Credentials
Authentication is very common in web applications and RIFE2 provides a solution that is both flexible and easy to adopt.
The authentication features are split up into two main categories:
- managers that verify credentials and handle authentication sessions
- elements that protect sections of your site by relying on these managers
Either of these can be configured, tweaked and customized to make the authentication features fit many custom scenarios.
Everything starts from the Credentials interface, which is essentially a marker interface that merely extends the Validated interface. This means that credentials should be able to validate their own data elements using RIFE2's validation features. A CredentialsManager is then able to verify a particular type of credentials. It's expected that a concrete credentials manager only works with a particular credentials class.
Credentials are what is verified to authorize access. They are typically checked against stored user account information and submitted through an HTML form.
RIFE2 implements the common login and password credentials in the RoleUser class. RoleUser optionally also carries a role, so that certain sections of a site can be made accessible only to users with certain roles, and a flag that indicates whether the authentication should be remembered for automatic login.
The MemoryUsers and DatabaseUsers managers verify RoleUser credentials and manage the stored user account information.
Let's take a look at how you could use MemoryUsers in an application:
    var users = new MemoryUsers()
        .addRole("admin")
        .addRole("editor")
        .addUser("testUser1", new RoleUserAttributes()
            .password("SHA:HN1CttNGdVN90QMCSJLYWCgNfCM=")) // testPassword1
        .addUser("testUser2", new RoleUserAttributes()
            .password("SHA:urlTD8iRgLJuY6il1vRTXDdhSIo=") // testPassword2
            .roles("admin", "editor"))
        .setPasswordEncryptor(StringEncryptor.SHA);
This creates a new MemoryUsers instance, adds the admin and editor roles, and sets up two test users. The second user has both roles, while the first one has none.
You'll also notice that the passwords have been stored in encrypted form; the clear text versions have been added as comments for this example. Finally, a StringEncryptor has been set so that any clear text passwords added to the user manager are encrypted before they are stored.
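The following is an added example that is not part of the RIFE2 documentation or code base. It rebuilds the user manager from the snippet above and then shows what a protected element relies on: verifying submitted RoleUser credentials against the stored accounts, with a wrong password, an unknown login and a missing role all being rejected. The package paths, the RoleUser constructors, the verifyCredentials return convention (user id on success, -1 on failure) and isUserInRole are assumptions about the RIFE2 API, not something the page states.

```java
import rife.authentication.credentials.RoleUser;
import rife.authentication.credentialsmanagers.MemoryUsers;
import rife.authentication.credentialsmanagers.RoleUserAttributes;
import rife.tools.StringEncryptor;

public class VerifyCredentialsExample {
    // Same accounts as the documentation snippet. The encryptor is set first here so that
    // the clear text password of the second user is encrypted when it is added.
    static MemoryUsers buildUsers() throws Exception {
        return new MemoryUsers()
            .setPasswordEncryptor(StringEncryptor.SHA)
            .addRole("admin")
            .addRole("editor")
            .addUser("testUser1", new RoleUserAttributes()
                .password("SHA:HN1CttNGdVN90QMCSJLYWCgNfCM="))   // testPassword1, stored pre-encrypted
            .addUser("testUser2", new RoleUserAttributes()
                .password("testPassword2")                        // clear text, encrypted on insertion
                .roles("admin", "editor"));
    }

    // Assumed API: verifyCredentials returns the user id (>= 0) when the credentials
    // are accepted and -1 otherwise. Callers should only ever branch on that sign.
    static boolean accepts(MemoryUsers users, RoleUser submitted) throws Exception {
        return users.verifyCredentials(submitted) >= 0;
    }

    public static void main(String[] args) throws Exception {
        var users = buildUsers();

        // Plain login/password checks (constructed sample credentials)
        System.out.println("testUser1 / testPassword1 -> " + accepts(users, new RoleUser("testUser1", "testPassword1"))); // true
        System.out.println("testUser2 / testPassword2 -> " + accepts(users, new RoleUser("testUser2", "testPassword2"))); // true
        System.out.println("testUser1 / wrong        -> " + accepts(users, new RoleUser("testUser1", "wrongPassword")));  // false
        System.out.println("nobody    / testPassword1 -> " + accepts(users, new RoleUser("nobody", "testPassword1")));    // false

        // Credentials that also name a role are only accepted when the account holds that role
        // (assumed: the three-argument RoleUser constructor is login, password, role)
        System.out.println("testUser2 as admin -> " + accepts(users, new RoleUser("testUser2", "testPassword2", "admin"))); // true
        System.out.println("testUser1 as admin -> " + accepts(users, new RoleUser("testUser1", "testPassword1", "admin"))); // false

        // The manager can also answer role questions for an already verified user id (assumed API)
        long id2 = users.verifyCredentials(new RoleUser("testUser2", "testPassword2"));
        System.out.println("testUser2 in editor role -> " + users.isUserInRole(id2, "editor")); // true
    }
}
```

Note that both users end up with SHA-encrypted passwords even though only the first one was added pre-encrypted: the password encryptor is applied to clear text on insertion, and a value that already carries a supported algorithm prefix is stored as-is.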
RIFE2 knows that a string is already encrypted by checking whether its prefix is one of the supported string encryption algorithms. You can manually encrypt any string by using rife.tools.StringEncryptor on the command line. For instance:
    java -cp rife2-*.jar rife.tools.StringEncryptor SHA:testPassword2
Results in:
    SHA:urlTD8iRgLJuY6il1vRTXDdhSIo=
Calling the same without arguments gives the instructions:
    java -cp rife2-*.jar rife.tools.StringEncryptor
    Usage : java rife.tools.StringEncryptor [-edc] string {encrypted}
    Encrypts strings for usage with RIFE2.
    -e  encrypt a string (default)
    -d  decrypt a string if the algorithm support it
    -c  check the validity of the string against an encrypted version
You can find a list of supported encryption algorithms in the StringEncryptor documentation.
Only the OBF (obfuscation) algorithm supports decryption. All the others (SHA, MD5, WRP, ...) are one-way algorithms: they can only be used to verify that a provided password matches the stored encrypted one, and the clear text version cannot be reconstituted once it has been encrypted.
Next, learn more about Authentication Sessions.
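As an added example (not part of the RIFE2 documentation or code base), this shows the same checks the command line tool performs, done from application code: encrypting a clear text value with a prefixed algorithm, comparing a submitted password against a stored encrypted value, and the difference between the reversible OBF algorithm and the one-way ones. The instance methods encrypt and decrypt, the static matches helper and the NoSuchAlgorithmException they throw are assumptions about the StringEncryptor API; the stored SHA value is the one the page shows for testPassword2.

```java
import java.security.NoSuchAlgorithmException;
import rife.tools.StringEncryptor;

public class StringEncryptorExample {
    // Stored, already-encrypted value from the documentation (SHA of "testPassword2")
    static final String STORED_SHA = "SHA:urlTD8iRgLJuY6il1vRTXDdhSIo=";

    // Assumed API: StringEncryptor.matches reads the algorithm from the prefix of the
    // stored value, encrypts the submitted clear text the same way and compares the results,
    // so the clear text never has to be recovered.
    static boolean passwordMatches(String submitted, String stored) throws NoSuchAlgorithmException {
        return StringEncryptor.matches(submitted, stored);
    }

    // Assumed API: decrypt recovers the clear text for reversible algorithms only.
    // Returns null when the algorithm is one-way, so callers can't mistake "unsupported" for a value.
    static String tryDecrypt(StringEncryptor algorithm, String encrypted) {
        try {
            return algorithm.decrypt(encrypted);
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Unsalted SHA is deterministic, so encrypting the clear text reproduces the stored value
        String fresh = StringEncryptor.SHA.encrypt("testPassword2");
        System.out.println("SHA.encrypt reproduces stored value -> " + fresh.equals(STORED_SHA)); // true

        // Verification against the stored value, right and wrong password (constructed inputs)
        System.out.println("testPassword2 matches -> " + passwordMatches("testPassword2", STORED_SHA)); // true
        System.out.println("testPassword1 matches -> " + passwordMatches("testPassword1", STORED_SHA)); // false

        // OBF is reversible; SHA is one-way and yields no clear text
        String obfuscated = StringEncryptor.OBF.encrypt("testPassword2");
        System.out.println("OBF round trip -> " + "testPassword2".equals(tryDecrypt(StringEncryptor.OBF, obfuscated))); // true
        System.out.println("SHA decrypt    -> " + tryDecrypt(StringEncryptor.SHA, STORED_SHA));                           // null
    }
}
```

Because the prefix selects the algorithm, a stored value such as SHA:... can be checked without the application having to know which encryptor was configured when the account was created; that is also why the user managers can mix pre-encrypted and clear text passwords in the same store.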