edu.cornell.mannlib.vitro.webapp.controller.authenticate

Class Authenticator

java.lang.Object

edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator

Direct Known Subclasses:

BasicAuthenticator, RestrictedAuthenticator

public abstract class Authenticator
extends Object

The tool that a login process will use to interface with the user records in the model (or wherever). This needs to be based on a HttpSession, because things like the UserDAO are tied to the session. It seemed easier to base it on a HttpServletRequest, which we can use to get the session. TODO: Wouldn't it be cool if we could remove the LoginNotPermitted exception? Perhaps we could have a sub-object called an Authenticator.ForUser, and you call a getAuthenticatorForUser() method which returns null if your login has been disabled. Then, that object would provide these methods: accountRequiresEditing(), getAssociatedIndividualUris(), isCurrentPassword(), recordLoginAgainstUserAccount(), recordNewPassword(). If you didn't have such an object, you couldn't even call these methods.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	Authenticator.AuthenticatorFactory
static class	Authenticator.LoginNotPermitted

Field Summary

Fields

Modifier and Type	Field and Description
static int	LOGGED_IN_TIMEOUT_INTERVAL Maximum inactive interval for a ordinary logged-in session, in seconds.
static int	PRIVILEGED_TIMEOUT_INTERVAL Maximum inactive interval for a editor (or better) session, in seconds.

Constructor Summary

Constructors

Constructor and Description
Authenticator()

Method Summary

Modifier and Type	Method and Description
abstract boolean	accountRequiresEditing(UserAccount userAccount) Is a change in name or email required when the user logs in?
static String	applyArgon2iEncoding(String raw) Applies Argon2i hashing on a string.
static String	applyMd5Encoding(String raw) Apply MD5 to this string, and encode as a string of hex digits.
abstract UserAccount	getAccountForExternalAuth(String externalAuthId) Get the UserAccount for this external ID, or null if there is none.
abstract UserAccount	getAccountForInternalAuth(String emailAddress) Get the UserAccount for this email address, or null if there is none.
abstract List<String>	getAssociatedIndividualUris(UserAccount userAccount) Get the URIs of all individuals associated with this user, whether by a self-editing property like cornellEmailNetid, or by mayEditAs.
static IdentifierBundle	getIdsForUserAccount(javax.servlet.http.HttpServletRequest req, UserAccount userAccount) Get the IDs that would be created for this userAccount, if this user were to log in.
static Authenticator	getInstance(javax.servlet.http.HttpServletRequest request) Ask the currently configured AuthenticatorFactory to give us an Authenticator for this request.
abstract boolean	isCurrentPassword(UserAccount userAccount, String clearTextPassword) Internal: does this UserAccount have this password? False if the userAccount is null.
abstract boolean	isCurrentPasswordArgon2(UserAccount userAccount, String clearTextPassword) Does this UserAccount have this Argon2 password? False if the userAccount is null.
abstract boolean	isUserPermittedToLogin(UserAccount userAccount) Is this user permitted to login? Some Authenticators might disable logins for certain users.
static boolean	isValidEmailAddress(String emailAddress) Check whether the form of the emailAddress is syntactically correct.
abstract boolean	md5HashIsNull(UserAccount userAccount) Checks if the user still has got an MD5 Password
abstract void	recordLoginAgainstUserAccount(UserAccount userAccount, LoginStatusBean.AuthenticationSource authSource) Record that the user has logged in, with all of the housekeeping that goes with it: - update the user record - set login status and timeout limit in the session - refresh the Identifiers on the request - record the user in the session map - notify other users of the model
abstract void	recordNewPassword(UserAccount userAccount, String newClearTextPassword) Internal: record a new password for the user.
abstract void	recordUserIsLoggedOut() Record that the current user has logged out: - notify other users of the model.
static void	setAuthenticatorFactory(Authenticator.AuthenticatorFactory factory, javax.servlet.ServletContext ctx)
static boolean	verifyArgon2iHash(String hash, String raw) Verifies the string against the Argon2i hash stored for a user account

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOGGED_IN_TIMEOUT_INTERVAL

public static final int LOGGED_IN_TIMEOUT_INTERVAL

Maximum inactive interval for a ordinary logged-in session, in seconds.

See Also:

Constant Field Values

PRIVILEGED_TIMEOUT_INTERVAL

public static final int PRIVILEGED_TIMEOUT_INTERVAL

Maximum inactive interval for a editor (or better) session, in seconds.

See Also:

Constant Field Values

Constructor Detail

Authenticator

public Authenticator()

Method Detail

getInstance

public static Authenticator getInstance(javax.servlet.http.HttpServletRequest request)

Ask the currently configured AuthenticatorFactory to give us an Authenticator for this request. If there is no factory, configure a Basic one.

setAuthenticatorFactory

public static void setAuthenticatorFactory(Authenticator.AuthenticatorFactory factory,
                                           javax.servlet.ServletContext ctx)

getAccountForExternalAuth

public abstract UserAccount getAccountForExternalAuth(String externalAuthId)

Get the UserAccount for this external ID, or null if there is none.

getAccountForInternalAuth

public abstract UserAccount getAccountForInternalAuth(String emailAddress)

Get the UserAccount for this email address, or null if there is none.

isUserPermittedToLogin

public abstract boolean isUserPermittedToLogin(UserAccount userAccount)

Is this user permitted to login? Some Authenticators might disable logins for certain users. Behavior when userAccount is null depends on the particular Authenticator. An answer of "true" presumably means that the user will be permitted to login and create an account on the fly. Note that this method may rely on the HttpServletRequest object that was provided to the factory when this instance was created.

isCurrentPassword

public abstract boolean isCurrentPassword(UserAccount userAccount,
                                          String clearTextPassword)

Internal: does this UserAccount have this password? False if the userAccount is null.

isCurrentPasswordArgon2

public abstract boolean isCurrentPasswordArgon2(UserAccount userAccount,
                                                String clearTextPassword)

Does this UserAccount have this Argon2 password? False if the userAccount is null.

md5HashIsNull

public abstract boolean md5HashIsNull(UserAccount userAccount)

Checks if the user still has got an MD5 Password

recordNewPassword

public abstract void recordNewPassword(UserAccount userAccount,
                                       String newClearTextPassword)

Internal: record a new password for the user. Takes no action if the userAccount is null.

accountRequiresEditing

public abstract boolean accountRequiresEditing(UserAccount userAccount)

Is a change in name or email required when the user logs in?

getAssociatedIndividualUris

public abstract List<String> getAssociatedIndividualUris(UserAccount userAccount)

Get the URIs of all individuals associated with this user, whether by a self-editing property like cornellEmailNetid, or by mayEditAs.

recordLoginAgainstUserAccount

public abstract void recordLoginAgainstUserAccount(UserAccount userAccount,
                                                   LoginStatusBean.AuthenticationSource authSource)
                                            throws Authenticator.LoginNotPermitted

 Record that the user has logged in, with all of the housekeeping that
 goes with it:
 - update the user record
 - set login status and timeout limit in the session
 - refresh the Identifiers on the request
 - record the user in the session map
 - notify other users of the model
 

Throws:

Authenticator.LoginNotPermitted - if the Authenticator denies this user the ability to login. This should be thrown if and only if isUserPermittedToLogin() returns false.

recordUserIsLoggedOut

public abstract void recordUserIsLoggedOut()

 Record that the current user has logged out: - notify other users of the
 model.
 - invalidate the session.
 

applyMd5Encoding

public static String applyMd5Encoding(String raw)

Apply MD5 to this string, and encode as a string of hex digits. Just right for storing passwords in the database, or hashing the password link.

applyArgon2iEncoding

public static String applyArgon2iEncoding(String raw)

Applies Argon2i hashing on a string. Obtains the argon2i parameters from the configuration properties specified in the runtime.properties through this class "Authenticator".

verifyArgon2iHash

public static boolean verifyArgon2iHash(String hash,
                                        String raw)

Verifies the string against the Argon2i hash stored for a user account

isValidEmailAddress

public static boolean isValidEmailAddress(String emailAddress)

Check whether the form of the emailAddress is syntactically correct. Does not allow multiple addresses. Does not allow local addresses (without a hostname). Does not confirm that the host actually exists, or has a mailbox by that name.

getIdsForUserAccount

public static IdentifierBundle getIdsForUserAccount(javax.servlet.http.HttpServletRequest req,
                                                    UserAccount userAccount)

Get the IDs that would be created for this userAccount, if this user were to log in.