Package edu.cornell.mannlib.vitro.webapp.controller.authenticate

Class Authenticator

  • Direct Known Subclasses:
    BasicAuthenticator, RestrictedAuthenticator
    public abstract class Authenticator
extends Object
    The tool that a login process will use to interface with the user records in the model (or wherever). This needs to be based on a HttpSession, because things like the UserDAO are tied to the session. It seemed easier to base it on a HttpServletRequest, which we can use to get the session. TODO: Wouldn't it be cool if we could remove the LoginNotPermitted exception? Perhaps we could have a sub-object called an Authenticator.ForUser, and you call a getAuthenticatorForUser() method which returns null if your login has been disabled. Then, that object would provide these methods: accountRequiresEditing(), getAssociatedIndividualUris(), isCurrentPassword(), recordLoginAgainstUserAccount(), recordNewPassword(). If you didn't have such an object, you couldn't even call these methods.

    • Field Detail

      • LOGGED_IN_TIMEOUT_INTERVAL

        public static final int LOGGED_IN_TIMEOUT_INTERVAL
        Maximum inactive interval for a ordinary logged-in session, in seconds.
        See Also:
        Constant Field Values

      • PRIVILEGED_TIMEOUT_INTERVAL

        public static final int PRIVILEGED_TIMEOUT_INTERVAL
        Maximum inactive interval for a editor (or better) session, in seconds.
        See Also:
        Constant Field Values

    • Constructor Detail

      • Authenticator

        public Authenticator()

    • Method Detail

      • getInstance

        public static Authenticator getInstance​(javax.servlet.http.HttpServletRequest request)
        Ask the currently configured AuthenticatorFactory to give us an Authenticator for this request. If there is no factory, configure a Basic one.

      • getAccountForExternalAuth

        public abstract UserAccount getAccountForExternalAuth​(String externalAuthId)
        Get the UserAccount for this external ID, or null if there is none.

      • getAccountForInternalAuth

        public abstract UserAccount getAccountForInternalAuth​(String emailAddress)
        Get the UserAccount for this email address, or null if there is none.

      • isUserPermittedToLogin

        public abstract boolean isUserPermittedToLogin​(UserAccount userAccount)
        Is this user permitted to login? Some Authenticators might disable logins for certain users. Behavior when userAccount is null depends on the particular Authenticator. An answer of "true" presumably means that the user will be permitted to login and create an account on the fly. Note that this method may rely on the HttpServletRequest object that was provided to the factory when this instance was created.

      • isCurrentPassword

        public abstract boolean isCurrentPassword​(UserAccount userAccount,
                                          String clearTextPassword)
        Internal: does this UserAccount have this password? False if the userAccount is null.

      • isCurrentPasswordArgon2

        public abstract boolean isCurrentPasswordArgon2​(UserAccount userAccount,
                                                String clearTextPassword)
        Does this UserAccount have this Argon2 password? False if the userAccount is null.

      • md5HashIsNull

        public abstract boolean md5HashIsNull​(UserAccount userAccount)
        Checks if the user still has got an MD5 Password

      • recordNewPassword

        public abstract void recordNewPassword​(UserAccount userAccount,
                                       String newClearTextPassword)
        Internal: record a new password for the user. Takes no action if the userAccount is null.

      • accountRequiresEditing

        public abstract boolean accountRequiresEditing​(UserAccount userAccount)
        Is a change in name or email required when the user logs in?

      • getAssociatedIndividualUris

        public abstract List<String> getAssociatedIndividualUris​(UserAccount userAccount)
        Get the URIs of all individuals associated with this user, whether by a self-editing property like cornellEmailNetid, or by mayEditAs.

      • recordLoginAgainstUserAccount

        public abstract void recordLoginAgainstUserAccount​(UserAccount userAccount,
                                                   LoginStatusBean.AuthenticationSource authSource)
                                            throws Authenticator.LoginNotPermitted
         Record that the user has logged in, with all of the housekeeping that
 goes with it:
 - update the user record
 - set login status and timeout limit in the session
 - refresh the Identifiers on the request
 - record the user in the session map
 - notify other users of the model
        Throws:
        Authenticator.LoginNotPermitted - if the Authenticator denies this user the ability to login. This should be thrown if and only if isUserPermittedToLogin() returns false.

      • recordUserIsLoggedOut

        public abstract void recordUserIsLoggedOut()
         Record that the current user has logged out: - notify other users of the
 model.
 - invalidate the session.

      • applyMd5Encoding

        public static String applyMd5Encoding​(String raw)
        Apply MD5 to this string, and encode as a string of hex digits. Just right for storing passwords in the database, or hashing the password link.

      • applyArgon2iEncoding

        public static String applyArgon2iEncoding​(String raw)
        Applies Argon2i hashing on a string. Obtains the argon2i parameters from the configuration properties specified in the runtime.properties through this class "Authenticator".

      • verifyArgon2iHash

        public static boolean verifyArgon2iHash​(String hash,
                                        String raw)
        Verifies the string against the Argon2i hash stored for a user account

      • isValidEmailAddress

        public static boolean isValidEmailAddress​(String emailAddress)
        Check whether the form of the emailAddress is syntactically correct. Does not allow multiple addresses. Does not allow local addresses (without a hostname). Does not confirm that the host actually exists, or has a mailbox by that name.

      • getIdsForUserAccount

        public static IdentifierBundle getIdsForUserAccount​(javax.servlet.http.HttpServletRequest req,
                                                    UserAccount userAccount)
        Get the IDs that would be created for this userAccount, if this user were to log in.