Class MyPersistentLoginManager

  • All Implemented Interfaces:
    Serializable, org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface

    public class MyPersistentLoginManager
    extends org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
    Class responsible for remembering the login information between requests. It uses (encrypted) cookies for this. The encryption key is stored in xwiki.cfg, xwiki.authentication.encryptionKey parameter. The cookies used are:
    username
    The logged in username
    password
    The password
    rememberme
    Whether or not the authentication information should be preserved across sessions
    validation
    Token used for validating the cookie information. It contains hashed information about the other cookies and a secret paramete, optionally binding with the current IP of the user (so that the cookie cannot be reused on another computer). This binding is enabled by the parameter xwiki.authentication.useip . The secret parameter is specified in xwiki.authentication.validationKey
    Version:
    $Id: 25f2bfe9d9f3a893f3823f6f80b8a0101df94c57 $
    See Also:
    Serialized Form
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected String[] cookieDomains
      The domain generalization for which the cookies are active.
      protected String cookiePath
      The path for which the cookies are active.
      protected String cookiePrefix
      The prefix that should be used for cookie names.
      • Fields inherited from class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager

        cipherParameters, COOKIE_PASSWORD, COOKIE_REMEMBERME, COOKIE_USERNAME, COOKIE_VALIDATION, cookieLife, encryptionAlgorithm, encryptionKey, encryptionMode, encryptionPadding, protection, PROTECTION_ALL, PROTECTION_ENCRYPTION, PROTECTION_NONE, PROTECTION_VALIDATION, secretKey, useIP, validationKey, valueAfterMD5, valueBeforeMD5
    • Field Detail

      • cookieDomains

        protected String[] cookieDomains
        The domain generalization for which the cookies are active. Configured by the xwiki.authentication.cookiedomains parameter. If a request comes from a host not in this list, then the cookie is valid only for the requested domain. If a request comes from a host that partially matches a domain in this list (meaning that the value in the list is contained in the requested domain), then the cookie is set for the more general value found in the list. This is useful for using the same account across multiple virtual wikis, for example.
      • cookiePath

        protected String cookiePath
        The path for which the cookies are active. By default the cookie is active for all paths in the configured domains.
      • cookiePrefix

        protected String cookiePrefix
        The prefix that should be used for cookie names.
    • Method Detail

      • setCookieDomains

        public void setCookieDomains​(String[] cdlist)
        Setter for the cookieDomains parameter.
        Parameters:
        cdlist - The new value for cookieDomains. The list is processed, so that any value not starting with a dot is prefixed with one, to respect the RFC 2109.
        See Also:
        cookieDomains
      • setupCookie

        @Deprecated
        public void setupCookie​(javax.servlet.http.Cookie cookie,
                                boolean sessionCookie,
                                String cookieDomain,
                                javax.servlet.http.HttpServletResponse response)
        Deprecated.
        Setup a cookie: expiration date, path, domain + send it to the response.
        Parameters:
        cookie - The cookie to setup.
        sessionCookie - Whether the cookie is only for this session, or for a longer period.
        cookieDomain - The domain for which the cookie is set.
        response - The servlet response.
      • rememberLogin

        public void rememberLogin​(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  String username,
                                  String password)
        Remember a specific login using cookies.
        Specified by:
        rememberLogin in interface org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
        Overrides:
        rememberLogin in class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
        Parameters:
        request - The servlet request.
        response - The servlet response.
        username - The username that's being remembered.
        password - The password that's being remembered.
      • encryptText

        public String encryptText​(String clearText)
        Encrypt a string. The encryption is password-based. The password can be configured using the xwiki.authentication.encryptionKey parameter.
        Parameters:
        clearText - The text to be encrypted.
        Returns:
        clearText, encrypted.
      • forgetLogin

        public void forgetLogin​(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response)
        Forget a login by removing the authentication cookies.
        Specified by:
        forgetLogin in interface org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
        Overrides:
        forgetLogin in class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
        Parameters:
        request - The servlet request.
        response - The servlet response.
      • getRememberedUsername

        public String getRememberedUsername​(javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response)
        Get the username stored (in a cookie) in the request. Also checks the validity of the cookie.
        Specified by:
        getRememberedUsername in interface org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
        Overrides:
        getRememberedUsername in class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
        Parameters:
        request - The servlet request.
        response - The servlet response.
        Returns:
        The username value, or null if not found or the cookie isn't valid.
      • getRememberedPassword

        public String getRememberedPassword​(javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response)
        Get the password stored (in a cookie) in the request. Also checks the validity of the cookie.
        Specified by:
        getRememberedPassword in interface org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
        Overrides:
        getRememberedPassword in class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
        Parameters:
        request - The servlet request.
        response - The servlet response.
        Returns:
        The password value, or null if not found or the cookie isn't valid.
      • rememberingLogin

        public boolean rememberingLogin​(javax.servlet.http.HttpServletRequest request)
        Specified by:
        rememberingLogin in interface org.securityfilter.authenticator.persistent.PersistentLoginManagerInterface
        Overrides:
        rememberingLogin in class org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager
      • getClientIP

        protected String getClientIP​(javax.servlet.http.HttpServletRequest request)
        Returns the original client IP. Needed because request.getRemoteAddr returns the address of the last requesting host, which can be either the real client, or a proxy. The original method prevents logging in when using a cluster of reverse proxies in front of XWiki.
        Parameters:
        request - The servlet request.
        Returns:
        The IP of the actual client.