• Home
• javax
• javaee-api
• 8.0.1
• source code
• AuthenticationStatus.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

javax.security.enterprise.AuthenticationStatus Maven / Gradle / Ivy

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * https://oss.oracle.com/licenses/CDDL+GPL-1.1
 * or LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */

package javax.security.enterprise;

import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.servlet.http.HttpServletRequest;

/**
 * The AuthenticationStatus is used as a return value by primarily
 * the {@link HttpAuthenticationMechanism} to indicate the result (status)
 * of the authentication process.
 * 
 * 

 * For the result from {@link HttpAuthenticationMechanism#validateRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)} 
 * an AuthenticationStatus must be transformed by the Java EE server into the corresponding JASPIC (JSR 196) AuthStatus
 * according to the following rules:
 * 
 * 

 *   
 AuthenticationStatus.NOT_DONE to AuthStatus.SUCCESS 
 *   
 AuthenticationStatus.SEND_CONTINUE to AuthStatus.SEND_CONTINUE 
 *   
 AuthenticationStatus.SUCCESS to AuthStatus.SUCCESS 
 *   
 AuthenticationStatus.SEND_FAILURE to AuthStatus.SEND_FAILURE 
 * 
 * 
 * 

 * After the transformation as outlined above the transformed result has to be processed by the Java EE server as 
 * specified by the Servlet Container Profile of the JASPIC 1.1 spec (chapter 3).
 * 
 * 

 * Implementation note: while the JASPIC Servlet Container Profile is the authoritative
 * source on how to process the AuthStatus.SUCCESS result and this specification puts no constraints 
 * of any kind on that, the expectation is that Java EE servers in practice will mainly look at the 
 * result being AuthStatus.SUCCESS or not AuthStatus.SUCCESS. Simply said, if the result is 
 * AuthStatus.SUCCESS the authenticated identity (if any) must be set (established) for the current HTTP request, 
 * otherwise not.
 * 
 * 

 * The return value of {@link SecurityContext#authenticate(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters)}
 * , which is also of type AuthenticationStatus, strongly relates to the outcome of the HttpAuthenticationMechanism#validateRequest
 * method as described above, but must be transformed by the Java EE server from the corresponding outcome of the
 * {@link HttpServletRequest#authenticate(javax.servlet.http.HttpServletResponse)} call as follows:
 * 
 * 

 *   
 true to AuthenticationStatus.SUCCESS 
 *   
 false to [last status] (see below) 
 *   
 ServletException or IOException to AuthenticationStatus.SEND_FAILURE 
 * 
 * 
 * 

 * When an HttpAuthenticationMechanism was used [last status] must be
 * the value returned by HttpAuthenticationMechanism#validateRequest.
 * 
 * 

 * When a JASPIC ServerAuthModule (SAM) was used and an HttpAuthenticationMechanism was not used 
 * Java EE servers are encouraged, but not required, to set [last status] to the value returned by
 * ServerAuthModule#validateRequest transformed as follows:
 * 
 * 

 *   
 AuthStatus.SEND_CONTINUE to AuthenticationStatus.SEND_CONTINUE 
 *   
 AuthStatus.SUCCESS to AuthenticationStatus.SUCCESS 
 *   
 AuthStatus.SEND_FAILURE to AuthenticationStatus.SEND_FAILURE 
 *   
 (all other outcomes) to AuthenticationStatus.NOT_DONE 
 * 
 * 
 * 

 * When a Java EE Server proprietary identity store equivalent was used and an 
 * HttpAuthenticationMechanism was not used 
 * Java EE servers are encouraged, but not required, to set [last status] to a value
 * that logically corresponds to the description of each enum constant of AuthenticationStatus. This outcome
 * should never be depended on by application code as being portable.
 * 
 * 

 * Application code calling SecurityContext#authenticate is expected to act on all possible
 * values of AuthenticationStatus.
 * 
 */
public enum AuthenticationStatus {

    /**
     * The authentication mechanism was called, but decided not to authenticate.
     * This status would be typically returned in pre-emptive security; the authentication
     * mechanism is called, but authentication is optional and would only take place when for
     * instance a specific request header is present.
     */
	NOT_DONE,
	
	/**
	 * The authentication mechanism was called and a multi-step authentication dialog with the caller
	 * has been started (for instance, the caller has been redirected to a login page). Simply said 
	 * authentication is "in progress". Calling application code (if any) should not write to the response
	 * when this status is received. 
	 */
	SEND_CONTINUE,
	
	/**
	 * The authentication mechanism was called and the caller was successfully authenticated. After the
	 * Java EE server has processed this outcome, the caller principal is available.
	 */
	SUCCESS,
	
	/**
	 * The authentication mechanism was called but the caller was not successfully authenticated and
	 * therefor the caller principal will not be made available.
	 * 

	 * Note that this status should be used to indicate a logical problem (such as a credential not matching or a caller
	 * ID that can not be found). Exceptions should be used for system level problems (such as a database connection timing out).
	 */
	SEND_FAILURE
}