com.ecyrd.jspwiki.auth

Class AuthenticationManager

java.lang.Object

com.ecyrd.jspwiki.auth.AuthenticationManager

public final class AuthenticationManager
extends java.lang.Object

Manages authentication activities for a WikiEngine: user login, logout, and credential refreshes. This class uses JAAS to determine how users log in.

The login procedure is protected in addition by a mechanism which prevents a hacker to try and force-guess passwords by slowing down attempts to log in into the same account. Every login attempt is recorded, and stored for a while (currently ten minutes), and each login attempt during that time incurs a penalty of 2^login attempts milliseconds - that is, 10 login attempts incur a login penalty of 1.024 seconds. The delay is currently capped to 20 seconds.

Since:

2.3

Author:

Andrew Jaquith, Erik Bunn

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	COOKIE_AUTHENTICATION_MODULE The name of the built-in cookie authentication module
static java.lang.String	COOKIE_MODULE The name of the built-in cookie assertion module
protected static java.util.Map<java.lang.String,java.lang.String>	EMPTY_MAP Empty Map passed to JAAS doJAASLogin(Class, CallbackHandler, Map) method.
protected java.lang.Class<? extends javax.security.auth.spi.LoginModule>	m_loginModuleClass Class (of type LoginModule) to use for custom authentication.
protected java.util.Map<java.lang.String,java.lang.String>	m_loginModuleOptions Options passed to LoginModule.initialize(Subject, CallbackHandler, Map, Map); initialized by initialize(WikiEngine, Properties).
protected static java.lang.String	PREFIX_LOGIN_MODULE_OPTIONS Prefix for LoginModule options key/value pairs.
protected static java.lang.String	PROP_ALLOW_COOKIE_ASSERTIONS If this jspwiki.properties property is true, allow cookies to be used to assert identities.
static java.lang.String	PROP_ALLOW_COOKIE_AUTH If this jspwiki.properties property is true, allow cookies to be used for authentication.
protected static java.lang.String	PROP_LOGIN_MODULE The LoginModule to use for custom authentication.
static java.lang.String	PROP_LOGIN_THROTTLING Whether logins should be throttled to limit brute-forcing attempts.
static java.lang.String	PROP_SECURITY Deprecated.
static java.lang.String	PROP_STOREIPADDRESS If this jspwiki.properties property is true, logs the IP address of the editor on saving.
protected static java.lang.String	SECURITY_CONTAINER Deprecated. use SECURITY_OFF instead
static java.lang.String	SECURITY_JAAS Value specifying that the user wants to use the built-in JAAS-based system
static java.lang.String	SECURITY_OFF Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2.

Constructor Summary

Constructors

Constructor and Description
AuthenticationManager()

Method Summary

Modifier and Type	Method and Description
void	addWikiEventListener(WikiEventListener listener) Registers a WikiEventListener with this instance.
boolean	allowsCookieAssertions() Determines whether this WikiEngine allows users to assert identities using cookies instead of passwords.
boolean	allowsCookieAuthentication() Determines whether this WikiEngine allows users to authenticate using cookies instead of passwords.
protected java.util.Set<java.security.Principal>	doJAASLogin(java.lang.Class<? extends javax.security.auth.spi.LoginModule> clazz, javax.security.auth.callback.CallbackHandler handler, java.util.Map<java.lang.String,java.lang.String> options) Instantiates and executes a single JAAS LoginModule, and returns a Set of Principals that results from a successful login.
protected static java.net.URL	findConfigFile(WikiEngine engine, java.lang.String name) Looks up and obtains a configuration file inside the WEB-INF folder of a wiki webapp.
protected void	fireEvent(int type, java.security.Principal principal, java.lang.Object target) Fires a WikiSecurityEvent of the provided type, Principal and target Object to all registered listeners.
protected java.security.Principal	getLoginPrincipal(java.util.Set<java.security.Principal> principals) Returns the first Principal in a set that isn't a Role or GroupPrincipal.
void	initialize(WikiEngine engine, java.util.Properties props) Creates an AuthenticationManager instance for the given WikiEngine and the specified set of properties.
boolean	isContainerAuthenticated() Returns true if this WikiEngine uses container-managed authentication.
static boolean	isRolePrincipal(java.security.Principal principal) Determines whether the supplied Principal is a "role principal".
static boolean	isUserPrincipal(java.security.Principal principal) Determines whether the supplied Principal is a "user principal".
boolean	login(HttpServletRequest request) Logs in the user by attempting to populate a WikiSession Subject from a web servlet request by examining the request for the presence of container credentials and user cookies.
boolean	login(WikiSession session, HttpServletRequest request, java.lang.String username, java.lang.String password) Attempts to perform a WikiSession login for the given username/password combination using JSPWiki's custom authentication mode.
boolean	login(WikiSession session, java.lang.String username, java.lang.String password) Deprecated. use login(WikiSession, HttpServletRequest, String, String) instead
void	logout(HttpServletRequest request) Logs the user out by retrieving the WikiSession associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL, Role.ANONYMOUS.
void	removeWikiEventListener(WikiEventListener listener) Un-registers a WikiEventListener with this instance.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

COOKIE_MODULE

public static final java.lang.String COOKIE_MODULE

The name of the built-in cookie assertion module

COOKIE_AUTHENTICATION_MODULE

public static final java.lang.String COOKIE_AUTHENTICATION_MODULE

The name of the built-in cookie authentication module

PROP_STOREIPADDRESS

public static final java.lang.String PROP_STOREIPADDRESS

If this jspwiki.properties property is true, logs the IP address of the editor on saving.

See Also:

Constant Field Values

PROP_ALLOW_COOKIE_AUTH

public static final java.lang.String PROP_ALLOW_COOKIE_AUTH

If this jspwiki.properties property is true, allow cookies to be used for authentication.

See Also:

Constant Field Values

PROP_SECURITY

public static final java.lang.String PROP_SECURITY

Deprecated.

This property determines whether we use JSPWiki authentication or not. Possible values are AUTH_JAAS or AUTH_CONTAINER.

Setting this is now deprecated - we do not guarantee that it works.

See Also:

Constant Field Values

SECURITY_OFF

public static final java.lang.String SECURITY_OFF

Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2.

See Also:

Constant Field Values

SECURITY_JAAS

public static final java.lang.String SECURITY_JAAS

Value specifying that the user wants to use the built-in JAAS-based system

See Also:

Constant Field Values

PROP_LOGIN_THROTTLING

public static final java.lang.String PROP_LOGIN_THROTTLING

Whether logins should be throttled to limit brute-forcing attempts. Defaults to true.

See Also:

Constant Field Values

PREFIX_LOGIN_MODULE_OPTIONS

protected static final java.lang.String PREFIX_LOGIN_MODULE_OPTIONS

Prefix for LoginModule options key/value pairs.

See Also:

Constant Field Values

PROP_ALLOW_COOKIE_ASSERTIONS

protected static final java.lang.String PROP_ALLOW_COOKIE_ASSERTIONS

If this jspwiki.properties property is true, allow cookies to be used to assert identities.

See Also:

Constant Field Values

PROP_LOGIN_MODULE

protected static final java.lang.String PROP_LOGIN_MODULE

The LoginModule to use for custom authentication.

See Also:

Constant Field Values

EMPTY_MAP

protected static final java.util.Map<java.lang.String,java.lang.String> EMPTY_MAP

Empty Map passed to JAAS doJAASLogin(Class, CallbackHandler, Map) method.

m_loginModuleClass

protected java.lang.Class<? extends javax.security.auth.spi.LoginModule> m_loginModuleClass

Class (of type LoginModule) to use for custom authentication.

m_loginModuleOptions

protected java.util.Map<java.lang.String,java.lang.String> m_loginModuleOptions

Options passed to LoginModule.initialize(Subject, CallbackHandler, Map, Map); initialized by initialize(WikiEngine, Properties).

SECURITY_CONTAINER

protected static final java.lang.String SECURITY_CONTAINER

Deprecated. use SECURITY_OFF instead

Just to provide compatibility with the old versions. The same as SECURITY_OFF.

See Also:

Constant Field Values

Constructor Detail

AuthenticationManager

public AuthenticationManager()

Method Detail

initialize

public final void initialize(WikiEngine engine,
                             java.util.Properties props)
                      throws WikiException

Creates an AuthenticationManager instance for the given WikiEngine and the specified set of properties. All initialization for the modules is done here.

Parameters:

engine - the wiki engine

props - the properties used to initialize the wiki engine

Throws:

WikiException - if the AuthenticationManager cannot be initialized

isContainerAuthenticated

public final boolean isContainerAuthenticated()

Returns true if this WikiEngine uses container-managed authentication. This method is used primarily for cosmetic purposes in the JSP tier, and performs no meaningful security function per se. Delegates to WebContainerAuthorizer.isContainerAuthorized(), if used as the external authorizer; otherwise, returns false.

Returns:

true if the wiki's authentication is managed by the container, false otherwise

login

public final boolean login(HttpServletRequest request)
                    throws WikiSecurityException

Logs in the user by attempting to populate a WikiSession Subject from a web servlet request by examining the request for the presence of container credentials and user cookies. The processing logic is as follows:

• If the WikiSession had previously been unauthenticated, check to see if user has subsequently authenticated. To be considered "authenticated," the request must supply one of the following (in order of preference): the container userPrincipal, container remoteUser, or authentication cookie. If the user is authenticated, this method fires event WikiSecurityEvent.LOGIN_AUTHENTICATED with two parameters: a Principal representing the login principal, and the current WikiSession. In addition, if the authorizer is of type WebContainerAuthorizer, this method iterates through the container roles returned by WebContainerAuthorizer.getRoles(), tests for membership in each one, and adds those that pass to the Subject's principal set.
• If, after checking for authentication, the WikiSession is still Anonymous, this method next checks to see if the user has "asserted" an identity by supplying an assertion cookie. If the user is found to be asserted, this method fires event WikiSecurityEvent.LOGIN_ASSERTED with two parameters: WikiPrincipal(cookievalue), and the current WikiSession.
• If, after checking for authenticated and asserted status, the WikiSession is still anonymous, this method fires event WikiSecurityEvent.LOGIN_ANONYMOUS with two parameters: WikiPrincipal(remoteAddress), and the current WikiSession

Parameters:

request - servlet request for this user

Returns:

always returns true (because anonymous login, at least, will always succeed)

Throws:

WikiSecurityException - if the user cannot be logged in for any reason

Since:

2.3

login

public final boolean login(WikiSession session,
                           java.lang.String username,
                           java.lang.String password)
                    throws WikiSecurityException

Deprecated. use login(WikiSession, HttpServletRequest, String, String) instead

Attempts to perform a WikiSession login for the given username/password combination using JSPWiki's custom authentication mode. This method is identical to login(WikiSession, String, String), except that user's HTTP request is not made available to LoginModules via the HttpRequestCallback.

Parameters:

session - the current wiki session; may not be null.

username - The user name. This is a login name, not a WikiName. In most cases they are the same, but in some cases, they might not be.

password - the password

Returns:

true, if the username/password is valid

Throws:

WikiSecurityException - if the Authorizer or UserManager cannot be obtained

login

public final boolean login(WikiSession session,
                           HttpServletRequest request,
                           java.lang.String username,
                           java.lang.String password)
                    throws WikiSecurityException

Attempts to perform a WikiSession login for the given username/password combination using JSPWiki's custom authentication mode. In order to log in, the JAAS LoginModule supplied by the WikiEngine property PROP_LOGIN_MODULE will be instantiated, and its LoginModule.initialize(Subject, CallbackHandler, Map, Map) method will be invoked. By default, the UserDatabaseLoginModule class will be used. When the LoginModule's initialize method is invoked, an options Map populated by properties keys prefixed by PREFIX_LOGIN_MODULE_OPTIONS will be passed as a parameter.

Parameters:

session - the current wiki session; may not be null.

request - the user's HTTP request. This parameter may be null, but the configured LoginModule will not have access to the HTTP request in this case.

username - The user name. This is a login name, not a WikiName. In most cases they are the same, but in some cases, they might not be.

password - the password

Returns:

true, if the username/password is valid

Throws:

WikiSecurityException - if the Authorizer or UserManager cannot be obtained

logout

public final void logout(HttpServletRequest request)

Logs the user out by retrieving the WikiSession associated with the HttpServletRequest and unbinding all of the Subject's Principals, except for Role.ALL, Role.ANONYMOUS. is a cheap-and-cheerful way to do it without invoking JAAS LoginModules. The logout operation will also flush the JSESSIONID cookie from the user's browser session, if it was set.

Parameters:

request - the current HTTP request

allowsCookieAssertions

public final boolean allowsCookieAssertions()

Determines whether this WikiEngine allows users to assert identities using cookies instead of passwords. This is determined by inspecting the WikiEngine property PROP_ALLOW_COOKIE_ASSERTIONS.

Returns:

true if cookies are allowed

allowsCookieAuthentication

public final boolean allowsCookieAuthentication()

Determines whether this WikiEngine allows users to authenticate using cookies instead of passwords. This is determined by inspecting the WikiEngine property PROP_ALLOW_COOKIE_AUTH.

Returns:

true if cookies are allowed for authentication

Since:

2.5.62

isRolePrincipal

public static final boolean isRolePrincipal(java.security.Principal principal)

Determines whether the supplied Principal is a "role principal".

Parameters:

principal - the principal to test

Returns:

true if the Principal is of type GroupPrincipal or Role, false otherwise

isUserPrincipal

public static final boolean isUserPrincipal(java.security.Principal principal)

Determines whether the supplied Principal is a "user principal".

Parameters:

principal - the principal to test

Returns:

false if the Principal is of type GroupPrincipal or Role, true otherwise

doJAASLogin

protected java.util.Set<java.security.Principal> doJAASLogin(java.lang.Class<? extends javax.security.auth.spi.LoginModule> clazz,
                                                             javax.security.auth.callback.CallbackHandler handler,
                                                             java.util.Map<java.lang.String,java.lang.String> options)
                                                      throws WikiSecurityException

Instantiates and executes a single JAAS LoginModule, and returns a Set of Principals that results from a successful login. The LoginModule is instantiated, then its LoginModule.initialize(Subject, CallbackHandler, Map, Map) method is called. The parameters passed to initialize is a dummy Subject, an empty shared-state Map, and an options Map the caller supplies.

Parameters:

clazz - the LoginModule class to instantiate

handler - the callback handler to supply to the LoginModule

options - a Map of key/value strings for initializing the LoginModule

Returns:

the set of Principals returned by the JAAS method Subject.getPrincipals()

Throws:

WikiSecurityException - if the LoginModule could not be instantiated for any reason

findConfigFile

protected static final java.net.URL findConfigFile(WikiEngine engine,
                                                   java.lang.String name)

Looks up and obtains a configuration file inside the WEB-INF folder of a wiki webapp.

Parameters:

engine - the wiki engine

name - the file to obtain, e.g., jspwiki.policy

Returns:

the URL to the file

getLoginPrincipal

protected java.security.Principal getLoginPrincipal(java.util.Set<java.security.Principal> principals)

Returns the first Principal in a set that isn't a Role or GroupPrincipal.

Parameters:

principals - the principal set

Returns:

the login principal

addWikiEventListener

public final void addWikiEventListener(WikiEventListener listener)

Registers a WikiEventListener with this instance. This is a convenience method.

Parameters:

listener - the event listener

removeWikiEventListener

public final void removeWikiEventListener(WikiEventListener listener)

Un-registers a WikiEventListener with this instance. This is a convenience method.

Parameters:

listener - the event listener

fireEvent

protected final void fireEvent(int type,
                               java.security.Principal principal,
                               java.lang.Object target)

Fires a WikiSecurityEvent of the provided type, Principal and target Object to all registered listeners.

Parameters:

type - the event type to be fired

principal - the subject of the event, which may be null

target - the changed Object, which may be null

See Also:

WikiSecurityEvent