Class PasswordService
- All Implemented Interfaces:
AbstractPasswordService
public class PasswordService extends java.lang.Object implements AbstractPasswordService
This class implements password authentication.
Like all service classes, this class holds only configuration state. Thus, once configured, it can be safely shared between multiple sessions since its state (the configuration) is read-only.
Passwords are (usually) saved in the database using salted hash functions. The process of
computing new hashes, and verifying them is delegated to an PasswordService.AbstractVerifier.
The authentication class may be configured to enable password attempt throttling. This provides protection against brute force guessing of passwords. When throttling is enabled, new password attempts are refused until the throttling period is finished.
Password strength validation of a new user-chosen password may be implemented by setting an AbstractStrengthValidator.
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static interfacePasswordService.AbstractVerifierAbstract password hash computation and verification class.Nested classes/interfaces inherited from interface eu.webtoolkit.jwt.auth.AbstractPasswordService
AbstractPasswordService.AbstractStrengthValidator, AbstractPasswordService.StrengthValidatorResult -
Constructor Summary
Constructors Constructor Description PasswordService(AuthService baseAuth)Constructor. -
Method Summary
Modifier and Type Method Description intdelayForNextAttempt(User user)Returns the delay for this user for a next authentication attempt.AuthServicegetBaseAuth()Returns the basic authentication service.protected intgetPasswordThrottle(int failedAttempts)Returns how much throttle should be given considering a number of failed authentication attempts.AbstractPasswordService.AbstractStrengthValidatorgetStrengthValidator()Returns the password strength validator.PasswordService.AbstractVerifiergetVerifier()Returns the password verifier.booleanisAttemptThrottlingEnabled()Returns whether password attempt throttling is enabled.voidsetAttemptThrottlingEnabled(boolean enabled)Configures password attempt throttling.voidsetStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator)Sets a validator which computes password strength.voidsetVerifier(PasswordService.AbstractVerifier verifier)Sets a password verifier which computes authorization checks.voidupdatePassword(User user, java.lang.String password)Sets a new password for the given user.PasswordResultverifyPassword(User user, java.lang.String password)Verifies a password for a given user.Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Constructor Details
-
PasswordService
Constructor.Creates a new password authentication service, which depends on the passed basic authentication service.
-
-
Method Details
-
getBaseAuth
Description copied from interface:AbstractPasswordServiceReturns the basic authentication service.- Specified by:
getBaseAuthin interfaceAbstractPasswordService
-
setVerifier
Sets a password verifier which computes authorization checks.The password verifier has as task to verify an entered password against a password hash stored in the database, and also to create or update a user's password hash.
The default password verifier is
null.The service takes ownership of the verifier.
-
getVerifier
Returns the password verifier. -
setStrengthValidator
Sets a validator which computes password strength.The default password strength validator is
null.The service takes ownership of the validator.
-
getStrengthValidator
Returns the password strength validator.- Specified by:
getStrengthValidatorin interfaceAbstractPasswordService- See Also:
setStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator)
-
setAttemptThrottlingEnabled
public void setAttemptThrottlingEnabled(boolean enabled)Configures password attempt throttling.When password throttling is enabled, new password verification attempts will be refused when the user has had too many unsuccessful authentication attempts in a row.
The exact back-off schema can be customized by specializing
getPasswordThrottle(). -
isAttemptThrottlingEnabled
public boolean isAttemptThrottlingEnabled()Returns whether password attempt throttling is enabled.- Specified by:
isAttemptThrottlingEnabledin interfaceAbstractPasswordService- See Also:
setAttemptThrottlingEnabled(boolean enabled)
-
delayForNextAttempt
Returns the delay for this user for a next authentication attempt.If password attempt throttling is enabled, then this returns the number of seconds this user must wait for a new authentication attempt, presumably because of a number of failed attempts.
- Specified by:
delayForNextAttemptin interfaceAbstractPasswordService- See Also:
isAttemptThrottlingEnabled(),setAttemptThrottlingEnabled(boolean enabled),getPasswordThrottle(int failedAttempts)
-
verifyPassword
Verifies a password for a given user.The supplied password is verified against the user's credentials stored in the database. If password account throttling is enabled, it may also refuse an authentication attempt.
-
updatePassword
Description copied from interface:AbstractPasswordServiceSets a new password for the given user.This stores a new password for the user in the database.
- Specified by:
updatePasswordin interfaceAbstractPasswordService
-
getPasswordThrottle
protected int getPasswordThrottle(int failedAttempts)Returns how much throttle should be given considering a number of failed authentication attempts.The returned value is in seconds.
The default implementation returns the following:
- failedAttempts == 0: 0
- failedAttempts == 1: 1
- failedAttempts == 2: 5
- failedAttempts == 3: 10
- failedAttempts > 3: 25
-