public final class ServerAuthenticationContext extends Object implements AutoCloseable
There are various effective states, described as follows:
When an instance of this class is first constructed, it is in the inactive state. In this state, the context retains a captured identity and contains a reference to a MechanismConfigurationSelector. The captured identity may be used for various context-sensitive authorization decisions. Additional mechanism information can be supplied to this state so that when authentication begins an appropriate MechanismConfiguration can be selected.
Once authentication commences the state will automatically transition to the initial state. In this state, the context retains a captured identity and a mechanism configuration which was resolved from the information supplied to the inactive state. The captured identity may be used for various context-sensitive authorization decisions. The mechanism configuration is used to associate an authentication mechanism-specific configuration, including rewriters, mechanism realms, server credential factories, and more.
When an authentication mechanism is "realm-aware" (that is, it has a notion of realms that is specific to that particular authentication mechanism, e.g. the DIGEST-MD5 SASL mechanism), it is necessary for the mechanism to relay the realm selection. This is done by way of the setMechanismRealmName() method. Calling this method in the initial state causes a transition to the realm-assigned state, in which the method may be reinvoked idempotently as long as it is called with the same name (calling the method with a different name will result in an exception).
The realm-assigned state is nearly identical to the initial state, except that from this state, the mechanism realm-specific configuration is applied to all subsequent operations.
From these unassigned states, several possible actions may be taken, depending on the necessary progression of the authentication:
- Calling the setAuthenticationName(String) method. The name is rewritten and mapped to a realm according to the domain settings, the mechanism configuration, and/or the mechanism realm configuration. The realm that is the resultant target of the mapping is queried for a realm identity. The realm identity may or may not exist; this status will affect the outcome of certain operations in subsequent states (as described below). After the realm identity is selected, any final rewrite operations which are configured are applied, and the resultant name is transformed into a NamePrincipal and associated as the authentication principal which may subsequently be queried.
- Calling the setAuthenticationPrincipal(Principal) method. The principal is decoded according to the configuration of the security domain (see the method documentation for input requirements and failure conditions). Once a name is decoded from the principal, it is assigned as described above.
- Calling the importIdentity(SecurityIdentity) method. The SecurityIdentity instance is examined to determine whether it can be used to complete an implicit authentication operation which would yield an authorized identity. The SecurityIdentity may be from the same domain or from a different one.
  - If the identity being imported is from the same security domain as this context, then the identity is implicitly authorized for usage, entering the authorized state described below.
  - If the identity being imported is not from the same security domain, then the principal is extracted from the identity and used to assign a realm identity in the same manner as setAuthenticationPrincipal(Principal). The domain is then queried to determine whether the target identity's source domain is trusted. If so, a normal authorization is carried out as described below for the assigned state, resulting in an authorized-authenticated state. If not, then the realm of the realm identity is compared against the realm of the identity being imported. If they are the same, the identity is imported and a normal authorization is carried out as described below.
- Calling the authorizeAnonymous() method. If the anonymous identity has the LoginPermission granted to it, the context will transition into the anonymous-authorized state; otherwise no state transition occurs.
- Calling the authorize() method. The captured identity (which may be anonymous) is queried for the presence of the LoginPermission; if present, the context will transition into the authorized or anonymous-authorized state (depending on whether the captured identity is anonymous); otherwise no state transition occurs.
- Calling the authorize(String) method. First, the given name is rewritten in the same manner as the setAuthenticationName(String) method. Then, the captured identity (which may be anonymous) is queried for the presence of a RunAsPrincipalPermission for the target name. If present, the authentication name is assigned as described above, and the resultant realm identity is queried for LoginPermission. If present, the context will transition to the authorized-authenticated state. If any step fails, no state transition occurs.
- Calling the fail() method. This method will dispose of all authentication resources and transition to the failed state.
In the name-assigned (or, for brevity, assigned) state, the following actions may be performed:
- Calling the authorize() method. If the selected realm identity possesses the LoginPermission, then the context transitions to the authorized-authenticated state; otherwise no state transition occurs.
- Calling the authorize(String) method. First, the given name is rewritten in the same manner as the setAuthenticationName(String) method. The current identity is then authorized as described above, and then the authorized identity is tested for a RunAsPrincipalPermission for the rewritten target name. If authorized, the context transitions to the authorized state for the realm identity corresponding to the rewritten name; otherwise no state transition occurs.
- Calling the fail() method. This method will dispose of all authentication resources and transition to the failed state.
There are three states related to authorization: the anonymous-authorized state, the authorized state, and the authorized-authenticated state. In all three states, the following actions may be taken:
- Calling the authorize() method. Since the identity is always authorized, this is generally a no-op.
- Calling the authorize(String) method. The given name is rewritten as previously described, and then the authorized identity is tested for a RunAsPrincipalPermission for the rewritten target name. If authorized, the context transitions to the authorized state for the realm identity corresponding to the rewritten name; otherwise no state transition occurs.
- Calling the succeed() method. This method will dispose of all authentication resources and transition to the complete state.
- Calling the fail() method. This method will dispose of all authentication resources and transition to the failed state.
The complete state has only one capability: the retrieval of the final authorized identity by way
of the getAuthorizedIdentity()
method.
The failed state has no capabilities and retains no reference to any identities or objects used during authentication.
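As an added example (not code from the Elytron project or from this page), the following walks a context through the states described above for a password-based mechanism, including the optional run-as step via authorize(String). It assumes a configured SecurityDomain is supplied by the caller and uses PasswordGuessEvidence from org.wildfly.security.evidence; the helper class name PasswordLoginFlow is hypothetical.

```java
import java.util.Arrays;

import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.evidence.PasswordGuessEvidence;

/**
 * Drives a ServerAuthenticationContext through the states described above for a
 * password-based mechanism: inactive -> initial -> name-assigned ->
 * authorized-authenticated (-> authorized, for run-as) -> complete. Every other
 * path ends in fail(), so a half-finished attempt never yields an identity.
 * PasswordLoginFlow is a hypothetical helper written for this example.
 */
public final class PasswordLoginFlow {

    private final SecurityDomain domain; // assumed to be configured and injected by the caller

    public PasswordLoginFlow(SecurityDomain domain) {
        this.domain = domain;
    }

    /**
     * Authenticates userName with the given password and, when runAsName is non-null,
     * additionally switches to that identity via authorize(String), which requires a
     * RunAsPrincipalPermission on the authenticated identity.
     *
     * @return the final authorized SecurityIdentity, or null if any step was refused
     */
    public SecurityIdentity login(String userName, char[] password, String runAsName)
            throws RealmUnavailableException {
        // try-with-resources: close() fails any attempt still in progress, so an exception
        // thrown by any step cannot leave the context dangling in an intermediate state
        try (ServerAuthenticationContext context = domain.createNewAuthenticationContext()) {
            // inactive -> initial -> name-assigned: the name is rewritten, mapped to a realm,
            // and a realm identity (which may or may not exist) is selected
            context.setAuthenticationName(userName);

            // Check existence explicitly instead of relying on a non-existent identity
            // to reject the evidence below
            if (!context.exists()) {
                context.fail();
                return null;
            }

            // The realm verifies the password guess against the selected realm identity
            PasswordGuessEvidence evidence = new PasswordGuessEvidence(password);
            boolean verified;
            try {
                verified = context.verifyEvidence(evidence);
            } finally {
                Arrays.fill(password, '\0'); // do not keep the cleartext guess around
            }
            if (!verified) {
                context.fail();
                return null;
            }

            // name-assigned -> authorized-authenticated: the realm identity must hold LoginPermission
            if (!context.authorize()) {
                context.fail();
                return null;
            }

            // authorized-authenticated -> authorized for the run-as target (optional);
            // refused unless the authenticated identity holds RunAsPrincipalPermission for it
            if (runAsName != null && !context.authorize(runAsName)) {
                context.fail();
                return null;
            }

            // -> complete: only getAuthorizedIdentity() remains usable on the context
            context.succeed();
            return context.getAuthorizedIdentity();
        }
    }
}
```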
Modifier and Type | Method and Description
---|---
void | addPrivateCredential(Credential credential): Add a private credential to the identity being authenticated.
void | addPublicCredential(Credential credential): Add a public credential to the identity being authenticated.
<C extends Credential,R> R | applyToCredential(Class<C> credentialType, Function<C,R> function): Apply the given function to the acquired credential, if it is set and of the given type.
<C extends Credential,R> R | applyToCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec, Function<C,R> function): Apply the given function to the acquired credential, if it is set and of the given type and algorithm.
<C extends Credential,R> R | applyToCredential(Class<C> credentialType, String algorithmName, Function<C,R> function): Apply the given function to the acquired credential, if it is set and of the given type and algorithm.
boolean | authorize(): Attempt to authorize an authentication attempt.
boolean | authorize(Principal principal): Attempt to authorize a change to a new user (possibly including an authentication attempt).
boolean | authorize(String name): Attempt to authorize a change to a new user (possibly including an authentication attempt).
boolean | authorizeAnonymous(): Set the authentication to anonymous, completing the authentication process.
boolean | authorizeAnonymous(boolean requireLoginPermission): Set the authentication to anonymous, completing the authentication process.
void | close(): Close the server authentication context, failing any in-progress authentication and releasing any associated resources.
boolean | exists(): Determine if the current authentication identity actually exists in the realm.
void | fail(): Mark this authentication as "failed".
Principal | getAuthenticationPrincipal(): Get the principal associated with the current authentication name.
SecurityIdentity | getAuthorizedIdentity(): Get the authorized identity result of this authentication.
<C extends Credential> C | getCredential(Class<C> credentialType): Acquire a credential of the given type.
<C extends Credential> C | getCredential(Class<C> credentialType, String algorithmName): Acquire a credential of the given type.
<C extends Credential> C | getCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec): Acquire a credential of the given type.
SupportLevel | getCredentialAcquireSupport(Class<? extends Credential> credentialType): Determine whether a given credential is definitely obtainable, possibly obtainable, or definitely not obtainable.
SupportLevel | getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName): Determine whether a given credential is definitely obtainable, possibly obtainable, or definitely not obtainable.
SupportLevel | getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec): Determine whether a given credential is definitely obtainable, possibly obtainable, or definitely not obtainable.
SupportLevel | getEvidenceVerifySupport(Class<? extends Evidence> evidenceType): Determine whether a given piece of evidence is definitely verifiable, possibly verifiable, or definitely not verifiable.
SupportLevel | getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName): Determine whether a given piece of evidence is definitely verifiable, possibly verifiable, or definitely not verifiable.
boolean | importIdentity(SecurityIdentity identity): Attempt to import the given security identity as a trusted identity.
boolean | isDone(): Determine if authentication was already completed on this context.
boolean | isSameName(String name): Determine if the given name refers to the same identity as the currently set authentication name.
boolean | isSamePrincipal(Principal principal): Determine if the given principal refers to the same identity as the currently set authentication name.
void | setAuthenticationName(String name): Set the authentication name for this authentication.
void | setAuthenticationName(String name, boolean exclusive): Set the authentication name for this authentication.
void | setAuthenticationPrincipal(Principal principal): Set the authentication principal for this authentication.
void | setAuthenticationPrincipal(Principal principal, boolean exclusive): Set the authentication principal for this authentication.
void | setMechanismInformation(MechanismInformation mechanismInformation): Set information about the current mechanism and request for this authentication attempt.
void | setMechanismRealmName(String realmName): Set the mechanism realm name to be equal to the given name.
void | succeed(): Mark this authentication as "successful".
void | updateCredential(Credential credential): Update the credential for the current authentication identity.
boolean | verifyEvidence(Evidence evidence): Verify the given evidence.
public void setMechanismInformation(MechanismInformation mechanismInformation) throws IllegalStateException
Parameters:
  mechanismInformation - the mechanism information about the current authentication attempt.
Throws:
  IllegalStateException - if the mechanism information about the current authentication attempt cannot be resolved to a mechanism configuration

public SecurityIdentity getAuthorizedIdentity() throws IllegalStateException
Throws:
  IllegalStateException - if the authentication is incomplete

public boolean authorizeAnonymous() throws IllegalStateException
Throws:
  IllegalStateException - if the authentication is already complete

public boolean authorizeAnonymous(boolean requireLoginPermission) throws IllegalStateException
Parameters:
  requireLoginPermission - true if LoginPermission is required and false otherwise
Throws:
  IllegalStateException - if the authentication is already complete

public void setAuthenticationName(String name) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
Parameters:
  name - the authentication name
Throws:
  IllegalArgumentException - if the name is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was already set and there is a mismatch

public void setAuthenticationName(String name, boolean exclusive) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
Parameters:
  name - the authentication name
  exclusive - true if exclusive access to the backing identity is required
Throws:
  IllegalArgumentException - if the name is syntactically invalid
  RealmUnavailableException - if the realm is not available or if exclusive access to the backing identity is required but could not be granted
  IllegalStateException - if the authentication name was already set and there is a mismatch

public void setAuthenticationPrincipal(Principal principal) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
Parameters:
  principal - the authentication principal
Throws:
  IllegalArgumentException - if the principal cannot be mapped to a name, or the mapped name is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was already set

public void setAuthenticationPrincipal(Principal principal, boolean exclusive) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
Parameters:
  principal - the authentication principal
  exclusive - true if exclusive access to the backing identity is required
Throws:
  IllegalArgumentException - if the principal cannot be mapped to a name, or the mapped name is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was already set

public boolean isSameName(String name) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
Parameters:
  name - the authentication name
Returns:
  true if the name matches the current identity, false otherwise
Throws:
  IllegalArgumentException - if the name is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was already set

public boolean isSamePrincipal(Principal principal) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
Parameters:
  principal - the authentication principal
Returns:
  true if the name matches the current identity, false otherwise
Throws:
  IllegalArgumentException - if the name is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was already set

public boolean exists() throws RealmUnavailableException, IllegalStateException
Returns:
  true if the identity exists, false otherwise
Throws:
  RealmUnavailableException - if the realm failed to access the identity
  IllegalStateException - if there is no authentication name set

public void fail() throws IllegalStateException
Throws:
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public boolean authorize() throws RealmUnavailableException, IllegalStateException
If the authorization succeeds, true is returned and the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, false is returned and the state of the context is unchanged.
Returns:
  true if the authorization succeeded, false otherwise
Throws:
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was not set or authentication was already complete

public boolean authorize(String name) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
If the authorization succeeds, true is returned and the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, false is returned and the state of the context is unchanged.
Parameters:
  name - the authorization name (must not be null)
Returns:
  true if the authorization succeeded, false otherwise
Throws:
  IllegalArgumentException - if the name is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication name was not set or authentication was already complete

public boolean authorize(Principal principal) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException
If the authorization succeeds, true is returned and the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, false is returned and the state of the context is unchanged.
Parameters:
  principal - the authorization principal (must not be null)
Returns:
  true if the authorization succeeded, false otherwise
Throws:
  IllegalArgumentException - if the principal is syntactically invalid
  RealmUnavailableException - if the realm is not available
  IllegalStateException - if the authentication principal was not set or authentication was already complete

public void succeed() throws IllegalStateException, RealmUnavailableException
Afterwards, the final authorized identity may be retrieved by way of the getAuthorizedIdentity() method. If no authentication actually happened, then authentication will complete anonymously.
Throws:
  IllegalStateException - if authentication is already completed
  RealmUnavailableException - if the realm is not able to handle requests for any reason

public boolean isDone()
Returns:
  true if authentication was completed; false otherwise

public Principal getAuthenticationPrincipal()
Throws:
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException
Parameters:
  credentialType - the credential type class (must not be null)
  algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
  parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName) throws RealmUnavailableException
Parameters:
  credentialType - the credential type class (must not be null)
  algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType) throws RealmUnavailableException
Parameters:
  credentialType - the credential type class (must not be null)
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException
Parameters:
  evidenceType - the evidence type class (must not be null)
  algorithmName - the algorithm name, or null if any algorithm is acceptable or the evidence type does not support algorithm names
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType) throws RealmUnavailableException
Parameters:
  evidenceType - the evidence type class (must not be null)
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException
Acquire a credential of the given type, identified by its Class and an optional algorithmName. If the algorithm name is not given, then the query is performed for any algorithm of the given type.
Type Parameters:
  C - the credential type
Parameters:
  credentialType - the credential type class (must not be null)
  algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
  parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters
Returns:
  the acquired credential, or null if the principal has no credential of that type
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName) throws RealmUnavailableException
Acquire a credential of the given type, identified by its Class and an optional algorithmName. If the algorithm name is not given, then the query is performed for any algorithm of the given type.
Type Parameters:
  C - the credential type
Parameters:
  credentialType - the credential type class (must not be null)
  algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
Returns:
  the acquired credential, or null if the principal has no credential of that type
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException
Acquire a credential of the given type, identified by its Class and an optional algorithmName. If the algorithm name is not given, then the query is performed for any algorithm of the given type.
Type Parameters:
  C - the credential type
Parameters:
  credentialType - the credential type class (must not be null)
Returns:
  the acquired credential, or null if the principal has no credential of that type
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public <C extends Credential,R> R applyToCredential(Class<C> credentialType, Function<C,R> function) throws RealmUnavailableException
Type Parameters:
  C - the credential type
  R - the return type
Parameters:
  credentialType - the credential type class (must not be null)
  function - the function to apply (must not be null)
Returns:
  the result of the function, or null if the criteria are not met
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public <C extends Credential,R> R applyToCredential(Class<C> credentialType, String algorithmName, Function<C,R> function) throws RealmUnavailableException
Type Parameters:
  C - the credential type
  R - the return type
Parameters:
  credentialType - the credential type class (must not be null)
  algorithmName - the algorithm name
  function - the function to apply (must not be null)
Returns:
  the result of the function, or null if the criteria are not met
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public <C extends Credential,R> R applyToCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec, Function<C,R> function) throws RealmUnavailableException
Type Parameters:
  C - the credential type
  R - the return type
Parameters:
  credentialType - the credential type class (must not be null)
  algorithmName - the algorithm name
  parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters
  function - the function to apply (must not be null)
Returns:
  the result of the function, or null if the criteria are not met
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException
Parameters:
  evidence - the evidence to verify
Returns:
  true if verification was successful, false otherwise
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason
  IllegalStateException - if no authentication has been initiated or authentication is already completed

public void addPublicCredential(Credential credential)
Parameters:
  credential - the credential to add (must not be null)

public void addPrivateCredential(Credential credential)
Parameters:
  credential - the credential to add (must not be null)

public boolean importIdentity(SecurityIdentity identity) throws RealmUnavailableException
If this method returns true, the context will be in an authorized state, and the new identity can be retrieved.
Parameters:
  identity - the identity to import (must not be null)
Returns:
  true if the identity is authorized, false otherwise
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason

public void setMechanismRealmName(String realmName) throws IllegalStateException, IllegalArgumentException
Parameters:
  realmName - the selected realm name
Throws:
  IllegalStateException - if a realm name was already selected or it is too late to choose a realm
  IllegalArgumentException - if the selected realm name was not offered

public void updateCredential(Credential credential) throws RealmUnavailableException
Parameters:
  credential - the new credential (must not be null)
Throws:
  RealmUnavailableException - if the realm is not able to handle requests for any reason

public void close()
Specified by:
  close in interface AutoCloseable
Copyright © 2019 JBoss by Red Hat. All rights reserved.