public interface Authenticator
One possible implementation relies on the use of a thread local variable to store the current user's identity. The application is responsible for calling setCurrentUser() as soon as possible after each HTTP request is received. The value of getCurrentUser() is used in several other places in this API. This eliminates the need to pass a user object to methods throughout the library. For example, all of the logging, access control, and exception calls need access to the currently logged in user.
The goal is to minimize the responsibility of the developer for authentication. In this example, the user simply calls authenticate with the current request and the name of the parameters containing the username and password. The implementation should verify the password if necessary, create a session if necessary, and set the user as the current user.
public void doPost(ServletRequest request, ServletResponse response) { try { User user = ESAPI.authenticator().login(request, response); // continue with authenticated user } catch (AuthenticationException e) { // handle failed authentication (it's already been logged) }
Modifier and Type | Method and Description |
---|---|
void |
changePassword(User user,
String currentPassword,
String newPassword,
String newPassword2)
Changes the password for the specified user.
|
void |
clearCurrent()
Clears the current User.
|
User |
createUser(String accountName,
String password1,
String password2)
Creates a new User with the information provided.
|
boolean |
exists(String accountName)
Determine if the account exists.
|
String |
generateStrongPassword()
Generate a strong password.
|
String |
generateStrongPassword(User user,
String oldPassword)
Generate strong password that takes into account the user's information and old password.
|
User |
getCurrentUser()
Returns the currently logged in User.
|
User |
getUser(long accountId)
Returns the User matching the provided accountId.
|
User |
getUser(String accountName)
Returns the User matching the provided accountName.
|
Set |
getUserNames()
Gets a collection containing all the existing user names.
|
String |
hashPassword(String password,
String accountName)
Returns a string representation of the hashed password, using the
accountName as the salt.
|
User |
login()
Calls login with the *current* request and response.
|
User |
login(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
This method should be called for every HTTP request, to login the current user either from the session of HTTP
request.
|
void |
logout()
Logs out the current user.
|
void |
removeUser(String accountName)
Removes the account of the specified accountName.
|
void |
setCurrentUser(User user)
Sets the currently logged in User.
|
void |
verifyAccountNameStrength(String accountName)
Ensures that the account name passes site-specific complexity requirements, like minimum length.
|
boolean |
verifyPassword(User user,
String password)
Verify that the supplied password matches the password for this user.
|
void |
verifyPasswordStrength(String oldPassword,
String newPassword,
User user)
Ensures that the password meets site-specific complexity requirements, like length or number
of character sets.
|
void clearCurrent()
User login() throws AuthenticationException
User
if login is successful.AuthenticationException
HTTPUtilities.setCurrentHTTP(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
User login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException
request
- the current HTTP requestresponse
- the HTTP responseAuthenticationException
- if the credentials are not verified, or if the account is disabled, locked, expired, or timed outboolean verifyPassword(User user, String password)
hashPassword(password, accountName)
method in this class, however see WARNING
the hashPassword
method.
This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.
user
- the user who requires verificationpassword
- the hashed user-supplied passwordhashPassword(String password, String accountName)
void logout()
User createUser(String accountName, String password1, String password2) throws AuthenticationException
WARNING: The implementation of this method as defined in the
default reference implementation class, FileBasedAuthenticator
,
uses a password hash algorthim that is known to be weak. You are advised
to replace the default reference implementation class with your own custom
implementation that uses a stronger password hashing algorithm.
See class comments in * FileBasedAuthenticator
for further details.
accountName
- the account name of the new userpassword1
- the password of the new userpassword2
- the password of the new user. This field is to encourage user interface designers to include two password fields in their forms.AuthenticationException
- if user creation fails due to any of the qualifications listed in this method's descriptionString generateStrongPassword()
String generateStrongPassword(User user, String oldPassword)
user
- the user whose information to use when generating passwordoldPassword
- the old password to use when verifying strength of new password. The new password may be checked for fragments of oldPassword.void changePassword(User user, String currentPassword, String newPassword, String newPassword2) throws AuthenticationException
user
- the user to change the password forcurrentPassword
- the current password for the specified usernewPassword
- the new password to usenewPassword2
- a verification copy of the new passwordAuthenticationException
- if any errors occurUser getUser(long accountId)
accountId
- the account idUser getUser(String accountName)
accountName
- the account nameSet getUserNames()
User getCurrentUser()
void setCurrentUser(User user)
user
- the user to set as the current userString hashPassword(String password, String accountName) throws EncryptionException
WARNING: The implementation of this method as defined in the
default reference implementation class, FileBasedAuthenticator
,
is know to be extremely weak. The reference implementation class was
meant to be an example implementation and generally should be avoided
and replaced with your own implementation. See class comments in
FileBasedAuthenticator
for further details.
password
- the password to hashaccountName
- the account name to use as the saltEncryptionException
FileBasedAuthenticator,
the default reference implementation of this interface.
void removeUser(String accountName) throws AuthenticationException
accountName
- the account name to removeAuthenticationException
- the authentication exception if user does not existvoid verifyAccountNameStrength(String accountName) throws AuthenticationException
accountName
- the account nameAuthenticationException
- if account name does not meet complexity requirementsvoid verifyPasswordStrength(String oldPassword, String newPassword, User user) throws AuthenticationException
oldPassword
- the old passwordnewPassword
- the new passworduser
- the userAuthenticationException
- if newPassword is too similar to oldPassword or if newPassword does not meet complexity requirementsboolean exists(String accountName)
accountName
- the account nameCopyright © 2021 The Open Web Application Security Project (OWASP). All rights reserved.