com.zeevbelkin.web.filter.access
Class Yaaf.SessionSecurityInfo

java.lang.Object
  extended by com.zeevbelkin.web.filter.access.Yaaf.SessionSecurityInfo
All Implemented Interfaces:
Yaaf.RoleResolver, java.io.Serializable, java.security.Principal
Enclosing class:
Yaaf

public static class Yaaf.SessionSecurityInfo
extends java.lang.Object
implements java.security.Principal, Yaaf.RoleResolver, java.io.Serializable

The filter keeps the user identity, and the additional state needed to drive the login process, in this session bean, which also implements the Principal interface. The bean can be obtained through the getUserPrincipal request method, or from the session under the attribute name "SessionSecurityInfo". One further, very important role of this bean is its setExplicitLogin method, which marks the login process as "explicit" or "on demand" (by default the filter assumes that a login is on demand).

See Also:
Serialized Form

Constructor Summary
Yaaf.SessionSecurityInfo()
           
 
Method Summary
 void bye(javax.servlet.http.HttpServletRequest rq, javax.servlet.http.HttpServletResponse rsp)
          Logs the user out.
 void completeLogin(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
           
 java.lang.Object getLock()
          Gets the bean locking object (the object that owns the thread synchronization monitor) for the login/logout operations.
 java.lang.String getName()
          
 Yaaf.RoleResolver getRoleResolver()
          Getter for property roleResolver.
 java.lang.String getSavedRequestID()
          Returns the login request ID.
 int hashCode()
          
 void invalidate()
          Marks the session as one with an unauthenticated user.
 boolean isExplicitLogin()
          Getter of the explicitLogin property
 boolean isSavedRequestValid(javax.servlet.http.HttpServletRequest rq)
          Compares the current login request ID with the value of the yaacfiRqId request parameter passed back from the login page; returns true if the two values are equal.
 boolean isUserInRole(java.lang.String role)
          Checks whether the user has the given role.
 void saveLogin(javax.servlet.http.HttpServletRequest rq, javax.servlet.http.HttpServletResponse rsp, int days)
          Saves login info in a cookie if a saved login handler SavedLoginHandler has been specified in the filter configuration.
 void setExplicitLogin(boolean explicitLogin)
          Marks the current login process as an explicit or on demand one.
 void setName(java.lang.String userId)
          Sets the remote user name in the session.
 void setRoleResolver(Yaaf.RoleResolver roleResolver)
          Setter for property roleResolver.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface java.security.Principal
equals, toString
 

Constructor Detail

Yaaf.SessionSecurityInfo

public Yaaf.SessionSecurityInfo()
Method Detail

getName

public java.lang.String getName()

Specified by:
getName in interface java.security.Principal
Returns:
the remote user name set by setName(java.lang.String)
setName

public void setName(java.lang.String userId)
Sets the remote user name in the session. The user is considered authenticated from this call on. The authenticating servlet should also call setRoleResolver to give the filter the information it needs about the user's roles.

Parameters:
userId - remote user name

invalidate

public void invalidate()
Marks the session as one with an unauthenticated user.


hashCode

public int hashCode()

Specified by:
hashCode in interface java.security.Principal
Overrides:
hashCode in class java.lang.Object
Returns:
the hash code of this principal
isUserInRole

public boolean isUserInRole(java.lang.String role)
Checks whether the user has the given role.

Specified by:
isUserInRole in interface Yaaf.RoleResolver
Parameters:
role - the role to check
Returns:
true if the user has the role

getRoleResolver

public Yaaf.RoleResolver getRoleResolver()
Getter for property roleResolver.

Returns:
Value of property roleResolver.

setRoleResolver

public void setRoleResolver(Yaaf.RoleResolver roleResolver)
Setter for property roleResolver.

Parameters:
roleResolver - New value of property roleResolver.

saveLogin

public void saveLogin(javax.servlet.http.HttpServletRequest rq,
                      javax.servlet.http.HttpServletResponse rsp,
                      int days)
Saves the login information in a cookie if a saved login handler (SavedLoginHandler) has been specified in the filter configuration. When the filter is configured with a saved login handler, it signs the user in automatically whenever the browser presents valid saved login information.

Parameters:
rq - the current request
rsp - the response the saved-login cookie is added to
days - time in days to keep the login

bye

public void bye(javax.servlet.http.HttpServletRequest rq,
                javax.servlet.http.HttpServletResponse rsp)
Logs the user out. If there is a saved login, it is destroyed as well.
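A logout endpoint, as an added example written for this page (it is not code from Yaaf or its author): it takes the bean's lock object around bye so that a concurrent login in another request cannot interleave with the logout, and then drops the HTTP session, on the assumption (the page does not say) that bye does not invalidate the servlet session itself. The servlet mapping /logout is hypothetical. Logout is accepted on POST only, because a logout URL reachable by GET would let any third-party page end the user's session with a plain link or image tag.

```java
package example.login; // added example, not part of the Yaaf distribution

import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.zeevbelkin.web.filter.access.Yaaf;

/** Logout endpoint (hypothetical mapping: /logout), reached from a POST form on the page, not a plain link. */
public class LogoutServlet extends HttpServlet {

    /** Ends the login and drops the HTTP session, so neither the session id nor a saved-login cookie survives. */
    protected void doPost(HttpServletRequest rq, HttpServletResponse rsp) throws IOException {
        HttpSession session = rq.getSession(false);
        // The filter keeps the bean in the session under this name.
        Yaaf.SessionSecurityInfo ssi = session == null ? null
                : (Yaaf.SessionSecurityInfo) session.getAttribute("SessionSecurityInfo");
        if (ssi != null) {
            synchronized (ssi.getLock()) { // the monitor the filter uses for login/logout, so nothing interleaves
                ssi.bye(rq, rsp);          // marks the user unauthenticated and destroys the saved login, if any
            }
        }
        if (session != null) {
            session.invalidate(); // assumption: bye() leaves the servlet session alive; dropping it retires its id
        }
        rsp.sendRedirect(rq.getContextPath() + "/");
    }

    /** Logout only on POST: a cross-site link or <img src="/logout"> must not be able to end the session. */
    protected void doGet(HttpServletRequest rq, HttpServletResponse rsp) throws IOException {
        rsp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```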


getSavedRequestID

public java.lang.String getSavedRequestID()
Returns the login request ID. The filter assigns this ID when it begins a login-on-demand conversation. The ID exists to avoid the situation where a user begins a login conversation in one window, begins a new login conversation in another window, and then tries to finish the conversation in the first window. Each time the user begins a new conversation a new ID is assigned. An application using the filter can carry the login request ID in a request parameter to prevent the user from completing a login in a window whose conversation was superseded by a conversation in another window (the filter keeps only one login context at a time).

Returns:
login request ID
See Also:
isSavedRequestValid(javax.servlet.http.HttpServletRequest)

isSavedRequestValid

public boolean isSavedRequestValid(javax.servlet.http.HttpServletRequest rq)
Compares the current login request ID with the value of the request parameter named yaacfiRqId, which the login page passes back (for example as a hidden form field), and returns true if the two values are equal.

Parameters:
rq - the request carrying the yaacfiRqId parameter
Returns:
true if both values are the same
See Also:
getSavedRequestID()

getLock

public java.lang.Object getLock()
Gets the bean locking object (the object that owns the thread synchronization monitor) for the login/logout operations.

Returns:
the bean locking object

completeLogin

public void completeLogin(javax.servlet.ServletRequest request,
                          javax.servlet.ServletResponse response)

isExplicitLogin

public boolean isExplicitLogin()
Getter for property explicitLogin.

Returns:
Value of property explicitLogin.

setExplicitLogin

public void setExplicitLogin(boolean explicitLogin)
Marks the current login process as explicit or on demand. If a web application implements both types of login, it must call this method. For example, a JSP that implements a cookie login as a Struts action may look like this (a cookie login is always on demand):
 <%@ page import="com.zeevbelkin.web.filter.access.Yaaf" %>
 <%-- Taglib URIs as in Struts 1.3; older releases use different ones --%>
 <%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>
 <%@ taglib uri="http://struts.apache.org/tags-logic" prefix="logic" %>
 <bean:cookie name="test_user" id="test_user" value=""/>
 <bean:cookie name="test_secret" id="test_secret" value=""/>
 <bean:define id="ssi" name="SessionSecurityInfo" scope="session" type="Yaaf.SessionSecurityInfo"/>
 
 <!--
   Mark this login procedure as "login on demand".
   This is necessary because a user can begin an explicit login, not finish it
   successfully, and then begin a login on demand (which starts with a cookie login).
 -->
 <jsp:setProperty name="ssi" property="explicitLogin" value="false"/>
 <%
   // One hard-coded user name "pupkin" with the secret "right_secret".
   // Real applications check user names and cookie secrets against a database.
   if ("pupkin".equals(test_user.getValue()) && "right_secret".equals(test_secret.getValue())) {
      // The user is authenticated by cookie; no user interaction is needed.
      ssi.setName("pupkin");
      // ssi.setRoleResolver(...) would supply the user's roles to the filter here.
      ssi.completeLogin(request, response);
      return;
   }
 %>
 <logic:forward name="loginScreen"/>
 

Parameters:
explicitLogin - New value of property explicitLogin.
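The JSP above covers the cookie (login on demand) path. The explicit path is sketched below as an added example written for this page; it is not part of Yaaf, and it assumes several things the page does not state: a hypothetical servlet mapping /login, a hypothetical explicit=1 parameter that the site's "Sign in" link uses to distinguish an explicit login from one the filter started on demand, that getSavedRequestID() returns null when no on-demand conversation is open, that saveLogin must be called before completeLogin (which may commit the response), that Yaaf.RoleResolver has only the isUserInRole method this page shows, and a constructed in-memory credential store in place of a database. It strings together getLock, isSavedRequestValid, setExplicitLogin, setName, setRoleResolver, saveLogin and completeLogin in the order the method descriptions above imply, and rejects a form whose yaacfiRqId no longer matches the current conversation.

```java
package example.login; // added example, not part of the Yaaf distribution

import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.zeevbelkin.web.filter.access.Yaaf;

/** Form login for a Yaaf-protected application (hypothetical mapping: /login). The site's "Sign in" link points
 *  at /login?explicit=1; the filter sends the browser here without that parameter for a login on demand. */
public class LoginServlet extends HttpServlet {

    /** Role resolver handed to the filter; kept Serializable because the bean that stores it is Serializable. */
    static final class StaticRoleResolver implements Yaaf.RoleResolver, Serializable {
        private static final long serialVersionUID = 1L;
        private final Set<String> roles;
        StaticRoleResolver(Set<String> roles) { this.roles = Collections.unmodifiableSet(new HashSet<String>(roles)); }
        public boolean isUserInRole(String role) { return roles.contains(role); }
    }
    // Constructed sample store: user -> SHA-256(password) and user -> roles. Real code keeps salted,
    // slow hashes (bcrypt/scrypt/PBKDF2) in a database; this only keeps the example self-contained.
    private static final Map<String, byte[]> PASSWORD_HASHES = new HashMap<String, byte[]>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORD_HASHES.put("pupkin", sha256("right_secret"));
        ROLES.put("pupkin", Collections.singleton("user"));
    }
    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } // every JRE ships SHA-256
    }
    /** Constant-time compare: rejecting a wrong password takes as long as accepting the right one. */
    private static boolean passwordMatches(String user, String password) {
        byte[] expected = PASSWORD_HASHES.get(user);
        return expected != null && MessageDigest.isEqual(expected, sha256(password));
    }
    /** The filter stores the bean in the session under this name (rq.getUserPrincipal() returns it too). */
    private static Yaaf.SessionSecurityInfo securityInfo(HttpServletRequest rq) {
        HttpSession session = rq.getSession(false);
        return session == null ? null : (Yaaf.SessionSecurityInfo) session.getAttribute("SessionSecurityInfo");
    }
    private static String esc(String s) { // minimal HTML attribute escaping for values echoed into the form
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    /** Renders the form; the hidden yaacfiRqId field ties it to the current login conversation. */
    protected void doGet(HttpServletRequest rq, HttpServletResponse rsp) throws IOException {
        Yaaf.SessionSecurityInfo ssi = securityInfo(rq);
        if (ssi == null) { rsp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        String rqId = ssi.getSavedRequestID(); // assumption: null unless a login-on-demand conversation is open
        boolean explicit = "1".equals(rq.getParameter("explicit"));
        rsp.setContentType("text/html; charset=UTF-8");
        rsp.getWriter().print("<form method=\"post\">"
            + ("1".equals(rq.getParameter("failed")) ? "<p>Login failed.</p>" : "")
            + (rqId == null ? "" : "<input type=\"hidden\" name=\"yaacfiRqId\" value=\"" + esc(rqId) + "\"/>")
            + (explicit ? "<input type=\"hidden\" name=\"explicit\" value=\"1\"/>" : "")
            + "User <input name=\"user\"/> Password <input type=\"password\" name=\"password\"/>"
            + "<label><input type=\"checkbox\" name=\"remember\" value=\"on\"/>remember me</label>"
            + "<input type=\"submit\" value=\"Sign in\"/></form>");
    }

    /** Finishes the conversation; login and logout are serialized on the bean's lock object. */
    protected void doPost(HttpServletRequest rq, HttpServletResponse rsp) throws IOException {
        Yaaf.SessionSecurityInfo ssi = securityInfo(rq);
        if (ssi == null) { rsp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        String user = rq.getParameter("user"), password = rq.getParameter("password");
        boolean explicit = "1".equals(rq.getParameter("explicit"));
        synchronized (ssi.getLock()) {
            // A form posted from a window whose conversation was superseded by a newer one carries a stale ID.
            if (ssi.getSavedRequestID() != null && !ssi.isSavedRequestValid(rq)) {
                rsp.sendError(HttpServletResponse.SC_CONFLICT, "login conversation superseded, reload the page"); return;
            }
            ssi.setExplicitLogin(explicit); // the application offers both kinds of login, so it must say which this is
            if (user == null || password == null || !passwordMatches(user, password)) {
                ssi.invalidate(); // design choice: a failed attempt leaves no identity behind in the session
                rsp.sendRedirect(rq.getContextPath() + "/login?failed=1" + (explicit ? "&explicit=1" : ""));
                return;
            }
            ssi.setName(user); // the user counts as authenticated from this call on
            ssi.setRoleResolver(new StaticRoleResolver(ROLES.get(user)));
            if ("on".equals(rq.getParameter("remember"))) ssi.saveLogin(rq, rsp, 30); // assumption: before completeLogin
            ssi.completeLogin(rq, rsp);
        }
    }
}
```

With the form rendered this way, the hidden yaacfiRqId is exactly what isSavedRequestValid(rq) compares against: a form left open in one window while a newer conversation starts in another therefore fails with 409 instead of completing the wrong conversation, which is the situation getSavedRequestID describes.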