLException - if database error

isImplicit

public boolean isImplicit()

Description copied from interface: AuthenticationMethod

Predicate, is this an implicit authentication method. An implicit method gets credentials from the environment (such as an HTTP request or even Java system properties) rather than the explicit username and password. For example, a method that reads the X.509 certificates in an HTTPS request is implicit.

Specified by:

isImplicit in interface AuthenticationMethod

Returns:

true if this method uses implicit authentication.

getSpecialGroups

public List<Group> getSpecialGroups(Context context,
                           javax.servlet.http.HttpServletRequest request)
                             throws SQLException

Description copied from interface: AuthenticationMethod

Get list of extra groups that user implicitly belongs to. Note that this method will be invoked regardless of the authentication status of the user (logged-in or not) e.g. a group that depends on the client network-address.

It might make sense to implement this method by itself in a separate authentication method that just adds special groups, if the code doesn't belong with any existing auth method. The stackable authentication system was designed expressly to separate functions into "stacked" methods to keep your site-specific code modular and tidy.

Specified by:

getSpecialGroups in interface AuthenticationMethod

Parameters:

context - A valid DSpace context.

request - The request that started this operation, or null if not applicable.

Returns:

array of EPerson-group IDs, possibly 0-length, but never null.

Throws:

SQLException - if database error

authenticate

public int authenticate(Context context,
               String username,
               String password,
               String realm,
               javax.servlet.http.HttpServletRequest request)
                 throws SQLException

Description copied from interface: AuthenticationMethod

Authenticate the given or implicit credentials. This is the heart of the authentication method: test the credentials for authenticity, and if accepted, attempt to match (or optionally, create) an EPerson. If an EPerson is found it is set in the Context that was passed.

Specified by:

authenticate in interface AuthenticationMethod

Parameters:

context - DSpace context, will be modified (ePerson set) upon success.

username - Username (or email address) when method is explicit. Use null for implicit method.

password - Password for explicit auth, or null for implicit method.

realm - Realm is an extra parameter used by some authentication methods, leave null if not applicable.

request - The HTTP request that started this operation, or null if not applicable.

Returns:

One of: SUCCESS, BAD_CREDENTIALS, CERT_REQUIRED, NO_SUCH_USER, BAD_ARGS

Meaning:
SUCCESS - authenticated OK.
BAD_CREDENTIALS - user exists, but credentials (e.g. passwd) don't match
CERT_REQUIRED - not allowed to login this way without X.509 cert.
NO_SUCH_USER - user not found using this method.
BAD_ARGS - user/pw not appropriate for this method

Throws:

SQLException - if database error

loginPageURL

public String loginPageURL(Context context,
                  javax.servlet.http.HttpServletRequest request,
                  javax.servlet.http.HttpServletResponse response)

Description copied from interface: AuthenticationMethod

Get login page to which to redirect. Returns URL (as string) to which to redirect to obtain credentials (either password prompt or e.g. HTTPS port for client cert.); null means no redirect.

Specified by:

loginPageURL in interface AuthenticationMethod

Parameters:

context - DSpace context, will be modified (ePerson set) upon success.

request - The HTTP request that started this operation, or null if not applicable.

response - The HTTP response from the servlet method.

Returns:

fully-qualified URL or null

loginPageTitle

public String loginPageTitle(Context context)

Description copied from interface: AuthenticationMethod

Get title of login page to which to redirect. Returns a message key that gets translated into the title or label for "login page" (or null, if not implemented) This title may be used to identify the link to the login page in a selection menu, when there are multiple ways to login.

Specified by:

loginPageTitle in interface AuthenticationMethod

Parameters:

context - DSpace context, will be modified (ePerson set) upon success.

Returns:

title text.