All Downloads are FREE. Search and download functionalities are using the official Maven repository.

jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism Maven / Gradle / Ivy

There is a newer version: 11.0.0-M4
Show newest version
/*
 * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0, which is available at
 * http://www.eclipse.org/legal/epl-2.0.
 *
 * This Source Code may also be made available under the following Secondary
 * Licenses when the conditions for such availability set forth in the
 * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
 * version 2 with the GNU Classpath Exception, which is available at
 * https://www.gnu.org/software/classpath/license.html.
 *
 * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
 */

package jakarta.security.enterprise.authentication.mechanism.http;

import static jakarta.security.enterprise.AuthenticationStatus.SUCCESS;

import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * HttpAuthenticationMechanism is a mechanism for obtaining a caller's
 * credentials in some way, using the HTTP protocol where necessary.
 * 
 * 

* This is used to help in securing Jakarta Servlet endpoints, including * endpoints that may be build on top of Jakarta Servlets like Jakarta RESTful Web Services endpoints and * Jakarta Faces views. It specifically is not used for endpoints such as remote Jakarta Enterprise Beans * or (Jakarta Messaging) message driven beans. * *

* A HttpAuthenticationMechanism is essentially a Jakarta Servlet specific and CDI enabled version of * the {@link ServerAuthModule} that adheres to the Servlet Container Profile. See the Jakarta Authentication spec for * further details on this. * *

* Implementations of this class can notify the Jakarta Servlet container about a successful authentication by using the * {@link HttpMessageContext#notifyContainerAboutLogin(java.security.Principal, java.util.Set)} method. * *

* Implementations are expected and encouraged to delegate the actual credential validation and/or retrieval of the * caller name with optional groups to an {@link IdentityStore}. This is however not required and implementations * can either do the validation checks for authentication completely autonomously, or delegate only certain aspects of * the process to the store (e.g. use the store only for retrieving the groups an authenticated user is in). */ public interface HttpAuthenticationMechanism { /** * Authenticate an HTTP request. * *

* This method is called in response to an HTTP client request for a resource, and is always invoked * before any {@link Filter} or {@link HttpServlet}. Additionally this method is called * in response to {@link HttpServletRequest#authenticate(HttpServletResponse)} * *

* Note that by default this method is always called for every request, independent of whether * the request is to a protected or non-protected resource, or whether a caller was successfully authenticated * before within the same HTTP session or not. * *

* A CDI/Interceptor spec interceptor can be used to prevent calls to this method if needed. * See {@link AutoApplySession} and {@link RememberMe} for two examples. * * @param request contains the request the client has made * @param response contains the response that will be send to the client * @param httpMessageContext context for interacting with the container * @return the completion status of the processing performed by this method * @throws AuthenticationException when the processing failed */ AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException; /** * Secure the response, optionally. * *

* This method is called to allow for any post processing to be done on the request, and is always invoked * after any {@link Filter} or {@link HttpServlet}. * *

* Note that this method is only called when a (Servlet) resource has indeed been invoked, i.e. if a previous call * to validateRequest that was invoked before any {@link Filter} or {@link HttpServlet} returned SUCCESS. * * @param request contains the request the client has made * @param response contains the response that will be send to the client * @param httpMessageContext context for interacting with the container * @return the completion status of the processing performed by this method * @throws AuthenticationException when the processing failed */ default AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException { return SUCCESS; } /** * Remove mechanism specific principals and credentials from the subject and any other state the mechanism * might have used. * *

* This method is called in response to {@link HttpServletRequest#logout()} and gives the authentication mechanism * the option to remove any state associated with an earlier established authenticated identity. For example, an * authentication mechanism that stores state within a cookie can send remove that cookie here. * * @param request contains the request the client has made * @param response contains the response that will be send to the client * @param httpMessageContext context for interacting with the container */ default void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) { httpMessageContext.cleanClientSubject(); } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy