Package rife.authentication

Interface SessionValidator<C extends CredentialsManager,S extends SessionManager,R extends RememberManager>

All Known Implementing Classes:

AbstractSessionValidator, BasicSessionValidator, DatabaseSessionValidator, MemorySessionValidator

public interface SessionValidator<C extends CredentialsManager,S extends SessionManager,R extends RememberManager>

This interface defines the methods that classes with SessionValidator functionalities have to implement.

A SessionValidator is essentially a bridge between a CredentialsManager and a SessionManager. The validity of a session is often dependent on external attributes which define the context for a valid session that goes beyond a valid session id.

Typical uses can be:

• a user can become blocked during an active session,
• a user is a member of different groups (roles) and only has access to certain resources when being part of a particular group,
• a user needs to provide information at the first valid log-in, without providing this information the user can't access any of the resources in the application.

All these scenarios require additional information and additional processing that are often specific to each implementation of a CredentialsManager.

Since any CredentialsManager can be combined with any SessionManager, performance would often not be optimal.

For example, if the credentials and the session information are stored in the same database. Completely isolating all functionalities would cause more database queries to be executed than what's really needed. By implementing the combined functionality of verifying a valid authentication session in a bridge class that implements the SessionValidator interface, only one query can be used to provide the same results. Thus, dramatically increasing performance.

Since:

1.0

See Also:

• AbstractSessionValidator
• SessionAttributes
• CredentialsManager
• SessionManager

Method Summary

Modifier and Type	Method	Description
C	getCredentialsManager()	Retrieves the currently used CredentialsManager.
R	getRememberManager()	Retrieves the currently used RememberManager.
S	getSessionManager()	Retrieves the currently used SessionManager.
boolean	isAccessAuthorized(int id)	Indicates if the provided validity identifier is considered as valid and that the access to the secured resource is thus authorized.
void	setCredentialsManager(C credentialsManager)	Sets the CredentialsManager that will be used.
void	setRememberManager(R rememberManager)	Sets the RememberManager that will be used.
void	setSessionManager(S sessionManager)	Sets the SessionManager that will be used.
int	validateSession(String authId, String authData, SessionAttributes attributes)	Validates an existing session according to a set of attributes that define the context in which this validation occurs.

Method Details

validateSession

int validateSession(String authId,
 String authData,
 SessionAttributes attributes)
             throws SessionValidatorException

Validates an existing session according to a set of attributes that define the context in which this validation occurs.

This method is typically executed for each access to a secured resource, performance is thus of critical importance.

The implementation of this method should be optimal for the combination of the used CredentialsManager and SessionManager. Specific code that combines the features of both managers should be written, instead of relying on the abstracted api of each manager. Paying attention to the implementation of this method can dramatically reduce the overhead of securing resources.

Parameters:

authId - The unique id of the authentication session that needs to be validated.

authData - Data that was associated with the session

attributes - Access to the attributes that define that context in which the session has to be validated.

Returns:

A number that indicates the validation state of the session. This allows the application to go beyond valid or invalid. Additional states like for example : blocked, initial login and disabled, can be used by using different numbers.

Throws:

SessionValidatorException - An undefined number of exceptional cases or error situations can occur when a session is validated. They are all indicated by throwing an instance of SessionValidatorException. It's up to the implementations of this interface to give more specific meanings to these exceptions.

Since:

1.0

isAccessAuthorized

boolean isAccessAuthorized(int id)

Indicates if the provided validity identifier is considered as valid and that the access to the secured resource is thus authorized.

Normally, specific business logic is only required for the situations in which access was prohibited. This method is used to make it possible to provide automatic access to the secured resource.

Parameters:

id - The numeric identifier that is returned by the validateSession method.

Returns:

true if access to the secured resource was authorized; or

false if access was prohibited.

Since:

1.0

setCredentialsManager

void setCredentialsManager(C credentialsManager)

Sets the CredentialsManager that will be used.

Parameters:

credentialsManager - The new CredentialsManager.

Since:

1.0

getCredentialsManager

C getCredentialsManager()

Retrieves the currently used CredentialsManager.

Returns:

The current CredentialsManager.

Since:

1.0

setSessionManager

void setSessionManager(S sessionManager)

Sets the SessionManager that will be used.

Parameters:

sessionManager - The new SessionManager.

Since:

1.0

getSessionManager

S getSessionManager()

Retrieves the currently used SessionManager.

Returns:

The current SessionManager.

Since:

1.0

setRememberManager

void setRememberManager(R rememberManager)

Sets the RememberManager that will be used.

Parameters:

rememberManager - The new RememberManager.

Since:

1.0

getRememberManager

R getRememberManager()

Retrieves the currently used RememberManager.

Returns:

The current RememberManager.

Since:

1.0