• Home
• org.wildfly.security
• wildfly-elytron
• 1.17.3.Final
• source code
• CachedIdentityAuthorizeCallback.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.wildfly.security.auth.callback.CachedIdentityAuthorizeCallback Maven / Gradle / Ivy

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2016 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.wildfly.security.auth.callback;

import org.wildfly.common.Assert;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.cache.CachedIdentity;
import org.wildfly.security.cache.IdentityCache;

import java.security.Principal;
import java.util.function.Function;

import static org.wildfly.common.Assert.checkNotNullParam;

/**
 * 
A callback that is capable of perform authorization based on the identities managed by an {@link IdentityCache}.
 *
 * 
This callback can be used in two ways:
 *
 * 

 *     
As an alternative to {@link javax.security.sasl.AuthorizeCallback}. As a result, the identity (if successfully authorized) will be cached
 *     
To perform a lookup in the cache and authorize the cached identity locally
 * 
 *
 * @author Pedro Igor
 */
public class CachedIdentityAuthorizeCallback implements ExtendedCallback {

    private final Function identityCache;
    private final boolean localCache;
    private Principal principal;
    private boolean authorized;
    private SecurityDomain securityDomain;

    /**
     * Creates a new instance in order to authorize identities managed by the given identityCache.
     *
     * @param identityCache the identity cache
     */
    public CachedIdentityAuthorizeCallback(IdentityCache identityCache) {
        this(identityCache, false);
    }

    /**
     * Creates a new instance in order to authorize identities managed by the given identityCache.
     *
     * @param identityCache the identity cache
     * @param localCache if true, indicates that authorization should be based on the given {@code identityCache} only. In case the mechanism
     *                   performing the authorization is wrapped by another one that provides a top-level cache (eg.: SSO), only the given
     *                   {@code identityCache} will be considered.
     */
    public CachedIdentityAuthorizeCallback(IdentityCache identityCache, boolean localCache) {
        this(securityDomain1 -> identityCache, localCache);
    }

    /**
     * 
Creates a new instance in order to authorize identities managed by the given identityCache.
     *
     * 
This constructor can be used to perform caching operations (e.g.: put, get and remove) in the context of a {@link SecurityDomain}.
     *
     * @param identityCache a function that creates an {@link IdentityCache} given a {@link SecurityDomain}
     * @param localCache if true, indicates that authorization should be based on the given {@code identityCache} only. In case the mechanism
     *                   performing the authorization is wrapped by another one that provides a top-level cache (eg.: SSO), only the given
     *                   {@code identityCache} will be considered.
     */
    public CachedIdentityAuthorizeCallback(Function identityCache, boolean localCache) {
        checkNotNullParam("identityCache", identityCache);
        this.identityCache = identityCache;
        this.localCache = localCache;
    }

    /**
     * Creates a new instance to authenticate, authorize and cache the identity associated with the given name.
     *
     * @param name the name associated with the identity
     * @param identityCache the identity cache
     */
    public CachedIdentityAuthorizeCallback(String name, IdentityCache identityCache) {
        this(new NamePrincipal(name), identityCache);
    }

    /**
     * Creates a new instance to authenticate, authorize and cache the identity associated with the given principal.
     *
     * @param principal the principal associated with the identity
     * @param identityCache the identity cache
     * @param localCache if true, indicates that authorization should be based on the given {@code identityCache} only. In case the mechanism
     *                   performing the authorization is wrapped by another one that provides a top-level cache (eg.: SSO), only the given
     *                   {@code identityCache} will be considered.
     */
    public CachedIdentityAuthorizeCallback(Principal principal, IdentityCache identityCache, boolean localCache) {
        this(principal, securityDomain -> identityCache, localCache);
    }

    /**
     * Creates a new instance to authenticate, authorize and cache the identity associated with the given principal.
     *
     * @param principal the principal associated with the identity
     * @param identityCache the identity cache
     */
    public CachedIdentityAuthorizeCallback(Principal principal, IdentityCache identityCache) {
        this(principal, securityDomain -> identityCache, false);
    }

    /**
     * 
Creates a new instance to authenticate, authorize and cache the identity associated with the given principal.
     *
     * 
This constructor can be used to perform caching operations (e.g.: put, get and remove) in the context of a {@link SecurityDomain}.
     *
     * @param principal the principal associated with the identity
     * @param identityCache a function that creates an {@link IdentityCache} given a {@link SecurityDomain}
     * @param localCache if true, indicates that authorization should be based on the given {@code identityCache} only. In case the mechanism
     *                   performing the authorization is wrapped by another one that provides a top-level cache (eg.: SSO), only the given
     *                   {@code identityCache} will be considered.
     */
    public CachedIdentityAuthorizeCallback(Principal principal, Function identityCache, boolean localCache) {
        checkNotNullParam("principal", principal);
        checkNotNullParam("identityCache", identityCache);
        this.principal = principal;
        this.identityCache = identityCache;
        this.localCache = localCache;
    }

    /**
     * Indicates if a cached identity was successfully authorized.
     *
     * @return true if the cached identity was successfully authorized. Otherwise, false
     */
    public boolean isAuthorized() {
        return authorized;
    }

    /**
     * Authorizes and caches the given securityIdentity.
     *
     * @param securityIdentity the identity to authorize and cache. If null, the corresponding identity will be removed from the cache
     */
    public void setAuthorized(SecurityIdentity securityIdentity) {
        if (authorized = securityIdentity != null) {
            createDomainCache().put(securityIdentity);
        } else {
            createDomainCache().remove();
        }
    }

    /**
     * Returns the {@link Principal} representing the cached identity.
     *
     * @return the principal (not {@code null})
     */
    public Principal getPrincipal() {
        CachedIdentity cachedIdentity = createDomainCache().get();
        if (cachedIdentity != null) {
            return new NamePrincipal(cachedIdentity.getName());
        }
        return null;
    }

    /**
     * Returns the authorization {@link Principal}.
     *
     * @return the principal (not {@code null})
     */
    public Principal getAuthorizationPrincipal() {
        return this.principal;
    }

    /**
     * Returns a cached {@link SecurityIdentity}, if present in the cache.
     *
     * @return the cached identity or null if there is no entry in the cache
     */
    public SecurityIdentity getIdentity() {
        CachedIdentity cachedIdentity = createDomainCache().get();
        if (cachedIdentity != null) {
            return cachedIdentity.getSecurityIdentity();
        }
        return null;
    }

    /**
     * Indicates if authorization decisions should be performed based on the given {@link IdentityCache} only.
     *
     * @return true indicating that authorization decisions should be performed based on the given {@link IdentityCache} only. Otherwise, false
     */
    public boolean isLocalCache() {
        return localCache;
    }

    /**
     * Set the current {@link SecurityDomain} in order to obtain identities from the cache
     *
     * @param securityDomain the current security domain
     */
    public void setSecurityDomain(SecurityDomain securityDomain) {
        Assert.checkNotNullParam("securityDomain", securityDomain);
        this.securityDomain = securityDomain;
    }

    @Override
    public boolean isOptional() {
        return false;
    }

    @Override
    public boolean needsInformation() {
        return false;
    }

    private IdentityCache createDomainCache() {
        return this.identityCache.apply(securityDomain);
    }
}