diff --git a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
index 288ce23910..a863be2387 100644
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@@ -22,6 +22,7 @@ import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.DisabledException;
import net.sf.acegisecurity.providers.AuthenticationProvider;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
+import net.sf.acegisecurity.providers.dao.cache.NullUserCache;
import net.sf.acegisecurity.providers.dao.event.AuthenticationFailureDisabledEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationFailurePasswordEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent;
@@ -36,32 +37,26 @@ import org.springframework.context.ApplicationContextAware;
import org.springframework.dao.DataAccessException;
-import java.util.Date;
-
/**
* An {@link AuthenticationProvider} implementation that retrieves user details
* from an {@link AuthenticationDao}.
*
*
- * This AuthenticationProvider is capable of validating {@link
+ * This AuthenticationProvider is capable of validating {@link
* UsernamePasswordAuthenticationToken} requests contain the correct username,
* password and the user is not disabled.
*
*
*
- * Upon successful validation, a DaoAuthenticationToken will be
- * created and returned to the caller. This token will be signed with the key
- * configured by {@link #getKey()} and expire {@link
- * #getRefreshTokenInterval()} milliseconds into the future. The token will be
- * assumed to remain valid whilstever it has not expired, and no requests of
- * the AuthenticationProvider will need to be made. Once the
- * token has expired, the relevant AuthenticationProvider will be
- * called again to provide an updated enabled/disabled status, and list of
- * granted authorities. It should be noted the credentials will not be
- * revalidated, as the user presented correct credentials in the originial
- * UsernamePasswordAuthenticationToken. This avoids complications
- * if the user changes their password during the session.
+ * Upon successful validation, a
+ * UsernamePasswordAuthenticationToken will be created and
+ * returned to the caller. In addition, the {@link User} will be placed in the
+ * {@link UserCache} so that subsequent requests with the same username can be
+ * validated without needing to query the {@link AuthenticationDao}. It should
+ * be noted that if a user appears to present an incorrect password, the
+ * {@link AuthenticationDao} will be queried to confirm the most up-to-date
+ * password was used for comparison.
*
*
*
@@ -83,8 +78,7 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
private AuthenticationDao authenticationDao;
private PasswordEncoder passwordEncoder = new PlaintextPasswordEncoder();
private SaltSource saltSource;
- private String key;
- private long refreshTokenInterval = 60000; // 60 seconds
+ private UserCache userCache = new NullUserCache();
//~ Methods ================================================================
@@ -101,14 +95,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
return authenticationDao;
}
- public void setKey(String key) {
- this.key = key;
- }
-
- public String getKey() {
- return key;
- }
-
/**
* Sets the PasswordEncoder instance to be used to encode and validate
* passwords. If not set, {@link PlaintextPasswordEncoder} will be used by
@@ -124,22 +110,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
return passwordEncoder;
}
- public void setRefreshTokenInterval(long refreshTokenInterval) {
- this.refreshTokenInterval = refreshTokenInterval;
- }
-
- /**
- * Indicates the number of seconds a created
- * DaoAuthenticationToken will remain valid for. Whilstever
- * the token is valid, the DaoAuthenticationProvider will
- * only check it presents the expected key hash code.
- *
- * @return Returns the refreshTokenInterval.
- */
- public long getRefreshTokenInterval() {
- return refreshTokenInterval;
- }
-
/**
* The source of salts to use when decoding passwords. null
* is a valid value, meaning the DaoAuthenticationProvider
@@ -157,46 +127,36 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
return saltSource;
}
+ public void setUserCache(UserCache userCache) {
+ this.userCache = userCache;
+ }
+
+ public UserCache getUserCache() {
+ return userCache;
+ }
+
public void afterPropertiesSet() throws Exception {
if (this.authenticationDao == null) {
throw new IllegalArgumentException(
"An Authentication DAO must be set");
}
- if ((this.key == null) || "".equals(key)) {
- throw new IllegalArgumentException("A key must be set");
+ if (this.userCache == null) {
+ throw new IllegalArgumentException("A user cache must be set");
}
}
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
- // If an existing DaoAuthenticationToken, check we created it and it hasn't expired
- if (authentication instanceof DaoAuthenticationToken) {
- if (this.key.hashCode() == ((DaoAuthenticationToken) authentication)
- .getKeyHash()) {
- if (((DaoAuthenticationToken) authentication).getExpires()
- .after(new Date())) {
- return authentication;
- }
- } else {
- throw new BadCredentialsException(
- "The presented DaoAuthenticationToken does not contain the expected key");
- }
+ boolean cacheWasUsed = true;
+ User user = this.userCache.getUserFromCache(authentication.getPrincipal()
+ .toString());
+
+ if (user == null) {
+ cacheWasUsed = false;
+ user = getUserFromBackend(authentication);
}
- // We need to authenticate or refresh the token
- User user = null;
-
- try {
- user = this.authenticationDao.loadUserByUsername(authentication.getPrincipal()
- .toString());
- } catch (UsernameNotFoundException notFound) {
- throw new BadCredentialsException("Bad credentials presented");
- } catch (DataAccessException repositoryProblem) {
- throw new AuthenticationServiceException(repositoryProblem
- .getMessage(), repositoryProblem);
- }
-
if (!user.isEnabled()) {
if (this.ctx != null) {
ctx.publishEvent(new AuthenticationFailureDisabledEvent(
@@ -206,16 +166,14 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
throw new DisabledException("User is disabled");
}
- if (!(authentication instanceof DaoAuthenticationToken)) {
- // Must validate credentials, as this is not simply a token refresh
- Object salt = null;
-
- if (this.saltSource != null) {
- salt = this.saltSource.getSalt(user);
+ if (!isPasswordCorrect(authentication, user)) {
+ // Password incorrect, so ensure we're using most current password
+ if (cacheWasUsed) {
+ cacheWasUsed = false;
+ user = getUserFromBackend(authentication);
}
- if (!passwordEncoder.isPasswordValid(user.getPassword(),
- authentication.getCredentials().toString(), salt)) {
+ if (!isPasswordCorrect(authentication, user)) {
if (this.ctx != null) {
ctx.publishEvent(new AuthenticationFailurePasswordEvent(
authentication, user));
@@ -225,24 +183,50 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
}
}
- Date expiry = new Date(new Date().getTime()
- + this.getRefreshTokenInterval());
+ if (!cacheWasUsed) {
+ // Put into cache
+ this.userCache.putUserInCache(user);
- if (this.ctx != null) {
- ctx.publishEvent(new AuthenticationSuccessEvent(authentication, user));
+ // As this appears to be an initial login, publish the event
+ if (this.ctx != null) {
+ ctx.publishEvent(new AuthenticationSuccessEvent(
+ authentication, user));
+ }
}
- return new DaoAuthenticationToken(this.getKey(), expiry,
- user.getUsername(), user.getPassword(), user.getAuthorities());
+ return new UsernamePasswordAuthenticationToken(user.getUsername(),
+ user.getPassword(), user.getAuthorities());
}
public boolean supports(Class authentication) {
if (UsernamePasswordAuthenticationToken.class.isAssignableFrom(
- authentication)
- || (DaoAuthenticationToken.class.isAssignableFrom(authentication))) {
+ authentication)) {
return true;
} else {
return false;
}
}
+
+ private boolean isPasswordCorrect(Authentication authentication, User user) {
+ Object salt = null;
+
+ if (this.saltSource != null) {
+ salt = this.saltSource.getSalt(user);
+ }
+
+ return passwordEncoder.isPasswordValid(user.getPassword(),
+ authentication.getCredentials().toString(), salt);
+ }
+
+ private User getUserFromBackend(Authentication authentication) {
+ try {
+ return this.authenticationDao.loadUserByUsername(authentication.getPrincipal()
+ .toString());
+ } catch (UsernameNotFoundException notFound) {
+ throw new BadCredentialsException("Bad credentials presented");
+ } catch (DataAccessException repositoryProblem) {
+ throw new AuthenticationServiceException(repositoryProblem
+ .getMessage(), repositoryProblem);
+ }
+ }
}
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationToken.java b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationToken.java
deleted file mode 100644
index b9cbc4ec54..0000000000
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationToken.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/* Copyright 2004 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package net.sf.acegisecurity.providers.dao;
-
-import net.sf.acegisecurity.GrantedAuthority;
-import net.sf.acegisecurity.providers.AbstractAuthenticationToken;
-
-import java.io.Serializable;
-
-import java.util.Date;
-
-
-/**
- * Represents a successful DAO-based Authentication.
- *
- * @author Ben Alex
- * @version $Id$
- */
-public class DaoAuthenticationToken extends AbstractAuthenticationToken
- implements Serializable {
- //~ Instance fields ========================================================
-
- private Date expires;
- private Object credentials;
- private Object principal;
- private GrantedAuthority[] authorities;
- private int keyHash;
-
- //~ Constructors ===========================================================
-
- /**
- * Constructor.
- *
- * @param key to identify if this object made by a given {@link
- * DaoAuthenticationProvider}
- * @param expires when the token is due to expire
- * @param principal the username from the {@link User} object
- * @param credentials the password from the {@link User} object
- * @param authorities the authorities granted to the user, from the {@link
- * User} object
- *
- * @throws IllegalArgumentException if a null was passed
- */
- public DaoAuthenticationToken(String key, Date expires, Object principal,
- Object credentials, GrantedAuthority[] authorities) {
- if ((key == null) || ("".equals(key)) || (expires == null)
- || (principal == null) || "".equals(principal)
- || (credentials == null) || "".equals(credentials)
- || (authorities == null)) {
- throw new IllegalArgumentException(
- "Cannot pass null or empty values to constructor");
- }
-
- for (int i = 0; i < authorities.length; i++) {
- if (authorities[i] == null) {
- throw new IllegalArgumentException("Granted authority element "
- + i
- + " is null - GrantedAuthority[] cannot contain any null elements");
- }
- }
-
- this.keyHash = key.hashCode();
- this.expires = expires;
- this.principal = principal;
- this.credentials = credentials;
- this.authorities = authorities;
- }
-
- protected DaoAuthenticationToken() {
- throw new IllegalArgumentException("Cannot use default constructor");
- }
-
- //~ Methods ================================================================
-
- /**
- * Ignored (always true).
- *
- * @param isAuthenticated ignored
- */
- public void setAuthenticated(boolean isAuthenticated) {
- // ignored
- }
-
- /**
- * Always returns true.
- *
- * @return true
- */
- public boolean isAuthenticated() {
- return true;
- }
-
- public GrantedAuthority[] getAuthorities() {
- return this.authorities;
- }
-
- public Object getCredentials() {
- return this.credentials;
- }
-
- public Date getExpires() {
- return this.expires;
- }
-
- public int getKeyHash() {
- return this.keyHash;
- }
-
- public Object getPrincipal() {
- return this.principal;
- }
-
- public boolean equals(Object obj) {
- if (!super.equals(obj)) {
- return false;
- }
-
- if (obj instanceof DaoAuthenticationToken) {
- DaoAuthenticationToken test = (DaoAuthenticationToken) obj;
-
- if (this.getKeyHash() != test.getKeyHash()) {
- return false;
- }
-
- // expires never null due to constructor
- if (this.getExpires() != test.getExpires()) {
- return false;
- }
-
- return true;
- }
-
- return false;
- }
-
- public String toString() {
- StringBuffer sb = new StringBuffer();
- sb.append(super.toString());
- sb.append("; Expires: " + this.expires.toString());
-
- return sb.toString();
- }
-}
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/UserCache.java b/core/src/main/java/org/acegisecurity/providers/dao/UserCache.java
new file mode 100644
index 0000000000..9daa3fc2c8
--- /dev/null
+++ b/core/src/main/java/org/acegisecurity/providers/dao/UserCache.java
@@ -0,0 +1,53 @@
+/* Copyright 2004 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.sf.acegisecurity.providers.dao;
+
+/**
+ * Provides a cache of {@link User} objects.
+ *
+ *
+ * Implementations should provide appropriate methods to set their cache
+ * parameters (eg time-to-live) and/or force removal of entities before their
+ * normal expiration. These are not part of the UserCache
+ * interface contract because they vary depending on the type of caching
+ * system used (eg in-memory vs disk vs cluster vs hybrid).
+ *
+ *
+ * @author Ben Alex
+ * @version $Id$
+ */
+public interface UserCache {
+ //~ Methods ================================================================
+
+ /**
+ * Obtains a {@link User} from the cache.
+ *
+ * @param username the {@link User#getUsername()} used to place the user in
+ * the cache
+ *
+ * @return the populated User or null if the user
+ * could not be found or if the cache entry has expired
+ */
+ public User getUserFromCache(String username);
+
+ /**
+ * Places a {@link User} in the cache. The username is the key
+ * used to subsequently retrieve the User.
+ *
+ * @param user the fully populated User to place in the cache
+ */
+ public void putUserInCache(User user);
+}
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.java b/core/src/main/java/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.java
new file mode 100644
index 0000000000..7f248667ed
--- /dev/null
+++ b/core/src/main/java/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.java
@@ -0,0 +1,135 @@
+/* Copyright 2004 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.sf.acegisecurity.providers.dao.cache;
+
+import net.sf.acegisecurity.providers.dao.User;
+import net.sf.acegisecurity.providers.dao.UserCache;
+
+import net.sf.ehcache.Cache;
+import net.sf.ehcache.CacheException;
+import net.sf.ehcache.CacheManager;
+import net.sf.ehcache.Element;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.InitializingBean;
+
+import org.springframework.dao.DataRetrievalFailureException;
+
+
+/**
+ * Caches User objects using EHCACHE.
+ *
+ * @author Ben Alex
+ * @version $Id$
+ */
+public class EhCacheBasedUserCache implements UserCache, InitializingBean,
+ DisposableBean {
+ //~ Static fields/initializers =============================================
+
+ private static final Log logger = LogFactory.getLog(EhCacheBasedUserCache.class);
+ private static final String CACHE_NAME = "ehCacheBasedUserCache";
+
+ //~ Instance fields ========================================================
+
+ private Cache cache;
+ private CacheManager manager;
+ private int minutesToIdle = 5;
+
+ //~ Methods ================================================================
+
+ public void setMinutesToIdle(int minutesToIdle) {
+ this.minutesToIdle = minutesToIdle;
+ }
+
+ /**
+ * Specifies how many minutes an entry will remain in the cache from when
+ * it was last accessed. This is effectively the session duration.
+ *
+ *
+ * Defaults to 5 minutes.
+ *
+ *
+ * @return Returns the minutes an element remains in the cache
+ */
+ public int getMinutesToIdle() {
+ return minutesToIdle;
+ }
+
+ public User getUserFromCache(String username) {
+ Element element = null;
+
+ try {
+ element = cache.get(username);
+ } catch (CacheException cacheException) {
+ throw new DataRetrievalFailureException("Cache failure: "
+ + cacheException.getMessage());
+ }
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("Cache hit: " + (element != null) + "; username: "
+ + username);
+ }
+
+ if (element == null) {
+ return null;
+ } else {
+ return (User) element.getValue();
+ }
+ }
+
+ public void afterPropertiesSet() throws Exception {
+ if (CacheManager.getInstance().cacheExists(CACHE_NAME)) {
+ CacheManager.getInstance().removeCache(CACHE_NAME);
+ }
+
+ manager = CacheManager.create();
+
+ // Cache name, max memory, overflowToDisk, eternal, timeToLive, timeToIdle
+ cache = new Cache(CACHE_NAME, Integer.MAX_VALUE, false, false,
+ minutesToIdle * 60, minutesToIdle * 60);
+ manager.addCache(cache);
+ }
+
+ public void destroy() throws Exception {
+ manager.removeCache(CACHE_NAME);
+ }
+
+ public void putUserInCache(User user) {
+ Element element = new Element(user.getUsername(), user);
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("Cache put: " + element.getKey());
+ }
+
+ cache.put(element);
+ }
+
+ public void removeUserFromCache(User user) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Cache remove: " + user.getUsername());
+ }
+
+ this.removeUserFromCache(user.getUsername());
+ }
+
+ public void removeUserFromCache(String username) {
+ cache.remove(username);
+ }
+}
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/cache/NullUserCache.java b/core/src/main/java/org/acegisecurity/providers/dao/cache/NullUserCache.java
new file mode 100644
index 0000000000..26357d959e
--- /dev/null
+++ b/core/src/main/java/org/acegisecurity/providers/dao/cache/NullUserCache.java
@@ -0,0 +1,36 @@
+/* Copyright 2004 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.sf.acegisecurity.providers.dao.cache;
+
+import net.sf.acegisecurity.providers.dao.User;
+import net.sf.acegisecurity.providers.dao.UserCache;
+
+
+/**
+ * Does not perform any caching.
+ *
+ * @author Ben Alex
+ * @version $Id$
+ */
+public class NullUserCache implements UserCache {
+ //~ Methods ================================================================
+
+ public User getUserFromCache(String username) {
+ return null;
+ }
+
+ public void putUserInCache(User user) {}
+}
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/cache/package.html b/core/src/main/java/org/acegisecurity/providers/dao/cache/package.html
new file mode 100644
index 0000000000..b59b1e93f2
--- /dev/null
+++ b/core/src/main/java/org/acegisecurity/providers/dao/cache/package.html
@@ -0,0 +1,5 @@
+
+
+Caches User objects for the DaoAuthenticationProvider.
+
+
diff --git a/core/src/test/java/org/acegisecurity/adapters/adaptertest-valid.xml b/core/src/test/java/org/acegisecurity/adapters/adaptertest-valid.xml
index 7f0c51c608..38a23ee9ca 100644
--- a/core/src/test/java/org/acegisecurity/adapters/adaptertest-valid.xml
+++ b/core/src/test/java/org/acegisecurity/adapters/adaptertest-valid.xml
@@ -36,7 +36,6 @@