org.clazzes.util.http.sec
Interface HttpLoginService


public interface HttpLoginService

An interface which provides a login facility to an application.


Field Summary
static String LOGIN_MECHANISM_KEY
          The name of the OSGi property, which defines the login method.
 
Method Summary
 Principal checkLogin(javax.servlet.http.HttpServletRequest request)
          Get the principal associated with the HTTP session of the given request.
 boolean checkPermission(javax.servlet.http.HttpServletRequest request, String context)
          Check, whether the authenticated user of the given HttpServletRequest has permissions on the given context.
 Locale getLocale(javax.servlet.http.HttpServletRequest request)
          This method has been introduced in a later version.
 String getLoginUrl()
          Return an URL to web page, which authenticates the user, usually using a form POST.
 TimeZone getTimeZone(javax.servlet.http.HttpServletRequest request)
          This method has been introduced in a later version.
 void logout(javax.servlet.http.HttpServletRequest request)
          Remove all attributes generated during a login process from the HTTP session of the given request.
 

Field Detail

LOGIN_MECHANISM_KEY

static final String LOGIN_MECHANISM_KEY
The name of the OSGi property, which defines the login method.

See Also:
Constant Field Values
Method Detail

getLoginUrl

String getLoginUrl()

Return a URL to a web page which authenticates the user, usually via a form POST. The page is intended to be embedded by a consuming application inside an HTML iframe element.

By convention, the consuming application must contain an invisible form named loginResultForm, in which the login page sets at least the hidden fields status and principal: status holds the login status expressed as an HTTP status code, principal holds the user name.

The following status values are supported:

Status  Description
401     Unauthorized - The default status, if the HTTP session is not authenticated.
403     Forbidden - The status returned by an unsuccessful authentication.
406     Not Acceptable - The status returned after too many unsuccessful authentications.
200     OK - The status returned by a successful authentication; the principal field is set.

All other status values should be interpreted like 401 - Unauthorized, and the user should try to log in again.
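The login page's side of this convention, as an added Java example that is not part of org.clazzes: a servlet behind getLoginUrl() that renders the form on GET and, after the POST, writes a page which sets status and principal in the parent document's loginResultForm. The class name LoginPageServlet, the limit MAX_FAILURES, the session attribute login.failureCount and the abstract authenticate method are assumptions; the status values are the ones from the table above.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not part of org.clazzes: the login page behind getLoginUrl(), as a
 * servlet that runs inside the consuming application's iframe. GET renders the form,
 * POST authenticates and reports the result to the parent document's loginResultForm
 * using the status values documented for HttpLoginService.getLoginUrl().
 */
public abstract class LoginPageServlet extends HttpServlet {

    /** Assumed: failed attempts per session after which 406 (too many attempts) is reported. */
    static final int MAX_FAILURES = 5;
    static final String FAILURE_COUNT_ATTR = "login.failureCount";

    /**
     * Mechanism-specific part (JAAS, LDAP, ...): verify the credentials and, on success,
     * bind the principal to the session so that checkLogin() later finds it. Returns null
     * on failure. Implementations should also renew the session id here (session fixation).
     */
    protected abstract Principal authenticate(HttpSession session, String user, char[] password);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().print("<!DOCTYPE html><html><body><form method=\"post\">"
                + "<input name=\"username\" autocomplete=\"username\"> "
                + "<input name=\"password\" type=\"password\" autocomplete=\"current-password\"> "
                + "<button>Login</button></form></body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        int failures = failureCount(session);
        int status;
        Principal principal = null;

        if (failures >= MAX_FAILURES) {
            status = HttpServletResponse.SC_NOT_ACCEPTABLE;   // 406: too many failed attempts
        } else {
            String user = req.getParameter("username");
            String password = req.getParameter("password");
            if (user != null && password != null) {
                principal = authenticate(session, user, password.toCharArray());
            }
            if (principal != null) {
                status = HttpServletResponse.SC_OK;            // 200: principal field is set
                session.removeAttribute(FAILURE_COUNT_ATTR);
            } else {
                status = HttpServletResponse.SC_FORBIDDEN;     // 403: authentication failed
                session.setAttribute(FAILURE_COUNT_ATTR, failures + 1);
            }
        }
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().print(resultPage(status, principal == null ? "" : principal.getName()));
    }

    private static int failureCount(HttpSession session) {
        Object v = session.getAttribute(FAILURE_COUNT_ATTR);
        return v instanceof Integer ? (Integer) v : 0;
    }

    /** Page that hands status and principal to the parent document's loginResultForm. */
    static String resultPage(int status, String principalName) {
        return "<!DOCTYPE html><html><body><script>\n"
             + "var f = window.parent.document.forms['loginResultForm'];\n"
             + "if (f) {\n"
             + "  f.elements['status'].value = '" + status + "';\n"
             + "  f.elements['principal'].value = '" + jsStringLiteral(principalName) + "';\n"
             + "}\n</script></body></html>";
    }

    /**
     * The principal name may be attacker-influenced (whatever the backend echoes back),
     * so every character outside [A-Za-z0-9 ] is emitted as a six-character JavaScript
     * unicode escape: a name like </script><script>... cannot break out of the string
     * literal or the script element.
     */
    static String jsStringLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == ' ';
            if (safe) sb.append(c); else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }
}
```

Two caveats on the convention itself: the result page can only reach window.parent.document if the login page and the consuming application are served from the same origin (scheme, host and port); across origins the browser raises a SecurityError and the hidden fields are never set. And a per-session failure counter like the one above is reset by simply discarding the session cookie, so a production implementation of the 406 rule should count failures per account or client address as well.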

A login service is exported as an OSGi service with a login.mechanism service property, which allows different applications to choose among several login service implementations:

  <bp:service id="loginServiceService" interface="org.clazzes.util.http.sec.HttpLoginService"
         ref="loginService">
    <bp:service-properties>
      <bp:entry key="login.mechanism" value="org.clazzes.gwt.login.jaas"/>
    </bp:service-properties>
  </bp:service>
 

Returns:
A URL to a login application, which may be started inside an iframe of a consuming application.

checkLogin

Principal checkLogin(javax.servlet.http.HttpServletRequest request)
Get the principal associated with the HTTP session of the given request.

Parameters:
request - The HTTP request to query for an associated user.
Returns:
A user principal or null, if no user has been validated for the session of this request.

getLocale

Locale getLocale(javax.servlet.http.HttpServletRequest request)
This method has been introduced in a later version. To robustly get a meaningful return value with implementations of older interface versions, use HttpCheckLoginHelper.getLoginLocale(HttpLoginService, HttpServletRequest).

Returns:
The locale used to log in this user or ServletRequest.getLocale(), if no login locale is known.
Since:
1.6.0

getTimeZone

TimeZone getTimeZone(javax.servlet.http.HttpServletRequest request)
This method has been introduced in a later version. To robustly get a meaningful return value with implementations of older interface versions, use HttpCheckLoginHelper.getLoginTimeZone(HttpLoginService, HttpServletRequest).

Returns:
The timezone used to log in this user or TimeZone.getDefault(), if no login timezone is known.
Since:
1.7.0

checkPermission

boolean checkPermission(javax.servlet.http.HttpServletRequest request,
                        String context)
Check whether the authenticated user of the given HttpServletRequest has permission on the given context. The context is usually a relative URL like /app/object?id=862346&action=read.

Parameters:
request - The HTTP request to check.
context - The context, usually encoded as URL.
Returns:
Whether the user associated with the request is given access to the specified context.

logout

void logout(javax.servlet.http.HttpServletRequest request)
Remove all attributes generated during a login process from the HTTP session of the given request.

Parameters:
request - An HTTP request on which to perform a logout.
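The consuming application's side of the interface, as an added Java example that is not part of org.clazzes: a servlet Filter that calls checkLogin on every request, shows unauthenticated users the login page in an iframe together with the invisible loginResultForm, calls checkPermission with the application-relative request URL as context, and performs logout. The class name LoginServiceFilter, the /logout path, the way the service is injected and the reload script in the shell page are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.clazzes.util.http.sec.HttpLoginService;

/**
 * Added example, not part of org.clazzes: a servlet Filter that puts a consuming
 * application behind an HttpLoginService. The service instance is assumed to be
 * handed in by the container (for instance as a Blueprint bean reference).
 */
public class LoginServiceFilter implements Filter {

    /** Assumed: path under which the application itself offers logout (POST only). */
    static final String LOGOUT_PATH = "/logout";

    private final HttpLoginService loginService;

    public LoginServiceFilter(HttpLoginService loginService) {
        this.loginService = loginService;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (LOGOUT_PATH.equals(request.getServletPath()) && "POST".equals(request.getMethod())) {
            // logout() only removes the login attributes; invalidate the session as well
            // so that the old session id cannot be reused afterwards.
            loginService.logout(request);
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        Principal user = loginService.checkLogin(request);
        if (user == null) {
            // Not authenticated: 401 (the convention's default status) plus the login shell.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("Cache-Control", "no-store");
            response.setContentType("text/html;charset=UTF-8");
            response.getWriter().print(loginShell(loginService.getLoginUrl()));
            return;
        }

        // The "context" is the application-relative URL of this request, query included,
        // e.g. /app/object?id=862346&action=read as in the Javadoc.
        String context = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo())
                + (request.getQueryString() == null ? "" : "?" + request.getQueryString());
        if (!loginService.checkPermission(request, context)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Page for unauthenticated users: the login page in an iframe and the invisible
     * loginResultForm it fills in. The status field starts at 401, the default.
     * Reloading once status becomes 200 is an assumption; the convention only defines the fields.
     */
    static String loginShell(String loginUrl) {
        return "<!DOCTYPE html><html><body>\n"
             + "<iframe src=\"" + htmlAttr(loginUrl) + "\" title=\"Login\"></iframe>\n"
             + "<form name=\"loginResultForm\" style=\"display:none\">\n"
             + "  <input type=\"hidden\" name=\"status\" value=\"401\">\n"
             + "  <input type=\"hidden\" name=\"principal\" value=\"\">\n"
             + "</form>\n"
             + "<script>setInterval(function () {\n"
             + "  if (document.forms['loginResultForm'].elements['status'].value === '200')\n"
             + "    location.reload();\n"
             + "}, 500);</script>\n"
             + "</body></html>";
    }

    /** Escape a value for use inside a double-quoted HTML attribute. */
    static String htmlAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

The order matters: checkLogin first, so that checkPermission is only ever asked about an authenticated principal, and the permission check runs on every request rather than once at login, since the context (and with it the answer) differs per URL. Restricting logout to POST keeps a third-party page from logging users out with a plain link or image tag.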


Copyright © 2013. All Rights Reserved.