/** * Add a private credential to the identity being authenticated. This credential may be forwarded to outbound * authentication mechanisms. * * @param credential the credential to add (must not be {@code null}) */ public void addPrivateCredential(Credential credential) { Assert.checkNotNullParam("credential", credential); stateRef.get().addPrivateCredential(credential); }
void addPublicCredential(final Credential credential) { final SecurityIdentity sourceIdentity = getSourceIdentity(); final AuthorizedState newState = new AuthorizedState(sourceIdentity.withPublicCredential(credential), getAuthenticationPrincipal(), getRealmInfo(), getMechanismConfiguration(), getMechanismRealmConfiguration()); if (! stateRef.compareAndSet(this, newState)) { stateRef.get().addPublicCredential(credential); } }
@Override boolean authorize(final Principal authorizationId, final boolean authorizeRunAs) throws RealmUnavailableException { final AuthorizedAuthenticationState authzState = doAuthorization(true); if (authzState == null) { return false; } final AuthorizedState newState = authzState.authorizeRunAs(authorizationId, authorizeRunAs); if (newState == null) { return false; } final AtomicReference<State> stateRef = getStateRef(); if (! stateRef.compareAndSet(this, newState)) { return stateRef.get().authorize(authorizationId, authorizeRunAs); } if (newState != authzState) getRealmIdentity().dispose(); return true; }
if (stateRef.get().canVerifyEvidence()) { if (peerCerts != null) { log.tracef("Authentication ID is null but SSL peer certificates are available. Trying to authenticate peer"); String requestedRealm = stateRef.get().getMechanismRealmConfiguration().getRealmName(); final ServerCredentialCallback serverCredentialCallback = (ServerCredentialCallback) callback; CredentialSource serverCredentialSource = stateRef.get().getMechanismConfiguration().getServerCredentialSource(); handleOne(callbacks, idx + 1); } else if (callback instanceof AvailableRealmsCallback) { Collection<String> names = stateRef.get().getMechanismConfiguration().getMechanismRealmNames(); if (log.isTraceEnabled()) { log.tracef("Handling AvailableRealmsCallback: realms = [%s]", String.join(", ", names)); } else if (callback instanceof CachedIdentityAuthorizeCallback) { CachedIdentityAuthorizeCallback authorizeCallback = (CachedIdentityAuthorizeCallback) callback; authorizeCallback.setSecurityDomain(stateRef.get().getSecurityDomain()); SecurityIdentity authorizedIdentity = null; Principal principal = null;
if (stateRef.get().canVerifyEvidence()) { if (peerCerts != null) { log.tracef("Authentication ID is null but SSL peer certificates are available. Trying to authenticate peer"); String requestedRealm = stateRef.get().getMechanismRealmConfiguration().getRealmName(); final ServerCredentialCallback serverCredentialCallback = (ServerCredentialCallback) callback; CredentialSource serverCredentialSource = stateRef.get().getMechanismConfiguration().getServerCredentialSource(); handleOne(callbacks, idx + 1); } else if (callback instanceof AvailableRealmsCallback) { Collection<String> names = stateRef.get().getMechanismConfiguration().getMechanismRealmNames(); if (log.isTraceEnabled()) { log.tracef("Handling AvailableRealmsCallback: realms = [%s]", String.join(", ", names)); } else if (callback instanceof CachedIdentityAuthorizeCallback) { CachedIdentityAuthorizeCallback authorizeCallback = (CachedIdentityAuthorizeCallback) callback; authorizeCallback.setSecurityDomain(stateRef.get().getSecurityDomain()); SecurityIdentity authorizedIdentity = null; Principal principal = null;
if (stateRef.get().canVerifyEvidence()) { if (peerCerts != null) { log.tracef("Authentication ID is null but SSL peer certificates are available. Trying to authenticate peer"); String requestedRealm = stateRef.get().getMechanismRealmConfiguration().getRealmName(); final ServerCredentialCallback serverCredentialCallback = (ServerCredentialCallback) callback; CredentialSource serverCredentialSource = stateRef.get().getMechanismConfiguration().getServerCredentialSource(); handleOne(callbacks, idx + 1); } else if (callback instanceof AvailableRealmsCallback) { Collection<String> names = stateRef.get().getMechanismConfiguration().getMechanismRealmNames(); if (log.isTraceEnabled()) { log.tracef("Handling AvailableRealmsCallback: realms = [%s]", String.join(", ", names)); } else if (callback instanceof CachedIdentityAuthorizeCallback) { CachedIdentityAuthorizeCallback authorizeCallback = (CachedIdentityAuthorizeCallback) callback; authorizeCallback.setSecurityDomain(stateRef.get().getSecurityDomain()); SecurityIdentity authorizedIdentity = null; Principal principal = null;
/** * Determine whether a given credential is definitely obtainable, possibly obtainable, or definitely not obtainable. * * If an authentication identity is established this will be for that identity, otherwise this will be the general * level of support advertised by the security domain. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param parameterSpec the algorithm parameters to match, or {@code null} if any parameters are acceptable or the credential type * does not support algorithm parameters * @return the level of support for this credential type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param parameterSpec the algorithm parameters to match, or {@code null} if any parameters are acceptable or the credential type * does not support algorithm parameters * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, algorithmName, parameterSpec); }
/** * Determine whether a given credential is definitely obtainable, possibly obtainable, or definitely not obtainable. * * If an authentication identity is established this will be for that identity, otherwise this will be the general * level of support advertised by the security domain. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param parameterSpec the algorithm parameters to match, or {@code null} if any parameters are acceptable or the credential type * does not support algorithm parameters * @return the level of support for this credential type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param parameterSpec the algorithm parameters to match, or {@code null} if any parameters are acceptable or the credential type * does not support algorithm parameters * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, algorithmName, parameterSpec); }
/** * Determine whether a given credential is definitely obtainable, possibly obtainable, or definitely not obtainable. * * If an authentication identity is established this will be for that identity, otherwise this will be the general * level of support advertised by the security domain. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param parameterSpec the algorithm parameters to match, or {@code null} if any parameters are acceptable or the credential type * does not support algorithm parameters * @return the level of support for this credential type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param parameterSpec the algorithm parameters to match, or {@code null} if any parameters are acceptable or the credential type * does not support algorithm parameters * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, algorithmName, parameterSpec); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, algorithmName, null); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, algorithmName, null); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param algorithmName the algorithm name, or {@code null} if any algorithm is acceptable or the credential type does * not support algorithm names * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, algorithmName, null); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, null, null); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, null, null); }
/** * Acquire a credential of the given type. The credential type is defined by its {@code Class} and an optional {@code algorithmName}. If the * algorithm name is not given, then the query is performed for any algorithm of the given type. * * @param credentialType the credential type class (must not be {@code null}) * @param <C> the credential type * * @return the credential, or {@code null} if the principal has no credential of that type * * @throws RealmUnavailableException if the realm is not able to handle requests for any reason * @throws IllegalStateException if no authentication has been initiated or authentication is already completed */ public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException { Assert.checkNotNullParam("credentialType", credentialType); return stateRef.get().getCredential(credentialType, null, null); }
@Override boolean authorizeAnonymous(final boolean requireLoginPermission) { final AtomicReference<State> stateRef = getStateRef(); final SecurityIdentity anonymousIdentity = getSecurityDomain().getAnonymousSecurityIdentity(); return (! requireLoginPermission || anonymousIdentity.implies(LoginPermission.getInstance())) && (stateRef.compareAndSet(this, new AnonymousAuthorizedState(anonymousIdentity)) || stateRef.get().authorizeAnonymous(requireLoginPermission)); }
@Override boolean authorizeAnonymous(boolean requireLoginPermission) { transition(); return stateRef.get().authorizeAnonymous(requireLoginPermission); }