org.hippoecm.hst.security.servlet
Class LoginServlet
java.lang.Object
javax.servlet.GenericServlet
javax.servlet.http.HttpServlet
org.hippoecm.hst.security.servlet.LoginServlet
- All Implemented Interfaces:
- Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig
public class LoginServlet
- extends javax.servlet.http.HttpServlet
LoginServlet
The LoginServlet enables form-based JAAS login.
The LoginServlet processes form-based login in four different stages:
- Login::Proxy - An HTML form submits the login information to this servlet,
and this servlet then redirects to a protected resource, Login::Resource, which is configured in web.xml as a security-constraint.
When the Login::Resource is requested, the servlet container invokes the configured form-based login servlet path,
which is also configured in web.xml as login-config.
In this stage, this servlet stores the user's login information to be used later.
- Login::Login - Because the Login::Proxy mode redirected to the Login::Resource mode url in the previous stage,
the servlet container invokes this Login::Login mode servlet url, which is configured in web.xml as login-config.
In this stage, this servlet forwards to a view page that writes a hidden HTML form filled with the stored login information.
The hidden form is submitted automatically to 'j_security_check' as soon as the page has loaded.
- Login::Resource - After authentication succeeds, the servlet container allows the authenticated user to access the Login::Resource url.
However, because the Login::Resource url is used for internal purposes only, it should redirect somewhere else.
If the 'destination' parameter was used at the Login::Proxy stage, then the destination url is used for the redirect.
Otherwise, it redirects to the root servlet context path.
- Login::Logout - A web site can provide a logout link which invokes this mode.
If the 'destination' parameter was used for this url, then the destination url is used for the redirect after logout.
Otherwise, it redirects to the root servlet context path after logout.
Example servlet configuration:
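    <servlet>
      <servlet-name>LoginServlet</servlet-name>
      <servlet-class>org.hippoecm.hst.security.servlet.LoginServlet</servlet-class>
    </servlet>

    <servlet-mapping>
      <servlet-name>LoginServlet</servlet-name>
      <url-pattern>/login/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Login Resource</web-resource-name>
        <url-pattern>/login/resource</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>everybody</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>HSTSITE</realm-name>
      <form-login-config>
        <form-login-page>/login/login</form-login-page>
        <form-error-page>/WEB-INF/jsp/login-failure.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <security-role>
      <description>Default role for every authenticated user</description>
      <role-name>everybody</role-name>
    </security-role>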
Note:
- To invoke login proxy url, use '/login/proxy' for the form action value. (e.g. action='/site/login/proxy')
- To invoke logout, use '/login/logout' for the link. (e.g. href='/site/login/logout')
- Version:
- $Id$
- See Also:
- Serialized Form
Method Summary |
protected javax.jcr.Credentials |
createSubjectRepositoryCredentials(javax.servlet.http.HttpServletRequest request)
Creates repository credentials for the subject. |
void |
doGet(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
doLoginError(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
doLoginForm(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
doLoginLogin(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
doLoginLogout(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
doLoginProxy(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
doLoginResource(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
void |
doPost(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected String |
getMode(javax.servlet.http.HttpServletRequest request)
|
void |
init(javax.servlet.ServletConfig servletConfig)
|
protected boolean |
isContextPathInUrl(javax.servlet.http.HttpServletRequest request)
This is a hook into the HstServices component manager to look up in the VirtualHosts whether the contextPath should be in the URL. |
protected String |
normalizeDestination(String destination,
javax.servlet.http.HttpServletRequest request)
|
protected void |
renderAutoLoginPage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
renderLoginErrorPage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
renderLoginFormPage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
|
protected void |
renderTemplatePage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
String templateResourcePath,
Map<String,Object> params)
|
Methods inherited from class javax.servlet.http.HttpServlet |
doDelete, doHead, doOptions, doPut, doTrace, getLastModified, service, service |
Methods inherited from class javax.servlet.GenericServlet |
destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log |
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
DESTINATION
public static final String DESTINATION
- See Also:
- Constant Field Values
USERNAME
public static final String USERNAME
- See Also:
- Constant Field Values
PASSWORD
public static final String PASSWORD
- See Also:
- Constant Field Values
BASE_NAME
public static final String BASE_NAME
DESTINATION_ATTR_NAME
public static final String DESTINATION_ATTR_NAME
USERNAME_ATTR_NAME
public static final String USERNAME_ATTR_NAME
PASSWORD_ATTR_NAME
public static final String PASSWORD_ATTR_NAME
DEFAULT_LOGIN_RESOURCE_PATH
public static final String DEFAULT_LOGIN_RESOURCE_PATH
- See Also:
- Constant Field Values
MODE_LOGIN_FORM
public static final String MODE_LOGIN_FORM
- See Also:
- Constant Field Values
MODE_LOGIN_PROXY
public static final String MODE_LOGIN_PROXY
- See Also:
- Constant Field Values
MODE_LOGIN_LOGIN
public static final String MODE_LOGIN_LOGIN
- See Also:
- Constant Field Values
MODE_LOGIN_RESOURCE
public static final String MODE_LOGIN_RESOURCE
- See Also:
- Constant Field Values
MODE_LOGIN_LOGOUT
public static final String MODE_LOGIN_LOGOUT
- See Also:
- Constant Field Values
MODE_LOGIN_ERROR
public static final String MODE_LOGIN_ERROR
- See Also:
- Constant Field Values
requestCharacterEncoding
protected String requestCharacterEncoding
defaultLoginFormPagePath
protected String defaultLoginFormPagePath
defaultLoginResourcePath
protected String defaultLoginResourcePath
defaultLoginSecurityCheckFormPagePath
protected String defaultLoginSecurityCheckFormPagePath
defaultLoginErrorPagePath
protected String defaultLoginErrorPagePath
LoginServlet
public LoginServlet()
init
public void init(javax.servlet.ServletConfig servletConfig)
throws javax.servlet.ServletException
- Specified by:
init
in interface javax.servlet.Servlet
- Overrides:
init
in class javax.servlet.GenericServlet
- Throws:
javax.servlet.ServletException
doGet
public void doGet(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Overrides:
doGet
in class javax.servlet.http.HttpServlet
- Throws:
IOException
javax.servlet.ServletException
doPost
public final void doPost(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Overrides:
doPost
in class javax.servlet.http.HttpServlet
- Throws:
IOException
javax.servlet.ServletException
getMode
protected String getMode(javax.servlet.http.HttpServletRequest request)
doLoginForm
protected void doLoginForm(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
doLoginProxy
protected void doLoginProxy(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
doLoginLogin
protected void doLoginLogin(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
doLoginResource
protected void doLoginResource(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
doLoginLogout
protected void doLoginLogout(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
doLoginError
protected void doLoginError(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
normalizeDestination
protected String normalizeDestination(String destination,
javax.servlet.http.HttpServletRequest request)
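The 'destination' parameter accepted at the Login::Proxy and Login::Logout stages is request input that ends up as a redirect target, so a deployment may want to guarantee that it stays inside the site. The subclass below is an added example, not Hippo code: the package name, class name and FALLBACK constant are hypothetical, and it assumes that the value returned by normalizeDestination is what the servlet redirects to.

```java
package com.example.site.security; // hypothetical package

import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import org.hippoecm.hst.security.servlet.LoginServlet;

/** Added example: only lets site-local paths through as 'destination'. */
public class LocalDestinationLoginServlet extends LoginServlet {
    private static final long serialVersionUID = 1L;

    /** Handed to the parent class when the supplied destination is rejected. */
    static final String FALLBACK = "/";

    @Override
    protected String normalizeDestination(String destination, HttpServletRequest request) {
        // Assumption: the parent's return value is the redirect target.
        // A missing destination is passed through so the default behaviour is kept.
        String safe = (destination == null || isLocalPath(destination)) ? destination : FALLBACK;
        return super.normalizeDestination(safe, request);
    }

    /** True only for absolute-path references such as "/news/item?id=1". */
    static boolean isLocalPath(String destination) {
        if (destination == null || destination.isEmpty()) {
            return false;
        }
        // Control characters (CR/LF in a Location header) and backslashes,
        // which some browsers treat like '/', are never needed in a local path.
        for (int i = 0; i < destination.length(); i++) {
            char c = destination.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        // "//host/path" is scheme-relative and would leave the site.
        if (!destination.startsWith("/") || destination.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(destination);
            // A local reference has neither a scheme nor an authority component.
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

To use it, name this class instead of org.hippoecm.hst.security.servlet.LoginServlet in the servlet-class element of web.xml.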
createSubjectRepositoryCredentials
protected javax.jcr.Credentials createSubjectRepositoryCredentials(javax.servlet.http.HttpServletRequest request)
- Creates repository credentials for the subject.
This method is invoked to store repository credentials for the subject.
By default, this method creates repository credentials with the same user/password credentials
used during authentication.
A child class can override this method to behave differently.
- Parameters:
request
-
- Returns:
renderLoginFormPage
protected void renderLoginFormPage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
renderAutoLoginPage
protected void renderAutoLoginPage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
renderLoginErrorPage
protected void renderLoginErrorPage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
renderTemplatePage
protected void renderTemplatePage(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
String templateResourcePath,
Map<String,Object> params)
throws IOException,
javax.servlet.ServletException
- Throws:
IOException
javax.servlet.ServletException
isContextPathInUrl
protected boolean isContextPathInUrl(javax.servlet.http.HttpServletRequest request)
- This is a hook into the HstServices component manager to look up in the VirtualHosts whether the contextPath should be in the URL.
Although this can be overridden per VirtualHost or Mount, this is the best we can do at this moment, as we do not have an HstRequestContext and therefore no ResolvedMount either.
- Parameters:
request
-
- Returns:
true when the global VirtualHosts is configured to have the contextPath in the URL
Copyright © 2008-2012 Hippo. All Rights Reserved.