com.uwyn.rife.authentication
Interface SessionValidator

All Known Implementing Classes:

AbstractSessionValidator, BasicSessionValidator, DatabaseSessionValidator

public interface SessionValidator

This interface defines the methods that classes with SessionValidator functionalities have to implement.

A SessionValidator is essentially a bridge between a CredentialsManager and a SessionManager. The validity of a session is often dependent on external attributes which define the context for a valid session that goes beyond a valid session id.

Typical uses can be:

• a user can become blocked during an active session,
• a user is a member of different groups (roles) and only has access to certain resources when being part of a particular group,
• a user needs to provide information at the first valid log-in, without providing this information the user can't access any of the resources in the application.

All these scenarios require additional information and additional processing that are often specific to each implementation of a CredentialsManager.

Since any CredentialsManager can be combined with any SessionManager, performance would often not be optimal.

For example, if the credentials and the session information are stored in the same database. Completely isolating all fuctionalities would cause more database queries to be executed than what's really needed. By implementing the combined functionality of verifying a valid authentication session in a bridge class that implements the SessionValidator interface, only one query can be used to provide the same results. Thus, dramatically increasing performance.

Since:

1.0

Version:

$Revision: 3643 $

Author:

Geert Bevin (gbevin[remove] at uwyn dot com)

See Also:

AbstractSessionValidator, SessionAttributes, CredentialsManager, SessionManager

Method Summary

CredentialsManager	getCredentialsManager() Retrieves the currently used CredentialsManager.
RememberManager	getRememberManager() Retrieves the currently used RememberManager.
SessionManager	getSessionManager() Retrieves the currently used SessionManager.
boolean	isAccessAuthorized(int id) Indicates if the provided validity identifier is considered as valid and that the access to the secured resource is thus authorized.
void	setCredentialsManager(CredentialsManager credentialsManager) Sets the CredentialsManager that will be used.
void	setRememberManager(RememberManager rememberManager) Sets the RememberManager that will be used.
void	setSessionManager(SessionManager sessionManager) Sets the SessionManager that will be used.
int	validateSession(String authId, String hostIp, SessionAttributes attributes) Validates an existing session according to a set of attributes that define the context in which this validation occurs.

Method Detail

validateSession

int validateSession(String authId,
                    String hostIp,
                    SessionAttributes attributes)
                    throws SessionValidatorException

Validates an existing session according to a set of attributes that define the context in which this validation occurs.

This method is typically executed for each access to a secured resource, performance is thus of critical importance.

The implementation of this method should be optimal for the combination of the used CredentialsManager and SessionManager. Specific code that combines the features of both managers should be written, instead of relying on the abstracted api of each manager. Paying attention to the implementation of this method can dramatically reduce the overhead of securing resources.

Parameters:

authId - The unique id of the authentication session that needs to be validated.

hostIp - The ip address of the host from which the user accesses the application.

attributes - Access to the attributes that define that context in which the session has to be validated.

Returns:

A number that indicates the validation state of the session. This allows the application to go beyond valid or invalid. Additional states like for example : blocked, initial login and disabled, can be used by using different numbers.

Throws:

SessionValidatorException - An undefined number of exceptional cases or error situations can occur when a session is validated. They are all indicated by throwing an instance of SessionValidatorException. It's up to the implementations of this interface to give more specific meanings to these exceptions.

Since:

1.0

isAccessAuthorized

boolean isAccessAuthorized(int id)

Indicates if the provided validity identifier is considered as valid and that the access to the secured resource is thus authorized.

Normally, specific business logic is only required for the situations in which access has prohibited. This method is used to make it possible to provide automatic access to the secured resource.

Parameters:

id - The numeric identifier that is returned by the validateSession method.

Returns:

true if access to the secured resource was authorized; or

false if access was prohibited.

Since:

1.0

setCredentialsManager

void setCredentialsManager(CredentialsManager credentialsManager)

Sets the CredentialsManager that will be used.

Parameters:

credentialsManager - The new CredentialsManager.

Since:

1.0

getCredentialsManager

CredentialsManager getCredentialsManager()

Retrieves the currently used CredentialsManager.

Returns:

The current CredentialsManager.

Since:

1.0

setSessionManager

void setSessionManager(SessionManager sessionManager)

Sets the SessionManager that will be used.

Parameters:

sessionManager - The new SessionManager.

Since:

1.0

getSessionManager

SessionManager getSessionManager()

Retrieves the currently used SessionManager.

Returns:

The current SessionManager.

Since:

1.0

setRememberManager

void setRememberManager(RememberManager rememberManager)

Sets the RememberManager that will be used.

Parameters:

rememberManager - The new RememberManager.

Since:

1.0

getRememberManager

RememberManager getRememberManager()

Retrieves the currently used RememberManager.

Returns:

The current RememberManager.

Since:

1.0