Wt  4.0.2
Wt::Auth::PasswordService Class Reference

Password authentication service. More...

#include <Wt/Auth/PasswordService.h>

Inheritance: Wt::Auth::PasswordService derives from Wt::Auth::AbstractPasswordService (inheritance diagram omitted).

Classes

class  AbstractVerifier
 Abstract password hash computation and verification class.

Public Member Functions

 PasswordService (const AuthService &baseAuth)
 Constructor.

virtual ~PasswordService ()
 Destructor.

virtual const AuthService & baseAuth () const override
 Returns the basic authentication service.

void setVerifier (std::unique_ptr< AbstractVerifier > verifier)
 Sets a password verifier which computes authorization checks.

AbstractVerifier * verifier () const
 Returns the password verifier.

void setStrengthValidator (std::unique_ptr< AbstractStrengthValidator > validator)
 Sets a validator which computes password strength.

virtual AbstractStrengthValidator * strengthValidator () const override
 Returns the password strength validator.

void setAttemptThrottlingEnabled (bool enabled)
 Configures password attempt throttling.

virtual bool attemptThrottlingEnabled () const override
 Returns whether password attempt throttling is enabled.

virtual int delayForNextAttempt (const User &user) const override
 Returns the delay for this user for a next authentication attempt.

virtual PasswordResult verifyPassword (const User &user, const WString &password) const override
 Verifies a password for a given user.

virtual void updatePassword (const User &user, const WString &password) const override
 Sets a new password for the given user.

- Public Member Functions inherited from Wt::Auth::AbstractPasswordService
virtual ~AbstractPasswordService ()
 Destructor.

Protected Member Functions

virtual int getPasswordThrottle (int failedAttempts) const
 Returns how much throttle should be given considering a number of failed authentication attempts.

Detailed Description

Password authentication service.

This class implements password authentication.

Like all service classes, this class holds only configuration state. Thus, once configured, it can be safely shared between multiple sessions since its state (the configuration) is read-only. A "const PasswordService" object is thus thread-safe.

Passwords are (usually) stored in the database as salted hashes. Computing new hashes and verifying passwords against them is delegated to an AbstractVerifier.

The authentication class may be configured to enable password attempt throttling. This provides protection against brute-force guessing of passwords: when throttling is enabled, new password attempts are refused until the throttling period has elapsed.

Password strength validation of a new user-chosen password may be implemented by setting an AbstractStrengthValidator.

Constructor & Destructor Documentation

Wt::Auth::PasswordService::PasswordService ( const AuthService & baseAuth )

Constructor.

Creates a new password authentication service, which depends on the passed basic authentication service.

Member Function Documentation

virtual bool Wt::Auth::PasswordService::attemptThrottlingEnabled ( ) const
override virtual

Returns whether password attempt throttling is enabled.

See also
setAttemptThrottlingEnabled()

Implements Wt::Auth::AbstractPasswordService.

int Wt::Auth::PasswordService::delayForNextAttempt ( const User & user ) const
override virtual

Returns the delay for this user for a next authentication attempt.

If password attempt throttling is enabled, then this returns the number of seconds this user must wait for a new authentication attempt, presumably because of a number of failed attempts.

See also
attemptThrottlingEnabled()
setAttemptThrottlingEnabled(), getPasswordThrottle()

Implements Wt::Auth::AbstractPasswordService.

int Wt::Auth::PasswordService::getPasswordThrottle ( int failedAttempts ) const
protected virtual

Returns how much throttle should be given considering a number of failed authentication attempts.

The returned value is in seconds.

The default implementation returns the following:

  • failedAttempts == 0: 0
  • failedAttempts == 1: 1
  • failedAttempts == 2: 5
  • failedAttempts == 3: 10
  • failedAttempts > 3: 25

void Wt::Auth::PasswordService::setAttemptThrottlingEnabled ( bool enabled )

Configures password attempt throttling.

When password throttling is enabled, new password verification attempts will be refused when the user has had too many unsuccessful authentication attempts in a row.

The exact back-off schema can be customized by specializing getPasswordThrottle().
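
As an added illustration (not Wt's own code) of the back-off schedule documented for getPasswordThrottle() and of how throttling gates verification once setAttemptThrottlingEnabled() is on, the following stand-alone model uses simplified stand-ins for Wt::Auth::User and PasswordResult (ThrottleState, Result and verifyAttempt are assumed names, and the timestamps are constructed):

```cpp
// Stand-alone model of PasswordService's attempt throttling. Added example,
// not Wt's implementation: the schedule values come from the documented
// getPasswordThrottle() defaults; the state/result types are simplified
// stand-ins for Wt::Auth::User and Wt::Auth::PasswordResult.
#include <algorithm>
#include <cstdint>

// Default back-off in seconds for a number of consecutive failed attempts,
// exactly as documented for getPasswordThrottle().
int defaultPasswordThrottle(int failedAttempts) {
    if (failedAttempts <= 0) return 0;
    if (failedAttempts == 1) return 1;
    if (failedAttempts == 2) return 5;
    if (failedAttempts == 3) return 10;
    return 25;
}

// Per-user state a real deployment keeps in the database (constructed
// stand-in for the fields Wt::Auth::User would carry).
struct ThrottleState {
    int failedAttempts = 0;          // consecutive failed logins
    std::int64_t lastAttempt = 0;    // Unix time (seconds) of the last attempt
};

// Seconds the user must still wait, as delayForNextAttempt() documents:
// zero means a new attempt may be verified now.
int delayForNextAttempt(const ThrottleState& s, std::int64_t now,
                        int (*schedule)(int) = defaultPasswordThrottle) {
    std::int64_t required = schedule(s.failedAttempts);
    std::int64_t remaining = required - (now - s.lastAttempt);
    return static_cast<int>(std::max<std::int64_t>(0, remaining));
}

// Outcomes modelled on Wt::Auth::PasswordResult (assumed enumerator names).
enum class Result { PasswordInvalid, LoginThrottling, PasswordValid };

// Models verifyPassword(): while throttled the attempt is refused without
// consulting the password hash; otherwise the outcome updates the counters.
Result verifyAttempt(ThrottleState& s, bool throttlingEnabled,
                     bool passwordMatches, std::int64_t now) {
    if (throttlingEnabled && delayForNextAttempt(s, now) > 0)
        return Result::LoginThrottling;
    s.lastAttempt = now;
    if (passwordMatches) {
        s.failedAttempts = 0;        // success resets the back-off
        return Result::PasswordValid;
    }
    ++s.failedAttempts;
    return Result::PasswordInvalid;
}
```

A subclass of PasswordService that overrides getPasswordThrottle() would supply a different schedule in place of defaultPasswordThrottle.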

void Wt::Auth::PasswordService::setStrengthValidator ( std::unique_ptr< AbstractStrengthValidator > validator )

Sets a validator which computes password strength.

The default password strength validator is 0 (a null pointer): no strength validation is performed until one is set.

void Wt::Auth::PasswordService::setVerifier ( std::unique_ptr< AbstractVerifier > verifier )

Sets a password verifier which computes authorization checks.

The password verifier's task is to verify an entered password against the password hash stored in the database, and to create or update a user's password hash.

The default password verifier is 0 (a null pointer): no verifier is configured until setVerifier() is called.

See also
verifyPassword(), updatePassword()

virtual AbstractStrengthValidator * Wt::Auth::PasswordService::strengthValidator ( ) const
override virtual

Returns the password strength validator.

See also
setStrengthValidator()

Implements Wt::Auth::AbstractPasswordService.

void Wt::Auth::PasswordService::updatePassword ( const User & user, const WString & password ) const
override virtual

Sets a new password for the given user.

This stores a new password for the user in the database.

Implements Wt::Auth::AbstractPasswordService.

AbstractVerifier* Wt::Auth::PasswordService::verifier ( ) const

Returns the password verifier.

See also
setVerifier()

PasswordResult Wt::Auth::PasswordService::verifyPassword ( const User & user, const WString & password ) const
override virtual

Verifies a password for a given user.

The supplied password is verified against the user's credentials stored in the database. If password attempt throttling is enabled, the attempt may be refused outright before any verification takes place.

See also
setVerifier(), setAttemptThrottlingEnabled()

Implements Wt::Auth::AbstractPasswordService.


Generated on Fri Nov 24 2017 for the C++ Web Toolkit (Wt) by doxygen 1.8.11