Class FessLoginAssist
- All Implemented Interfaces:
org.lastaflute.web.login.LoginManager,org.lastaflute.web.login.PrimaryLoginManager
public class FessLoginAssist
extends org.lastaflute.web.login.TypicalLoginAssist<String,org.codelibs.fess.mylasta.action.FessUserBean,FessUser>
implements org.lastaflute.web.login.PrimaryLoginManager
The assist for login handling in the Fess application.
This class extends TypicalLoginAssist to provide Fess-specific login functionality
including user authentication, permission checking, and login history management.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classA resolver for login credentials that wraps the standard credential resolver to provide SSO authentication support.Nested classes/interfaces inherited from class org.lastaflute.web.login.TypicalLoginAssist
org.lastaflute.web.login.TypicalLoginAssist.CredentialChecker, org.lastaflute.web.login.TypicalLoginAssist.CredentialDeterminer<CREDENTIAL extends org.lastaflute.web.login.credential.LoginCredential,USER_ENTITY>, org.lastaflute.web.login.TypicalLoginAssist.CredentialEntityFinder<CREDENTIAL extends org.lastaflute.web.login.credential.LoginCredential, USER_ENTITY>, org.lastaflute.web.login.TypicalLoginAssist.CredentialResolver, org.lastaflute.web.login.TypicalLoginAssist.RememberMeCookieAgent -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voidcheckCredential(org.lastaflute.web.login.TypicalLoginAssist<String, org.codelibs.fess.mylasta.action.FessUserBean, FessUser>.org.lastaflute.web.login.TypicalLoginAssist.CredentialChecker checker) Checks the credential using the provided credential checker.protected voidcheckPermission(org.lastaflute.web.login.LoginHandlingResource resource) Checks if the current user has permission to access the given resource.booleancheckUserLoginable(org.lastaflute.web.login.credential.LoginCredential credential) Checks if a user can login with the given credential.protected org.codelibs.fess.mylasta.action.FessUserBeancreateUserBean(FessUser user) Creates a user bean from the given user entity.protected org.dbflute.optional.OptionalEntity<FessUser> doAuthenticateLocal(String username, String plainPassword) Authenticates a local user by username and plaintext password using thePasswordHashHelper(BCrypt with legacy hex-digest fallback) and performs best-effort lazy re-hashing for credentials stored in an older format.protected org.dbflute.optional.OptionalEntity<FessUser> doFindLoginUser(String username) Finds a login user by username.protected org.dbflute.optional.OptionalEntity<FessUser> doFindLoginUser(String username, String cipheredPassword) Deprecated.encryptPassword(String plainText) Overrides the default cipher-based encryption to delegate toPasswordHashHelper.encode(java.lang.String).protected org.dbflute.optional.OptionalThing<String> Gets the cookie remember-me key for persistent login.protected Class<?> Gets the login action type class.protected Class<org.codelibs.fess.mylasta.action.FessUserBean> Gets the user bean type class.protected voidinsertLogin(Object member) Inserts a login record for the given member.protected voidlazyUpgradePassword(String username, String plainPassword, String currentStored, PasswordHashHelper passwordHashHelper) Best-effort upgrade of a legacy or obsolete-cost password hash to the currently configured algorithm/parameters.protected voidresolveCredential(org.lastaflute.web.login.TypicalLoginAssist<String, org.codelibs.fess.mylasta.action.FessUserBean, FessUser>.org.lastaflute.web.login.TypicalLoginAssist.CredentialResolver resolver) Resolves login credentials using various authentication methods.protected voidsaveLoginHistory(FessUser user, org.codelibs.fess.mylasta.action.FessUserBean userBean, org.lastaflute.web.login.option.LoginSpecifiedOption option) Saves the login history for the given user.protected StringtoTypedUserId(String userKey) Converts a user key to a typed user ID.Methods inherited from class org.lastaflute.web.login.TypicalLoginAssist
adjustRegisteredRememberMeCookie, asLoginRequired, asNonLoginRequired, assertGivenEntityRequired, assertLoginAccountRequired, assertLoginPasswordRequired, assertUserEntityRequired, assertUserIdRequired, buildRememberMeCookieValue, checkLoginRequired, clearLoginRedirectBean, convertCookieUserKeyToUserId, createLoginOption, createLoginRedirectBean, createRememberMeKey, createRememberMeLoginOption, delegateRememberMe, doDelegateRememberMe, doLogin, doLoginByGivenEntity, doLoginByIdentity, doRememberMe, doSaveRememberMeCookie, doTryAlreadyLogin, doTryRememberMe, findLoginSessionSyncCheckUser, findLoginUser, findLoginUser, findRememberMeCookie, formatForRememberMeExpireDate, generateLoginRedirectBeanKey, getAllowAnyoneAccessAnnotationType, getLoginRedirectBean, getLoginRedirectBeanType, getLoginSessionSyncCheckInterval, getRedirectLoginActionType, getRememberMeAccessTokenExpireDays, getRememberMeCookieAgent, getRememberMeDelimiter, getSavedUserBean, getSaveKeyUserBeanType, getSessionUserBean, getUserBeanKey, givenLogin, handleLoginFailure, handleLoginSessionSyncCheckSuccess, handleLoginSuccess, handleRememberMeCookie, handleRememberMeInvalidCookie, handleUnknownLoginCredential, hasAnnotation, hasAnnotationOnClass, hasAnnotationOnMethod, identityLogin, inheritUserBeanAdditionalInfo, isExplicitAllowAnyoneAccessAction, isImplicitEverybodyOpenAction, isLoginAction, isLoginActionOrRedirectLoginAction, isLoginRedirectBeanKeptAction, isLoginRequiredAction, isRedirectLoginAction, isSilentlyWhenRememberMe, isSuppressLogoutInvalidate, isSuppressRememberMeOfNonLoginRequired, isUpdateTokenWhenRememberMe, isValidRememberMeCookie, login, loginRedirect, logout, needsLoginSessionSyncCheck, needsSavingRequestedLoginRedirect, newLoginFailureException, processOnBrightLogin, processOnSilentLogin, redirectToLoginAction, regenerateSessionId, registerRememberMeCookie, rememberMe, removeRememberMeCookie, reselectSessionUserBeanIfExists, saveLoginInfoToSession, saveRememberMeKeyToCookie, saveRequestedLoginRedirectInfo, switchToRequestedActionIfExists, syncCheckLoginSessionIfNeeds, throwLoginRequiredException, tryAlreadyLoginOrRememberMeMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.lastaflute.web.login.LoginManager
checkLoginRequired, clearLoginRedirectBean, findLoginUser, findLoginUser, getLoginRedirectBean, getSavedUserBean, getSaveKeyUserBeanType, getSessionUserBean, givenLogin, identityLogin, isLoginAction, isLoginRequiredAction, login, loginRedirect, logout, redirectToLoginAction, rememberMe, reselectSessionUserBeanIfExists, saveRequestedLoginRedirectInfo, switchToRequestedActionIfExists
-
Constructor Details
-
FessLoginAssist
public FessLoginAssist()Default constructor.
-
-
Method Details
-
checkUserLoginable
public boolean checkUserLoginable(org.lastaflute.web.login.credential.LoginCredential credential) Checks if a user can login with the given credential. This method is not supported in the Fess implementation.- Specified by:
checkUserLoginablein interfaceorg.lastaflute.web.login.LoginManager- Overrides:
checkUserLoginablein classorg.lastaflute.web.login.TypicalLoginAssist<String,org.codelibs.fess.mylasta.action.FessUserBean, FessUser> - Parameters:
credential- the login credential to check- Returns:
- true if the user can login, false otherwise
- Throws:
UnsupportedOperationException- always thrown as this method is not supported
-
checkCredential
protected void checkCredential(org.lastaflute.web.login.TypicalLoginAssist<String, org.codelibs.fess.mylasta.action.FessUserBean, FessUser>.org.lastaflute.web.login.TypicalLoginAssist.CredentialChecker checker) Checks the credential using the provided credential checker. This method is not supported in the Fess implementation.- Specified by:
checkCredentialin classorg.lastaflute.web.login.TypicalLoginAssist<String,org.codelibs.fess.mylasta.action.FessUserBean, FessUser> - Parameters:
checker- the credential checker to use- Throws:
UnsupportedOperationException- always thrown as this method is not supported
-
doFindLoginUser
Finds a login user by username. -
createUserBean
Creates a user bean from the given user entity. -
getCookieRememberMeKey
Gets the cookie remember-me key for persistent login. Currently returns empty as remember-me functionality is not enabled. -
saveLoginHistory
protected void saveLoginHistory(FessUser user, org.codelibs.fess.mylasta.action.FessUserBean userBean, org.lastaflute.web.login.option.LoginSpecifiedOption option) Saves the login history for the given user. This operation is performed asynchronously. -
insertLogin
Inserts a login record for the given member. Currently this method does nothing.- Parameters:
member- the member to insert a login record for
-
checkPermission
protected void checkPermission(org.lastaflute.web.login.LoginHandlingResource resource) throws org.lastaflute.web.login.exception.LoginRequiredException Checks if the current user has permission to access the given resource. For admin actions, verifies that the user has appropriate admin roles or meets the secured annotation requirements.- Overrides:
checkPermissionin classorg.lastaflute.web.login.TypicalLoginAssist<String,org.codelibs.fess.mylasta.action.FessUserBean, FessUser> - Parameters:
resource- the login handling resource to check permission for- Throws:
org.lastaflute.web.login.exception.LoginRequiredException- if login is requiredUserRoleLoginException- if the user doesn't have required roles
-
getUserBeanType
Gets the user bean type class. -
getLoginActionType
Gets the login action type class. -
toTypedUserId
Converts a user key to a typed user ID. In this implementation, returns the user key as-is. -
resolveCredential
protected void resolveCredential(org.lastaflute.web.login.TypicalLoginAssist<String, org.codelibs.fess.mylasta.action.FessUserBean, FessUser>.org.lastaflute.web.login.TypicalLoginAssist.CredentialResolver resolver) Resolves login credentials using various authentication methods. This method handles local user authentication, LDAP authentication, and SSO authentication through configured authenticators. -
doAuthenticateLocal
protected org.dbflute.optional.OptionalEntity<FessUser> doAuthenticateLocal(String username, String plainPassword) Authenticates a local user by username and plaintext password using thePasswordHashHelper(BCrypt with legacy hex-digest fallback) and performs best-effort lazy re-hashing for credentials stored in an older format.Timing-attack countermeasure: every failure path must pay approximately one BCrypt verification worth of CPU, regardless of whether the user exists and regardless of the stored hash format. When
PasswordHashHelper.matches(java.lang.String, java.lang.String)already consumed a BCrypt cost (stored value carries a{bcrypt}prefix), no additional padding is applied — otherwise the failure branch would pay two BCrypt costs and become distinguishable from unknown-user failures.- Parameters:
username- the login name to look upplainPassword- the raw, user-supplied password- Returns:
- an optional entity containing the found user on success, or empty otherwise
-
lazyUpgradePassword
protected void lazyUpgradePassword(String username, String plainPassword, String currentStored, PasswordHashHelper passwordHashHelper) Best-effort upgrade of a legacy or obsolete-cost password hash to the currently configured algorithm/parameters. A failure here never fails the login and never propagates an exception to the caller.Logs only the username (never the plaintext or hash values).
- Parameters:
username- the user whose stored hash is being upgradedplainPassword- the plaintext password (already verified to match)currentStored- the currently stored hash valuepasswordHashHelper- the password manager to use
-
encryptPassword
Overrides the default cipher-based encryption to delegate toPasswordHashHelper.encode(java.lang.String). This override exists solely so that any internal LastaFlute login path that still callsencryptPasswordproduces a hash in the new{bcrypt}$2a$...format. All Fess write paths (user creation, password change, initial admin bootstrap) callPasswordHashHelper.encode(String)directly viaComponentUtil.getPasswordHashHelper(); do not add new callers of this method from outside the login framework.- Specified by:
encryptPasswordin interfaceorg.lastaflute.web.login.LoginManager- Overrides:
encryptPasswordin classorg.lastaflute.web.login.TypicalLoginAssist<String,org.codelibs.fess.mylasta.action.FessUserBean, FessUser> - Parameters:
plainText- the plaintext password- Returns:
- the encoded (hashed) password with prefix
-
doFindLoginUser
@Deprecated protected org.dbflute.optional.OptionalEntity<FessUser> doFindLoginUser(String username, String cipheredPassword) Deprecated.UsedoAuthenticateLocal(String, String)with the plaintext password. BCrypt uses per-record salts, so an exact-match DB lookup on a hashed value is no longer meaningful. Retained for any subclass or legacy caller.Finds a login user by username and encrypted password.- Parameters:
username- the username to search forcipheredPassword- ignored; retained only for source-level backward compatibility. Local authentication now goes throughdoAuthenticateLocal(String, String).- Returns:
- an optional entity containing the found user when the stored password exactly matches the supplied ciphered value, otherwise empty
-
doAuthenticateLocal(String, String)with the plaintext password.