Class PasswordService
- All Implemented Interfaces:
AbstractPasswordService
This class implements password authentication.
Like all service classes, this class holds only configuration state. Thus, once configured, it can be safely shared between multiple sessions since its state (the configuration) is read-only.
Passwords are (usually) saved in the database using salted hash functions. The process of computing new hashes and verifying them is delegated to a PasswordService.AbstractVerifier.
The authentication class may be configured to enable password attempt throttling. This provides protection against brute force guessing of passwords. When throttling is enabled, new password attempts are refused until the throttling period is finished.
Password strength validation of a new user-chosen password may be implemented by setting an AbstractStrengthValidator.
-
Nested Class Summary
- static interface PasswordService.AbstractVerifier
  Abstract password hash computation and verification class.
- Nested classes/interfaces inherited from interface eu.webtoolkit.jwt.auth.AbstractPasswordService:
  AbstractPasswordService.AbstractStrengthValidator, AbstractPasswordService.StrengthValidatorResult
-
Constructor Summary
- PasswordService: Creates a new password authentication service, which depends on the passed basic authentication service.
-
Method Summary
- int delayForNextAttempt(User user): Returns the delay for this user for a next authentication attempt.
- getBaseAuth(): Returns the basic authentication service.
- protected int getPasswordThrottle(int failedAttempts): Returns how much throttle should be given considering a number of failed authentication attempts.
- getStrengthValidator(): Returns the password strength validator.
- getVerifier(): Returns the password verifier.
- boolean isAttemptThrottlingEnabled(): Returns whether password attempt throttling is enabled.
- void setAttemptThrottlingEnabled(boolean enabled): Configures password attempt throttling.
- void setStrengthValidator: Sets a validator which computes password strength.
- void setVerifier(PasswordService.AbstractVerifier verifier): Sets a password verifier which computes authorization checks.
- void updatePassword(User user, String password): Sets a new password for the given user.
- verifyPassword(User user, String password): Verifies a password for a given user.
-
Constructor Details
-
PasswordService
Constructor. Creates a new password authentication service, which depends on the passed basic authentication service.
-
Method Details
-
getBaseAuth
Description copied from interface: AbstractPasswordService
Returns the basic authentication service.
- Specified by: getBaseAuth in interface AbstractPasswordService
-
setVerifier
Sets a password verifier which computes authorization checks. The verifier's task is to check an entered password against the password hash stored in the database, and to create or update a user's password hash.
The default password verifier is null.
-
getVerifier
Returns the password verifier.
-
setStrengthValidator
Sets a validator which computes password strength.
The default password strength validator is null.
-
getStrengthValidator
Returns the password strength validator.
- Specified by: getStrengthValidator in interface AbstractPasswordService
-
setAttemptThrottlingEnabled
public void setAttemptThrottlingEnabled(boolean enabled)
Configures password attempt throttling. When password throttling is enabled, new password verification attempts will be refused when the user has had too many unsuccessful authentication attempts in a row.
The exact back-off schema can be customized by specializing getPasswordThrottle().
-
isAttemptThrottlingEnabled
public boolean isAttemptThrottlingEnabled()
Returns whether password attempt throttling is enabled.
- Specified by: isAttemptThrottlingEnabled in interface AbstractPasswordService
-
delayForNextAttempt
Returns the delay for this user for a next authentication attempt. If password attempt throttling is enabled, then this returns the number of seconds this user must wait before a new authentication attempt, presumably because of a number of failed attempts.
- Specified by: delayForNextAttempt in interface AbstractPasswordService
-
verifyPassword
Verifies a password for a given user. The supplied password is verified against the user's credentials stored in the database. If password attempt throttling is enabled, it may also refuse an authentication attempt.
-
updatePassword
Description copied from interface: AbstractPasswordService
Sets a new password for the given user. This stores a new password for the user in the database.
- Specified by: updatePassword in interface AbstractPasswordService
-
getPasswordThrottle
protected int getPasswordThrottle(int failedAttempts)
Returns how much throttle should be given considering a number of failed authentication attempts. The returned value is in seconds.
The default implementation returns the following:
- failedAttempts == 0: 0
- failedAttempts == 1: 1
- failedAttempts == 2: 5
- failedAttempts == 3: 10
- failedAttempts > 3: 25
-
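As an added example (not code from the JWt project or from this page), the following Java class ties the setVerifier, setAttemptThrottlingEnabled, delayForNextAttempt, verifyPassword and getPasswordThrottle sections together: it configures a verifier and enables throttling in the constructor, overrides getPasswordThrottle() with a capped exponential schedule in place of the default 0/1/5/10/25 one, and consults delayForNextAttempt() before verifyPassword() so a throttled attempt is refused without computing a hash. Assumed here and not stated on this page: the constructor parameter type AuthService, the PasswordVerifier and BCryptHashFunction classes used as the verifier, and that verifyPassword() returns a PasswordResult with the constants PasswordValid and LoginThrottling; the names BackoffPasswordService and LoginOutcome are hypothetical.

```java
import eu.webtoolkit.jwt.auth.AuthService;        // assumed: type of the base authentication service
import eu.webtoolkit.jwt.auth.BCryptHashFunction; // assumed: salted bcrypt hash function
import eu.webtoolkit.jwt.auth.PasswordResult;     // assumed: enum returned by verifyPassword()
import eu.webtoolkit.jwt.auth.PasswordService;
import eu.webtoolkit.jwt.auth.PasswordVerifier;   // assumed: JWt's AbstractVerifier implementation
import eu.webtoolkit.jwt.auth.User;

/**
 * Hypothetical PasswordService subclass with a capped exponential back-off
 * instead of the default 0/1/5/10/25 schedule. Only getPasswordThrottle() is
 * overridden, so delayForNextAttempt() and verifyPassword() pick the new
 * schedule up through the documented customization point.
 */
public class BackoffPasswordService extends PasswordService {

    /** Upper bound so a user with many failures is not locked out indefinitely. */
    private static final int MAX_DELAY_SECONDS = 300;

    public BackoffPasswordService(AuthService baseAuth) {
        super(baseAuth);
        // Salted, deliberately slow hash for stored passwords; the cost factor is a policy choice.
        PasswordVerifier verifier = new PasswordVerifier();
        verifier.addHashFunction(new BCryptHashFunction(12));
        setVerifier(verifier);
        // Without this, delayForNextAttempt() is 0 and verifyPassword() never refuses on throttling.
        setAttemptThrottlingEnabled(true);
    }

    @Override
    protected int getPasswordThrottle(int failedAttempts) {
        if (failedAttempts <= 0) {
            return 0;                                   // no failures: no delay
        }
        // 1, 2, 4, 8, ... seconds after the 1st, 2nd, 3rd, 4th failure, capped at MAX_DELAY_SECONDS
        int shift = Math.min(failedAttempts - 1, 30);   // keep the shift inside a long
        long delay = 1L << shift;
        return (int) Math.min(delay, MAX_DELAY_SECONDS);
    }

    /** Outcome of one login attempt, kept distinct so audit logs can tell throttling from a wrong password. */
    public enum LoginOutcome { THROTTLED, INVALID, VALID }

    /**
     * Checks the throttle first so a throttled attempt costs no hash computation
     * and is reported separately from an invalid password.
     */
    public LoginOutcome login(User user, String password) {
        int wait = delayForNextAttempt(user);           // seconds, 0 when the user may try now
        if (wait > 0) {
            System.out.printf("throttled: retry in %d s%n", wait);
            return LoginOutcome.THROTTLED;
        }
        PasswordResult result = verifyPassword(user, password);
        switch (result) {
            case PasswordValid:
                return LoginOutcome.VALID;
            case LoginThrottling:
                // verifyPassword() itself may refuse the attempt once throttling is enabled
                return LoginOutcome.THROTTLED;
            default:
                return LoginOutcome.INVALID;
        }
    }
}
```

Checking delayForNextAttempt() before verifyPassword() is a design choice rather than a requirement: verifyPassword() already refuses throttled attempts, but asking first lets the login form tell the user how long to wait and keeps throttled requests from spending CPU on a hash.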