public class BlackholeSecurityProvider extends java.lang.Object implements SecurityProvider
SecurityProvider.SecurityProviderDeniedAuthentication
Constructor and Description |
---|
BlackholeSecurityProvider() |
Modifier and Type | Method and Description |
---|---|
boolean |
authenticate(javax.servlet.http.HttpServletRequest request,
java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess,
java.lang.String user,
java.lang.String pass)
Perform the authentication.
|
boolean |
isAuthenticated(javax.servlet.http.HttpSession session)
If user supplied a value session, this passes that in so the
SecurityProvider
can check whether the user has previously authenticated, e.g. |
boolean |
logout(javax.servlet.http.HttpSession session)
Will get invoked on explicit REST API callback.
|
boolean |
requiresUserPass()
whether this provider requires a user/pass; if this returns false, the framework can
send null/null as the user/pass to
#authenticate(HttpSession, String, String) ,
and should do that if user/pass info is not immediately available
(ie for things like oauth, the framework should not require basic auth if this method returns false) |
public boolean isAuthenticated(javax.servlet.http.HttpSession session)
SecurityProvider
SecurityProvider
can check whether the user has previously authenticated, e.g. via an HttpSession.setAttribute(String, Object)
done by SecurityProvider.authenticate(HttpServletRequest, Supplier, String, String)
.
Note that this will be the MultiSessionAttributeAdapter.getPreferredSession()
.
If the user didn't request a session or they requested a session which is not known here, the argument will be null.
isAuthenticated
in interface SecurityProvider
public boolean authenticate(javax.servlet.http.HttpServletRequest request, java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess, java.lang.String user, java.lang.String pass) throws SecurityProvider.SecurityProviderDeniedAuthentication
SecurityProvider
SecurityProvider.requiresUserPass()
returns false, user/pass may be null;
otherwise the framework will guarantee the basic auth is in effect and these values are set.
The provider should not send a response but should throw SecurityProvider.SecurityProviderDeniedAuthentication
if a custom response is required. It can include a response in that exception,
e.g. to provide more information or supply a redirect.
It should not create a session via HttpServletRequest.getSession()
, especially if
auth is not successful (easy for DOS attack to chew up memory), and even on auth it should use
the Supplier
given here to get a session (that will create a session) to install.
(Note that this will return the MultiSessionAttributeAdapter.getPreferredSession()
,
not the request's local session.)
On successful auth this method may HttpSession.setAttribute(String, Object)
so that
SecurityProvider.isAuthenticated(HttpSession)
can return quickly on subsequent requests.
If so, see SecurityProvider.logout(HttpSession)
about clearing those values.
authenticate
in interface SecurityProvider
SecurityProvider.SecurityProviderDeniedAuthentication
public boolean logout(javax.servlet.http.HttpSession session)
SecurityProvider
MultiSessionAttributeAdapter
will be passed,
just as for other methods here.
Implementations here may remove any provider-specific attributes which cache authentication (although the session will be invalidated so that may be overkill).
logout
in interface SecurityProvider
public boolean requiresUserPass()
SecurityProvider
#authenticate(HttpSession, String, String)
,
and should do that if user/pass info is not immediately available
(ie for things like oauth, the framework should not require basic auth if this method returns false)requiresUserPass
in interface SecurityProvider