public final class SecurityDomain extends Object
Modifier and Type | Class and Description |
---|---|
static class |
SecurityDomain.Builder
A builder for creating new security domains.
|
static class |
SecurityDomain.RealmBuilder
A builder for a realm within a security domain.
|
Modifier and Type | Method and Description |
---|---|
SecurityIdentity |
authenticate(Evidence evidence)
Perform an authentication based on
Evidence alone. |
SecurityIdentity |
authenticate(Principal principal,
Evidence evidence)
|
SecurityIdentity |
authenticate(String name,
Evidence evidence)
Perform an authentication based on
Evidence for the specified identity name. |
static SecurityDomain.Builder |
builder()
Create a new security domain builder.
|
SecurityIdentity |
createAdHocIdentity(Principal principal)
Create an empty ad-hoc identity.
|
SecurityIdentity |
createAdHocIdentity(String name)
Create an empty ad-hoc identity.
|
ServerAuthenticationContext |
createNewAuthenticationContext()
Create a new authentication context for this security domain which can be used to carry out a single authentication
operation.
|
ServerAuthenticationContext |
createNewAuthenticationContext(MechanismConfigurationSelector mechanismConfigurationSelector)
Create a new authentication context for this security domain which can be used to carry out a single authentication
operation.
|
static SecurityDomain |
forIdentity(SecurityIdentity identity)
Get the security domain associated with the given identity.
|
SecurityIdentity |
getAnonymousSecurityIdentity()
Get the anonymous security identity for this realm.
|
SupportLevel |
getCredentialAcquireSupport(Class<? extends Credential> credentialType)
Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for
some identities), or definitely not obtainable.
|
SupportLevel |
getCredentialAcquireSupport(Class<? extends Credential> credentialType,
String algorithmName)
Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for
some identities), or definitely not obtainable.
|
SupportLevel |
getCredentialAcquireSupport(Class<? extends Credential> credentialType,
String algorithmName,
AlgorithmParameterSpec parameterSpec)
Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for
some identities), or definitely not obtainable.
|
static SecurityDomain |
getCurrent()
Get the
SecurityDomain associated with the context class loader of the calling Thread or null if one is
not associated. |
SecurityIdentity |
getCurrentSecurityIdentity()
Get the current security identity for this domain.
|
SupportLevel |
getEvidenceVerifySupport(Class<? extends Evidence> evidenceType)
Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities),
or definitely not verifiable.
|
SupportLevel |
getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
String algorithmName)
Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities),
or definitely not verifiable.
|
RealmIdentity |
getIdentity(Principal principal)
Look up a
RealmIdentity by principal. |
RealmIdentity |
getIdentity(String name)
Look up a
RealmIdentity by name by wrapping the name in a NamePrincipal and calling getIdentity(Principal) . |
ModifiableRealmIdentity |
getIdentityForUpdate(Principal principal)
Look up a
ModifiableRealmIdentity by principal. |
org.wildfly.common.function.ExceptionFunction<Principal,ModifiableRealmIdentity,RealmUnavailableException> |
getIdentityLookupForUpdateFunction()
Get a function which can be used to look up principals for update without a security manager permission check.
|
org.wildfly.common.function.ExceptionFunction<Principal,RealmIdentity,RealmUnavailableException> |
getIdentityLookupFunction()
Get a function which can be used to look up principals without a security manager permission check.
|
static ScheduledExecutorService |
getScheduledExecutorService()
Gets
ScheduledExecutorService for authentication related scheduled task (like authentication timeout). |
void |
handleSecurityEvent(SecurityEvent securityEvent)
Handle a
SecurityEvent . |
void |
registerWithClassLoader(ClassLoader classLoader)
Register this
SecurityDomain with the specified ClassLoader . |
static void |
unregisterClassLoader(ClassLoader classLoader)
Unregister any
SecurityDomain associated with the specified ClassLoader . |
public void registerWithClassLoader(ClassLoader classLoader)
SecurityDomain
with the specified ClassLoader
.
Registration with enabled security manager requires registerSecurityDomain
ElytronPermission
.classLoader
- the non null
ClassLoader
to associate this SecurityDomain
with.IllegalStateException
- If a SecurityDomain
is already associated with the specified ClassLoader
.public static SecurityDomain getCurrent()
SecurityDomain
associated with the context class loader of the calling Thread or null
if one is
not associated.
Obtaining security domain with enabled security manager requires getSecurityDomain
ElytronPermission
.SecurityDomain
associated with the context class loader of the calling Thread or null
if one
is not associated.public static SecurityDomain forIdentity(SecurityIdentity identity)
getSecurityDomain
ElytronPermission
.identity
- the security identity (must not be null
)null
)public static void unregisterClassLoader(ClassLoader classLoader)
SecurityDomain
associated with the specified ClassLoader
.
Unregistration with enabled security manager requires unregisterSecurityDomain
ElytronPermission
.classLoader
- the non null
ClassLoader
to clear any SecurityDomain
association.public static SecurityDomain.Builder builder()
public ServerAuthenticationContext createNewAuthenticationContext()
createServerAuthenticationContext
ElytronPermission
.public ServerAuthenticationContext createNewAuthenticationContext(MechanismConfigurationSelector mechanismConfigurationSelector)
createServerAuthenticationContext
ElytronPermission
.mechanismConfigurationSelector
- the selector to use to obtain the mechanism configurationpublic SecurityIdentity authenticate(Evidence evidence) throws RealmUnavailableException, SecurityException
Evidence
alone.
Note: It is the caller's responsibility to destroy any evidence passed into this method.evidence
- the Evidence
to use for authentication.RealmUnavailableException
- if the requires SecurityRealm
is not available.SecurityException
- if authentication fails.public SecurityIdentity authenticate(String name, Evidence evidence) throws RealmUnavailableException, SecurityException
Evidence
for the specified identity name.
Note: It is the caller's responsibility to destroy any evidence passed into this method.name
- the name of the identity to authenticate or null
if the identity is to be derived from the evidence.evidence
- the Evidence
to use for authentication.RealmUnavailableException
- if the requires SecurityRealm
is not available.SecurityException
- if authentication fails.public SecurityIdentity authenticate(Principal principal, Evidence evidence) throws RealmUnavailableException, SecurityException
Evidence
for the specified identity Principal
.
Note: It is the caller's responsibility to destroy any evidence passed into this method.
Calling with enabled security manager requires authenticate
ElytronPermission
.principal
- the principal of the identity to authenticate or null
if the identity is to be derived from the evidence.evidence
- the Evidence
to use for authentication.RealmUnavailableException
- if the requires SecurityRealm
is not available.SecurityException
- if authentication fails.public RealmIdentity getIdentity(String name) throws RealmUnavailableException
RealmIdentity
by name by wrapping the name in a NamePrincipal
and calling getIdentity(Principal)
.
The returned identity must be disposed.name
- the name to map (must not be null
)null
, may be non-existent)RealmUnavailableException
- if the realm is not able to perform the mappingIllegalArgumentException
- if the name is not validSecurityException
- if the caller is not authorized to perform the operationpublic RealmIdentity getIdentity(Principal principal) throws RealmUnavailableException, IllegalArgumentException
RealmIdentity
by principal.
The returned identity must be disposed.
Calling with enabled security manager requires getIdentity
ElytronPermission
.principal
- the principal to map (must not be null
)null
, may be non-existent)IllegalArgumentException
- if the principal could not be successfully decoded to a nameRealmUnavailableException
- if the realm is not able to perform the mappingSecurityException
- if the caller is not authorized to perform the operationpublic ModifiableRealmIdentity getIdentityForUpdate(Principal principal) throws RealmUnavailableException, IllegalArgumentException
ModifiableRealmIdentity
by principal.
The returned identity must be disposed.
Calling with enabled security manager requires getIdentityForUpdate
ElytronPermission
.principal
- the principal to map (must not be null
)null
, may be non-existent)IllegalArgumentException
- if the principal could not be successfully decoded to a nameRealmUnavailableException
- if the realm is not able to perform the mappingSecurityException
- if the caller is not authorized to perform the operationpublic org.wildfly.common.function.ExceptionFunction<Principal,RealmIdentity,RealmUnavailableException> getIdentityLookupFunction()
getIdentity
ElytronPermission
.null
)SecurityException
- if the caller is not authorized to perform the operationpublic org.wildfly.common.function.ExceptionFunction<Principal,ModifiableRealmIdentity,RealmUnavailableException> getIdentityLookupForUpdateFunction()
getIdentityForUpdate
ElytronPermission
.null
)SecurityException
- if the caller is not authorized to perform the operationpublic SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec)
SupportLevel.SUPPORTED
, if it is supported by all realms of the domain.
Credential is SupportLevel.POSSIBLY_SUPPORTED
if it is supported or possibly supported by at least one realm of the domain.
Otherwise it is SupportLevel.UNSUPPORTED
.credentialType
- the exact credential type (must not be null
)algorithmName
- the algorithm name, or null
if any algorithm is acceptable or the credential type does
not support algorithm namesparameterSpec
- the algorithm parameters to match, or null
if any parameters are acceptable or the credential type
does not support algorithm parameterspublic SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName)
SupportLevel.SUPPORTED
, if it is supported by all realms of the domain.
Credential is SupportLevel.POSSIBLY_SUPPORTED
if it is supported or possibly supported by at least one realm of the domain.
Otherwise it is SupportLevel.UNSUPPORTED
.credentialType
- the exact credential type (must not be null
)algorithmName
- the algorithm name, or null
if any algorithm is acceptable or the credential type does
not support algorithm namespublic SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType)
SupportLevel.SUPPORTED
, if it is supported by all realms of the domain.
Credential is SupportLevel.POSSIBLY_SUPPORTED
if it is supported or possibly supported by at least one realm of the domain.
Otherwise it is SupportLevel.UNSUPPORTED
.credentialType
- the exact credential type (must not be null
)public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName)
SupportLevel.SUPPORTED
, if it is supported by all realms of the domain.
Evidence is SupportLevel.POSSIBLY_SUPPORTED
if it is supported or possibly supported by at least one realm of the domain.
Otherwise it is SupportLevel.UNSUPPORTED
.evidenceType
- the type of evidence to be verified (must not be null
)algorithmName
- the algorithm name, or null
if any algorithm is acceptable or the evidence type does
not support algorithm namespublic SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType)
SupportLevel.SUPPORTED
, if it is supported by all realms of the domain.
Evidence is SupportLevel.POSSIBLY_SUPPORTED
if it is supported or possibly supported by at least one realm of the domain.
Otherwise it is SupportLevel.UNSUPPORTED
.evidenceType
- the type of evidence to be verified (must not be null
)public SecurityIdentity getCurrentSecurityIdentity()
SecurityIdentity.runAs*
methods.null
)public SecurityIdentity getAnonymousSecurityIdentity()
null
)public SecurityIdentity createAdHocIdentity(String name)
name
- the identity name (must not be null
)public SecurityIdentity createAdHocIdentity(Principal principal)
createAdHocIdentity
ElytronPermission
.principal
- the identity principal (must not be null
)public void handleSecurityEvent(SecurityEvent securityEvent)
SecurityEvent
.
Calling with enabled security manager requires handleSecurityEvent
ElytronPermission
.securityEvent
- SecurityEvent
to be handledSecurityDomain.Builder.setSecurityEventListener(Consumer)
public static ScheduledExecutorService getScheduledExecutorService()
ScheduledExecutorService
for authentication related scheduled task (like authentication timeout).Copyright © 2021 JBoss by Red Hat. All rights reserved.