• Home
• org.elasticsearch.plugin
• x-pack-core
• 7.12.1
• source code
• AuthenticationFailureHandler.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler Maven / Gradle / Ivy

/*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
package org.elasticsearch.xpack.core.security.authc;

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.transport.TransportMessage;

/**
 * A AuthenticationFailureHandler is responsible for the handling of a request that has failed authentication. This must
 * consist of returning an exception and this exception can have headers to indicate authentication is required or another
 * HTTP operation such as a redirect.
 * 

 * For example, when using Basic authentication, most clients wait to send credentials until they have been challenged
 * for them. In this workflow a client makes a request, the server responds with a 401 status with the header
 * WWW-Authenticate: Basic realm=auth-realm, and then the client will send credentials. The same scheme also
 * applies for other methods of authentication, with changes to the value provided in the WWW-Authenticate header.
 * 

 * Additionally, some methods of authentication may require a different status code. When using an single sign on system,
 * clients will often retrieve a token from a single sign on system that is presented to the server and verified. When a
 * client does not provide such a token, then the server can choose to redirect the client to the single sign on system to
 * retrieve a token. This can be accomplished in the AuthenticationFailureHandler by setting the
 * {@link org.elasticsearch.rest.RestStatus#FOUND}
 * with a Location header that contains the location to redirect the user to.
 */
public interface AuthenticationFailureHandler {

    /**
     * This method is called when there has been an authentication failure for the given REST request and authentication
     * token.
     *
     * @param request The request that was being authenticated when the exception occurred
     * @param token   The token that was extracted from the request
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException failedAuthentication(RestRequest request, AuthenticationToken token, ThreadContext context);

    /**
     * This method is called when there has been an authentication failure for the given message and token
     *
     * @param message The transport message that could not be authenticated
     * @param token   The token that was extracted from the message
     * @param action  The name of the action that the message is trying to perform
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException failedAuthentication(TransportMessage message, AuthenticationToken token, String action,
                                                        ThreadContext context);

    /**
     * The method is called when an exception has occurred while processing the REST request. This could be an error that
     * occurred while attempting to extract a token or while attempting to authenticate the request
     *
     * @param request The request that was being authenticated when the exception occurred
     * @param e       The exception that was thrown
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException exceptionProcessingRequest(RestRequest request, Exception e, ThreadContext context);

    /**
     * The method is called when an exception has occurred while processing the transport message. This could be an error that
     * occurred while attempting to extract a token or while attempting to authenticate the request
     *
     * @param message The message that was being authenticated when the exception occurred
     * @param action  The name of the action that the message is trying to perform
     * @param e       The exception that was thrown
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException exceptionProcessingRequest(TransportMessage message, String action, Exception e, ThreadContext context);

    /**
     * This method is called when a REST request is received and no authentication token could be extracted AND anonymous
     * access is disabled. If anonymous access is enabled, this method will not be called
     *
     * @param request The request that did not have a token
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException missingToken(RestRequest request, ThreadContext context);

    /**
     * This method is called when a transport message is received and no authentication token could be extracted AND
     * anonymous access is disabled. If anonymous access is enabled this method will not be called
     *
     * @param message The message that did not have a token
     * @param action  The name of the action that the message is trying to perform
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException missingToken(TransportMessage message, String action, ThreadContext context);

    /**
     * This method is called when anonymous access is enabled, a request does not pass authorization with the anonymous
     * user, AND the anonymous service is configured to throw an authentication exception instead of an authorization
     * exception
     *
     * @param action the action that failed authorization for anonymous access
     * @param context The context of the request that failed authentication that could not be authenticated
     * @return ElasticsearchSecurityException with the appropriate headers and message
     */
    ElasticsearchSecurityException authenticationRequired(String action, ThreadContext context);
}