com.atlassian.crowd.integration.springsecurity

Class CrowdAuthenticationProvider

java.lang.Object

com.atlassian.crowd.integration.springsecurity.CrowdAuthenticationProvider

All Implemented Interfaces:

org.springframework.security.authentication.AuthenticationProvider

Direct Known Subclasses:

RemoteCrowdAuthenticationProvider

public abstract class CrowdAuthenticationProvider
extends Object
implements org.springframework.security.authentication.AuthenticationProvider

The CrowdAuthenticationProvider can be used in both SSO and non-SSO mode. When coupled with the CrowdSSOAuthenticationProcessingFilter, single-sign on is establish via the Crowd server and Crowd SSO tokens. When coupled with the Spring Security AuthenticationProcessingFilter, centralised authentication is established via the Crowd server.

Author:

Shihab Hamid

Constructor Summary

Constructors

Constructor and Description
CrowdAuthenticationProvider()

Method Summary

Modifier and Type	Method and Description
org.springframework.security.core.Authentication	authenticate(org.springframework.security.core.Authentication authentication) Performs authentication with the same contract as org.springframework.security.AuthenticationManager#authenticate(org.springframework.security.Authentication).
protected abstract String	authenticate(String username, String password, List<com.atlassian.crowd.model.authentication.ValidationFactor> validationFactors) Authenticate a remote user and return the Crowd SSO token string.
protected org.springframework.security.core.Authentication	authenticateCrowdSSO(CrowdSSOAuthenticationToken ssoToken) Attempts to authenticate based on an existing Crowd token and validation factors from a HttpServletRequest.
protected org.springframework.security.core.Authentication	authenticateUsernamePassword(org.springframework.security.authentication.UsernamePasswordAuthenticationToken passwordToken) Attempts to authenticate a login request based on username (principal), password (credentials), and (optional) ValidationFactor[]s (details).
protected abstract boolean	isAuthenticated(String token, List<com.atlassian.crowd.model.authentication.ValidationFactor> validationFactors) Determine if a remote user is authenticated via SSO based on the supplied SSO token string and validation factors.
protected abstract CrowdUserDetails	loadUserByToken(String token) Retrieve a user from Crowd by looking up the principal by their authenticated Crowd token.
protected abstract CrowdUserDetails	loadUserByUsername(String username) Retreive the user details for a user based on their username.
boolean	supports(org.springframework.security.authentication.AbstractAuthenticationToken authenticationToken)
boolean	supports(Class<?> authentication) Returns true if this AuthenticationProvider supports the indicated Authentication object.
protected org.springframework.security.core.AuthenticationException	translateException(Exception e) Converts Crowd-specific exceptions to Spring Security-friendly exceptions.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CrowdAuthenticationProvider

public CrowdAuthenticationProvider()

Method Detail

authenticate

public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication)
                                                              throws org.springframework.security.core.AuthenticationException

Performs authentication with the same contract as org.springframework.security.AuthenticationManager#authenticate(org.springframework.security.Authentication). This AuthenticationProvider supports UsernamePasswordAuthenticationTokens for login operations where a username, password and possiblyy validation factors (for SSO) are provided. It also supports CrowdSSOAuthenticationToken for authentication verification operations, where the SSO token and validation factors are provided for SSO authentication. See CrowdAuthenticationProvider.authenticateUsernamePassword() and CrowdAuthenticationProvider.authenticateCrowdSSO() for more specific information on the authentication process.

Specified by:

authenticate in interface org.springframework.security.authentication.AuthenticationProvider

Parameters:

authentication - the authentication request object.

Returns:

a fully authenticated object including credentials. May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object. In such a case, the next AuthenticationProvider that supports the presented Authentication class will be tried.

Throws:

org.springframework.security.AuthenticationException - if authentication fails.

org.springframework.security.core.AuthenticationException

authenticateUsernamePassword

protected org.springframework.security.core.Authentication authenticateUsernamePassword(org.springframework.security.authentication.UsernamePasswordAuthenticationToken passwordToken)
                                                                                 throws org.springframework.security.core.AuthenticationException

Attempts to authenticate a login request based on username (principal), password (credentials), and (optional) ValidationFactor[]s (details). The returned Authentication will be either: - a UsernamePasswordAuthenticationToken, if the request has no ValidationFactor[]s and hence is not SSO. The credentials will be the password. - a CrowdSSOAuthenticationToken, if the request does have ValidationFactor[]s. The credentials will be set to the SSO token string. The principal will be set to the UserDetails object corresponding to the username. The granted authorities will be UserDetails.getAuthorities().

Parameters:

passwordToken - authentication token containing the username, password and (optiona) ValidationFactor[]s.

Returns:

an authenticated Authentication token.

Throws:

org.springframework.security.core.AuthenticationException - if there was a problem authenticating the username/password combination.

isAuthenticated

protected abstract boolean isAuthenticated(String token,
                                           List<com.atlassian.crowd.model.authentication.ValidationFactor> validationFactors)
                                    throws OperationFailedException,
                                           InvalidAuthenticationException,
                                           ApplicationPermissionException

Determine if a remote user is authenticated via SSO based on the supplied SSO token string and validation factors.

Parameters:

token - Crowd SSO token.

validationFactors - validation factors.

Returns:

true iff the remote user is authenticated.

Throws:

OperationFailedException

InvalidAuthenticationException

ApplicationPermissionException

authenticate

protected abstract String authenticate(String username,
                                       String password,
                                       List<com.atlassian.crowd.model.authentication.ValidationFactor> validationFactors)
                                throws InactiveAccountException,
                                       ExpiredCredentialException,
                                       ApplicationPermissionException,
                                       InvalidAuthenticationException,
                                       OperationFailedException,
                                       ApplicationAccessDeniedException

Authenticate a remote user and return the Crowd SSO token string.

Parameters:

username - username of the remote user.

password - password of the remote user.

validationFactors - validation factors from the remote user.

Returns:

Crowd SSO token string

Throws:

InvalidAuthorizationTokenException - invalid application client.

InvalidAuthenticationException - invalid username/password.

InactiveAccountException

ExpiredCredentialException

ApplicationPermissionException

OperationFailedException

ApplicationAccessDeniedException

loadUserByUsername

protected abstract CrowdUserDetails loadUserByUsername(String username)
                                                throws org.springframework.security.core.userdetails.UsernameNotFoundException,
                                                       org.springframework.dao.DataAccessException

Retreive the user details for a user based on their username.

Parameters:

username - username of user.

Returns:

user details of user.

Throws:

org.springframework.security.core.userdetails.UsernameNotFoundException - user with supplied username does not exist.

org.springframework.dao.DataAccessException - error retrieving user.

loadUserByToken

protected abstract CrowdUserDetails loadUserByToken(String token)
                                             throws CrowdSSOTokenInvalidException,
                                                    org.springframework.dao.DataAccessException

Retrieve a user from Crowd by looking up the principal by their authenticated Crowd token.

Parameters:

token - Crowd SSO token string.

Returns:

CrowdUserDetails corresponding to the principal.

Throws:

CrowdSSOTokenInvalidException - if the provided token is invalid.

org.springframework.dao.DataAccessException - error retrieveing user.

authenticateCrowdSSO

protected org.springframework.security.core.Authentication authenticateCrowdSSO(CrowdSSOAuthenticationToken ssoToken)
                                                                         throws org.springframework.security.core.AuthenticationException

Attempts to authenticate based on an existing Crowd token and validation factors from a HttpServletRequest. The credentials of the ssoToken must be set to the String representation of the Crowd SSO token, the details must be set to the ValidationFactor[]s from the request. The returned authentication will be a CrowdSSOAuthenticationToken with the same SSO token string credential. The principal will be set to the UserDetails object corresponding to the username. The granted authorities will be UserDetails.getAuthorities().

Parameters:

ssoToken - ssoToken containing the token string credential and validation factors as details.

Returns:

an authenticated Authentication token.

Throws:

org.springframework.security.core.AuthenticationException - if there was a problem verifying the existing token is valid.

translateException

protected org.springframework.security.core.AuthenticationException translateException(Exception e)

Converts Crowd-specific exceptions to Spring Security-friendly exceptions.

Parameters:

e - Crowd-specific exception.

Returns:

Spring Security-friendly exception.

supports

public boolean supports(Class<?> authentication)

Returns true if this AuthenticationProvider supports the indicated Authentication object.

The CrowdAuthenticationProvider supports UsernamePasswordAuthenticationTokens and CrowdSSOAuthenticationTokens.

Specified by:

supports in interface org.springframework.security.authentication.AuthenticationProvider

supports

public boolean supports(org.springframework.security.authentication.AbstractAuthenticationToken authenticationToken)