Custom Authenticator and CustomLogin

From Resin 3.0



When your application wants to save and restore login information from a custom cookie, or wants to access the request and response during the login, you can create a custom Login to go with your authenticator.

  • Login - servlet-aware class responsible for extracting credentials (passwords) from the request and issuing challenges (HTTP responses)
  • Authenticator - general class responsible for verifying a password for a user and checking roles

Since cookies are part of the servlet capabilities, they belong in a custom Login.


Example

The example uses a custom Login to create a cookie named "test-save" with the user's name.

When the user accesses the site, the login() method will check for the cookie and log the user in automatically if it exists.

If the user isn't logged in, the login() method will default to the FormLogin behavior. On success, it will save the username in the cookie.

Warning: a real system would generate random cookie values instead of the username.

WEB-INF/resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="urn:java:com.caucho.resin"
         xmlns:qa="urn:java:qa">

  <qa:MyAuthenticator/>

  <qa:MyLogin form-login-page="/login.jsp"
              form-error-page="/error.jsp"/>

  <resin:Allow url-pattern="/admin/*">
    <resin:IfUserInRole role="admin"/>
  </resin:Allow>
</web-app>

MyAuthenticator.java

package qa;

import java.security.*;

import com.caucho.security.*;

// Class name must match the <qa:MyAuthenticator/> element in resin-web.xml.
public class MyAuthenticator extends AbstractAuthenticator {
  // Verifies the password for the named user. Returns the authenticated
  // Principal on success and null on failure. MyPrincipal is a simple
  // Principal implementation that is not shown on this page.
  @Override
  public Principal authenticate(Principal principal, char[] password)
  {
    if (principal.getName().equals("harry")
        && "quidditch".equals(new String(password))) {
      return new MyPrincipal("harry");
    }
    else {
      return null;
    }
  }

  // Only "harry" is in the "admin" role used by the /admin/* rule.
  @Override
  public boolean isUserInRole(Principal user, String role)
  {
    return "admin".equals(role)
           && user != null && user.getName().equals("harry");
  }
}

MyLogin.java

package qa;

import java.security.*;

import javax.servlet.*;
import javax.servlet.http.*;

import com.caucho.security.*;

public class MyLogin extends FormLogin {
  @Override
  protected Principal login(HttpServletRequest request,
                            HttpServletResponse response)
  {
    // Fast path: a "test-save" cookie logs the user in without a form.
    // As the warning above says, the cookie holds the bare user name here;
    // a real system would use an unguessable value instead.
    if (request.getCookies() != null) {
      for (Cookie cookie : request.getCookies()) {
        if (cookie.getName().equals("test-save"))
          return new MyPrincipal(cookie.getValue());
      }
    }

    // No cookie: fall back to the normal FormLogin behavior.
    Principal user = super.login(request, response);

    // On a successful form login, remember the user in the cookie.
    if (user != null)
      response.addCookie(new Cookie("test-save", user.getName()));

    return user;
  }
}
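The warning above says a real system would put a random value in the cookie rather than the user's name. The following class is an added example, not code from the Resin page or from Caucho, showing what that looks like: the cookie carries an unguessable token, the token-to-user mapping lives on the server, and the cookie is marked HttpOnly and Secure. It assumes the same MyPrincipal(String) class and the same protected FormLogin.login(request, response) override the page's MyLogin uses, a Servlet 3.0 API (for Cookie.setHttpOnly) and Java 8 (for java.util.Base64); the class name TokenLogin and the in-memory token map are choices made for this example.

```java
package qa;

import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.caucho.security.FormLogin;

// Added example: cookie login with a random token instead of the user name.
// Assumes MyPrincipal(String) and FormLogin.login(...) as used on the page.
public class TokenLogin extends FormLogin {
  private static final String COOKIE_NAME = "test-save";
  private static final int TOKEN_BYTES = 32;          // 256 bits of entropy
  private static final int COOKIE_MAX_AGE = 8 * 60 * 60; // eight hours

  // token -> user name. An in-memory map is an assumption of this example;
  // it is lost on restart, which only means users see the login form again.
  private final Map<String, String> tokens = new ConcurrentHashMap<>();
  private final SecureRandom random = new SecureRandom();

  @Override
  protected Principal login(HttpServletRequest request,
                            HttpServletResponse response)
  {
    String token = findCookie(request, COOKIE_NAME);
    if (token != null) {
      String userName = tokens.get(token);
      if (userName != null)
        return new MyPrincipal(userName);
      // Unknown or stale token: clear the cookie and fall through to the form.
      response.addCookie(expiredCookie(request));
    }

    Principal user = super.login(request, response);

    if (user != null) {
      String newToken = newToken();
      tokens.put(newToken, user.getName());

      Cookie cookie = new Cookie(COOKIE_NAME, newToken);
      cookie.setPath(contextPath(request));
      cookie.setHttpOnly(true);              // not readable by page scripts
      cookie.setSecure(request.isSecure());  // TLS-only when issued over TLS
      cookie.setMaxAge(COOKIE_MAX_AGE);
      response.addCookie(cookie);
    }

    return user;
  }

  // Called from a logout handler so the token stops working server-side.
  public void revoke(String token)
  {
    if (token != null)
      tokens.remove(token);
  }

  private static String findCookie(HttpServletRequest request, String name)
  {
    Cookie[] cookies = request.getCookies();
    if (cookies == null)
      return null;
    for (Cookie c : cookies) {
      if (name.equals(c.getName()))
        return c.getValue();
    }
    return null;
  }

  private String newToken()
  {
    byte[] bytes = new byte[TOKEN_BYTES];
    random.nextBytes(bytes);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
  }

  private static Cookie expiredCookie(HttpServletRequest request)
  {
    Cookie c = new Cookie(COOKIE_NAME, "");
    c.setPath(contextPath(request));
    c.setMaxAge(0);
    return c;
  }

  private static String contextPath(HttpServletRequest request)
  {
    String path = request.getContextPath();
    return (path == null || path.isEmpty()) ? "/" : path;
  }
}
```

Because the cookie value is only a lookup key, a forged or guessed cookie name reveals nothing about which user it belongs to, and a single server-side remove() in revoke() is enough to invalidate a token on logout. To use it in place of the page's MyLogin, the resin-web.xml element would become <qa:TokenLogin .../> with the same form-login-page and form-error-page attributes.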

login.jsp

<html>
<form method='post' action='j_security_check'>
User: <input type='text' name='j_username'><br>
Password: <input type='password' name='j_password'><br>
<input type='submit'>
</form>
</html>

error.jsp

<html>
<h1>failed login</h1>
<form method='post' action='j_security_check'>
User: <input type='text' name='j_username'><br>
Password: <input type='password' name='j_password'><br>
<input type='submit'>
</form>
</html>