Package org.wildfly.security.auth.server

Class SecurityIdentity

java.lang.Object
org.wildfly.security.auth.server.SecurityIdentity
All Implemented Interfaces:
Supplier<SecurityIdentity>, Scoped, PermissionMappable, PermissionVerifier
public final class SecurityIdentity extends Object implements PermissionVerifier, PermissionMappable, Supplier<SecurityIdentity>, Scoped
A loaded and authenticated security identity.
Author:
David M. Lloyd

  • Method Details

    • runAs

      @Deprecated public <T> T runAs(PrivilegedAction<T> action)
      Deprecated.
      Use Scoped.runAsSupplier(Supplier) instead.
      Run an action under this identity.
      Type Parameters:
      T - the action return type
      Parameters:
      action - the action to run
      Returns:
      the action result (may be null)

    • runAs

      @Deprecated public <T> T runAs(PrivilegedExceptionAction<T> action) throws PrivilegedActionException
      Deprecated.
      Use Scoped.runAsSupplierEx(ExceptionSupplier) instead.
      Run an action under this identity.
      Type Parameters:
      T - the action return type
      Parameters:
      action - the action to run
      Returns:
      the action result (may be null)
      Throws:
      PrivilegedActionException - if the action fails

    • runAs

      @Deprecated public <T, P> T runAs(P parameter, ParametricPrivilegedAction<T,P> action)
      Deprecated.
      Use Scoped.runAsFunction(Function, Object) instead.
      Run an action under this identity.
      Type Parameters:
      T - the action return type
      P - the action parameter type
      Parameters:
      parameter - the parameter to pass to the action
      action - the action to run
      Returns:
      the action result (may be null)

    • runAs

      @Deprecated public <T, P> T runAs(P parameter, ParametricPrivilegedExceptionAction<T,P> action) throws PrivilegedActionException
      Deprecated.
      Use Scoped.runAsFunctionEx(ExceptionFunction, Object) instead.
      Run an action under this identity.
      Type Parameters:
      T - the action return type
      P - the action parameter type
      Parameters:
      parameter - the parameter to pass to the action
      action - the action to run
      Returns:
      the action result (may be null)
      Throws:
      PrivilegedActionException - if the action fails

    • runAsFunction

      public <T, U, R> R runAsFunction(BiFunction<T,U,R> action, T parameter1, U parameter2)
      Run an action under this identity.
      Specified by:
      runAsFunction in interface Scoped
      Type Parameters:
      R - the action return type
      T - the action first parameter type
      U - the action second parameter type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run
      Returns:
      the action result (may be null)

    • runAsConsumer

      public <T, U> void runAsConsumer(BiConsumer<T,U> action, T parameter1, U parameter2)
      Run an action under this identity.
      Specified by:
      runAsConsumer in interface Scoped
      Type Parameters:
      T - the action first parameter type
      U - the action second parameter type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run

    • runAsObjIntConsumer

      public <T> void runAsObjIntConsumer(ObjIntConsumer<T> action, T parameter1, int parameter2)
      Run an action under this identity.
      Specified by:
      runAsObjIntConsumer in interface Scoped
      Type Parameters:
      T - the action first parameter type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run

    • runAsFunctionEx

      public <T, U, R, E extends Exception> R runAsFunctionEx(ExceptionBiFunction<T,U,R,E> action, T parameter1, U parameter2) throws E
      Run an action under this identity.
      Specified by:
      runAsFunctionEx in interface Scoped
      Type Parameters:
      R - the action return type
      T - the action first parameter type
      U - the action second parameter type
      E - the action exception type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run
      Returns:
      the action result (may be null)
      Throws:
      E - if the action throws this exception

    • runAsConsumerEx

      public <T, U, E extends Exception> void runAsConsumerEx(ExceptionBiConsumer<T,U,E> action, T parameter1, U parameter2) throws E
      Run an action under this identity.
      Specified by:
      runAsConsumerEx in interface Scoped
      Type Parameters:
      T - the action first parameter type
      U - the action second parameter type
      E - the action exception type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run
      Throws:
      E - if the action throws this exception

    • runAsObjIntConsumerEx

      public <T, E extends Exception> void runAsObjIntConsumerEx(ExceptionObjIntConsumer<T,E> action, T parameter1, int parameter2) throws E
      Run an action under this identity.
      Specified by:
      runAsObjIntConsumerEx in interface Scoped
      Type Parameters:
      T - the action first parameter type
      E - the action exception type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run
      Throws:
      E - if the action throws this exception

    • runAsBiPredicate

      public <T, U> boolean runAsBiPredicate(BiPredicate<T,U> action, T parameter1, U parameter2)
      Run an action under this identity.
      Specified by:
      runAsBiPredicate in interface Scoped
      Type Parameters:
      T - the action first parameter type
      U - the action second parameter type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run
      Returns:
      the action result (may be null)

    • runAsExBiPredicate

      public <T, U, E extends Exception> boolean runAsExBiPredicate(ExceptionBiPredicate<T,U,E> action, T parameter1, U parameter2) throws E
      Run an action under this identity.
      Specified by:
      runAsExBiPredicate in interface Scoped
      Type Parameters:
      T - the action first parameter type
      U - the action second parameter type
      E - the action exception type
      Parameters:
      parameter1 - the first parameter to pass to the action
      parameter2 - the second parameter to pass to the action
      action - the action to run
      Returns:
      the action result (may be null)
      Throws:
      E - if the action throws this exception

    • runAsAll

      public static <T> T runAsAll(PrivilegedExceptionAction<T> action, SecurityIdentity... identities) throws PrivilegedActionException
      Run an action under a series of identities.
      Type Parameters:
      T - the action return type
      Parameters:
      action - the action to run
      identities - the identities to set up
      Returns:
      the action result (may be null)
      Throws:
      PrivilegedActionException - if the action fails

    • getRoles

      public Roles getRoles()
      Get the roles associated with this identity.
      Returns:
      the roles associated with this identity

    • getRoles

      public Roles getRoles(String category)
      Get the mapped roles associated with this identity. If no role mapping exists for the given category, an empty role set is returned.
      Parameters:
      category - the role mapping category
      Returns:
      the category roles

    • withSecurityIdentitySupplier

      public SecurityIdentity withSecurityIdentitySupplier(Supplier<SecurityIdentity[]> securityIdentities)
      Attempt to create a new identity that is the same as this identity but with a Supplier<SecurityIdentity[]> to supply identities that will be associated with all 'run' calls. Any existing individual identities associated with this identity will be dropped. The supplier will be called for each run call so were possible should handle it's own optimisation.
      Parameters:
      securityIdentities - a Supplier<SecurityIdentity[]> for identities to be associated with every run call.
      Returns:
      the new identity
      Throws:
      IllegalArgumentException - if the supplied identity

    • withSecurityIdentity

      public SecurityIdentity withSecurityIdentity(SecurityIdentity securityIdentity)
      Attempt to create a new identity that is the same as this identity but with an additional identity from a different security domain that will be associated with all 'run' calls. If a Supplier<SecurityIdentity[]> has previously been associated with this identity it will be dropped.
      Parameters:
      securityIdentity - the SecurityIdentity to also be associated with all run calls made to this identity.
      Returns:
      the new identity
      Throws:
      IllegalArgumentException - if the supplied identity

    • getRoles

      public Roles getRoles(String category, boolean fallbackToDefault)
      Get the mapped roles associated with this identity.
      Parameters:
      category - the role mapping category
      fallbackToDefault - true if the default roles associated with this identity should be returned if no role mapping exists for the given category, false otherwise
      Returns:
      the category roles

    • withRoleMapper

      public SecurityIdentity withRoleMapper(String category, RoleMapper roleMapper)
      Attempt to create a new identity which replaces a role mapper category on the current identity. If the given role mapper is already set on the current identity, the current identity is returned.
      Parameters:
      category - the category name
      roleMapper - the role mapper to use
      Returns:
      the new identity
      Throws:
      SecurityException - if the calling class is not granted the ChangeRoleMapperPermission for the given category name

    • withDefaultRoleMapper

      public SecurityIdentity withDefaultRoleMapper(RoleMapper roleMapper)
      Attempt to create a new identity which wraps the default roles with a default role mapper.
      Parameters:
      roleMapper - the roleMapper to map the roles.
      Returns:
      the new identity
      Throws:
      SecurityException - if the calling class is not granted the withDefaultRoleMapper permission.

    • createRunAsIdentity

      public SecurityIdentity createRunAsIdentity(String name) throws SecurityException
      Attempt to create a new identity that can be used to run as a user with the given name. If the current identity is not authorized to run as a user with the given name, an exception is thrown. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission. Regardless security manager is enabled, RunAsPrincipalPermission for given name is required.
      Parameters:
      name - the name to attempt to run as
      Returns:
      the new security identity
      Throws:
      SecurityException - if the operation authorization failed for any reason

    • createRunAsIdentity

      public SecurityIdentity createRunAsIdentity(String name, boolean authorize) throws SecurityException
      Attempt to create a new identity that can be used to run as a user with the given name. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.
      Parameters:
      name - the name to attempt to run as
      authorize - whether to check the current identity is authorized to run as a user with the given principal (has RunAsPrincipalPermission)
      Returns:
      the new security identity
      Throws:
      SecurityException - if the caller does not have the setRunAsPrincipal ElytronPermission or if the operation authorization failed for any other reason

    • createRunAsIdentity

      public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException
      Attempt to create a new identity that can be used to run as a user with the given principal. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.
      Parameters:
      principal - the principal to attempt to run as
      authorize - whether to check the current identity is authorized to run as a user with the given principal (has RunAsPrincipalPermission)
      Returns:
      the new security identity
      Throws:
      SecurityException - if the caller does not have the setRunAsPrincipal ElytronPermission or if the operation authorization failed for any other reason

    • createRunAsAnonymous

      public SecurityIdentity createRunAsAnonymous() throws SecurityException
      Attempt to create a new identity that can be used to run as an anonymous user. If the current identity is not authorized to run as an anonymous user, an exception is thrown. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission. LoginPermission granted to the anonymous identity will be required.
      Returns:
      the new security identity
      Throws:
      SecurityException - if the operation authorization failed for any reason

    • createRunAsAnonymous

      public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException
      Attempt to create a new identity that can be used to run as an anonymous user Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.
      Parameters:
      authorize - whether to check the anonymous identity is authorized to log in (has LoginPermission)
      Returns:
      the new security identity
      Throws:
      SecurityException - if the caller does not have the setRunAsPrincipal ElytronPermission or if the operation authorization failed for any other reason

    • intersectWith

      public SecurityIdentity intersectWith(PermissionVerifier verifier)
      Create a new security identity which is the same as this one, but which limits authorization privileges to the intersection of the current privileges and the given verifier.
      Parameters:
      verifier - the restricted verifier (must not be null)
      Returns:
      the restricted identity

    • implies

      public boolean implies(Permission permission)
      Description copied from interface: PermissionVerifier
      Determine if the permission is verified by this object.
      Specified by:
      implies in interface PermissionVerifier
      Parameters:
      permission - the permission to verify (must not be null)
      Returns:
      true if the permission is implied by this verifier, false otherwise

    • getAttributes

      public Attributes getAttributes()
      Get the attributes associated with this identity.
      Specified by:
      getAttributes in interface PermissionMappable
      Returns:
      a read-only instance of Attributes with all attributes associated with this identity

    • getPrincipal

      public Principal getPrincipal()
      Get the principal of this identity.
      Specified by:
      getPrincipal in interface PermissionMappable
      Returns:
      the principal of this identity

    • getCreationTime

      public Instant getCreationTime()
      Get the creation time of this identity, which is the time that the initial authentication occurred.
      Specified by:
      getCreationTime in interface PermissionMappable
      Returns:
      the creation time of this identity (not null)

    • getPublicCredentials

      public IdentityCredentials getPublicCredentials()
      Get the public credentials of this identity.
      Specified by:
      getPublicCredentials in interface PermissionMappable
      Returns:
      the public credentials of this identity (not null)

    • isAnonymous

      public boolean isAnonymous()
      Convenience method to determine if this identity is anonymous.
      Returns:
      true if the identity is anonymous, false otherwise

    • withPublicCredential

      public SecurityIdentity withPublicCredential(Credential credential)
      Create a new security identity which is the same as this one, but which includes the given credential as a public credential.
      Parameters:
      credential - the credential (must not be null)
      Returns:
      the new identity

    • withPublicCredentials

      public SecurityIdentity withPublicCredentials(IdentityCredentials credentials)
      Create a new security identity which is the same as this one, but which includes the given credentials as public credentials.
      Parameters:
      credentials - the credential set (must not be null)
      Returns:
      the new identity

    • withPrivateCredential

      public SecurityIdentity withPrivateCredential(Credential credential)
      Create a new security identity which is the same as this one, but which includes the given credential as a private credential.
      Parameters:
      credential - the credential (must not be null)
      Returns:
      the new identity

    • withPrivateCredentials

      public SecurityIdentity withPrivateCredentials(IdentityCredentials credentials)
      Create a new security identity which is the same as this one, but which includes the given credentials as private credentials.
      Parameters:
      credentials - the credential set (must not be null)
      Returns:
      the new identity

    • withRuntimeAttributes

      public SecurityIdentity withRuntimeAttributes(Attributes runtimeAttributes)
      Create a new security identity which is the same as this one, but which includes the given runtime attributes.
      Parameters:
      runtimeAttributes - the runtime attributes (must not be null)
      Returns:
      the new identity

    • getPrivateCredentials

      public IdentityCredentials getPrivateCredentials()
      Get the private credentials of this identity. The caller must have the getPrivateCredentials ElytronPermission.
      Returns:
      the private credentials of this identity (not null)

    • get

      public SecurityIdentity get()
      Get this identity.
      Specified by:
      get in interface Supplier<SecurityIdentity>
      Returns:
      this identity

    • createFlexibleAssociation

      public FlexibleIdentityAssociation createFlexibleAssociation()
      Create a new flexible identity association, initializing it with this identity.
      Returns:
      the new flexible identity association (not null)

    • toString

      public String toString()
      Overrides:
      toString in class Object