Package com.xpn.xwiki.user.impl.xwiki
Class MyPersistentLoginManager
- java.lang.Object
-
- org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
-
- com.xpn.xwiki.user.impl.xwiki.MyPersistentLoginManager
-
- All Implemented Interfaces:
Serializable
,org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
public class MyPersistentLoginManager extends org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
Class responsible for remembering the login information between requests. It uses (encrypted) cookies for this. The encryption key is stored in xwiki.cfg, xwiki.authentication.encryptionKey parameter. The cookies used are:- username
- The logged in username
- password
- The password
- rememberme
- Whether or not the authentication information should be preserved across sessions
- validation
- Token used for validating the cookie information. It contains hashed information about the other cookies and a secret paramete, optionally binding with the current IP of the user (so that the cookie cannot be reused on another computer). This binding is enabled by the parameter xwiki.authentication.useip . The secret parameter is specified in xwiki.authentication.validationKey
- Version:
- $Id: be1e8da49a42cb6c03109dc8ce67b11951955211 $
- See Also:
- Serialized Form
-
-
Field Summary
Fields Modifier and Type Field Description protected String[]
cookieDomains
The domain generalization for which the cookies are active.protected String
cookiePath
The path for which the cookies are active.protected String
cookiePrefix
The prefix that should be used for cookie names.-
Fields inherited from class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
cipherParameters, COOKIE_PASSWORD, COOKIE_REMEMBERME, COOKIE_USERNAME, COOKIE_VALIDATION, cookieLife, encryptionAlgorithm, encryptionKey, encryptionMode, encryptionPadding, protection, PROTECTION_ALL, PROTECTION_ENCRYPTION, PROTECTION_NONE, PROTECTION_VALIDATION, secretKey, useIP, validationKey, valueAfterMD5, valueBeforeMD5
-
-
Constructor Summary
Constructors Constructor Description MyPersistentLoginManager()
Default constructor.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description String
encryptText(String clearText)
Encrypt a string.void
forgetLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Forget a login by removing the authentication cookies.protected String
getClientIP(javax.servlet.http.HttpServletRequest request)
Returns the original client IP.String
getCookiePrefix()
Getter for thecookiePrefix
parameter.String
getRememberedPassword(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Get the password stored (in a cookie) in the request.String
getRememberedUsername(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Get the username stored (in a cookie) in the request.boolean
rememberingLogin(javax.servlet.http.HttpServletRequest request)
void
rememberLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password)
Remember a specific login using cookies.void
setCookieDomains(String[] cdlist)
Setter for thecookieDomains
parameter.void
setCookiePath(String cp)
Setter for thecookiePath
parameter.void
setCookiePrefix(String prefix)
Setter for thecookiePrefix
parameter.void
setupCookie(javax.servlet.http.Cookie cookie, boolean sessionCookie, String cookieDomain, javax.servlet.http.HttpServletResponse response)
Deprecated.this shouldn't have been public, usesetupCookie(Cookie, boolean, boolean, String, HttpServletResponse)
-
-
-
Field Detail
-
cookieDomains
protected String[] cookieDomains
The domain generalization for which the cookies are active. Configured by the xwiki.authentication.cookiedomains parameter. If a request comes from a host not in this list, then the cookie is valid only for the requested domain. If a request comes from a host that partially matches a domain in this list (meaning that the value in the list is contained in the requested domain), then the cookie is set for the more general value found in the list. This is useful for using the same account across multiple virtual wikis, for example.
-
cookiePath
protected String cookiePath
The path for which the cookies are active. By default the cookie is active for all paths in the configured domains.
-
cookiePrefix
protected String cookiePrefix
The prefix that should be used for cookie names.
-
-
Constructor Detail
-
MyPersistentLoginManager
public MyPersistentLoginManager()
Default constructor. The configuration is done outside, inXWikiAuthServiceImpl.getAuthenticator(com.xpn.xwiki.XWikiContext)
, so no parameters are needed at this point.
-
-
Method Detail
-
setCookieDomains
public void setCookieDomains(String[] cdlist)
Setter for thecookieDomains
parameter.- Parameters:
cdlist
- The new value forcookieDomains
. The list is processed, so that any value not starting with a dot is prefixed with one, to respect the RFC 2109.- See Also:
cookieDomains
-
setCookiePath
public void setCookiePath(String cp)
Setter for thecookiePath
parameter.- Parameters:
cp
- The new value forcookiePath
.- See Also:
cookiePath
-
setupCookie
@Deprecated public void setupCookie(javax.servlet.http.Cookie cookie, boolean sessionCookie, String cookieDomain, javax.servlet.http.HttpServletResponse response)
Deprecated.this shouldn't have been public, usesetupCookie(Cookie, boolean, boolean, String, HttpServletResponse)
Setup a cookie: expiration date, path, domain + send it to the response.- Parameters:
cookie
- The cookie to setup.sessionCookie
- Whether the cookie is only for this session, or for a longer period.cookieDomain
- The domain for which the cookie is set.response
- The servlet response.
-
rememberLogin
public void rememberLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String username, String password)
Remember a specific login using cookies.- Specified by:
rememberLogin
in interfaceorg.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
- Overrides:
rememberLogin
in classorg.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
- Parameters:
request
- The servlet request.response
- The servlet response.username
- The username that's being remembered.password
- The password that's being remembered.
-
encryptText
public String encryptText(String clearText)
Encrypt a string. The encryption is password-based. The password can be configured using the xwiki.authentication.encryptionKey parameter.- Parameters:
clearText
- The text to be encrypted.- Returns:
- clearText, encrypted.
-
forgetLogin
public void forgetLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Forget a login by removing the authentication cookies.- Specified by:
forgetLogin
in interfaceorg.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
- Overrides:
forgetLogin
in classorg.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
- Parameters:
request
- The servlet request.response
- The servlet response.
-
getRememberedUsername
public String getRememberedUsername(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Get the username stored (in a cookie) in the request. Also checks the validity of the cookie.- Specified by:
getRememberedUsername
in interfaceorg.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
- Overrides:
getRememberedUsername
in classorg.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
- Parameters:
request
- The servlet request.response
- The servlet response.- Returns:
- The username value, or
null
if not found or the cookie isn't valid.
-
getRememberedPassword
public String getRememberedPassword(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Get the password stored (in a cookie) in the request. Also checks the validity of the cookie.- Specified by:
getRememberedPassword
in interfaceorg.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
- Overrides:
getRememberedPassword
in classorg.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
- Parameters:
request
- The servlet request.response
- The servlet response.- Returns:
- The password value, or
null
if not found or the cookie isn't valid.
-
rememberingLogin
public boolean rememberingLogin(javax.servlet.http.HttpServletRequest request)
- Specified by:
rememberingLogin
in interfaceorg.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
- Overrides:
rememberingLogin
in classorg.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
-
getClientIP
protected String getClientIP(javax.servlet.http.HttpServletRequest request)
Returns the original client IP. Needed because request.getRemoteAddr returns the address of the last requesting host, which can be either the real client, or a proxy. The original method prevents logging in when using a cluster of reverse proxies in front of XWiki.- Parameters:
request
- The servlet request.- Returns:
- The IP of the actual client.
-
setCookiePrefix
public void setCookiePrefix(String prefix)
Setter for thecookiePrefix
parameter.- Parameters:
prefix
- The new value forcookiePrefix
.- See Also:
cookiePrefix
-
getCookiePrefix
public String getCookiePrefix()
Getter for thecookiePrefix
parameter.- Returns:
- The value for
cookiePrefix
. - See Also:
cookiePrefix
-
-