public interface SecurityProvider
Modifier and Type | Interface and Description |
---|---|
static class | SecurityProvider.SecurityProviderDeniedAuthentication: thrown by authenticate(...) when the provider denies authentication and needs the framework to send a custom response (e.g. more information, or a redirect) rather than the default one. |
Modifier and Type | Method and Description |
---|---|
boolean | authenticate(javax.servlet.http.HttpServletRequest request, java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess, java.lang.String user, java.lang.String pass): Perform the authentication. |
boolean | isAuthenticated(javax.servlet.http.HttpSession session): If the user supplied a valid session, this passes that in so the SecurityProvider can check whether the user has previously authenticated, e.g. via a session attribute set by authenticate(...). |
boolean | logout(javax.servlet.http.HttpSession session): Will get invoked on explicit REST API callback. |
boolean | requiresUserPass(): Whether this provider requires a user/pass. If this returns false, the framework can send null/null as the user/pass to authenticate(HttpServletRequest, Supplier, String, String), and should do that if user/pass info is not immediately available (i.e. for things like OAuth, the framework should not require basic auth if this method returns false). |
boolean isAuthenticated(@Nullable javax.servlet.http.HttpSession session)
If the user supplied a valid session, this passes that in so the SecurityProvider can check whether the user has previously authenticated, e.g. via an HttpSession.setAttribute(String, Object) done by authenticate(HttpServletRequest, Supplier, String, String).
Note that this will be the MultiSessionAttributeAdapter.getPreferredSession().
If the user didn't request a session, or they requested a session which is not known here, the argument will be null. Implementations must handle null and treat it as "not authenticated" rather than dereferencing it.
boolean requiresUserPass()
Whether this provider requires a user/pass. If this returns false, the framework can send null/null as the user/pass to authenticate(HttpServletRequest, Supplier, String, String), and should do that if user/pass info is not immediately available (i.e. for things like OAuth, the framework should not require basic auth if this method returns false). (The original Javadoc links to a three-argument authenticate(HttpSession, String, String); the method declared on this interface is the four-argument form shown next.)

boolean authenticate(javax.servlet.http.HttpServletRequest request, java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess, java.lang.String user, java.lang.String pass) throws SecurityProvider.SecurityProviderDeniedAuthentication
Perform the authentication. If requiresUserPass() returns false, user/pass may be null; otherwise the framework will guarantee that basic auth is in effect and these values are set.
The provider should not send a response itself but should throw SecurityProvider.SecurityProviderDeniedAuthentication if a custom response is required. It can include a response in that exception, e.g. to provide more information or supply a redirect.
It should not create a session via HttpServletRequest.getSession(), especially if auth is not successful (an unauthenticated client could otherwise create sessions at will and chew up server memory, an easy DoS), and even on successful auth it should use the Supplier given here to get a session (that will create a session) to install. (Note that this will return the MultiSessionAttributeAdapter.getPreferredSession(), not the request's local session.)
On successful auth this method may call HttpSession.setAttribute(String, Object) so that isAuthenticated(HttpSession) can return quickly on subsequent requests. If so, see logout(HttpSession) about clearing those values.
boolean logout(javax.servlet.http.HttpSession session)
Will get invoked on explicit REST API callback. The MultiSessionAttributeAdapter will be passed, just as for other methods here.
Implementations here may remove any provider-specific attributes which cache authentication (although the session will be invalidated, so that may be overkill).
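As an added example (not code from the Brooklyn project or from this Javadoc), the following user/pass provider follows each rule above: it never calls request.getSession(), obtains a session only through the supplier and only after the password check passes, throws SecurityProviderDeniedAuthentication carrying a custom 401 challenge on failure, caches the result in a session attribute so isAuthenticated() is cheap, and clears that attribute in logout(). The class name, the org.apache.brooklyn.rest.security.provider package, the assumption that SecurityProviderDeniedAuthentication has a constructor taking a javax.ws.rs.core.Response, and the credential store and salt are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.function.Supplier;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.Response;

import org.apache.brooklyn.rest.security.provider.SecurityProvider;  // assumed package

/**
 * Added example, not Brooklyn's own code: a minimal user/pass SecurityProvider that follows
 * the session rules in the Javadoc. Assumes SecurityProviderDeniedAuthentication accepts a
 * javax.ws.rs.core.Response in its constructor.
 */
public class ExampleUserPassSecurityProvider implements SecurityProvider {

    /** Session attribute that caches a successful authentication by this provider. */
    private static final String AUTH_ATTR = ExampleUserPassSecurityProvider.class.getName() + ".user";

    /** Constructed sample salt; a real store keeps a random salt per user. */
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);

    /** Constructed sample credential store: username -> PBKDF2(password). */
    private static final Map<String, byte[]> USERS = Map.of("admin", pbkdf2("correct horse battery staple"));

    @Override
    public boolean requiresUserPass() {
        // This provider needs basic auth, so the framework guarantees non-null user/pass.
        return true;
    }

    @Override
    public boolean isAuthenticated(HttpSession session) {
        // Null means the client sent no session or an unknown one: nothing cached, so not authenticated.
        return session != null && session.getAttribute(AUTH_ATTR) != null;
    }

    @Override
    public boolean authenticate(HttpServletRequest request, Supplier<HttpSession> sessionSupplierOnSuccess,
                                String user, String pass) throws SecurityProviderDeniedAuthentication {
        if (user == null || pass == null) {
            throw denied();  // cannot happen while requiresUserPass() is true, but never dereference null
        }
        // Derive the key even for unknown users so response time does not reveal which usernames exist.
        byte[] supplied = pbkdf2(pass);
        byte[] expected = USERS.get(user);
        boolean ok = expected != null && MessageDigest.isEqual(expected, supplied);  // constant-time compare
        if (!ok) {
            // Deliberately no request.getSession() here: a failed attempt allocates no server state.
            throw denied();
        }
        // Only now obtain the preferred session through the supplier; this is what creates it.
        // Cache the user so isAuthenticated() can answer later requests without re-deriving the key.
        HttpSession session = sessionSupplierOnSuccess.get();
        session.setAttribute(AUTH_ATTR, user);
        return true;
    }

    @Override
    public boolean logout(HttpSession session) {
        // Drop the cached marker; the framework invalidates the session too, so this is belt-and-braces.
        if (session != null) {
            session.removeAttribute(AUTH_ATTR);
        }
        return true;
    }

    /** Denial carrying a tailored 401 challenge, which the framework sends instead of its default. */
    private static SecurityProviderDeniedAuthentication denied() {
        return new SecurityProviderDeniedAuthentication(
                Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"brooklyn\"")
                        .build());
    }

    /** PBKDF2-HMAC-SHA256, 100k iterations, 256-bit output. */
    private static byte[] pbkdf2(String password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```

The ordering inside authenticate() is the point: the expensive key derivation and the constant-time comparison both happen before any session exists, so a flood of bad credentials costs the server CPU but no per-attempt memory, and the session is created by the supplier only on the success path. Because the cached attribute is what makes isAuthenticated() succeed, logout() must remove it even though the framework also invalidates the session.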