01: /*
02: * JBoss, Home of Professional Open Source.
03: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
04: * as indicated by the @author tags. See the copyright.txt file in the
05: * distribution for a full listing of individual contributors.
06: *
07: * This is free software; you can redistribute it and/or modify it
08: * under the terms of the GNU Lesser General Public License as
09: * published by the Free Software Foundation; either version 2.1 of
10: * the License, or (at your option) any later version.
11: *
12: * This software is distributed in the hope that it will be useful,
13: * but WITHOUT ANY WARRANTY; without even the implied warranty of
14: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15: * Lesser General Public License for more details.
16: *
17: * You should have received a copy of the GNU Lesser General Public
18: * License along with this software; if not, write to the Free
19: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21: */
22: package org.jboss.web.tomcat.security;
23:
24: import java.security.acl.Group;
25:
26: import javax.security.auth.login.LoginException;
27: import javax.security.jacc.PolicyContext;
28: import javax.security.jacc.PolicyContextException;
29: import javax.servlet.http.HttpServletRequest;
30:
31: import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
32:
33: /**
34: * An abstract subclass of UsernamePasswordLoginModule that makes the
35: * HttpServletRequest from the client attempting to login available to the Login
36: * Module.
37: *
38: * You could invoke the getHttpServletRequest() inside your getUsersPassword()
39: * method implementation, allowing you to access information from the
40: * HttpServletRequest from the client, to perform things like denying access to
41: * certain IP addresses, or to disallow a maximum number of login retries per IP
42: * address, inserting attempts into a database.
43: *
44: * @see #getHttpServletRequest
45: *
46: * @author Ricardo Arguello (ricardoarguello@users.sourceforge.net)
47: * @author Scott.Stark@jboss.org
48: * @version $Revision: 57206 $
49: */
50: public abstract class HttpServletRequestLoginModule extends
51: UsernamePasswordLoginModule {
52: /** Client's HttpServletRequest. */
53: protected HttpServletRequest request;
54:
55: /**
56: * Obtains the HttpServletRequest of the user attempting to authenticate
57: * using the JACC HttpServletRequest policy context handler.
58: *
59: * You could use this information to deny access when a number of login
60: * retries per IP address has been attempted.
61: *
62: * @return the IP address of the user attempting to authenticate.
63: */
64: protected HttpServletRequest getHttpServletRequest()
65: throws PolicyContextException {
66: request = (HttpServletRequest) PolicyContext
67: .getContext("javax.servlet.http.HttpServletRequest");
68: return request;
69: }
70:
71: /**
72: * Get the expected password for the current username available via the
73: * getUsername() method. This is called from within the login() method after
74: * the CallbackHandler has returned the username and candidate password.
75: * <p>
76: * You could use getHttpServletRequest() inside this method.
77: *
78: * @see org.jboss.security.auth.spi.UsernamePasswordLoginModule#getUsersPassword()
79: *
80: * @return the valid password String
81: */
82: protected abstract String getUsersPassword() throws LoginException;
83:
84: /**
85: * @see org.jboss.security.auth.spi.AbstractServerLoginModule#getRoleSets()
86: */
87: protected abstract Group[] getRoleSets() throws LoginException;
88: }