All Implemented Interfaces: AbstractPasswordService

public class PasswordService extends java.lang.Object implements AbstractPasswordService
This class implements password authentication.
Like all service classes, this class holds only configuration state. Thus, once configured, it can be safely shared between multiple sessions since its state (the configuration) is read-only.
Passwords are (usually) saved in the database using salted hash functions. The process of computing new hashes, and verifying them, is delegated to an
The authentication class may be configured to enable password attempt throttling. This provides protection against brute force guessing of passwords. When throttling is enabled, new password attempts are refused until the throttling period is finished.
Password strength validation of a new user-chosen password may be implemented by setting an AbstractStrengthValidator.
Nested Class Summary
- static interface PasswordService.AbstractVerifier: Abstract password hash computation and verification class.

Constructor Summary
- PasswordService(AuthService baseAuth): Constructor.

Method Summary
- int delayForNextAttempt(User user): Returns the delay for this user for a next authentication attempt.
- AuthService getBaseAuth(): Returns the basic authentication service.
- protected int getPasswordThrottle(int failedAttempts): Returns how much throttle should be given considering a number of failed authentication attempts.
- AbstractPasswordService.AbstractStrengthValidator getStrengthValidator(): Returns the password strength validator.
- PasswordService.AbstractVerifier getVerifier(): Returns the password verifier.
- boolean isAttemptThrottlingEnabled(): Returns whether password attempt throttling is enabled.
- void setAttemptThrottlingEnabled(boolean enabled): Configures password attempt throttling.
- void setStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator): Sets a validator which computes password strength.
- void setVerifier(PasswordService.AbstractVerifier verifier): Sets a password verifier which computes authorization checks.
- void updatePassword(User user, java.lang.String password): Sets a new password for the given user.
- verifyPassword(User user, java.lang.String password): Verifies a password for a given user.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

PasswordService
public PasswordService(AuthService baseAuth)
Constructor. Creates a new password authentication service, which depends on the passed basic authentication service.
Method Detail

getBaseAuth
public AuthService getBaseAuth()
Description copied from interface: AbstractPasswordService
Returns the basic authentication service.
setVerifier
public void setVerifier(PasswordService.AbstractVerifier verifier)
Sets a password verifier which computes authorization checks.
The password verifier's task is to verify an entered password against the password hash stored in the database, and also to create or update a user's password hash.
The default password verifier is
The service takes ownership of the verifier.
getVerifier
public PasswordService.AbstractVerifier getVerifier()
Returns the password verifier.
setStrengthValidator
public void setStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator)
Sets a validator which computes password strength.
The default password strength validator is
The service takes ownership of the validator.
getStrengthValidator
public AbstractPasswordService.AbstractStrengthValidator getStrengthValidator()
Returns the password strength validator.
setAttemptThrottlingEnabled
public void setAttemptThrottlingEnabled(boolean enabled)
Configures password attempt throttling.
When password throttling is enabled, new password verification attempts will be refused when the user has had too many unsuccessful authentication attempts in a row.
The exact back-off schema can be customized by specializing
isAttemptThrottlingEnabled
public boolean isAttemptThrottlingEnabled()
Returns whether password attempt throttling is enabled.
delayForNextAttempt
public int delayForNextAttempt(User user)
Returns the delay for this user for a next authentication attempt.
If password attempt throttling is enabled, then this returns the number of seconds this user must wait before a new authentication attempt is accepted, presumably because of a number of failed attempts.
verifyPassword
verifyPassword(User user, java.lang.String password)
Verifies a password for a given user.
The supplied password is verified against the user's credentials stored in the database. If password attempt throttling is enabled, the call may also refuse an authentication attempt.
updatePassword
public void updatePassword(User user, java.lang.String password)
Description copied from interface: AbstractPasswordService
Sets a new password for the given user.
This stores a new password for the user in the database.
getPasswordThrottle
protected int getPasswordThrottle(int failedAttempts)
Returns how much throttle should be given considering a number of failed authentication attempts.
The returned value is in seconds.
The default implementation returns the following:
- failedAttempts == 0: 0
- failedAttempts == 1: 1
- failedAttempts == 2: 5
- failedAttempts == 3: 10
- failedAttempts > 3: 25
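As an added example (not code from the JWt documentation or library), the following subclass enables attempt throttling in its constructor and overrides getPasswordThrottle(int) to replace the default 0/1/5/10/25 schedule above with a capped exponential back-off. The package name eu.webtoolkit.jwt.auth and the exponential policy itself are assumptions.

```java
import eu.webtoolkit.jwt.auth.AuthService;
import eu.webtoolkit.jwt.auth.PasswordService;

/**
 * PasswordService with a stricter, capped exponential back-off.
 * Example code: the package name is assumed and the policy is illustrative.
 */
public class ThrottledPasswordService extends PasswordService {

    /** Upper bound on the delay, in seconds, so the schedule cannot grow unbounded. */
    private static final int MAX_DELAY_SECONDS = 15 * 60;

    public ThrottledPasswordService(AuthService baseAuth) {
        super(baseAuth);
        // Throttling is configuration state: set it once here, after which the
        // service can be shared read-only between sessions like any other service.
        setAttemptThrottlingEnabled(true);
    }

    /**
     * Seconds the user must wait before the next attempt is accepted, given the
     * number of consecutive failed attempts. Yields 0, 2, 4, 8, 16, ... seconds,
     * capped at MAX_DELAY_SECONDS.
     */
    @Override
    protected int getPasswordThrottle(int failedAttempts) {
        if (failedAttempts <= 0) {
            return 0;                       // no failures yet: no delay
        }
        // Clamp the exponent so the shift below cannot overflow for large counts.
        int exponent = Math.min(failedAttempts, 20);
        long delay = 1L << exponent;        // 2, 4, 8, 16, ...
        return (int) Math.min(delay, MAX_DELAY_SECONDS);
    }
}
```

With throttling enabled, delayForNextAttempt(User) reports these values for a user with that many consecutive failures, and verifyPassword refuses attempts made before the delay has elapsed.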