org.hippoecm.hst.security.servlet

Class LoginServlet

java.lang.Object

javax.servlet.GenericServlet

javax.servlet.http.HttpServlet

org.hippoecm.hst.security.servlet.LoginServlet

All Implemented Interfaces:

Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class LoginServlet
extends javax.servlet.http.HttpServlet

LoginServlet

The LoginServlet enables form-based JAAS login. The LoginServlet is able to processes form-based at the four different stage:

• Login::Proxy - An html form submits to this servlet with login info, and then this servlet redirects to a protected resource, Login::Resource, which is configured in web.xml as security-constraint. As the Login::Resource is requested, the servlet container will invoke the configured form-based login servlet path, which is also configured in web.xml as login-config. In this stage, this servlet stores the user's login information to be used later.
• Login::Login - Because the Login::Proxy mode redirects to the Login::Resource mode url in the previous stage, the servlet container invokes this Login::Login mode servlet url which is configured in web.xml as login-config. In this stage, this servlet forwards to a view page to write a hidden html form filled with the stored login information. The hidden form will be submitted automatically to 'j_security_check', as soon as the page loaded.
• Login::Resource - After authentication succeeds, the servlet container allows the Login::Resource url to the authenticated user. However, because the Login::Resource url was used for internal purpose only, it should redirect to somewhere. If 'destination' parameter was used at the Login::Proxy stage, then the destination url will be used to redirect. Otherwise, it will redirect to the root servlet context path.
• Login::Logout - A web site can provide a logout link which invoked this mode. If 'destination' parameter was used for this url, then the destination url will be used to redirect after logout. Otherwise, it will redirect to the root servlet context path after logout.

Example servlet configuration:

 <servlet>
   <servlet-name>LoginServlet</servlet-name>
   <servlet-class>org.hippoecm.hst.security.servlet.LoginServlet</servlet-class>
 </servlet>

 <servlet-mapping>
   <servlet-name>LoginServlet</servlet-name>
   <url-pattern>/login/*</url-pattern>
 </servlet-mapping>

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Login Resource</web-resource-name>
     <url-pattern>/login/resource</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>everybody</role-name>
   </auth-constraint>
 </security-constraint>

 <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>HSTSITE</realm-name>
   <form-login-config>
     <form-login-page>/login/login</form-login-page>
     <form-error-page>/WEB-INF/jsp/login-failure.jsp</form-error-page>
   </form-login-config>
 </login-config>

 <security-role>
   <description>Default role for every authenticated user</description>
   <role-name>everybody</role-name>
 </security-role>
 

Note:

• To invoke login proxy url, use '/login/proxy' for the form action value. (e.g. action='/site/login/proxy')
• To invoke logout, use '/login/logout' for the link. (e.g. href='/site/login/logout')

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static String	BASE_NAME
static String	DEFAULT_LOGIN_RESOURCE_PATH
protected String	defaultLoginErrorPagePath
protected String	defaultLoginFormPagePath
protected String	defaultLoginResourcePath
protected String	defaultLoginSecurityCheckFormPagePath
static String	DESTINATION
static String	DESTINATION_ATTR_NAME
static String	MODE_LOGIN_ERROR
static String	MODE_LOGIN_FORM
static String	MODE_LOGIN_LOGIN
static String	MODE_LOGIN_LOGOUT
static String	MODE_LOGIN_PROXY
static String	MODE_LOGIN_RESOURCE
static String	PASSWORD
static String	PASSWORD_ATTR_NAME
protected String	requestCharacterEncoding
static String	USERNAME
static String	USERNAME_ATTR_NAME

Constructor Summary

Constructors

Constructor and Description
LoginServlet()

Method Summary

Modifier and Type	Method and Description
protected javax.jcr.Credentials	createSubjectRepositoryCredentials(javax.servlet.http.HttpServletRequest request) Creates repository credentials for the subject.
void	doGet(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	doLoginError(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	doLoginForm(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	doLoginLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	doLoginLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	doLoginProxy(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	doLoginResource(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
void	doPost(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
static String	getBaseURL(javax.servlet.http.HttpServletRequest request)
static String	getFullyQualifiedURL(javax.servlet.http.HttpServletRequest request, String destination)
protected String	getMode(javax.servlet.http.HttpServletRequest request)
void	init(javax.servlet.ServletConfig servletConfig)
protected boolean	isContextPathInUrl(javax.servlet.http.HttpServletRequest request) This is a hook into the HstServices component manager to look up in the VirtualHosts whether the contextPath should be in the URL.
protected String	normalizeDestination(String destination, javax.servlet.http.HttpServletRequest request)
protected void	renderAutoLoginPage(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	renderLoginErrorPage(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	renderLoginFormPage(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	renderTemplatePage(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String templateResourcePath, Map<String,Object> params)

Methods inherited from class javax.servlet.http.HttpServlet

doDelete, doHead, doOptions, doPut, doTrace, getLastModified, service, service

Methods inherited from class javax.servlet.GenericServlet

destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DESTINATION

public static final String DESTINATION

See Also:

Constant Field Values

USERNAME

public static final String USERNAME

See Also:

Constant Field Values

PASSWORD

public static final String PASSWORD

See Also:

Constant Field Values

BASE_NAME

public static final String BASE_NAME

DESTINATION_ATTR_NAME

public static final String DESTINATION_ATTR_NAME

USERNAME_ATTR_NAME

public static final String USERNAME_ATTR_NAME

PASSWORD_ATTR_NAME

public static final String PASSWORD_ATTR_NAME

DEFAULT_LOGIN_RESOURCE_PATH

public static final String DEFAULT_LOGIN_RESOURCE_PATH

See Also:

Constant Field Values

MODE_LOGIN_FORM

public static final String MODE_LOGIN_FORM

See Also:

Constant Field Values

MODE_LOGIN_PROXY

public static final String MODE_LOGIN_PROXY

See Also:

Constant Field Values

MODE_LOGIN_LOGIN

public static final String MODE_LOGIN_LOGIN

See Also:

Constant Field Values

MODE_LOGIN_RESOURCE

public static final String MODE_LOGIN_RESOURCE

See Also:

Constant Field Values

MODE_LOGIN_LOGOUT

public static final String MODE_LOGIN_LOGOUT

See Also:

Constant Field Values

MODE_LOGIN_ERROR

public static final String MODE_LOGIN_ERROR

See Also:

Constant Field Values

requestCharacterEncoding

protected String requestCharacterEncoding

defaultLoginFormPagePath

protected String defaultLoginFormPagePath

defaultLoginResourcePath

protected String defaultLoginResourcePath

defaultLoginSecurityCheckFormPagePath

protected String defaultLoginSecurityCheckFormPagePath

defaultLoginErrorPagePath

protected String defaultLoginErrorPagePath

Constructor Detail

LoginServlet

public LoginServlet()

Method Detail

init

public void init(javax.servlet.ServletConfig servletConfig)
          throws javax.servlet.ServletException

Specified by:

init in interface javax.servlet.Servlet

Overrides:

init in class javax.servlet.GenericServlet

Throws:

javax.servlet.ServletException

doGet

public void doGet(javax.servlet.http.HttpServletRequest request,
                  javax.servlet.http.HttpServletResponse response)
           throws IOException,
                  javax.servlet.ServletException

Overrides:

doGet in class javax.servlet.http.HttpServlet

Throws:

IOException

javax.servlet.ServletException

doPost

public final void doPost(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
                  throws IOException,
                         javax.servlet.ServletException

Overrides:

doPost in class javax.servlet.http.HttpServlet

Throws:

IOException

javax.servlet.ServletException

getMode

protected String getMode(javax.servlet.http.HttpServletRequest request)

doLoginForm

protected void doLoginForm(javax.servlet.http.HttpServletRequest request,
                           javax.servlet.http.HttpServletResponse response)
                    throws IOException,
                           javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

doLoginProxy

protected void doLoginProxy(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)
                     throws IOException,
                            javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

doLoginLogin

protected void doLoginLogin(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)
                     throws IOException,
                            javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

doLoginResource

protected void doLoginResource(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response)
                        throws IOException,
                               javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

doLoginLogout

protected void doLoginLogout(javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)
                      throws IOException,
                             javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

doLoginError

protected void doLoginError(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)
                     throws IOException,
                            javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

normalizeDestination

protected String normalizeDestination(String destination,
                                      javax.servlet.http.HttpServletRequest request)

createSubjectRepositoryCredentials

protected javax.jcr.Credentials createSubjectRepositoryCredentials(javax.servlet.http.HttpServletRequest request)

Creates repository credentials for the subject.

This method is invoked to store a repository credentials for the subject. By default, this method creates a repository credentials with the same user/password credentials used during authentication.

A child class can override this method to behave differently.

Parameters:

request -

Returns:

renderLoginFormPage

protected void renderLoginFormPage(javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)
                            throws IOException,
                                   javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

renderAutoLoginPage

protected void renderAutoLoginPage(javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)
                            throws IOException,
                                   javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

renderLoginErrorPage

protected void renderLoginErrorPage(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
                             throws IOException,
                                    javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

renderTemplatePage

protected void renderTemplatePage(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  String templateResourcePath,
                                  Map<String,Object> params)
                           throws IOException,
                                  javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

isContextPathInUrl

protected boolean isContextPathInUrl(javax.servlet.http.HttpServletRequest request)

This is a hook into the HstServices component manager to look up in the VirtualHosts whether the contextPath should be in the URL. Although this can be overridden per VirtualHost or Mount, this is the best we can do at this moment as we do not have an HstRequestContext and also no ResolvedMount thus.

Parameters:

request -

Returns:

true when the global VirtualHosts is configured to have the contextPath in the URL

getBaseURL

public static String getBaseURL(javax.servlet.http.HttpServletRequest request)

getFullyQualifiedURL

public static String getFullyQualifiedURL(javax.servlet.http.HttpServletRequest request,
                                          String destination)