Credentials

Geert Bevin edited this page Mar 21, 2023 · 2 revisions

Authentication is very common in web applications and RIFE2 provides a solution that is both flexible and easy to adopt.

The authentication features are split up into two main categories:

  • managers that verify credentials and handle authentication sessions
  • elements that protect sections of your site by relying on these managers

Either of these can be configured, tweaked and customized to make the authentication features fit many custom scenarios.

Everything starts from the Credentials interface, which is essentially a marker interface that merely extends the Validated interface, meaning that credentials should be able to validate their own data elements using RIFE2's validation features. A CredentialsManager is then able to verify a particular type of credentials. It's expected that a concrete credentials manager only works with a particular credentials class.

Credentials are what is verified to authorize access. They are typically checked against stored user account information and submitted through an HTML form.

RoleUser credentials

RIFE2 implements the common login and password credentials in the RoleUser class. This optionally also supports a role so that certain sections of a site can only be accessible to certain roles, and a flag that indicates whether the authorization should be automatically remembered for auto-login.

The MemoryUsers and DatabaseUsers managers verify RoleUser credentials and manage the stored user account information.

Let's take a look at how you could use MemoryUsers in an application:

var users = new MemoryUsers()
    .addRole("admin")
    .addRole("editor")
    .addUser("testUser1", new RoleUserAttributes()
        .password("SHA:HN1CttNGdVN90QMCSJLYWCgNfCM=")) // testPassword1
    .addUser("testUser2", new RoleUserAttributes()
        .password("SHA:urlTD8iRgLJuY6il1vRTXDdhSIo=")  // testPassword2
        .roles("admin", "editor"))
    .setPasswordEncryptor(StringEncryptor.SHA);

This creates a new MemoryUsers instance, adds the admin and editor roles, and sets up two test users. The second user has both roles, while the first one has none.

Password encryption

You'll also notice that the passwords have been encrypted but the clear text versions have been added as comments for this example. Finally, a StringEncryptor has been set to encrypt any clear passwords that are added to the user manager.

RIFE2 knows that a string is already encrypted by checking if the prefix is one of the supported string encryption algorithms. You can manually encrypt any string by using the rife.tools.StringEncryptor on the command line.

For instance:

java -cp rife2-*.jar rife.tools.StringEncryptor SHA:testPassword2

Results in:

SHA:urlTD8iRgLJuY6il1vRTXDdhSIo=

Calling the same without arguments gives the instructions:

java -cp rife2-*.jar rife.tools.StringEncryptor
Usage : java rife.tools.StringEncryptor [-edc] string {encrypted}
Encrypts strings for usage with RIFE2.
  -e  encrypt a string (default)
  -d  decrypt a string if the algorithm support it
  -c  check the validity of the string against an encrypted version

You can find a list of supported encryption algorithms in the StringEncryptor documentation.

Only the OBF (obfuscation) encryption algorithm supports decryption. All the others (SHA, MD5, WRP, ...) are one-way algorithms: they can only be used to verify that a provided password matches the stored encrypted one, and the clear text version cannot be reconstituted once it has been encrypted.
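As an added example (not the project's own code), the manager from above is used to verify submitted RoleUser credentials, this time with one password given in clear text so the SHA encryptor hashes it on insertion, and the stored hash is then checked one-way. The package paths, the RoleUser constructors, verifyCredentials returning -1 on failure, and the static StringEncryptor.matches method are assumed from the RIFE2 API rather than taken from this page.

```java
import rife.authentication.credentials.RoleUser;                  // assumed package path
import rife.authentication.credentialsmanagers.MemoryUsers;       // assumed package path
import rife.authentication.credentialsmanagers.RoleUserAttributes;
import rife.tools.StringEncryptor;

public class CredentialsDemo {
    // Builds the manager; the encryptor is set first so that a clear-text
    // password added afterwards is hashed before it is stored.
    static MemoryUsers buildUsers() throws Exception {
        return new MemoryUsers()
            .setPasswordEncryptor(StringEncryptor.SHA)
            .addRole("admin")
            .addRole("editor")
            // already carries the "SHA:" prefix, so it is stored unchanged
            .addUser("testUser1", new RoleUserAttributes()
                .password("SHA:HN1CttNGdVN90QMCSJLYWCgNfCM="))
            // clear text: no known prefix, so the SHA encryptor hashes it
            .addUser("testUser2", new RoleUserAttributes()
                .password("testPassword2")
                .roles("admin", "editor"));
    }

    // Verifies a login/password pair, optionally requiring a role.
    // Assumed contract: the user id on success, -1 on failure.
    static boolean verify(MemoryUsers users, String login, String password, String role)
            throws Exception {
        var credentials = (role == null)
            ? new RoleUser(login, password)
            : new RoleUser(login, password, role);
        return users.verifyCredentials(credentials) >= 0;
    }

    public static void main(String[] args) throws Exception {
        var users = buildUsers();
        System.out.println("testUser1, right password:   " + verify(users, "testUser1", "testPassword1", null));
        System.out.println("testUser1, wrong password:   " + verify(users, "testUser1", "not-the-password", null));
        System.out.println("testUser2 as admin:          " + verify(users, "testUser2", "testPassword2", "admin"));
        System.out.println("testUser1 as admin (no role):" + verify(users, "testUser1", "testPassword1", "admin"));

        // One-way check against a stored hash: the clear text is hashed and
        // compared, the stored value is never decrypted (assumed static method).
        var stored = "SHA:urlTD8iRgLJuY6il1vRTXDdhSIo=";
        System.out.println("matches stored hash:         " + StringEncryptor.matches("testPassword2", stored));
        // A value that already carries a supported prefix is left as-is.
        System.out.println("autoEncrypt keeps prefix:    " + StringEncryptor.SHA.autoEncrypt(stored).equals(stored));
    }
}
```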


Next learn more about Authentication Sessions