UsernamePasswordToken

A simple username/password authentication token to support the most widely-used authentication mechanism. This class also implements the RememberMeAuthenticationToken interface to support "Remember Me" services across user sessions, as well as the HostAuthenticationToken interface (<tt>hunt.shiro.authc.HostAuthenticationToken</tt>) to retain the host name or IP address location from where the authentication attempt is occurring.

"Remember Me" authentications are disabled by default, but if the application developer wishes to allow it for a login attempt, all that is necessary is to call <tt>setRememberMe(true)</tt>. If the underlying <tt>SecurityManager</tt> implementation also supports <tt>RememberMe</tt> services, the user's identity will be remembered across sessions.

Note that this class stores a password as a <tt>char[]</tt> instead of a string (which may seem more logical). This is because strings are immutable and their internal value cannot be overwritten, meaning even a nulled string instance might be accessible in memory at a later time (e.g. in a memory dump). This is not good for sensitive information such as passwords. For more information, see the <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx">Java Cryptography Extension Reference Guide</a>.

To avoid this possibility of later memory access, the application developer should always call <tt>clear()</tt> after using the token to perform a login attempt.
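The clear-after-login discipline described above, as an added example that is not part of the hunt-shiro documentation or code base. The module path in the import, the helper `attemptLogin`, and its `authenticate` delegate are assumptions made for illustration; only the constructor, `clear()` and `toString()` come from this page.

```d
import hunt.shiro.authc.UsernamePasswordToken; // assumed module path
import std.algorithm : all;
import std.stdio : stderr;

// Hypothetical helper. `authenticate` stands in for the call that hands the
// token to your SecurityManager; it is expected to throw on failure.
bool attemptLogin(string username, char[] password, string host, bool remember,
                  void delegate(UsernamePasswordToken) authenticate)
{
    // char[] constructor: the password never passes through an immutable string.
    auto token = new UsernamePasswordToken(username, password, remember, host);

    // Runs on normal return and on exception alike.
    scope (exit)
    {
        token.clear();      // zeroes the stored password, then nulls the fields
        password[] = '\0';  // also wipe the caller's buffer, whether or not the token kept a copy
    }

    try
    {
        authenticate(token);
        return true;
    }
    catch (Exception e)
    {
        // toString() leaves the password out, so the token can be logged.
        stderr.writeln("login failed: ", token.toString());
        return false;
    }
}

void main()
{
    // Constructed sample input; real code reads the password straight into a char[].
    char[] pw = "not-a-real-password".dup;
    auto rejectAll = delegate(UsernamePasswordToken t) { throw new Exception("rejected (constructed)"); };

    bool ok = attemptLogin("alice", pw, "192.0.2.10", false, rejectAll);
    assert(!ok);
    assert(pw.all!(c => c == '\0')); // buffer is wiped after the attempt
}
```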

Constructors

this
this()

JavaBeans compatible no-arg constructor.

this
this(string username, char[] password)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted during an authentication attempt, with a <tt>null</tt> host and a <tt>rememberMe</tt> default of <tt>false</tt>.

this
this(string username, string password)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted during an authentication attempt, with a <tt>null</tt> host and a <tt>rememberMe</tt> default of <tt>false</tt>.

This is a convenience constructor and maintains the password internally via a character array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a string in your code could have possible security implications as noted in the class JavaDoc.

this
this(string username, char[] password, string host)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted, the inetAddress from where the attempt is occurring, and a default <tt>rememberMe</tt> value of <tt>false</tt>.

this
this(string username, string password, string host)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted, the inetAddress from where the attempt is occurring, and a default <tt>rememberMe</tt> value of <tt>false</tt>.

This is a convenience constructor and maintains the password internally via a character array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a string in your code could have possible security implications as noted in the class JavaDoc.

this
this(string username, char[] password, bool rememberMe)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted, as well as if the user wishes their identity to be remembered across sessions.

this
this(string username, string password, bool rememberMe)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted, as well as if the user wishes their identity to be remembered across sessions.

This is a convenience constructor and maintains the password internally via a character array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a string in your code could have possible security implications as noted in the class JavaDoc.

this
this(string username, char[] password, bool rememberMe, string host)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted, if the user wishes their identity to be remembered across sessions, and the inetAddress from where the attempt is occurring.

this
this(string username, string password, bool rememberMe, string host)

Constructs a new UsernamePasswordToken encapsulating the username and password submitted, if the user wishes their identity to be remembered across sessions, and the inetAddress from where the attempt is occurring.

This is a convenience constructor and maintains the password internally via a character array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a string in your code could have possible security implications as noted in the class JavaDoc.

Members

Functions

clear
void clear()

Clears out (nulls) the username, password, rememberMe, and inetAddress. The password bytes are explicitly set to <tt>0x00</tt> before nulling to eliminate the possibility of memory access at a later time.

getCredentials
char[] getCredentials()

Returns the password char array (see <tt>getPassword()</tt>).

getHost
string getHost()

Returns the host name or IP string from where the authentication attempt occurs. May be <tt>null</tt> if the host name/IP is unknown or explicitly omitted. It is up to the Authenticator implementation processing this token if an authentication attempt without a host is valid or not.

(Shiro's default Authenticator allows <tt>null</tt> hosts to support localhost and proxy server environments).

getPassword
char[] getPassword()

Returns the password submitted during an authentication attempt as a character array.

getPrincipal
string getPrincipal()

Simply returns <tt>getUsername()</tt>.

getUsername
string getUsername()

Returns the username submitted during an authentication attempt.

isRememberMe
bool isRememberMe()

Returns <tt>true</tt> if the submitting user wishes their identity (principal(s)) to be remembered across sessions, <tt>false</tt> otherwise. Unless overridden, this value is <tt>false</tt> by default.

name
string name()

Undocumented in source. Be warned that the author may not have intended to support it.

name
void name(string value)

Undocumented in source. Be warned that the author may not have intended to support it.

setHost
void setHost(string host)

Sets the host name or IP string from where the authentication attempt occurs. It is up to the Authenticator implementation processing this token if an authentication attempt without a host is valid or not.

(Shiro's default Authenticator allows <tt>null</tt> hosts to allow localhost and proxy server environments).

setPassword
void setPassword(char[] password)

Sets the password for submission during an authentication attempt.

setRememberMe
void setRememberMe(bool rememberMe)

Sets if the submitting user wishes their identity (principal(s)) to be remembered across sessions. Unless overridden, the default value is <tt>false</tt>, indicating <em>not</em> to be remembered across sessions.

setUsername
void setUsername(string username)

Sets the username for submission during an authentication attempt.

toString
string toString()

Returns the string representation. It does not include the password in the resulting string, for security reasons (to prevent accidentally printing out a password that might be widely viewable).

Inherited Members

From HostAuthenticationToken

getHost
string getHost()

Returns the host name of the client from where the authentication attempt originates or, if the Shiro environment cannot or chooses not to resolve the hostname to improve performance, the string representation of the client's IP address.

When used in web environments, this value is usually the same as the <tt>ServletRequest.getRemoteHost()</tt> value.

From RememberMeAuthenticationToken

isRememberMe
bool isRememberMe()

Returns <tt>true</tt> if the submitting user wishes their identity (principal(s)) to be remembered across sessions, <tt>false</tt> otherwise.
