blackboard.platform.security.authentication
Class BaseAuthenticationModule

java.lang.Object
  extended by blackboard.platform.security.authentication.BaseAuthenticationModule
All Implemented Interfaces:
HttpAuthModule
Direct Known Subclasses:
LDAPAuthModule

public class BaseAuthenticationModule
extends java.lang.Object
implements HttpAuthModule

Implementation class for the default authentication provider for Blackboard Learning System, also known as RDBMS Authentication. This class can be used as the base class for implementations that will use the Blackboard database as the user directory.

Version:
$Revision: #1 $ $Date: 2005/06/27 $
See Also:
HttpAuthModule

Field Summary
protected static java.lang.String _authTypeDisplayStr
          Used internally by this module.
protected  HttpAuthConfig _config
          Member variable used to access HttpAuthConfig information.
protected  LogService _logger
          Member variable to write log messages to the LogService.
static java.lang.String IMPL_CLASS_KEY
          Used internally by this module.
static java.lang.String USE_CHALLENGE_KEY
          Used internally by this module.
 
Constructor Summary
BaseAuthenticationModule()
          Simple default constructor.
 
Method Summary
protected  void assertRequestAuthenticate()
          Wrapper for any assertions that should be made before authentication request.
protected  java.lang.String authenticate(java.lang.String userName, java.lang.String userToken, SessionStub sessionStub, boolean useChallenge)
          Method to support native authentication.
protected  java.lang.String doAuthenticate(java.util.Hashtable authenticateParams, SessionStub sessionStub, boolean useChallenge)
          Implementation specific version of doAuthenticate which does additional checking before calling authenticate.
 java.lang.String doAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Performs the work of authentication.
 void doLogout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Implementation method.
 java.lang.String getAuthType()
          Returns a String identifier for the authentication type for a given implementation of HttpAuthModule.
protected  BbResourceBundle getBundle()
           
protected  java.lang.String getConfigErrs()
          Collects errors from loading configuration properties for this authentication type.
 boolean getCreateAccountAllowed(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Determines, based on configuration information, whether users may create new accounts.
static java.lang.String getDefaultAuthType()
          Returns the default authentication type.
protected  java.util.Hashtable getDoAuthenticateParams(javax.servlet.http.HttpServletRequest request)
          Gets the authentication parameters from the request object.
 java.lang.String[] getPropKeys()
          Returns a String array of the keys to this authentication module's configuration properties file.
protected  java.lang.String getRequestAuthenticateUri(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Indicates the target resource that should receive the current request.
protected  java.util.Hashtable getSecondaryDoAuthenticateParams(javax.servlet.http.HttpServletRequest request)
          Gets the authentication parameters from the request object.
protected  java.lang.String getSubConfigErrs()
          Collects errors from loading nested configuration properties for this authentication type.
 boolean getUseChallenge()
          Determines, based on configuration information, whether to use challenge-response authentication.
 void init(ConfigurationService cfg)
          Initializes authentication module.
 boolean isAuthenticated(javax.servlet.http.HttpServletRequest request)
          Deprecated.  
 boolean isExternalAuth()
          Can be used by subclasses to determine whether or not the authentication module is an external authentication module.
 void requestAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Implementation method.
 void setConfig(HttpAuthConfig config)
          Sets the configuration properties for this authentication type.
protected  void setGlobalKeys(javax.servlet.http.HttpServletRequest request)
          Set whatever key-value pairs need to be stored for the current session.
protected  void validateConfig()
          Validates that the configuration properties for this authentication type have been loaded correctly.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

_authTypeDisplayStr

protected static java.lang.String _authTypeDisplayStr
Used internally by this module.


IMPL_CLASS_KEY

public static final java.lang.String IMPL_CLASS_KEY
Used internally by this module.

See Also:
Constant Field Values

USE_CHALLENGE_KEY

public static final java.lang.String USE_CHALLENGE_KEY
Used internally by this module.

See Also:
Constant Field Values

_logger

protected LogService _logger
Member variable to write log messages to the LogService. Can be used by subclasses that need to write log messages.


_config

protected HttpAuthConfig _config
Member variable used to access HttpAuthConfig information. Can be used by subclasses that need information from this object.

Constructor Detail

BaseAuthenticationModule

public BaseAuthenticationModule()
Simple default constructor. This constructor must be public because HttpAuthManager calls Class.newInstance().

Method Detail

getBundle

protected BbResourceBundle getBundle()

init

public void init(ConfigurationService cfg)
Initializes authentication module.

Specified by:
init in interface HttpAuthModule
Parameters:
cfg - The ConfigurationService for this installation.

setConfig

public void setConfig(HttpAuthConfig config)
Sets the configuration properties for this authentication type.

Specified by:
setConfig in interface HttpAuthModule
Parameters:
config - The HttpAuthConfig object containing all authentication properties for this authentication type.

validateConfig

protected void validateConfig()
                       throws BbInsufficientArgs
Validates that the configuration properties for this authentication type have been loaded correctly.

Throws:
BbInsufficientArgs

getConfigErrs

protected java.lang.String getConfigErrs()
Collects errors from loading configuration properties for this authentication type.


getSubConfigErrs

protected java.lang.String getSubConfigErrs()
Collects errors from loading nested configuration properties for this authentication type.


getPropKeys

public java.lang.String[] getPropKeys()
Returns a String array of the keys to this authentication module's configuration properties file.

Specified by:
getPropKeys in interface HttpAuthModule

isExternalAuth

public boolean isExternalAuth()
Can be used by subclasses to determine whether or not the authentication module is an external authentication module. This implementation returns false.


isAuthenticated

public boolean isAuthenticated(javax.servlet.http.HttpServletRequest request)
                        throws BbSecurityException
Deprecated. 

Stub implementation to satisfy interface. This implementation always returns true. Subclasses should not override this method.

Specified by:
isAuthenticated in interface HttpAuthModule
Parameters:
request - the request to validate
Returns:
true if the session token is present
Throws:
BbSecurityException - never thrown by this implementation. Included here for completeness.
See Also:
blackboard.platform.session.BbSession.isAuthenticated

doAuthenticate

public java.lang.String doAuthenticate(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response)
                                throws BbSecurityException,
                                       BbAuthenticationFailedException,
                                       BbCredentialsNotFoundException
Performs the work of authentication. Parses the Authorization string out of the request, calls doAuthenticate( Hashtable, SessionStub, boolean) which submits username and password to the authenticate method.

Specified by:
doAuthenticate in interface HttpAuthModule
Parameters:
request - the request containing auth credentials
response - the response object associated with the current HTTP transaction. This object is not used in this implementation
Returns:
Current user key
Throws:
BbSecurityException - thrown if an external error prevents authentication from occurring.
BbAuthenticationFailedException - thrown if authentication failed (i.e., wrong password)
BbCredentialsNotFoundException - thrown if no credentials were found in the request

doAuthenticate

protected java.lang.String doAuthenticate(java.util.Hashtable authenticateParams,
                                          SessionStub sessionStub,
                                          boolean useChallenge)
                                   throws BbSecurityException,
                                          BbAuthenticationFailedException,
                                          BbCredentialsNotFoundException
Implementation specific version of doAuthenticate which does additional checking before calling authenticate.

Parameters:
authParams - a Hashtable of request parameter names and values
sessionStub - Session information
useChallenge - boolean to signify whether or not authentication is configured for challenge-response
Throws:
BbSecurityException
BbAuthenticationFailedException
BbCredentialsNotFoundException

getDoAuthenticateParams

protected java.util.Hashtable getDoAuthenticateParams(javax.servlet.http.HttpServletRequest request)
Gets the authentication parameters from the request object.

Parameters:
getAuthenticateParams -
Returns:
Hashtable of authenticate parameters extracted from the request object.

getSecondaryDoAuthenticateParams

protected java.util.Hashtable getSecondaryDoAuthenticateParams(javax.servlet.http.HttpServletRequest request)
Gets the authentication parameters from the request object.

Parameters:
getAuthenticateParams -
Returns:
Hashtable of authenticate parameters extracted from the request object.

requestAuthenticate

public void requestAuthenticate(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response)
                         throws BbSecurityException
Implementation method. Stores the requested URL in session for the login JSP to forward. The request is typically redirected to the URI /webapps/login/login.jsp.

Specified by:
requestAuthenticate in interface HttpAuthModule
Parameters:
request - The current HTTP request object. Used to get the session object
response - The response on which to set SC_UNAUTHORIZED
Throws:
BbSecurityException - thrown if a run-time error prevents the method from completing.
See Also:
HttpServletResponse.SC_UNAUTHORIZED

assertRequestAuthenticate

protected void assertRequestAuthenticate()
                                  throws BbSecurityException
Wrapper for any assertions that should be made before authentication request. Checks to make sure the configuration has been set.

Throws:
BbSecurityException - if the configuration has not been set

getRequestAuthenticateUri

protected java.lang.String getRequestAuthenticateUri(javax.servlet.http.HttpServletRequest request,
                                                     javax.servlet.http.HttpServletResponse response)
                                              throws java.io.IOException,
                                                     java.lang.SecurityException,
                                                     java.io.FileNotFoundException,
                                                     PersistenceException
Indicates the target resource that should receive the current request. This implementation returns the default login URI for the installation.

Throws:
java.io.IOException
java.lang.SecurityException
java.io.FileNotFoundException
PersistenceException

doLogout

public void doLogout(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response)
              throws BbSecurityException
Implementation method. Clears the authentication token from the session.

Specified by:
doLogout in interface HttpAuthModule
Parameters:
request - the current HTTP request. Used to obtain a session handle.
response - the current HTTP response. Passed for completeness, not used.
Throws:
blackboard.platform.security.authentication.BbSecurityException - included for completeness. This implementation will never throw this exception
BbSecurityException - thrown if an error occurs performing the implementation-specific invalidation

authenticate

protected java.lang.String authenticate(java.lang.String userName,
                                        java.lang.String userToken,
                                        SessionStub sessionStub,
                                        boolean useChallenge)
                                 throws BbAuthenticationFailedException,
                                        BbSecurityException
Method to support native authentication. Uses credentials to look up a user's key in the database. If the system is configured to use the challenge-response protocol, the password provided by the caller is expected to be a hexadecimal string representing the message digest of the string M(M(password) + server token), where M is the hashing algorithm (MD5), password is the clear text password entered by the user, and server token is a digested string generated as a pseudo-random server variable. The comparison is done by taking all of the corresponding values stored on the server and re-generating the string. If the hashed version from the client matches the version calculated by the server, the login is successful. If challenge-response is not used, the processing is greatly simplified: the password is in clear text. The method digests it and compares it against the hashed value stored in the database.

Parameters:
userName - User name
userToken - this should be either clear text password or hash, depending on the result from RDBMSAuthUtil.useChallenge().
Returns:
User key used to load user.
Throws:
blackboard.platform.security.BbAuthenticationFailedException
BbAuthenticationFailedException
BbSecurityException
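
The comparison that authenticate describes, written out as an added example; it is not Blackboard's code. The class and method names are hypothetical, and the lowercase-hex rendering, UTF-8 encoding and plain string concatenation of M(password) with the server token are assumptions the page does not specify.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class ChallengeResponseSketch {

    // M(x): MD5 digest rendered as lowercase hex (rendering is an assumption).
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is required on every Java platform
        }
    }

    // Constant-time comparison so timing does not reveal how many characters matched.
    static boolean sameDigest(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    // Hypothetical stand-in for the check; storedHash is M(password) from the user table.
    static boolean verify(String storedHash, String userToken, String serverToken, boolean useChallenge) {
        String expected = useChallenge
                ? md5Hex(storedHash + serverToken)   // server re-generates M(M(password) + server token)
                : storedHash;
        String presented = useChallenge
                ? userToken.toLowerCase(Locale.ROOT) // client sent the digest as hex
                : md5Hex(userToken);                 // client sent clear text; digest it first
        return sameDigest(expected, presented);
    }

    public static void main(String[] args) {
        // All values below are constructed for the example.
        String storedHash = md5Hex("constructed-password");
        String serverToken = md5Hex("constructed-nonce-1");
        String clientReply = md5Hex(md5Hex("constructed-password") + serverToken);

        System.out.println(verify(storedHash, clientReply, serverToken, true));                   // reply for this token
        System.out.println(verify(storedHash, clientReply, md5Hex("constructed-nonce-2"), true)); // old reply, new token
        System.out.println(verify(storedHash, "constructed-password", null, false));              // clear-text mode
        System.out.println(verify(storedHash, storedHash, null, false));                          // hash sent in clear-text mode
    }
}
```

In challenge mode the reply depends only on M(password) and the server token, so the stored digest is password-equivalent and the user table needs the same protection as clear-text credentials.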

getCreateAccountAllowed

public boolean getCreateAccountAllowed(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response)
Determines, based on configuration information, whether users may create new accounts.


getUseChallenge

public boolean getUseChallenge()
Determines, based on configuration information, whether to use challenge-response authentication.


getAuthType

public java.lang.String getAuthType()
Returns a String identifier for the authentication type for a given implementation of HttpAuthModule.

Specified by:
getAuthType in interface HttpAuthModule

getDefaultAuthType

public static java.lang.String getDefaultAuthType()
Returns the default authentication type.


setGlobalKeys

protected void setGlobalKeys(javax.servlet.http.HttpServletRequest request)
                      throws PersistenceException
Set whatever key-value pairs need to be stored for the current session. Subclasses should override this method only if needed. This module provides a null implementation of this method.

Throws:
PersistenceException


Copyright © 2003 Blackboard, Inc. All Rights Reserved.