Package eu.webtoolkit.jwt.auth

Class PasswordService

java.lang.Object

eu.webtoolkit.jwt.auth.PasswordService

All Implemented Interfaces:

AbstractPasswordService

public class PasswordService
extends Object
implements AbstractPasswordService

Password authentication service.

This class implements password authentication.

Like all service classes, this class holds only configuration state. Thus, once configured, it can be safely shared between multiple sessions since its state (the configuration) is read-only.

Passwords are (usually) saved in the database using salted hash functions. The process of computing new hashes, and verifying them is delegated to an PasswordService.AbstractVerifier.

The authentication class may be configured to enable password attempt throttling. This provides protection against brute force guessing of passwords. When throttling is enabled, new password attempts are refused until the throttling period is finished.

Password strength validation of a new user-chosen password may be implemented by setting an AbstractStrengthValidator.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	PasswordService.AbstractVerifier	Abstract password hash computation and verification class.

Nested classes/interfaces inherited from interface eu.webtoolkit.jwt.auth.AbstractPasswordService

AbstractPasswordService.AbstractStrengthValidator, AbstractPasswordService.StrengthValidatorResult

Constructor Summary

Constructors

Constructor	Description
PasswordService(AuthService baseAuth)	Constructor.

Method Summary

Modifier and Type	Method	Description
int	delayForNextAttempt(User user)	Returns the delay for this user for a next authentication attempt.
protected int	getAuthenticationThrottle(int failedAttempts)	Returns how much throttle should be given considering a number of failed authentication attempts.
AuthService	getBaseAuth()	Returns the basic authentication service.
AuthThrottle	getPasswordThrottle()	Returns the class instance managing the throttling delay.
AbstractPasswordService.AbstractStrengthValidator	getStrengthValidator()	Returns the password strength validator.
PasswordService.AbstractVerifier	getVerifier()	Returns the password verifier.
boolean	isAttemptThrottlingEnabled()	Returns whether password attempt throttling is enabled.
void	setAttemptThrottlingEnabled(boolean enabled)	Configures password attempt throttling.
void	setPasswordThrottle(AuthThrottle delayer)	Sets the class instance managing the throttling delay.
void	setStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator)	Sets a validator which computes password strength.
void	setVerifier(PasswordService.AbstractVerifier verifier)	Sets a password verifier which computes authorization checks.
void	updatePassword(User user, String password)	Sets a new password for the given user.
PasswordResult	verifyPassword(User user, String password)	Verifies a password for a given user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

PasswordService

public PasswordService(AuthService baseAuth)

Constructor.

Creates a new password authentication service, which depends on the passed basic authentication service.

Method Details

getBaseAuth

public AuthService getBaseAuth()

Description copied from interface: AbstractPasswordService

Returns the basic authentication service.

Specified by:

getBaseAuth in interface AbstractPasswordService

setVerifier

public void setVerifier(PasswordService.AbstractVerifier verifier)

Sets a password verifier which computes authorization checks.

The password verifier has as task to verify an entered password against a password hash stored in the database, and also to create or update a user's password hash.

The default password verifier is null.

See Also:

• verifyPassword(User user, String password)
• updatePassword(User user, String password)

getVerifier

public PasswordService.AbstractVerifier getVerifier()

Returns the password verifier.

See Also:

• setVerifier(PasswordService.AbstractVerifier verifier)

setStrengthValidator

public void setStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator)

Sets a validator which computes password strength.

The default password strength validator is null.

getStrengthValidator

public AbstractPasswordService.AbstractStrengthValidator getStrengthValidator()

Returns the password strength validator.

Specified by:

getStrengthValidator in interface AbstractPasswordService

See Also:

• setStrengthValidator(AbstractPasswordService.AbstractStrengthValidator validator)

setPasswordThrottle

public void setPasswordThrottle(AuthThrottle delayer)

Sets the class instance managing the throttling delay.

See Also:

• setAttemptThrottlingEnabled(boolean enabled)
• AuthThrottle

getPasswordThrottle

public AuthThrottle getPasswordThrottle()

Returns the class instance managing the throttling delay.

Specified by:

getPasswordThrottle in interface AbstractPasswordService

See Also:

• AbstractPasswordService.isAttemptThrottlingEnabled()

setAttemptThrottlingEnabled

public void setAttemptThrottlingEnabled(boolean enabled)

Configures password attempt throttling.

When password throttling is enabled, new password verification attempts will be refused when the user has had too many unsuccessful authentication attempts in a row.

The exact back-off schema can be customized by specializing AuthThrottle#getAuthenticationThrottle().

isAttemptThrottlingEnabled

public boolean isAttemptThrottlingEnabled()

Returns whether password attempt throttling is enabled.

Specified by:

isAttemptThrottlingEnabled in interface AbstractPasswordService

See Also:

• setAttemptThrottlingEnabled(boolean enabled)

delayForNextAttempt

public int delayForNextAttempt(User user)

Returns the delay for this user for a next authentication attempt.

The implementation of this functionality is managed by AuthThrottle.

Specified by:

delayForNextAttempt in interface AbstractPasswordService

See Also:

• isAttemptThrottlingEnabled()
• setAttemptThrottlingEnabled(boolean enabled)
• getAuthenticationThrottle(int failedAttempts)

verifyPassword

public PasswordResult verifyPassword(User user,
 String password)

Verifies a password for a given user.

The supplied password is verified against the user's credentials stored in the database. If password account throttling is enabled, it may also refuse an authentication attempt.

Specified by:

verifyPassword in interface AbstractPasswordService

See Also:

• setVerifier(PasswordService.AbstractVerifier verifier)
• setAttemptThrottlingEnabled(boolean enabled)
• setVerifier(PasswordService.AbstractVerifier verifier)
• setAttemptThrottlingEnabled(boolean enabled)

updatePassword

public void updatePassword(User user,
 String password)

Description copied from interface: AbstractPasswordService

Sets a new password for the given user.

This stores a new password for the user in the database.

Specified by:

updatePassword in interface AbstractPasswordService

getAuthenticationThrottle

protected int getAuthenticationThrottle(int failedAttempts)

Returns how much throttle should be given considering a number of failed authentication attempts.

See Also:

• AuthThrottle.getAuthenticationThrottle(int failedAttempts)