| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||||
| RememberMeServices |
|
| 1.0;1 |
| 1 | /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited |
|
| 2 | * |
|
| 3 | * Licensed under the Apache License, Version 2.0 (the "License"); |
|
| 4 | * you may not use this file except in compliance with the License. |
|
| 5 | * You may obtain a copy of the License at |
|
| 6 | * |
|
| 7 | * http://www.apache.org/licenses/LICENSE-2.0 |
|
| 8 | * |
|
| 9 | * Unless required by applicable law or agreed to in writing, software |
|
| 10 | * distributed under the License is distributed on an "AS IS" BASIS, |
|
| 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
| 12 | * See the License for the specific language governing permissions and |
|
| 13 | * limitations under the License. |
|
| 14 | */ |
|
| 15 | ||
| 16 | package org.acegisecurity.ui.rememberme; |
|
| 17 | ||
| 18 | import org.acegisecurity.Authentication; |
|
| 19 | ||
| 20 | import javax.servlet.http.HttpServletRequest; |
|
| 21 | import javax.servlet.http.HttpServletResponse; |
|
| 22 | ||
| 23 | ||
| 24 | /** |
|
| 25 | * Implement by a class that is capable of providing a remember-me service. |
|
| 26 | * |
|
| 27 | * <p> |
|
| 28 | * Acegi Security filters (namely {@link |
|
| 29 | * org.acegisecurity.ui.AbstractProcessingFilter} and {@link |
|
| 30 | * org.acegisecurity.ui.rememberme.RememberMeProcessingFilter} will call |
|
| 31 | * the methods provided by an implementation of this interface. |
|
| 32 | * </p> |
|
| 33 | * |
|
| 34 | * <p> |
|
| 35 | * Implementations may implement any type of remember-me capability they wish. |
|
| 36 | * Rolling cookies (as per <a href="http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice"> |
|
| 37 | * http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice</a>) |
|
| 38 | * can be used, as can simple implementations that don't require a persistent |
|
| 39 | * store. Implementations also determine the validity period of a remember-me |
|
| 40 | * cookie. This interface has been designed to accommodate any of these |
|
| 41 | * remember-me models. |
|
| 42 | * </p> |
|
| 43 | * |
|
| 44 | * <p> |
|
| 45 | * This interface does not define how remember-me services should offer a |
|
| 46 | * "cancel all remember-me tokens" type capability, as this will be |
|
| 47 | * implementation specific and requires no hooks into Acegi Security. |
|
| 48 | * </p> |
|
| 49 | * |
|
| 50 | * @author Ben Alex |
|
| 51 | * @version $Id: RememberMeServices.java 1784 2007-02-24 21:00:24Z luke_t $ |
|
| 52 | */ |
|
| 53 | public interface RememberMeServices { |
|
| 54 | //~ Methods ======================================================================================================== |
|
| 55 | ||
| 56 | /** |
|
| 57 | * This method will be called whenever the <code>SecurityContextHolder</code> does not contain an |
|
| 58 | * <code>Authentication</code> and the Acegi Security system wishes to provide an implementation with an |
|
| 59 | * opportunity to authenticate the request using remember-me capabilities. Acegi Security makes no attempt |
|
| 60 | * whatsoever to determine whether the browser has requested remember-me services or presented a valid cookie. |
|
| 61 | * Such determinations are left to the implementation. If a browser has presented an unauthorised cookie for |
|
| 62 | * whatever reason, it should be silently ignored and invalidated using the <code>HttpServletResponse</code> |
|
| 63 | * object.<p>The returned <code>Authentication</code> must be acceptable to {@link |
|
| 64 | * org.acegisecurity.AuthenticationManager} or {@link org.acegisecurity.providers.AuthenticationProvider} defined |
|
| 65 | * by the web application. It is recommended {@link |
|
| 66 | * org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken} be used in most cases, as it has a |
|
| 67 | * corresponding authentication provider.</p> |
|
| 68 | * |
|
| 69 | * @param request to look for a remember-me token within |
|
| 70 | * @param response to change, cancel or modify the remember-me token |
|
| 71 | * |
|
| 72 | * @return a valid authentication object, or <code>null</code> if the request should not be authenticated |
|
| 73 | */ |
|
| 74 | Authentication autoLogin(HttpServletRequest request, HttpServletResponse response); |
|
| 75 | ||
| 76 | /** |
|
| 77 | * Called whenever an interactive authentication attempt was made, but the credentials supplied by the user |
|
| 78 | * were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated |
|
| 79 | * in the <code>HttpServletRequest</code>. |
|
| 80 | * |
|
| 81 | * @param request that contained an invalid authentication request |
|
| 82 | * @param response to change, cancel or modify the remember-me token |
|
| 83 | */ |
|
| 84 | void loginFail(HttpServletRequest request, HttpServletResponse response); |
|
| 85 | ||
| 86 | /** |
|
| 87 | * Called whenever an interactive authentication attempt is successful. An implementation may automatically |
|
| 88 | * set a remember-me token in the <code>HttpServletResponse</code>, although this is not recommended. Instead, |
|
| 89 | * implementations should typically look for a request parameter that indicates the browser has presented an |
|
| 90 | * explicit request for authentication to be remembered, such as the presence of a HTTP POST parameter. |
|
| 91 | * |
|
| 92 | * @param request that contained the valid authentication request |
|
| 93 | * @param response to change, cancel or modify the remember-me token |
|
| 94 | * @param successfulAuthentication representing the successfully authenticated principal |
|
| 95 | */ |
|
| 96 | void loginSuccess(HttpServletRequest request, HttpServletResponse response, |
|
| 97 | Authentication successfulAuthentication); |
|
| 98 | } |