com.atlassian.seraph.config

Class SecurityConfigImpl

java.lang.Object

com.atlassian.seraph.config.SecurityConfigImpl

All Implemented Interfaces:

SecurityConfig, Serializable

public class SecurityConfigImpl
extends Object
implements Serializable, SecurityConfig

The main implementation of Seraph's configuration - reads from seraph-config.xml.

This class is a Singleton, access it using SecurityConfigFactory.getInstance().

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_CONFIG_LOCATION

Fields inherited from interface com.atlassian.seraph.config.SecurityConfig

BASIC_AUTH, STORAGE_KEY

Constructor Summary

Constructors

Constructor and Description
SecurityConfigImpl(String configFileLocation)

Method Summary

Modifier and Type	Method and Description
void	addInterceptor(Interceptor interceptor) Do not use in production! Only used in tests, will be removed.
protected void	configureRedirectPolicy(Element rootEl)
void	destroy()
AuthenticationContext	getAuthenticationContext()
Authenticator	getAuthenticator()
String	getAuthType()
int	getAutoLoginCookieAge()
SecurityController	getController()
ElevatedSecurityGuard	getElevatedSecurityGuard()
<T extends Interceptor> List<T>	getInterceptors(Class<T> desiredInterceptorClass)
List<String>	getInvalidateSessionExcludeList() When sessions are invalidated upon login, sometimes there are session attributes that should be excluded from the new session.
List<String>	getInvalidateWebsudoSessionExcludeList() When sessions are invalidated upon websudo, sometimes there are session attributes that should be excluded from the new session.
String	getLinkLoginURL()
String	getLoginCookieKey() The name of the remember me cookie
String	getLoginCookiePath()
String	getLoginForwardPath() Returns the login forward path.
String	getLoginURL()
String	getLoginURL(boolean forUserRole, boolean forPageCaps)
String	getLogoutURL()
String	getOriginalURLKey()
RedirectPolicy	getRedirectPolicy() Returns the configured RedirectPolicy, or the default if none is configured.
RememberMeService	getRememberMeService()
RoleMapper	getRoleMapper()
List<SecurityService>	getServices()
String	getWebsudoRequestKey() The name of the websudo request
boolean	isInsecureCookie() returns true if the remember me cookie should never be set to secure
boolean	isInvalidateSessionOnLogin() Whether the session (and the JSESSIONID) should be thrown away and replaced on successful login to prevent session fixation.
boolean	isInvalidateSessionOnWebsudo() Whether the session (and the JSESSIONID) should be thrown away and replaced on successful websudo to prevent session fixation.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_CONFIG_LOCATION

public static final String DEFAULT_CONFIG_LOCATION

See Also:

Constant Field Values

Constructor Detail

SecurityConfigImpl

public SecurityConfigImpl(String configFileLocation)
                   throws ConfigurationException

Throws:

ConfigurationException

Method Detail

configureRedirectPolicy

protected void configureRedirectPolicy(Element rootEl)
                                throws ConfigurationException

Throws:

ConfigurationException

destroy

public void destroy()

Specified by:

destroy in interface SecurityConfig

addInterceptor

public void addInterceptor(Interceptor interceptor)

Do not use in production! Only used in tests, will be removed.

Parameters:

interceptor - the Interceptor to add

getServices

public List<SecurityService> getServices()

Specified by:

getServices in interface SecurityConfig

getLoginURL

public String getLoginURL()

Specified by:

getLoginURL in interface SecurityConfig

getLoginURL

public String getLoginURL(boolean forUserRole,
                          boolean forPageCaps)

Specified by:

getLoginURL in interface SecurityConfig

getLoginForwardPath

public String getLoginForwardPath()

Description copied from interface: SecurityConfig

Returns the login forward path. This is the path to forward to when the user tries to POST to a protected resource (rather than clicking on an explicit login link). Note that this is done using a servlet FORWARD, not a redirect. Information about the original request can be gotten from the javax.servlet.forward.* request attributes.

At this point you will probably want to save the user's POST params so he can log in again and retry the POST.

Defaults to null, in which case Seraph will just do a redirect instead of a FORWARD.

Specified by:

getLoginForwardPath in interface SecurityConfig

Returns:

a String containing the login forward path, or null

getLinkLoginURL

public String getLinkLoginURL()

Specified by:

getLinkLoginURL in interface SecurityConfig

getLogoutURL

public String getLogoutURL()

Specified by:

getLogoutURL in interface SecurityConfig

getOriginalURLKey

public String getOriginalURLKey()

Specified by:

getOriginalURLKey in interface SecurityConfig

getAuthenticator

public Authenticator getAuthenticator()

Specified by:

getAuthenticator in interface SecurityConfig

Returns:

the Authenticator in play

getAuthenticationContext

public AuthenticationContext getAuthenticationContext()

Specified by:

getAuthenticationContext in interface SecurityConfig

Returns:

the AuthenticationContext in play

getController

public SecurityController getController()

Specified by:

getController in interface SecurityConfig

Returns:

the SecurityController in play

getRoleMapper

public RoleMapper getRoleMapper()

Specified by:

getRoleMapper in interface SecurityConfig

Returns:

the RoleMapper in play

getRedirectPolicy

public RedirectPolicy getRedirectPolicy()

Description copied from interface: SecurityConfig

Returns the configured RedirectPolicy, or the default if none is configured. Will never return null.

Specified by:

getRedirectPolicy in interface SecurityConfig

Returns:

The configured RedirectPolicy, or the default if none is configured.

getInterceptors

public <T extends Interceptor> List<T> getInterceptors(Class<T> desiredInterceptorClass)

Specified by:

getInterceptors in interface SecurityConfig

getLoginCookiePath

public String getLoginCookiePath()

Specified by:

getLoginCookiePath in interface SecurityConfig

Returns:

the path that should be applied to the cookie

getLoginCookieKey

public String getLoginCookieKey()

Description copied from interface: SecurityConfig

The name of the remember me cookie

Specified by:

getLoginCookieKey in interface SecurityConfig

getWebsudoRequestKey

public String getWebsudoRequestKey()

Description copied from interface: SecurityConfig

The name of the websudo request

Specified by:

getWebsudoRequestKey in interface SecurityConfig

getAuthType

public String getAuthType()

Specified by:

getAuthType in interface SecurityConfig

isInsecureCookie

public boolean isInsecureCookie()

Description copied from interface: SecurityConfig

returns true if the remember me cookie should never be set to secure

Specified by:

isInsecureCookie in interface SecurityConfig

getAutoLoginCookieAge

public int getAutoLoginCookieAge()

Specified by:

getAutoLoginCookieAge in interface SecurityConfig

Returns:

the maximum age of the remember me cookie

getElevatedSecurityGuard

public ElevatedSecurityGuard getElevatedSecurityGuard()

Specified by:

getElevatedSecurityGuard in interface SecurityConfig

Returns:

the ElevatedSecurityGuard in play

getRememberMeService

public RememberMeService getRememberMeService()

Specified by:

getRememberMeService in interface SecurityConfig

Returns:

a NON NULL RememberMeService implementation

isInvalidateSessionOnLogin

public boolean isInvalidateSessionOnLogin()

Description copied from interface: SecurityConfig

Whether the session (and the JSESSIONID) should be thrown away and replaced on successful login to prevent session fixation.

Specified by:

isInvalidateSessionOnLogin in interface SecurityConfig

Returns:

true only if Seraph has been explicitly configured to turn on session invalidation on login.

isInvalidateSessionOnWebsudo

public boolean isInvalidateSessionOnWebsudo()

Description copied from interface: SecurityConfig

Whether the session (and the JSESSIONID) should be thrown away and replaced on successful websudo to prevent session fixation.

Specified by:

isInvalidateSessionOnWebsudo in interface SecurityConfig

Returns:

true only if Seraph has been explicitly configured to turn on session invalidation on login.

getInvalidateSessionExcludeList

public List<String> getInvalidateSessionExcludeList()

Description copied from interface: SecurityConfig

When sessions are invalidated upon login, sometimes there are session attributes that should be excluded from the new session. List any session attribute keys here that should be excluded from the new session after login.

Specified by:

getInvalidateSessionExcludeList in interface SecurityConfig

Returns:

a list of session attribute keys to be excluded from the newly invalidated session.

getInvalidateWebsudoSessionExcludeList

public List<String> getInvalidateWebsudoSessionExcludeList()

Description copied from interface: SecurityConfig

When sessions are invalidated upon websudo, sometimes there are session attributes that should be excluded from the new session. List any session attribute keys here that should be excluded from the new session after websudo.

Specified by:

getInvalidateWebsudoSessionExcludeList in interface SecurityConfig

Returns:

a list of session attribute keys to be excluded from the newly invalidated session.