org.jboss.security

Interface AuthenticationManager

All Superinterfaces:

BaseSecurityManager

All Known Subinterfaces:

GeneralizedAuthenticationManager, SecurityDomain, ServerAuthenticationManager, SubjectSecurityManager

All Known Implementing Classes:

JaasSecurityManagerBase, JASPIServerAuthenticationManager, JBossAuthenticationManager, JBossCachedAuthenticationManager, NoAccessSecurityManager, NullSecurityManager

public interface AuthenticationManager
extends BaseSecurityManager

The AuthenticationManager is responsible for validating credentials associated with principals.

Version:

$Revision$

Author:

Scott.Stark@jboss.org, Anil.Saldhana@jboss.org

Method Summary

Modifier and Type	Method and Description
Subject	getActiveSubject() Deprecated. Use the JACC PolicyContextHandler using key "javax.security.auth.Subject.container"
Principal	getTargetPrincipal(Principal anotherDomainPrincipal, Map<String,Object> contextMap) Trust related usecases may require translation of a principal from another domain to the current domain An implementation of this interface may need to do a backdoor contact of the external trust provider in deriving the target principal
boolean	isValid(Principal principal, Object credential) The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity.
boolean	isValid(Principal principal, Object credential, Subject activeSubject) The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity.
void	logout(Principal principal, Subject subject) This method must be invoked to perform the logout of the incoming principal.

Methods inherited from interface org.jboss.security.BaseSecurityManager

getSecurityDomain

Method Detail

isValid

boolean isValid(Principal principal,
                Object credential)

The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity. Typically this is implemented as a call to isValid with a null Subject.

Parameters:

principal - - the user identity in the operation environment

credential - - the proof of user identity as known in the operation environment

Returns:

true if the principal, credential pair is valid, false otherwise.

See Also:

isValid(Principal, Object, Subject)

isValid

boolean isValid(Principal principal,
                Object credential,
                Subject activeSubject)

The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity. This extends AuthenticationManager version to provide a copy of the resulting authenticated Subject. This allows a caller to authenticate a user and obtain a Subject whose state cannot be modified by other threads associated with the same principal.

Parameters:

principal - - the user identity in the operation environment

credential - - the proof of user identity as known in the operation environment

activeSubject - - the Subject which should be populated with the validated Subject contents. A JAAS based implementation would typically populate the activeSubject with the LoginContext.login result.

Returns:

true if the principal, credential pair is valid, false otherwise.

getActiveSubject

Subject getActiveSubject()

Deprecated. Use the JACC PolicyContextHandler using key "javax.security.auth.Subject.container"

Get the currently authenticated subject. Historically implementations of AuthenticationManager isValid methods had the side-effect of setting the active Subject. This caused problems with multi-threaded usecases where the Subject instance was being shared by multiple threads. This is now deprecated in favor of the JACC PolicyContextHandler getContext(key, data) method.

Returns:

The previously authenticated Subject if isValid succeeded, null if isValid failed or has not been called for the active thread.

See Also:

PolicyContextHandler.getContext(String, Object)

getTargetPrincipal

Principal getTargetPrincipal(Principal anotherDomainPrincipal,
                             Map<String,Object> contextMap)

Trust related usecases may require translation of a principal from another domain to the current domain An implementation of this interface may need to do a backdoor contact of the external trust provider in deriving the target principal

Parameters:

anotherDomainPrincipal - Principal that is applicable in the other domain (Can be null - in which case the contextMap is used solely to derive the target principal)

contextMap - Any context information (including information on the other domain that may be relevant in deriving the target principal). Any SAML assertions that may be relevant can be passed here.

Returns:

principal from a target security domain

logout

void logout(Principal principal,
            Subject subject)

This method must be invoked to perform the logout of the incoming principal. The Subject associated with the principal is also provided, allowing implementations to perform any special cleanup based on the information contained in the Subject.

Parameters:

principal - the Principal being logged out.

subject - the Subject associated with the principal being logged out.