Module org.bzdev.ejws

Package org.bzdev.ejws

Class EjwsBasicAuthenticator

java.lang.Object

com.sun.net.httpserver.Authenticator

com.sun.net.httpserver.BasicAuthenticator

org.bzdev.ejws.EjwsAuthenticator<EjwsBasicAuthenticator>

org.bzdev.ejws.EjwsBasicAuthenticator

public class EjwsBasicAuthenticator
extends EjwsAuthenticator<EjwsBasicAuthenticator>

Implementation of BasicAuthenticator using either an in-memory table of user names and passwords or a user-supplied table.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	EjwsBasicAuthenticator.Entry	User entry.

Nested classes/interfaces inherited from class org.bzdev.ejws.EjwsAuthenticator

EjwsAuthenticator.AddStatus, EjwsAuthenticator.BiConsumer1, EjwsAuthenticator.BiConsumer2, EjwsAuthenticator.GPGKeyIDs, EjwsAuthenticator.UserInfo

Nested classes/interfaces inherited from class com.sun.net.httpserver.Authenticator

Authenticator.Failure, Authenticator.Result, Authenticator.Retry, Authenticator.Success

Field Summary

Fields inherited from class org.bzdev.ejws.EjwsAuthenticator

authFunction, loginFunction, logoutFunction, onAccountActive, onAccountPending, onAccountRemoval, onAccountRequest, tracer

Fields inherited from class com.sun.net.httpserver.BasicAuthenticator

realm

Constructor Summary

Constructors

Constructor	Description
EjwsBasicAuthenticator(EmbeddedWebServer ews, String realm)	Constructor.
EjwsBasicAuthenticator(EmbeddedWebServer ews, String realm, Map<String,EjwsBasicAuthenticator.Entry> map)	Constructor providing a map.

Method Summary

Modifier and Type	Method	Description
void	add(String username, String password)	Add a user name and password for this authenticator's HTTP realm.
void	add(String username, String password, Set<String> roles)	Add a user name, the user's password and the user's roles for this authenticator's HTTP realm.
void	add(EjwsAuthenticator.UserInfo info)	Add a user specified by an instance of EjwsAuthenticator.UserInfo.
Authenticator.Result	authenticate(HttpExchange t)	Authenticate an HTTP request.
boolean	checkCredentials(String username, String password)	Check credentials.
protected Map<String,? extends EjwsAuthenticator.Entry>	getAuthMap()	Get the authentication map association user names with authentication data..
SecureBasicUtilities.Mode	getMode()	Get the mode.
byte[]	getSBL(String user)	Get the SBL file for a user
Set<String>	getUsers()	Get the names of all users known to this authenticator.
Set<String>	getUsers(boolean active)	Get selected users known to this authenticator.
EjwsUserTable<EjwsBasicAuthenticator,EjwsBasicAuthenticator.Entry>	getUserTable()	Get this authenticator's user table
void	handleError(HttpExchange t, Exception e)	Handle exceptions by sending an error response
boolean	isActive(String user)	Determine if a user is currently active.
boolean	isSBLCompressed(String user)	Determine if the SBL file is compresssed using GZIP.
EjwsBasicAuthenticator	loadFromDirs()	Load user-account data obtained from GPG or an SBL directory
boolean	makeUserActive(String name)	Make a user active.
boolean	makeUserActive(String name, boolean gpg)	Make a user active, specifying if the user is one for whom GPG is used to provide the data needed to log in.
protected boolean	makeUserActiveInMap(String name)	Make a user active, modifying only the authenticator's map.
boolean	makeUserPending(String name)	Make a user pendijng.
boolean	makeUserPending(String name, boolean gpg)	Make a user pending, specifying if the user is one for whom GPG is used to provide the data needed to log in.
protected boolean	makeUserPendingInMap(String name)	Make a user pending, modifying only the authenticator's map.
void	prune()	Remove cached passwords whose timeout has expired.
void	removePWInfo(String username)	Remove an entry from the password map.
boolean	removeUser(String name)	Remove a user.
boolean	removeUser(String name, boolean gpg)	Remove a user.
protected boolean	removeUserFromMap(String name)	Remove a user, modifying only the authenticator's map.
EjwsBasicAuthenticator	setTimeLimit(int passphraseTimeout)	Set the time limit for a passphrase/password.
EjwsBasicAuthenticator	setTimeLimits(int lowerTimeDiffLimit, int upperTimeDiffLimit, int passphraseTimeout)	Set time-offset limits.
EjwsBasicAuthenticator	setUserTable(EjwsUserTable<EjwsBasicAuthenticator,EjwsBasicAuthenticator.Entry> utable)	Set this authenticator's user table.

Methods inherited from class org.bzdev.ejws.EjwsAuthenticator

addToAdminMap, addToDeleteSet, closeSBLStore, createAuthCode, createAuthCookie, createServerCookie, createUser, createUser, createUser, createUser, createUser, deleteWithFingerprint, findAuthServerCookie, findServerCookie, generateAdminURI, generateRequestURI, getActiveGPGUsers, getAdminFingerprint, getAdminUsers, getAuthCode, getCanAddAccount, getFingerprint, getGPGUsers, getLoginAlias, getLoginPath, getPendingGPGUsers, getReverseProxy, getSBLStore, getSBLUsers, getTrustedKeyIDs, getUserNameFromSBL, getUsersExcept, getUserStatus, gpghome, hasGPGKey, inDeleteSet, isActiveDefault, isEmailAddress, isTrustedKey, processAdminRequests, readSBLData, removeFromDeleteSet, requestFromUser, setAllowLoopback, setAuthorizedFunction, setCanAddAccount, setCookie, setDefaultActive, setGPGHome, setLoginFunction, setLogoutFunction, setOnAccountActive, setOnAccountPending, setOnAccountRemoval, setOnAccountRequest, setReverseProxy, setSBLStore, setSBLStore, setSelfSigned, setThisObject, setTracer, setTruststore, setTruststorePW, setupKeySigner, setUserStatusFunction, showGPGKey, signKey, signKey, storeGPGKey, storeSBLData, trustGPGKey, validGPGUser

Methods inherited from class com.sun.net.httpserver.BasicAuthenticator

getRealm

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

EjwsBasicAuthenticator

public EjwsBasicAuthenticator(EmbeddedWebServer ews,
 String realm)

Constructor.

Parameters:

realm - the HTTP realm

EjwsBasicAuthenticator

public EjwsBasicAuthenticator(EmbeddedWebServer ews,
 String realm,
 Map<String,EjwsBasicAuthenticator.Entry> map)

Constructor providing a map. A user-supplied map can be implemented so as to allow one to obtain passwords and roles from a database or some other form of persistent storage. If entries can be added while a server using this authenticator is running, the map should have a thread-safe implementation.

Parameters:

realm - the HTTP realm

map - a map associating a user name with a table entry.

Method Details

isActive

public boolean isActive(String user)

Determine if a user is currently active. The authenticator's internal tables are tested, not values in persistent storage.

Specified by:

isActive in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

true if the user exists and is active; false otherwise

getAuthMap

protected Map<String,? extends EjwsAuthenticator.Entry> getAuthMap()

Get the authentication map association user names with authentication data..

Specified by:

getAuthMap in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

the map

getUsers

public Set<String> getUsers()

Get the names of all users known to this authenticator. The value returned is an unmodifiable set.

Specified by:

getUsers in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

the users

getUsers

public Set<String> getUsers(boolean active)

Get selected users known to this authenticator.

Specified by:

getUsers in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

active - true if the users are active; false if they are not active

getSBL

public byte[] getSBL(String user)

Get the SBL file for a user

Specified by:

getSBL in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

user - the user

Returns:

the SBL file as a byte array; null if there is none

isSBLCompressed

public boolean isSBLCompressed(String user)

Determine if the SBL file is compresssed using GZIP.

Specified by:

isSBLCompressed in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

true if the SBL file is compressed; false otherwise

See Also:

• EjwsAuthenticator.getSBL(String)

setTimeLimit

public EjwsBasicAuthenticator setTimeLimit(int passphraseTimeout)
                                    throws IllegalArgumentException

Set the time limit for a passphrase/password.

Parameters:

passphraseTimeout - the time interval in seconds for which a password is valid (the default is 1200); 0 to disable the timeout

Returns:

this authenticator

Throws:

IllegalArgumentException - if the argument is less than zero.

setTimeLimits

public EjwsBasicAuthenticator setTimeLimits(int lowerTimeDiffLimit,
 int upperTimeDiffLimit,
 int passphraseTimeout)
                                     throws IllegalArgumentException

Set time-offset limits. For the modes SecureBasicUtilities.Mode.DIGEST, SecureBasicUtilities.Mode.SIGNATURE_WITH_CERT, and SecureBasicUtilities.Mode.SIGNATURE_WITHOUT_CERT, each password that is generated contains a time stamp in units of seconds. The time difference is the difference between the current time and the time stamp associated with a password.

The first argument will generally be negative to handle the case in which the clock for the client generating the password is ahead of the server's clock. The second argument will generally be positive to handle the case in which the client's clock is behind the server's clock and to additionally account for propagation delay and to limit the number of times a password has to be recomputed. To allow for software that does not implement secure basic authentication, the value should be above the expected maximum length of a user's session.

The lowerTimeDiffLimit and upperTImeDiffLimit arguments are used for the admin account, not other accounts.

Parameters:

lowerTimeDiffLimit - the lower limit for the time difference in seconds (the default is -10 seconds).

upperTimeDiffLimit - the upper limit for the time difference in seconds (the default is 150 seconds)

passphraseTimeout - the time interval in seconds for which a password is valid (the default is 1200); 0 to disable this timeout

Returns:

this authenticator

Throws:

IllegalArgumentException - if the first argument is larger than zero, if the second argument is less than zero, or if the third argument, when not zero, is less than the second argument

add

public void add(String username,
 String password)
         throws UnsupportedOperationException,
IllegalStateException

Add a user name and password for this authenticator's HTTP realm. The new entry will use password authentication.

Parameters:

username - the user name

password - the password

Throws:

UnsupportedOperationException - if the map does not allow entries to be added (the default map does not throw this exception)

IllegalStateException - if the map already contains the user

add

public void add(String username,
 String password,
 Set<String> roles)
         throws UnsupportedOperationException,
IllegalStateException

Add a user name, the user's password and the user's roles for this authenticator's HTTP realm. The new entry will use password authentication.

Parameters:

username - the user name

password - the user's password

roles - the user's roles

Throws:

UnsupportedOperationException - if the map does not allow entries to be added (the default map does not throw this exception)

IllegalStateException - if the map already contains the user

setUserTable

public EjwsBasicAuthenticator setUserTable(EjwsUserTable<EjwsBasicAuthenticator,EjwsBasicAuthenticator.Entry> utable)

Set this authenticator's user table.

Parameters:

utable - the user table

Returns:

this authenticator

getUserTable

public EjwsUserTable<EjwsBasicAuthenticator,EjwsBasicAuthenticator.Entry> getUserTable()

Get this authenticator's user table

Specified by:

getUserTable in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

the user table.

add

public void add(EjwsAuthenticator.UserInfo info)
         throws IllegalStateException

Add a user specified by an instance of EjwsAuthenticator.UserInfo.

Specified by:

add in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

info - the user data

Throws:

IllegalStateException

removeUser

public boolean removeUser(String name,
 boolean gpg)

Remove a user.

Specified by:

removeUser in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user name

gpg - true to delete GPG permanent entries; false for SBL permanent entries

removeUser

public boolean removeUser(String name)

Remove a user.

Specified by:

removeUser in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the name of the user

makeUserActive

public boolean makeUserActive(String name,
 boolean gpg)

Make a user active, specifying if the user is one for whom GPG is used to provide the data needed to log in.

Specified by:

makeUserActive in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user's name

gpg - true if GPG is used; false if an SBL directory is used

makeUserActiveInMap

protected boolean makeUserActiveInMap(String name)

Make a user active, modifying only the authenticator's map.

Specified by:

makeUserActiveInMap in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user name

Returns:

true on success; false if there is no such user

makeUserPending

public boolean makeUserPending(String name)

Make a user pendijng.

Specified by:

makeUserPending in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user's name

makeUserPending

public boolean makeUserPending(String name,
 boolean gpg)

Make a user pending, specifying if the user is one for whom GPG is used to provide the data needed to log in.

Specified by:

makeUserPending in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user's name

gpg - true if GPG is used; false if an SBL directory is used

makeUserPendingInMap

protected boolean makeUserPendingInMap(String name)

Make a user pending, modifying only the authenticator's map.

Specified by:

makeUserPendingInMap in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user name

Returns:

true on success; false if there is no such user

removeUserFromMap

protected boolean removeUserFromMap(String name)

Remove a user, modifying only the authenticator's map.

Specified by:

removeUserFromMap in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user name

Returns:

true on success; false if there is no such user

makeUserActive

public boolean makeUserActive(String name)

Make a user active.

Specified by:

makeUserActive in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

name - the user's name

loadFromDirs

public EjwsBasicAuthenticator loadFromDirs()
                                    throws UnsupportedOperationException

Load user-account data obtained from GPG or an SBL directory

Overrides:

loadFromDirs in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

this object

Throws:

UnsupportedOperationException

See Also:

• EjwsAuthenticator.gpghome()
• EjwsAuthenticator.setGPGHome(File)
• EjwsAuthenticator.getSBLStore()
• EjwsAuthenticator.setSBLStore(File)

handleError

public void handleError(HttpExchange t,
 Exception e)
                 throws IOException

Handle exceptions by sending an error response

Parameters:

t - the HttpExchange being processed

e - an exception that is being handled

Throws:

IOException

authenticate

public Authenticator.Result authenticate(HttpExchange t)

Authenticate an HTTP request.

Overrides:

authenticate in class BasicAuthenticator

Parameters:

t - the HTTP exchange object

Returns:

the authentication result

See Also:

• Authenticator.authenticate(HttpExchange)

removePWInfo

public void removePWInfo(String username)

Remove an entry from the password map. This is called when logging out.

Overrides:

removePWInfo in class EjwsAuthenticator<EjwsBasicAuthenticator>

Parameters:

username - the user name

getMode

public SecureBasicUtilities.Mode getMode()

Get the mode.

Specified by:

getMode in class EjwsAuthenticator<EjwsBasicAuthenticator>

Returns:

SecureBasicUtilities.Mode.PASSWORD

prune

public void prune()

Remove cached passwords whose timeout has expired. The method can be called periodically to eliminate passwords when a user has not explicitly logged out.

checkCredentials

public boolean checkCredentials(String username,
 String password)

Check credentials. This method is called for each incoming request to verify the given name and password in the context of this Authenticator's realm.

Specified by:

checkCredentials in class BasicAuthenticator

Parameters:

username - the user name

password - the password