Interface AuthenticationManager

    • Method Summary

      Modifier and Type    Method    Description
      Subject              getActiveSubject()
                           Deprecated. Use the JACC PolicyContextHandler with key "javax.security.auth.Subject.container".
      Principal            getTargetPrincipal(Principal anotherDomainPrincipal, Map<String,Object> contextMap)
                           Trust-related use cases may require translation of a principal from another domain to the current domain. An implementation of this interface may need to contact the external trust provider directly when deriving the target principal.
      boolean              isValid(Principal principal, Object credential)
                           The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity.
      boolean              isValid(Principal principal, Object credential, Subject activeSubject)
                           The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity; this form also populates a caller-supplied Subject.
      void                 logout(Principal principal, Subject subject)
                           This method must be invoked to perform the logout of the incoming principal.
    • Method Detail

      • isValid

        boolean isValid(Principal principal,
                        Object credential)
        The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity. Typically this is implemented as a call to the three-argument isValid with a null Subject.
        Parameters:
        principal - the user identity in the operational environment
        credential - the proof of user identity as known in the operational environment
        Returns:
        true if the principal, credential pair is valid, false otherwise.
        See Also:
        isValid(Principal, Object, Subject)
      • isValid

        boolean isValid(Principal principal,
                        Object credential,
                        Subject activeSubject)
        The isValid method is invoked to see if a user identity and associated credentials as known in the operational environment are valid proof of the user identity. This extends the two-argument isValid to provide a copy of the resulting authenticated Subject. This allows a caller to authenticate a user and obtain a Subject whose state cannot be modified by other threads associated with the same principal.
        Parameters:
        principal - the user identity in the operational environment
        credential - the proof of user identity as known in the operational environment
        activeSubject - the Subject which should be populated with the validated Subject contents. A JAAS-based implementation would typically populate the activeSubject with the LoginContext.login result.
        Returns:
        true if the principal, credential pair is valid, false otherwise.
      • getActiveSubject

        Subject getActiveSubject()
        Deprecated.
        Use the JACC PolicyContextHandler with key "javax.security.auth.Subject.container".
        Get the currently authenticated subject. Historically, implementations of the AuthenticationManager isValid methods had the side effect of setting the active Subject. This caused problems in multi-threaded use cases where the Subject instance was shared by multiple threads. This is now deprecated in favor of the JACC PolicyContextHandler getContext(key, data) method.
        Returns:
        The previously authenticated Subject if isValid succeeded, null if isValid failed or has not been called for the active thread.
        See Also:
        PolicyContextHandler.getContext(String, Object)
      • getTargetPrincipal

        Principal getTargetPrincipal(Principal anotherDomainPrincipal,
                                     Map<String,Object> contextMap)
        Trust-related use cases may require translation of a principal from another domain to the current domain. An implementation of this interface may need to contact the external trust provider directly when deriving the target principal.
        Parameters:
        anotherDomainPrincipal - Principal that is applicable in the other domain (may be null, in which case the contextMap alone is used to derive the target principal)
        contextMap - Any context information (including information on the other domain that may be relevant in deriving the target principal). Any SAML assertions that may be relevant can be passed here.
        Returns:
        principal from a target security domain
      • logout

        void logout(Principal principal,
                    Subject subject)
        This method must be invoked to perform the logout of the incoming principal. The Subject associated with the principal is also provided, allowing implementations to perform any special cleanup based on the information contained in the Subject.
        Parameters:
        principal - the Principal being logged out.
        subject - the Subject associated with the principal being logged out.
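The following is an added example, not code from the JBoss/PicketBox project, showing how an implementation can satisfy the contract documented above: the two-argument isValid delegates with a null Subject, the three-argument form runs a JAAS LoginContext against a fresh Subject and copies the result into the caller-supplied activeSubject (so nothing is shared between threads, which is the problem that led to getActiveSubject being deprecated), and logout clears the Subject so its credentials cannot be reused. It assumes the interface lives in the package org.jboss.security (the page does not state the package); the class name JaasAuthenticationManager, the helper NamePasswordHandler and the login configuration name are hypothetical.

```java
// Assumed: AuthenticationManager is org.jboss.security.AuthenticationManager (package not stated on the page).
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical JAAS-backed implementation written to illustrate the documented contract. */
public class JaasAuthenticationManager implements AuthenticationManager {

    private final String loginConfigName; // JAAS Configuration entry to authenticate against (placeholder)

    public JaasAuthenticationManager(String loginConfigName) {
        this.loginConfigName = loginConfigName;
    }

    /** Two-argument form: as the Javadoc describes, delegates with a null Subject. */
    @Override
    public boolean isValid(Principal principal, Object credential) {
        return isValid(principal, credential, null);
    }

    @Override
    public boolean isValid(Principal principal, Object credential, Subject activeSubject) {
        if (principal == null || !(credential instanceof char[])) {
            return false; // this example only understands char[] passwords
        }
        // A fresh Subject per call: the login result is never shared between threads.
        Subject loginResult = new Subject();
        try {
            LoginContext lc = new LoginContext(loginConfigName, loginResult,
                    new NamePasswordHandler(principal.getName(), (char[]) credential));
            lc.login();
        } catch (LoginException e) {
            // Unknown user, bad password and misconfiguration are all reported uniformly
            // as "not valid"; the cause is not exposed to the caller.
            return false;
        }
        if (activeSubject != null) {
            // Populate the caller-owned Subject with the LoginContext result.
            activeSubject.getPrincipals().addAll(loginResult.getPrincipals());
            activeSubject.getPublicCredentials().addAll(loginResult.getPublicCredentials());
            activeSubject.getPrivateCredentials().addAll(loginResult.getPrivateCredentials());
        }
        return true;
    }

    /** Deprecated contract: this implementation keeps no per-thread Subject, so it reports none. */
    @Override
    @Deprecated
    public Subject getActiveSubject() {
        return null;
    }

    /** No cross-domain trust is configured here, so the identity maps one-to-one. */
    @Override
    public Principal getTargetPrincipal(Principal anotherDomainPrincipal, Map<String, Object> contextMap) {
        return anotherDomainPrincipal;
    }

    /** Clears the Subject so credentials established by isValid cannot be reused after logout. */
    @Override
    public void logout(Principal principal, Subject subject) {
        if (subject == null) {
            return;
        }
        subject.getPrivateCredentials().clear();
        subject.getPublicCredentials().clear();
        subject.getPrincipals().clear();
    }

    /** Supplies the user name and password to the login modules' callbacks. */
    private static final class NamePasswordHandler implements CallbackHandler {
        private final String name;
        private final char[] password;

        NamePasswordHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }
}
```

A caller should create a new Subject for each authentication, pass it as activeSubject, keep that Subject for the duration of the request, and call logout(principal, subject) when it is done; it should not rely on getActiveSubject(), which this implementation deliberately leaves returning null.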