This class is a servlet filter used to protect web pages behind an authentication mechanism. When a
non-authenticated user requests a private page, (s)he is redirected towards the login page and thereafter,
if (s)he logged in successfully, towards his (her) initially requested page.
Authentication is performed via a CRAM (challenge-response authentication mechanism).
Passwords are encrypted using the method given as parameter to the Authenticator tool in toolbox.xml. The provided
Javascript file /src/javascript/md5.js implements the HmacMD5 method on the client side.
This filter works in conjunction with an Authenticator object that must be present in the session scope
of the toolbox and with a javascript password encryption function.
To use it, you just have to map private urls (and especially, the target of the login form, this is
very important for the authentication to work properly!) to go through this filter, as in:

    <filter>
        <filter-name>authentication</filter-name>
        <filter-class>auth.AuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>authentication</filter-name>
        <url-pattern>/auth/*</url-pattern>
    </filter-mapping>
The password is encrypted in an irreversible manner into an answer, and to check the login,
the answer that the client sends back to the server is compared to the expected answer computed on the server.
The javascript file login.js.vtl contains the necessary encryption functions. It uses
the bignum.js library file. You will find those files in /src/resources/auth
or in the auth-l10n sample webapp.
The filter expects the login to be present in the HTTP 'login' form field, and the answer in
the 'answer' form field (which should be all right if you use login.js.vtl as is). The action of the form
is never used (since the filter will redirect the user towards the page asked before the login), but it must
be caught by a url-pattern of this filter. You can for instance define a mapping towards "/process_login".
The logged-in state is materialized by the presence of a user Object in the session under
the user key. This user object is the one returned by the abstract method Authenticator.getUser(login).
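The login flow described above (challenge issued by the server, HMAC-MD5 answer computed on the client, comparison and session user on the server, inactivity disconnect), modelled as an added Python example that is not the filter's own code. Authenticator.get_password and the challenge format are assumptions; the page only names getUser and does not describe how the challenge is generated.

```python
import hmac
import hashlib
import secrets


class Authenticator:
    """Stand-in for the abstract Authenticator object in the session toolbox (constructed)."""
    def __init__(self, users):
        self._users = users                      # login -> (password, user object)
    def get_password(self, login):               # assumed counterpart of getUser, not named on the page
        return self._users.get(login, (None, None))[0]
    def get_user(self, login):                   # the abstract getUser(login) named on the page
        return self._users.get(login, (None, None))[1]


def new_challenge(session):
    """Server: issue a fresh, unpredictable challenge and keep it in the session."""
    session["challenge"] = secrets.token_hex(16)
    return session["challenge"]


def client_answer(password, challenge):
    """Client (what md5.js computes in the browser): HMAC-MD5 of the challenge keyed with the password.
    Only this digest leaves the browser; the password itself is never sent."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def process_login(auth, session, login, answer, now):
    """Server: the check the filter performs on the 'login' and 'answer' form fields."""
    challenge = session.pop("challenge", None)   # one challenge per attempt, so an old answer cannot be replayed
    password = auth.get_password(login)
    if challenge is None or password is None:
        return False
    expected = client_answer(password, challenge)
    if not hmac.compare_digest(expected, answer):  # constant-time comparison of the digests
        return False
    session["user"] = auth.get_user(login)       # logged-in state: user object under the "user" key
    session["last_access"] = now
    return True


def current_user(session, now, max_inactive=3600):
    """Server: the session user, or None once more than max-inactive seconds (default one hour) have passed."""
    user = session.get("user")
    if user is None:
        return None
    if now - session["last_access"] > max_inactive:
        session.pop("user")                      # the "disconnected-message" case
        session.pop("last_access")
        return None
    session["last_access"] = now
    return user
```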
This filter will search for an occurrence of a localizer tool in the session toolbox to resolve some values.
The presence of this localizer is optional.
Optional configuration parameters:
login-field : name of the login form field.
password-field : name of the password field.
max-inactive : delay, in seconds, after which an inactive user is disconnected.
The default value is one hour.
login-page : the login page URI. The "@ " pattern applies as well. Default is '/login.html'.
authenticated-index-page : the default page once authenticated. The "@ " pattern applies as well.
Default is '/loggued.html'.
bad-login-message : the message to be displayed in case of bad login. If this parameter is not
specified, the filter will try to get a reference from the localizer tool and ask it for a "badLogin"
message, and if this fails, it will simply use "Bad login or password.".
disconnected-message : the message to be displayed when the user is disconnected after a period
of inactivity on the site. Same remark if this parameter is not supplied: the filter will search
for a "disconnected" message in the localizer tool if present, and otherwise display "You have been disconnected."
author: Claude Brisson