public interface Authenticator
The Authenticator interface defines a set of methods for generating and handling account credentials and session identifiers. The goal of this interface is to encourage developers to protect credentials from disclosure to the maximum extent possible.
One possible implementation relies on a thread-local variable to store the current user's identity. The application is responsible for calling setCurrentUser() as soon as possible after each HTTP request is received, and for calling clearCurrent() when the request completes, so that a pooled container thread does not carry one request's identity into the next. The value of getCurrentUser() is used in several other places in this API. This eliminates the need to pass a user object to methods throughout the library. For example, all of the logging, access control, and exception calls need access to the currently logged-in user.
The goal is to minimize the developer's responsibility for authentication. In this example, the developer simply calls login() with the current request and response. The implementation should locate the credentials, verify the password if necessary, create a session if necessary, and set the user as the current user.
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.User;
    import org.owasp.esapi.errors.AuthenticationException;

    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        try {
            // login() authenticates from the submitted credentials or the existing
            // session and sets the returned User as the current user for this thread.
            User user = ESAPI.authenticator().login(request, response);
            // continue with authenticated user
        } catch (AuthenticationException e) {
            // handle failed authentication (it's already been logged)
        }
    }
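The thread-local design described above depends on login() running before any application code on every request and on the identity being cleared afterwards. The following servlet Filter is an added example, not code from ESAPI or from this page; it only uses the Authenticator methods documented here (login, clearCurrent, and implicitly getCurrentUser). The filter name, the PUBLIC_PATHS list and the redirect target /login.jsp are assumptions for the illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AuthenticationException;

/**
 * Calls Authenticator.login() once per request, before any servlet runs, and
 * clears the thread-local user when the request is finished.
 * Hypothetical example built on the Authenticator interface; not ESAPI code.
 */
public class EsapiAuthenticationFilter implements Filter {

    // Paths that may be served without an authenticated user (assumption).
    private static final String[] PUBLIC_PATHS = { "/login.jsp", "/static/" };

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        try {
            // Authenticates from the submitted credentials or the existing session
            // and sets the current user; downstream code reads it with
            // ESAPI.authenticator().getCurrentUser() instead of taking a User parameter.
            ESAPI.authenticator().login(request, response);
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // The authenticator has already logged the failure. Do not echo the
            // reason (bad password, locked, expired, timed out) back to the client.
            if (isPublic(request)) {
                chain.doFilter(request, response);
            } else {
                response.sendRedirect(request.getContextPath() + "/login.jsp");
            }
        } finally {
            // Servlet containers reuse threads. Without this call the next request
            // handled by this thread would inherit the previous request's identity.
            ESAPI.authenticator().clearCurrent();
        }
    }

    private boolean isPublic(HttpServletRequest request) {
        String path = request.getServletPath();
        for (int i = 0; i < PUBLIC_PATHS.length; i++) {
            if (path.startsWith(PUBLIC_PATHS[i])) {
                return true;
            }
        }
        return false;
    }
}
```

Map the filter to /* in web.xml (or with a @WebFilter annotation) so no servlet can be reached without passing through login(); the finally block is the part most often forgotten when this pattern is hand-rolled.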
Method Summary
---
void changePassword(User user, java.lang.String currentPassword, java.lang.String newPassword, java.lang.String newPassword2)
    Changes the password for the specified user.
void clearCurrent()
    Clears the current User.
User createUser(java.lang.String accountName, java.lang.String password1, java.lang.String password2)
    Creates a new User with the information provided.
boolean exists(java.lang.String accountName)
    Determine if the account exists.
java.lang.String generateStrongPassword()
    Generate a strong password.
java.lang.String generateStrongPassword(User user, java.lang.String oldPassword)
    Generate a strong password that takes into account the user's information and old password.
User getCurrentUser()
    Returns the currently logged-in User.
User getUser(long accountId)
    Returns the User matching the provided accountId.
User getUser(java.lang.String accountName)
    Returns the User matching the provided accountName.
java.util.Set getUserNames()
    Gets a collection containing all the existing user names.
java.lang.String hashPassword(java.lang.String password, java.lang.String accountName)
    Returns a string representation of the hashed password, using the accountName as the salt.
User login()
    Calls login with the *current* request and response.
User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request.
void logout()
    Logs out the current user.
void removeUser(java.lang.String accountName)
    Removes the account with the specified accountName.
void setCurrentUser(User user)
    Sets the currently logged-in User.
void verifyAccountNameStrength(java.lang.String accountName)
    Ensures that the account name passes site-specific complexity requirements, like minimum length.
boolean verifyPassword(User user, java.lang.String password)
    Verify that the supplied password matches the password for this user.
void verifyPasswordStrength(java.lang.String oldPassword, java.lang.String newPassword, User user)
    Ensures that the password meets site-specific complexity requirements, like length or number of character sets.
Method Detail
---
void clearCurrent()
    Clears the current User.

User login() throws AuthenticationException
    Calls login with the *current* request and response.
    Returns:
        the User, if login is successful.
    Throws:
        AuthenticationException
    See Also:
        HTTPUtilities.setCurrentHTTP(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)

User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException
    This method should be called for every HTTP request, to log in the current user either from the session or from the HTTP request.
    Parameters:
        request - the current HTTP request
        response - the HTTP response
    Throws:
        AuthenticationException - if the credentials are not verified, or if the account is disabled, locked, expired, or timed out

boolean verifyPassword(User user, java.lang.String password)
    Verify that the supplied password matches the password for this user.
    Parameters:
        user - the user who requires verification
        password - the password supplied by the user, to be checked against the stored password hash for this user

void logout()
    Logs out the current user.

User createUser(java.lang.String accountName, java.lang.String password1, java.lang.String password2) throws AuthenticationException
    Creates a new User with the information provided.
    Parameters:
        accountName - the account name of the new user
        password1 - the password of the new user
        password2 - the password of the new user, repeated. This field is to encourage user interface designers to include two password fields in their forms.
    Throws:
        AuthenticationException - if user creation fails due to any of the qualifications listed in this method's description

java.lang.String generateStrongPassword()
    Generate a strong password.

java.lang.String generateStrongPassword(User user, java.lang.String oldPassword)
    Generate a strong password that takes into account the user's information and old password.
    Parameters:
        user - the user whose information to use when generating the password
        oldPassword - the old password to use when verifying the strength of the new password. The new password may be checked for fragments of oldPassword.

void changePassword(User user, java.lang.String currentPassword, java.lang.String newPassword, java.lang.String newPassword2) throws AuthenticationException
    Changes the password for the specified user.
    Parameters:
        user - the user to change the password for
        currentPassword - the current password for the specified user
        newPassword - the new password to use
        newPassword2 - a verification copy of the new password
    Throws:
        AuthenticationException - if any errors occur

User getUser(long accountId)
    Returns the User matching the provided accountId.
    Parameters:
        accountId - the account id

User getUser(java.lang.String accountName)
    Returns the User matching the provided accountName.
    Parameters:
        accountName - the account name

java.util.Set getUserNames()
    Gets a collection containing all the existing user names.

User getCurrentUser()
    Returns the currently logged-in User.

void setCurrentUser(User user)
    Sets the currently logged-in User.
    Parameters:
        user - the user to set as the current user

java.lang.String hashPassword(java.lang.String password, java.lang.String accountName) throws EncryptionException
    Returns a string representation of the hashed password, using the accountName as the salt. Note that an account name is a deterministic, publicly known salt: it keeps identical passwords on different accounts from hashing to the same value, but it does not prevent an attacker who knows the account name from precomputing hashes for that account.
    Parameters:
        password - the password to hash
        accountName - the account name to use as the salt
    Throws:
        EncryptionException

void removeUser(java.lang.String accountName) throws AuthenticationException
    Removes the account with the specified accountName.
    Parameters:
        accountName - the account name to remove
    Throws:
        AuthenticationException - if the user does not exist

void verifyAccountNameStrength(java.lang.String accountName) throws AuthenticationException
    Ensures that the account name passes site-specific complexity requirements, like minimum length.
    Parameters:
        accountName - the account name
    Throws:
        AuthenticationException - if the account name does not meet complexity requirements

void verifyPasswordStrength(java.lang.String oldPassword, java.lang.String newPassword, User user) throws AuthenticationException
    Ensures that the password meets site-specific complexity requirements, like length or number of character sets.
    Parameters:
        oldPassword - the old password
        newPassword - the new password
        user - the user
    Throws:
        AuthenticationException - if newPassword is too similar to oldPassword or if newPassword does not meet complexity requirements

boolean exists(java.lang.String accountName)
    Determine if the account exists.
    Parameters:
        accountName - the account name