Examples of org.nemesis.forum.Authorization

• org.nemesis.forum.Authorization
  Proves that a user has successfully logged in. The existence of an Authorization object indicates that a person has logged in correctly and has authentication to act as the user associated with the authentication. An instance of this object can be obtained from an AuthorizationFactory and must be passed in to to get an intstance of ForumFactory.

  In the case of using the core forum services through a web interface, the expected behavior is to have a user login and then store the Authorization object in their session.

  (Note by Matt) It's my opinion that this authorization method needs better security. At the moment, this method is certainly ok if forum skins can be trusted. However, the security goal has always been to protect as much as possible against malicious skins. Therefore, the implementation of this class will be changed in the near future to use signed objects. Some thought will have to be given to a public/private key management system, so I'm going to delay implementing it for now. This means -- be sure you can trust your skins!! @see AuthorizationFactory @see ForumFactory

  public static Authorization getUserAuthorization(HttpServletRequest request, HttpServletResponse response, boolean checkCookie) {
    // we can get the session object from the request object:
    HttpSession session = request.getSession();

    // Check 1: check for the  authentication token in the user's session.
    Authorization authToken = (Authorization) session.getAttribute(AUTH_TOKEN);
    if (authToken != null) {
      return authToken;
    }

    // Check 2: check the  cookie for username and password, if we're allowing that

    String username,
    String password,
    boolean autoLogin)
    throws NotFoundException, UnauthorizedException {
    HttpSession session = request.getSession();
    Authorization authToken = AuthorizationFactory.getAuthorization(username, password);
    session.setAttribute(AUTH_TOKEN, authToken);

    if (autoLogin) {
      CookieManager.setCookie(response, AUTOLOGIN_COOKIE, CookieManager.encodePasswordCookie(username, password), CookieManager.MAX_COOKIE_AGE);
    }

  protected void authenticate(HttpServletRequest request, String login, String pass) throws UserNotLoggedException {

    try {

      Authorization token = AuthorizationFactory.getAuthorization(login, pass);

      boolean isBOUser =
        SecurityTools.isSystemAdmin(token)
          || SecurityTools.isForumAdmin(token)
          || SecurityTools.isGroupAdmin(token)