├── copyright-exclude
├── .travis.yml
├── .gitignore
├── README.md
├── src
└── main
│ ├── java
│ └── javax
│ │ └── security
│ │ └── enterprise
│ │ ├── credential
│ │ ├── package-info.java
│ │ ├── CallerOnlyCredential.java
│ │ ├── RememberMeCredential.java
│ │ ├── Credential.java
│ │ ├── AbstractClearableCredential.java
│ │ ├── UsernamePasswordCredential.java
│ │ ├── Password.java
│ │ └── BasicAuthenticationCredential.java
│ │ ├── identitystore
│ │ ├── package-info.java
│ │ ├── IdentityStorePermission.java
│ │ ├── IdentityStoreHandler.java
│ │ ├── RememberMeIdentityStore.java
│ │ ├── Pbkdf2PasswordHash.java
│ │ ├── PasswordHash.java
│ │ ├── DatabaseIdentityStoreDefinition.java
│ │ ├── IdentityStore.java
│ │ ├── CredentialValidationResult.java
│ │ └── LdapIdentityStoreDefinition.java
│ │ ├── authentication
│ │ └── mechanism
│ │ │ └── http
│ │ │ ├── package-info.java
│ │ │ ├── FormAuthenticationMechanismDefinition.java
│ │ │ ├── BasicAuthenticationMechanismDefinition.java
│ │ │ ├── CustomFormAuthenticationMechanismDefinition.java
│ │ │ ├── AutoApplySession.java
│ │ │ ├── LoginToContinue.java
│ │ │ ├── HttpMessageContextWrapper.java
│ │ │ ├── AuthenticationParameters.java
│ │ │ ├── HttpAuthenticationMechanism.java
│ │ │ ├── RememberMe.java
│ │ │ └── HttpMessageContext.java
│ │ ├── CallerPrincipal.java
│ │ ├── AuthenticationException.java
│ │ ├── package-info.java
│ │ ├── AuthenticationStatus.java
│ │ └── SecurityContext.java
│ └── javadoc
│ └── doc-files
│ └── speclicense.html
├── release.sh
└── pom.xml
/copyright-exclude:
--------------------------------------------------------------------------------
1 | copyright-exclude
2 | LICENSE.txt
3 | README.md
4 | src/main/javadoc/doc-files/speclicense.html
5 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: java
2 | jdk:
3 | - oraclejdk8
4 |
5 | script: mvn clean package
6 |
7 | # no longer deploying via travis
8 |
9 | #deploy:
10 | # provider: script
11 | # script: mvn deploy -Dmaven.test.skip -s settings.xml
12 | # on:
13 | # branch: master
14 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.class
2 | .classpath
3 | .project
4 |
5 | # Mobile Tools for Java (J2ME)
6 | .mtj.tmp/
7 |
8 | # Package Files #
9 | *.jar
10 | *.war
11 | *.ear
12 |
13 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
14 | hs_err_pid*
15 |
16 | .idea
17 | *.iml
18 | target
19 |
20 | # emacs
21 | *~
22 |
23 | *.class
24 | *.jar
25 | target/
26 | /bin/
27 | /dist/
28 | .settings/
29 | /**/.classpath
30 | /**/.project
31 |
32 | /.project
33 | nb-configuration.xml
34 |
35 | # mac
36 | .DS_Store
37 |
38 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | #### :warning:This project is now part of the EE4J initiative. This repository has been archived as all activities are now happening in the [corresponding Eclipse repository](https://github.com/eclipse-ee4j/security-api). See [here](https://www.eclipse.org/ee4j/status.php) for the overall EE4J transition status.
2 |
3 | ---
4 | # JSR-375 API Code Repository
5 |
6 | [](https://travis-ci.org/javaee/security-api)
7 |
8 | This repository contains the code for the Java EE Security API (JSR-375).
9 |
10 | [Online JavaDoc](https://javaee.github.io/security-api/apidocs/index.html)
11 |
12 | Building
13 | --------
14 |
15 | The JSR 375 API can be built by executing the following from the project root:
16 |
17 | ``mvn clean package``
18 |
19 | The API jar can then be found in the project's `target` directory.
20 |
21 | Making Changes
22 | --------------
23 |
24 | To make changes, fork this repository, make your changes, and submit a pull request.
25 |
26 | You must have an approved Oracle Contributor Agreement (OCA) before a pull request can be merged. You should also be a member of the Expert Group, or the JCP.
27 |
28 | About JSR-375
29 | -------------
30 |
31 | For more information about JSR-375, see the project web site at [https://javaee.github.io/security-spec/](https://javaee.github.io/security-spec/).
32 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/package-info.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | /**
42 | * The Identity Store Credential API package. This package
43 | * contains classes and interfaces associated with submitting credentials.
44 | *
45 | * @version 1.0
46 | */
47 | package javax.security.enterprise.credential;
48 |
49 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/package-info.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | /**
42 | * The identity store API package. This package
43 | * contains classes and interfaces associated with the
44 | * identity store, which validate a Caller's
45 | * credentials and access a Caller's identity attributes.
46 | *
47 | * @version 1.0
48 | */
49 | package javax.security.enterprise.identitystore;
50 |
51 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/package-info.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | /**
42 | * The HTTP authentication mechanism API package. This package
43 | * contains classes and interfaces associated with authentication
44 | * mechanisms that specifically target HTTP as environment to
45 | * interact with a caller (challenge/response, obtain credentials).
46 | *
47 | * @version 1.0
48 | */
49 | package javax.security.enterprise.authentication.mechanism.http;
50 |
51 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/CallerPrincipal.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise;
42 |
43 | import java.security.Principal;
44 |
45 | import javax.servlet.http.HttpServletRequest;
46 |
47 | /**
48 | * Principal that represents the caller principal associated with the invocation being
49 | * processed by the container (e.g. the current HTTP request).
50 | */
public class CallerPrincipal implements Principal {

    /** Caller name supplied at construction; stored as given, without normalization or validation. */
    private final String name;

    /**
     * Creates a principal for the given caller name.
     *
     * @param name the name of the caller; this constructor performs no
     *             validation of it (a {@code null} name is accepted and returned as-is)
     */
    public CallerPrincipal(String name) {
        this.name = name;
    }

    /**
     * Returns the name of the caller.
     *
     * @return the caller name this principal was created with
     */
    @Override
    public String getName() {
        return this.name;
    }

}
70 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/CallerOnlyCredential.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.credential;
42 |
43 | /**
44 | * CallerOnlyCredential represents a credential that only
45 | * contains a caller name and no secret of any kind.
46 | *
47 | *
48 | * This kind of credential is for internal usage within an application, e.g.
49 | * for "run-as" functionality in a context where the caller is already
50 | * sufficiently trusted.
51 | *
52 | */
public class CallerOnlyCredential implements Credential {

    /** The caller name; this credential carries no secret of any kind. */
    private final String caller;

    /**
     * Creates a credential holding only a caller name.
     *
     * @param caller The caller name; stored as given, without validation
     */
    public CallerOnlyCredential(String caller) {
        this.caller = caller;
    }

    /**
     * Returns the caller name this credential was created with.
     *
     * Because no secret accompanies the name, validating this credential
     * cannot by itself prove the caller's identity; it is intended for
     * contexts where the caller is already trusted (see the class description).
     *
     * @return The caller name
     */
    public String getCaller() {
        return this.caller;
    }

}
69 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/FormAuthenticationMechanismDefinition.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import static java.lang.annotation.ElementType.TYPE;
44 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
45 |
46 | import java.lang.annotation.Retention;
47 | import java.lang.annotation.Target;
48 |
49 | import javax.enterprise.util.Nonbinding;
50 |
51 | /**
52 | * Annotation used to define a container authentication mechanism that implements
53 | * FORM authentication as defined by the Servlet spec (13.6.3) and make that
54 | * implementation available as an enabled CDI bean.
55 | *
56 | */
@Retention(RUNTIME)
@Target(TYPE)
public @interface FormAuthenticationMechanismDefinition {

    /**
     * The {@link LoginToContinue} annotation holding the login-to-continue
     * settings used by the FORM authentication mechanism.
     *
     * Marked {@code @Nonbinding}: the value does not take part in CDI
     * qualifier matching.
     *
     * @return The {@link LoginToContinue} configuration for this mechanism
     */
    @Nonbinding
    LoginToContinue loginToContinue();

}
65 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/RememberMeCredential.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.credential;
42 |
43 | /**
44 | * RememberMeCredential represents a credential presented as a token,
45 | * for the explicit usage with the JSR 375 provided remember me function.
46 | *
47 | */
public class RememberMeCredential implements Credential {

    /** The remember-me token presented by the caller; not wiped by clear() (see getToken()). */
    private final String token;

    /**
     * Creates a credential wrapping a remember-me token.
     *
     * @param token The token value to compare for authentication.
     */
    public RememberMeCredential(String token) {
        this.token = token;
    }

    /**
     * Determines the token value to compare for authentication.
     *
     * This class does not override {@link Credential#clear()} or
     * {@link Credential#isCleared()}, so the token remains in memory as an
     * immutable String for the lifetime of this object; handle it as
     * sensitive material (in particular, do not log it).
     *
     * @return The token value to compare for authentication.
     */
    public String getToken() {
        return this.token;
    }

}
71 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/BasicAuthenticationMechanismDefinition.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import static java.lang.annotation.ElementType.TYPE;
44 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
45 |
46 | import java.lang.annotation.Retention;
47 | import java.lang.annotation.Target;
48 |
49 |
50 | /**
51 | * Annotation used to define a container authentication mechanism that implements
52 | * the HTTP basic access authentication protocol as defined by the Servlet spec (13.6.1)
53 | * and make that implementation available as an enabled CDI bean.
54 | *
55 | */
@Retention(RUNTIME)
@Target(TYPE)
public @interface BasicAuthenticationMechanismDefinition {

    /**
     * Name of realm that will be sent via the WWW-Authenticate header.
     *
     * Note that this realm name does not couple a named identity store
     * configuration to the authentication mechanism.
     *
     * Defaults to the empty string. Since it is sent to the client as part of
     * the challenge and selects no identity store, it is a display label for
     * the protected space, not a security boundary.
     *
     * @return Name of realm
     */
    String realmName() default "";
}
70 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/Credential.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.credential;
42 |
43 | /**
44 | * Credential represents the credential the caller will use to authenticate.
45 | */
public interface Credential {

    /**
     * Determines whether the credential value has been securely cleared.
     *
     * @implSpec The default implementation always returns {@code false}; a
     * credential that overrides {@link #clear()} should override this method
     * as well so that its cleared state is reported correctly.
     *
     * @return true if the credential has been cleared, otherwise false.
     */
    default boolean isCleared() {
        return false;
    }

    /**
     * Clears the credential. For example, if the credential includes a password,
     * this method would overwrite the password value.
     *
     * @implSpec The default implementation does nothing. Credentials that hold
     * secret material should override it (together with {@link #isCleared()})
     * so the secret does not outlive its use.
     */
    default void clear() {}

    /**
     * Determines whether the credential is valid. This would be called as part of
     * the credential validation process to check the integrity of the credential,
     * such as a signature check. This check would be self-contained,
     * not requiring identity store access.
     *
     * @implSpec The default implementation performs no check and always
     * returns {@code true}; credentials with verifiable integrity (e.g. a
     * signature) should override it.
     *
     * @return true if credential has integrity.
     */
    default boolean isValid() {
        return true;
    }

}
75 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/CustomFormAuthenticationMechanismDefinition.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import static java.lang.annotation.ElementType.TYPE;
44 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
45 |
46 | import java.lang.annotation.Retention;
47 | import java.lang.annotation.Target;
48 |
49 | import javax.enterprise.util.Nonbinding;
50 | import javax.security.enterprise.SecurityContext;
51 |
52 | /**
53 | * Annotation used to define a container authentication mechanism that implements
54 | * authentication resembling Servlet FORM authentication (Servlet spec 13.6.3).
55 | *
56 | * Instead of posting back to a predefined action to continue the authentication dialog
57 | * (Servlet spec 13.6.3 step 3), this variant depends on the application calling
58 | * {@link SecurityContext#authenticate(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters)}
59 | *
60 | */
@Retention(RUNTIME)
@Target(TYPE)
public @interface CustomFormAuthenticationMechanismDefinition {

    /**
     * The login-to-continue settings this mechanism uses when a caller is not
     * yet authenticated; see {@link LoginToContinue} for the available members.
     *
     * {@code @Nonbinding}: the value is configuration only and does not take
     * part in CDI qualifier matching.
     */
    @Nonbinding
    LoginToContinue loginToContinue();

}
69 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/AbstractClearableCredential.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.credential;
42 |
43 | /**
44 | * AbstractClearableCredential contains behavior common to
45 | * {@link Credential} implementations that can be meaningfully
46 | * cleared.
47 | */
48 | public abstract class AbstractClearableCredential implements Credential {
49 |
    // Raised exactly once by setCleared() and never reset; volatile so that
    // isCleared() observes the update from any thread without extra locking.
    private volatile boolean cleared = false;
51 |
    /**
     * Reports whether {@link #clear()} has completed for this credential.
     * Declared {@code final} so subclasses cannot override the reported state.
     */
    @Override
    public final boolean isCleared() {
        return cleared;
    }
56 |
    /**
     * Specifies that the credential value has been securely cleared.
     *
     * Irreversible: there is no counterpart that resets the flag, so a subclass
     * should call this only once its value really has been wiped.
     */
    protected final void setCleared() {
        this.cleared = true;
    }
63 |
    /**
     * Wipes the credential value via {@link #clearCredential()} and then marks
     * this credential as cleared.
     *
     * The order matters: the flag is raised only after the subclass has finished
     * wiping, so {@link #isCleared()} does not report {@code true} while the
     * value may still be in memory. If {@link #clearCredential()} throws, the
     * flag stays {@code false}.
     */
    @Override
    public final void clear() {
        clearCredential();
        setCleared();
    }
69 |
70 | /**
71 | * Invokes the specific subclass to securely clear the credential value.
72 | * Some {@link Credential} subclasses contain credential values
73 | * which are inherently secure, such as tokens, for which clearing the
74 | * credential may not be necessary.
75 | *
76 | * For example, if the credential includes a password, 77 | * this method would overwrite the password value. 78 | */ 79 | protected abstract void clearCredential(); 80 | } 81 | -------------------------------------------------------------------------------- /src/main/java/javax/security/enterprise/identitystore/IdentityStorePermission.java: -------------------------------------------------------------------------------- 1 | /* 2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 3 | * 4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved. 5 | * 6 | * The contents of this file are subject to the terms of either the GNU 7 | * General Public License Version 2 only ("GPL") or the Common Development 8 | * and Distribution License("CDDL") (collectively, the "License"). You 9 | * may not use this file except in compliance with the License. You can 10 | * obtain a copy of the License at 11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1 12 | * or LICENSE.txt. See the License for the specific 13 | * language governing permissions and limitations under the License. 14 | * 15 | * When distributing the software, include this License Header Notice in each 16 | * file and include the License file at LICENSE.txt. 17 | * 18 | * GPL Classpath Exception: 19 | * Oracle designates this particular file as subject to the "Classpath" 20 | * exception as provided by Oracle in the GPL Version 2 section of the License 21 | * file that accompanied this code. 
22 | * 23 | * Modifications: 24 | * If applicable, add the following below the License Header, with the fields 25 | * enclosed by brackets [] replaced by your own identifying information: 26 | * "Portions Copyright [year] [name of copyright owner]" 27 | * 28 | * Contributor(s): 29 | * If you wish your version of this file to be governed by only the CDDL or 30 | * only the GPL Version 2, indicate your decision by adding "[Contributor] 31 | * elects to include this software in this distribution under the [CDDL or GPL 32 | * Version 2] license." If you don't indicate a single choice of license, a 33 | * recipient has the option to distribute your version of this file under 34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to 35 | * its licensees as provided above. However, if you add GPL Version 2 code 36 | * and therefore, elected the GPL Version 2 license, then the option applies 37 | * only if the new code is made subject to such option by the copyright 38 | * holder. 39 | */ 40 | 41 | package javax.security.enterprise.identitystore; 42 | 43 | import java.security.BasicPermission; 44 | 45 | /** 46 | * Class for IdentityStore permissions. 47 | *
48 | * Currently defined permission names are: 49 | *
53 | * No actions are defined.
54 | *
55 | */
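public class IdentityStorePermission extends BasicPermission {

    /**
     * Create an IdentityStorePermission with the specified name.
     *
     * Name matching, including the {@code *} and {@code prefix.*} wildcard
     * forms accepted by {@link BasicPermission#implies(java.security.Permission)},
     * is inherited unchanged from {@link BasicPermission}.
     *
     * @param name Name of the permission.
     * @throws NullPointerException If name is null.
     * @throws IllegalArgumentException If name is empty.
     */
    public IdentityStorePermission(String name) {
        super(name);
    }

    /**
     * Create an IdentityStorePermission with the specified name.
     * No actions are defined for this permission; the action parameter
     * should be specified as {@code null}.
     *
     * @param name Name of the permission.
     * @param action Action for the permission; always null.
     * @throws NullPointerException If name is null.
     * @throws IllegalArgumentException If name is empty.
     */
    public IdentityStorePermission(String name, String action) {
        // BasicPermission ignores the actions string; getActions() stays "".
        super(name, action);
    }

}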
84 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/AutoApplySession.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import static java.lang.annotation.ElementType.TYPE;
44 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
45 |
46 | import java.lang.annotation.Inherited;
47 | import java.lang.annotation.Retention;
48 | import java.lang.annotation.Target;
49 |
50 | import javax.interceptor.InterceptorBinding;
51 |
52 | /**
53 | * The AutoApplySession annotation lets an application declaratively designate
54 | * that an authentication mechanism uses javax.servlet.http.registerSession,
55 | * and applies this automatically for every request.
56 | *
57 | *
58 | * See the JASPIC 1.1 specification section 3.8.4 for further details on javax.servlet.http.registerSession.
59 | *
60 | *
61 | * This support is provided via an implementation of an interceptor spec interceptor that conducts the 62 | * necessary logic. 63 | * 64 | *
65 | * Example: 66 | * 67 | *
68 | *
69 | * {@literal @}RequestScoped
70 | * {@literal @}AutoApplySession
71 | * public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {
72 | * // ...
73 | * }
74 | *
75 | *
76 | *
77 | */
@Inherited
@InterceptorBinding
@Retention(RUNTIME)
@Target(TYPE)
public @interface AutoApplySession {
    // Marker annotation with no members. @InterceptorBinding ties it to the
    // interceptor that performs the registerSession logic; @Inherited lets a
    // subclass of an annotated mechanism pick the binding up as well.
}
84 |
--------------------------------------------------------------------------------
/release.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
4 | #
5 | # Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
6 | #
7 | # The contents of this file are subject to the terms of either the GNU
8 | # General Public License Version 2 only ("GPL") or the Common Development
9 | # and Distribution License("CDDL") (collectively, the "License"). You
10 | # may not use this file except in compliance with the License. You can
11 | # obtain a copy of the License at
12 | # https://oss.oracle.com/licenses/CDDL+GPL-1.1
13 | # or LICENSE.txt. See the License for the specific
14 | # language governing permissions and limitations under the License.
15 | #
16 | # When distributing the software, include this License Header Notice in each
17 | # file and include the License file at LICENSE.txt.
18 | #
19 | # GPL Classpath Exception:
20 | # Oracle designates this particular file as subject to the "Classpath"
21 | # exception as provided by Oracle in the GPL Version 2 section of the License
22 | # file that accompanied this code.
23 | #
24 | # Modifications:
25 | # If applicable, add the following below the License Header, with the fields
26 | # enclosed by brackets [] replaced by your own identifying information:
27 | # "Portions Copyright [year] [name of copyright owner]"
28 | #
29 | # Contributor(s):
30 | # If you wish your version of this file to be governed by only the CDDL or
31 | # only the GPL Version 2, indicate your decision by adding "[Contributor]
32 | # elects to include this software in this distribution under the [CDDL or GPL
33 | # Version 2] license." If you don't indicate a single choice of license, a
34 | # recipient has the option to distribute your version of this file under
35 | # either the CDDL, the GPL Version 2 or to extend the choice of license to
36 | # its licensees as provided above. However, if you add GPL Version 2 code
37 | # and therefore, elected the GPL Version 2 license, then the option applies
38 | # only if the new code is made subject to such option by the copyright
39 | # holder.
40 | #
41 |
42 | #------------------------------------------------------
43 | #-- BE SURE TO HAVE THE FOLLOWING IN YOUR SETTINGS.XML
44 | #------------------------------------------------------
45 | #
46 | # AuthenticationException exception with null as its detail message.
61 | */
    public AuthenticationException() {
        // Relies on the implicit no-arg super() call; no message, no cause.
    }
65 |
    /**
     * Constructs a new AuthenticationException exception with the specified detail message.
     *
     * @param message the detail message, handed unchanged to the superclass
     *                (declared outside this view) and, assuming the usual
     *                {@link Throwable} convention, returned by {@code getMessage()}.
     */
    public AuthenticationException(String message) {
        super(message);
    }
75 |
    /**
     * Constructs a new AuthenticationException exception with the specified detail message and cause.
     *
     * Prefer this constructor over {@link #AuthenticationException(String)} when
     * wrapping a lower-level failure, so the original stack trace is preserved.
     *
     * @param message the detail message.
     * @param cause   the cause, handed unchanged to the superclass
     *                (declared outside this view); may be null.
     */
    public AuthenticationException(String message, Throwable cause) {
        super(message, cause);
    }
87 |
    /**
     * Constructs a new AuthenticationException exception with the specified cause.
     *
     * @param cause the cause; with the usual {@link Throwable} convention the
     *              detail message becomes {@code cause.toString()} (or null
     *              when {@code cause} is null) — the superclass is declared
     *              outside this view, so confirm against it.
     */
    public AuthenticationException(Throwable cause) {
        super(cause);
    }
97 |
98 | }
99 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/Password.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.credential;
42 |
43 | import static java.util.Arrays.copyOf;
44 | import java.util.Objects;
45 |
46 | import java.util.Arrays;
47 |
48 | /**
49 | * Represents a text-based password, and includes a built-in mechanism for securely
50 | * clearing the value.
51 | */
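public class Password {

    private static final char[] EMPTY_VALUE = new char[0];
    // Swapped (never mutated in place) by clear(); volatile so readers see the swap.
    private volatile char[] value;

    /**
     * Constructor
     *
     * The supplied array is copied, so the caller keeps ownership of, and
     * responsibility for wiping, its own array.
     *
     * @param value The password value
     * @throws java.lang.NullPointerException Value is null
     */
    public Password(char[] value) {
        Objects.requireNonNull(value, "Password value may not be null");

        this.value = copyOf(value, value.length);
    }

    /**
     * Constructor
     *
     * {@link String#toCharArray()} produces an intermediate array, and the
     * String itself is immutable, so neither is wiped by {@link #clear()};
     * prefer the {@code char[]} constructor when the caller controls the
     * lifetime of the secret.
     *
     * @param value The password value
     * @throws java.lang.NullPointerException Value is null
     */
    public Password(String value) {
        this(null == value ? null : value.toCharArray());
    }

    /**
     * Determines the password value.
     *
     * The internal array is returned without copying: it is the same array
     * that {@link #clear()} zeroes, and after clearing this method returns a
     * shared empty array.
     *
     * @return The password value, empty array if cleared.
     */
    public char[] getValue() {
        return value;
    }

    /**
     * Securely clears the password value.
     *
     * The field is pointed at the shared empty array first and the previous
     * array is zeroed afterwards; a caller still holding the previous array
     * therefore sees it being wiped. Calling this more than once is harmless.
     */
    public void clear() {
        if (EMPTY_VALUE == value) {
            return;
        }

        char[] previous = value;
        value = EMPTY_VALUE;

        Arrays.fill(previous, (char) 0x00);
    }

    /**
     * Compares the given plain-text password with this password value.
     *
     * Unlike {@link Arrays#equals(char[], char[])}, the comparison does not
     * stop at the first mismatching character, so the time taken does not
     * reveal how many leading characters matched (it still depends on the
     * length of the shorter value). No copy of {@code password} is made, so
     * no additional plain-text array is left in memory.
     *
     * @param password The plain-text password to compare; may be null.
     * @return true if {@code password} is non-null and equal to this value
     *         (an empty string matches a cleared password), otherwise false.
     */
    public boolean compareTo(String password) {
        if (password == null) {
            return false;
        }

        char[] current = value; // single volatile read; clear() may run concurrently
        int suppliedLength = password.length();
        // Any length difference or character difference leaves a non-zero bit.
        int mismatch = current.length ^ suppliedLength;
        int bound = Math.min(current.length, suppliedLength);
        for (int i = 0; i < bound; i++) {
            mismatch |= current[i] ^ password.charAt(i);
        }

        return mismatch == 0;
    }
}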
111 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/IdentityStoreHandler.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import javax.security.auth.message.module.ServerAuthModule;
44 | import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
45 | import javax.security.enterprise.credential.Credential;
46 |
47 | /**
48 | * IdentityStoreHandler is a mechanism for validating a caller's
49 | * credentials, and accessing a caller's identity attributes, by consulting
50 | * a set of one or more {@link IdentityStore}s.
51 | * 52 | * It is intended for use by an authentication mechanism, such as an 53 | * {@link HttpAuthenticationMechanism} (JSR 375) or a {@link ServerAuthModule} 54 | * (JSR 196/JASPIC). 55 | *
56 | * Beans should inject only this handler, and not {@link IdentityStore} 57 | * directly, as multiple stores may exist. 58 | *
59 | * Implementations of JSR 375 must supply a default implementation of {@code IdentityStoreHandler} 60 | * that behaves as described in the JSR 375 specification document. 61 | * Applications do not need to supply an {@code IdentityStoreHandler} 62 | * unless application-specific behavior is desired. 63 | */ 64 | public interface IdentityStoreHandler { 65 | 66 | /** 67 | * Validate the given {@link Credential} and return the identity and attributes 68 | * of the caller it represents. 69 | *
70 | * Implementations of this method will typically invoke the {@code validate()} 71 | * and {@code getCallerGroups()} methods of one or more {@link IdentityStore}s 72 | * and return an aggregated result. 73 | *
74 | * Note that the {@link IdentityStore} may check for {@link IdentityStorePermission}
75 | * if {@code getCallerGroups()} is called and a {@link SecurityManager} is configured.
76 | * (The default built-in stores do perform this check; application-supplied stores
77 | * may or may not.) An implementation of this method should therefore invoke
78 | * {@code getCallerGroups()} in the context of a {@link java.security.PrivilegedAction},
79 | * and arrange to be granted the appropriate {@link IdentityStorePermission} permission.
80 | *
81 | * @param credential The credential to validate.
82 | * @return The validation result.
83 | */
84 | CredentialValidationResult validate(Credential credential);
85 | }
86 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/RememberMeIdentityStore.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import java.util.Set;
44 |
45 | import javax.security.auth.message.module.ServerAuthModule;
46 | import javax.security.enterprise.CallerPrincipal;
47 | import javax.security.enterprise.authentication.mechanism.http.RememberMe;
48 | import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
49 | import javax.security.enterprise.credential.RememberMeCredential;
50 |
51 | /**
52 | * RememberMeIdentityStore is a mechanism for validating a caller's
53 | * credentials and accessing a caller's identity attributes that's specifically
54 | * tailored for the "remember me" feature.
55 | *
56 | *
57 | * This is not intended to be directly used by an authentication mechanism such as 58 | * the JSR 375 {@link HttpAuthenticationMechanism} or the JSR 196 (JASPIC) 59 | * {@link ServerAuthModule}. Instead, the interceptor implementation backing the 60 | * {@link RememberMe} annotation is intended to use this. 61 | * 62 | */ 63 | public interface RememberMeIdentityStore { 64 | 65 | /** 66 | * Validates the given credential. 67 | * 68 | * @param credential The credential to validate. 69 | * @return The validation result, including associated caller groups. 70 | */ 71 | CredentialValidationResult validate(RememberMeCredential credential); 72 | 73 | /** 74 | * Associates the given principal and groups with a token. 75 | *
76 | * The token generated by this method is intended to be used with the
77 | * {@link RememberMeCredential} and passed into the {@link #validate(RememberMeCredential)}
78 | * method.
79 | *
80 | * @param callerPrincipal The principal to be associated.
81 | * @param groups The groups the principal is in.
82 | * @return A token that can be used to get the principal and groups back at a later time.
83 | */
84 | String generateLoginToken(CallerPrincipal callerPrincipal, Set
90 | * If the token did not exist (i.e. no principal and groups were associated with it),
91 | * no exception is thrown.
92 | *
93 | * @param token The token that is to be removed.
94 | */
95 | void removeLoginToken(String token);
96 |
97 | }
98 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/Pbkdf2PasswordHash.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | /**
44 | * This interface represents the built-in {@code Pbkdf2PasswordHash} implementation.
45 | *
46 | * To use {@code Pbkdf2PasswordHash} with the built-in Database {@link IdentityStore},
47 | * configure this interface type as the {@code hashAlgorithm} value
48 | * on the {@link DatabaseIdentityStoreDefinition} annotation.
49 | *
50 | * To configure parameters for {@code Pbkdf2PasswordHash}, specify them as the
51 | * {@code hashAlgorithmParameters} value on the {@link DatabaseIdentityStoreDefinition} annotation.
52 | *
53 | * The built-in implementation must support the following configurable parameters:
54 | *
61 | * And the following PBKDF2 algorithms:
62 | *
72 | * The encoded format produced by {@link #generate(char[])}, and consumed by {@link #verify(char[], String)},
73 | * is as follows:
74 | *
85 | * Because the algorithm and the parameters used to generate the hash are stored with the hash,
86 | * the built-in {@code Pbkdf2PasswordHash} implementation can verify hashes generated using algorithm
87 | * and parameter values that differ from the currently configured values. This means the configuration
88 | * parameters can be changed without impacting the ability to verify existing password hashes.
89 | *
90 | * (Password hashes generated using algorithms/parameters outside the range supported by
91 | * {@code Pbkdf2PasswordHash} cannot be verified.)
92 | *
93 | * @see DatabaseIdentityStoreDefinition#hashAlgorithm()
94 | * @see DatabaseIdentityStoreDefinition#hashAlgorithmParameters()
95 | */
public interface Pbkdf2PasswordHash extends PasswordHash {
    // Intentionally empty: this type only names the built-in PBKDF2 implementation so that it
    // can be selected as the hashAlgorithm of a DatabaseIdentityStoreDefinition. The
    // generate/verify contract is inherited unchanged from PasswordHash, and the PBKDF2
    // parameters are supplied via DatabaseIdentityStoreDefinition#hashAlgorithmParameters().
}
99 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/credential/BasicAuthenticationCredential.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.credential;
42 |
43 | import java.io.UnsupportedEncodingException;
44 | import java.util.Base64;
45 |
46 | /**
47 | *
48 | * Implementations of {@code PasswordHash} are configured for the built-in Database {@link IdentityStore}
49 | * by configuring the type on the {@link DatabaseIdentityStoreDefinition} annotation.
50 | * Parameters for the {@code PasswordHash} can also be configured on the annotation,
51 | * and will be passed to the {@link #initialize(Map)} method when the {@link IdentityStore} is initialized.
52 | *
53 | * @see DatabaseIdentityStoreDefinition#hashAlgorithm()
54 | * @see DatabaseIdentityStoreDefinition#hashAlgorithmParameters()
55 | */
56 | public interface PasswordHash {
57 |
58 | /**
59 | * Initialize the instance with the parameters it should use to
60 | * generate and verify password hashes. The parameters are the
61 | * name/value pairs specified with the
62 | * {@link DatabaseIdentityStoreDefinition#hashAlgorithmParameters()}
63 | * attribute.
64 | *
65 | * An implementation is not required to support parameters, and may
66 | * ignore parameters passed to it. It is also possible that an implementation
67 | * will use the specified parameters when generating a new password hash,
68 | * but ignore them in favor of parameters stored with an existing password
69 | * hash when verifying.
70 | *
71 | * If no parameters were supplied, the argument is an empty {@link Map}.
72 | *
73 | * @param parameters A {@link Map} of the provided parameters, empty if no parameters were supplied.
74 | */
75 | default void initialize(Map
81 | * This method should not be used to generate a password hash for verification purposes;
82 | * use {@link #verify(char[], String)} for that purpose. Use this method only to generate
83 | * password hashes for new or changed passwords.
84 | *
85 | * The returned hash value should be fully encoded, such that it can be directly stored, as is,
86 | * with no additional formatting or encoding applied.
87 | *
88 | * @param password The password to generate a hash for.
89 | * @return The generated password hash value.
90 | */
91 | String generate(char[] password);
92 |
93 | /**
94 | * Verify a password against the hashed password value retrieved from a user's account.
95 | *
96 | * The {@code hashedPassword} parameter should be provided exactly as retrieved from the database,
97 | * with no decoding or formatting applied. The {@code password} parameter should be hashed and
98 | * compared to the hashed password.
99 | *
100 | * @param password The password to verify.
101 | * @param hashedPassword The hashed password to compare against.
102 | * @return True if the password matched the hashed password, false otherwise.
103 | */
104 | boolean verify(char[] password, String hashedPassword);
105 |
106 | }
107 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/LoginToContinue.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import static java.lang.annotation.ElementType.TYPE;
44 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
45 |
46 | import java.lang.annotation.Inherited;
47 | import java.lang.annotation.Retention;
48 | import java.lang.annotation.Target;
49 |
50 | import javax.enterprise.util.Nonbinding;
51 | import javax.interceptor.InterceptorBinding;
52 |
53 | /**
54 | * The
58 | * When the
64 | * When the
67 | * Expressions can be either immediate (
73 | * Attributes that are documented as being EL alternatives to non-
79 | * The EL alternative attribute MUST contain a valid EL expression. Attributes of type string that are not EL alternative
80 | * attributes can contain either an expression or a string value that is not an expression.
81 | *
82 | *
93 | * Expression language is supported for these annotations as well, but in a slightly different way.
94 | * See the javadoc of both these annotations for how the expression language support differs.
95 | *
96 | * @version 1.0
97 | */
98 | package javax.security.enterprise;
99 |
100 | import javax.el.ELProcessor;
101 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/HttpMessageContextWrapper.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import java.security.Principal;
44 | import java.util.Set;
45 |
46 | import javax.security.auth.Subject;
47 | import javax.security.auth.callback.CallbackHandler;
48 | import javax.security.auth.message.MessageInfo;
49 | import javax.security.enterprise.AuthenticationStatus;
50 | import javax.security.enterprise.identitystore.CredentialValidationResult;
51 | import javax.servlet.http.HttpServletRequest;
52 | import javax.servlet.http.HttpServletResponse;
53 |
54 | /**
55 | * This class is an implementation of the HttpMessageContext interface that
56 | * can be subclassed by developers wishing to provide extra or different
57 | * functionality.
58 | *
59 | * All methods default to calling the wrapped object.
60 | *
61 | */
62 | public class HttpMessageContextWrapper implements HttpMessageContext {
63 |
64 | private final HttpMessageContext httpMessageContext;
65 |
/**
 * Creates a wrapper that delegates the {@link HttpMessageContext} calls to {@code httpMessageContext}.
 *
 * @param httpMessageContext the context to delegate to. No null check is performed here; a
 *        {@code null} value only fails once a delegating method is invoked.
 */
public HttpMessageContextWrapper(HttpMessageContext httpMessageContext) {
    this.httpMessageContext = httpMessageContext;
}
69 |
/**
 * Returns the wrapped {@link HttpMessageContext}.
 *
 * The delegating methods of this class (e.g. {@link #isProtected()}) obtain their target through
 * this method rather than through the field, so a subclass that overrides it redirects that delegation.
 *
 * @return the context passed to the constructor
 */
public HttpMessageContext getWrapped() {
    return httpMessageContext;
}
73 |
/** Delegates to {@link HttpMessageContext#isProtected()} on the context returned by {@link #getWrapped()}. */
@Override
public boolean isProtected() {
    HttpMessageContext target = getWrapped();
    return target.isProtected();
}
78 |
/** Delegates to {@link HttpMessageContext#isAuthenticationRequest()} on the context returned by {@link #getWrapped()}. */
@Override
public boolean isAuthenticationRequest() {
    HttpMessageContext target = getWrapped();
    return target.isAuthenticationRequest();
}
83 |
/** Delegates to {@link HttpMessageContext#isRegisterSession()} on the context returned by {@link #getWrapped()}. */
@Override
public boolean isRegisterSession() {
    HttpMessageContext target = getWrapped();
    return target.isRegisterSession();
}
88 |
89 | @Override
90 | public void setRegisterSession(String callerName, Set
101 | * If "remember me" is not configured, this parameter is silently ignored.
102 | *
103 | * @see RememberMe
104 | * @see RememberMeIdentityStore
105 | *
106 | * @param rememberMe if
58 | * The container-provided {@code IdentityStore} must support validating {@link UsernamePasswordCredential},
59 | * and may support validating other credential types.
60 | */
61 | @Retention(RUNTIME)
62 | @Target(TYPE)
63 | public @interface DatabaseIdentityStoreDefinition {
64 |
65 | /**
66 | * Full JNDI name of the data source that provides access to the database
67 | * where the caller identities are stored.
68 | *
69 | * @return Full JNDI name of the data source
70 | */
71 | String dataSourceLookup() default "java:comp/DefaultDataSource"; // default data source
72 |
73 | /**
74 | * SQL query to validate the {caller, password} pair.
75 | *
76 | * Only needed when {@link #useFor()} contains
77 | * {@link ValidationType#VALIDATE}.
78 | *
79 | *
80 | * The name of the caller that is to be authenticated has to be set as the
81 | * one and only placeholder. The (hashed) password should be in the first
82 | * column of the result.
83 | *
84 | *
85 | * Example query:
86 | *
104 | * The name of the caller that has been authenticated has to be set as the
105 | * one and only placeholder. The group name should be in the first column of
106 | * the result.
107 | *
108 | *
109 | * Example query:
110 | *
133 | * Parameters are specified as a list of name/value pairs, using the format below:
134 | *
138 | * For example:
139 | *
144 | * This attribute supports immediate EL expressions (${} syntax) for both the
145 | *
59 | * This is used to help in securing Servlet endpoints, including
60 | * endpoints that may be built on top of Servlet, such as JAX-RS endpoints and JSF views.
61 | * It specifically is not used for endpoints such as remote EJB beans or (JMS) message driven beans.
62 | *
63 | *
64 | * A
69 | * Implementations of this interface can notify the Servlet container about a successful authentication by using the
70 | * {@link HttpMessageContext#notifyContainerAboutLogin(java.security.Principal, java.util.Set)} method.
71 | *
72 | *
73 | * Implementations are expected and encouraged to delegate the actual credential validation and/or retrieval of the
74 | * caller name with optional groups to an {@link IdentityStore}. This is however not required and implementations
75 | * can either do the validation checks for authentication completely autonomously, or delegate only certain aspects of
76 | * the process to the store (e.g. use the store only for retrieving the groups an authenticated user is in).
77 | */
78 | public interface HttpAuthenticationMechanism {
79 |
80 | /**
81 | * Authenticate an HTTP request.
82 | *
83 | *
84 | * This method is called in response to an HTTP client request for a resource, and is always invoked
85 | * before any {@link Filter} or {@link HttpServlet}. Additionally this method is called
86 | * in response to {@link HttpServletRequest#authenticate(HttpServletResponse)}.
87 | *
88 | *
89 | * Note that by default this method is always called for every request, independent of whether
90 | * the request is to a protected or non-protected resource, or whether a caller was successfully authenticated
91 | * before within the same HTTP session or not.
92 | *
93 | *
94 | * A CDI/Interceptor spec interceptor can be used to prevent calls to this method if needed.
95 | * See {@link AutoApplySession} and {@link RememberMe} for two examples.
96 | *
97 | * @param request contains the request the client has made
98 | * @param response contains the response that will be sent to the client
99 | * @param httpMessageContext context for interacting with the container
100 | * @return the completion status of the processing performed by this method
101 | * @throws AuthenticationException when the processing failed
102 | */
103 | AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException;
104 |
105 | /**
106 | * Secure the response, optionally.
107 | *
108 | *
109 | * This method is called to allow for any post-processing to be done on the request, and is always invoked
110 | * after any {@link Filter} or {@link HttpServlet}.
111 | *
112 | *
113 | * Note that this method is only called when a (Servlet) resource has indeed been invoked, i.e. if a previous call
114 | * to
131 | * This method is called in response to {@link HttpServletRequest#logout()} and gives the authentication mechanism
132 | * the option to remove any state associated with an earlier established authenticated identity. For example, an
133 | * authentication mechanism that stores state within a cookie can remove that cookie here.
134 | *
135 | * @param request contains the request the client has made
136 | * @param response contains the response that will be sent to the client
137 | * @param httpMessageContext context for interacting with the container
138 | */
default void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
    // Default behaviour: only ask the container to clear the client subject. A mechanism that
    // keeps its own state (for example in a cookie) is expected to override this method.
    HttpMessageContext context = httpMessageContext;
    context.cleanClientSubject();
}
142 |
143 | }
144 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/AuthenticationStatus.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise;
42 |
43 | import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
44 | import javax.servlet.http.HttpServletRequest;
45 |
46 | /**
47 | * The AuthenticationStatus is used, primarily by
48 | * the {@link HttpAuthenticationMechanism}, as a return value to indicate the result (status)
49 | * of the authentication process.
50 | *
51 | *
52 | * For the result from {@link HttpAuthenticationMechanism#validateRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)}
53 | * an AuthenticationStatus must be transformed by the Java EE server into the corresponding JASPIC (JSR 196) AuthStatus
54 | * according to the following rules:
55 | *
56 | *
64 | * After the transformation as outlined above the transformed result has to be processed by the Java EE server as
65 | * specified by the Servlet Container Profile of the JASPIC 1.1 spec (chapter 3).
66 | *
67 | *
68 | * Implementation note: while the JASPIC Servlet Container Profile is the authoritative
69 | * source on how to process the
76 | * The return value of {@link SecurityContext#authenticate(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters)}
77 | * , which is also of type AuthenticationStatus, strongly relates to the outcome of the
88 | * When an
92 | * When a JASPIC ServerAuthModule (SAM) was used and an
104 | * When a Java EE Server proprietary identity store equivalent was used and an
105 | *
111 | * Application code calling
143 | * Note that this status should be used to indicate a logical problem (such as a credential not matching or a caller
144 | * ID that cannot be found). Exceptions should be used for system-level problems (such as a database connection timing out).
145 | */
146 | SEND_FAILURE
147 | }
148 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/SecurityContext.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise;
42 |
43 | import java.security.Principal;
44 | import java.util.Set;
45 |
46 | import javax.ejb.SessionContext;
47 | import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
48 | import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
49 | import javax.servlet.http.HttpServletRequest;
50 | import javax.servlet.http.HttpServletResponse;
51 |
52 | /**
53 | * The SecurityContext provides an access point for programmatic security; an injectable type that is intended to be
54 | * used by application code to query and interact with the Java EE Security API.
55 | *
56 | *
57 | * Unless otherwise indicated, this type must be usable in all Java EE containers, specifically the Servlet
58 | * and EJB containers.
59 | *
60 | *
61 | */
62 | public interface SecurityContext {
63 |
64 | /**
65 | * Retrieve the platform-specific
77 | * This can be used to retrieve application-specific
78 | * Principals when the platform's representation of the caller uses a different principal type.
79 | *
80 | * The returned Set is not backed by the Subject's internal Principal Set.
81 | * A new Set is created and returned for each method invocation.
82 | * Modifications to the returned Set will not affect the internal Principal Set.
83 | *
84 | * @param pType Class object representing the type of Principal to return.
85 | *
86 | * @return Set of Principals of the given type, or an empty set.
87 | */
88 |
95 | * This method cannot be used to test for roles that are mapped to specific named Servlets or
96 | * named EJB beans. For a Servlet an example of this would be the
100 | * Should code in either such Servlet or EJB bean wish to take such mapped (aka referenced, linked) roles into
101 | * account, the facilities for that specific container should be used instead. For instance for Servlet that would
102 | * be {@link HttpServletRequest#isUserInRole(String)} and for EJB beans that would be
103 | * {@link SessionContext#isCallerInRole(String)}.
104 | *
105 | *
106 | * @param role a
117 | * A caller has access if the web resource is either not protected (constrained), or when it is protected by a role
118 | * and the caller is in that role.
119 | *
120 | * @param resource the name of the web resource to test access for. This is a
134 | * Programmatically triggering means that the container responds as if the caller had attempted to access a constrained resource
135 | * and acts by invoking a configured authentication mechanism (such as the {@link HttpAuthenticationMechanism}).
136 | *
137 | *
138 | * Whether the authentication dialog is to be started or continued depends on the (logical) state of the authentication dialog. If
139 | * such a dialog is currently in progress, a call to this method will continue it. If no such dialog is in progress, a new one will be
140 | * started. A new dialog can be forced to be started regardless of one being in progress or not by providing a value of
141 | *
144 | * This method requires an {@link HttpServletRequest} and {@link HttpServletResponse} argument to be passed in, and
145 | * can therefore only be used in a valid Servlet context.
146 | *
147 | * @param request The
64 | * Stores which do only validation or only group lookup are allowed.
65 | *
66 | * An
79 | * As a convenience, a default implementation is provided that looks up an overload of this method
80 | * that has, as its one and only parameter, a subclass of {@link Credential}. Here is an example of what
81 | * an implementation of this interface looks like with such an overloaded method:
82 | *
93 | * Note that the overloaded method is only called when the actual type passed into this method exactly matches
94 | * the parameter type of the overloaded method. No attempt is made to find the most specific overloaded method
95 | * as specified in JLS 15.2.
96 | *
97 | * This method returns a {@link CredentialValidationResult} representing the result of the validation attempt:
98 | * whether it succeeded or failed, and, for a successful validation, the {@link CallerPrincipal}, and possibly
99 | * groups or other attributes, of the caller.
100 | *
101 | * @param credential The credential to validate.
102 | * @return The validation result.
103 | */
default CredentialValidationResult validate(Credential credential) {
    try {
        // Reflectively dispatch to an overload of validate(...) whose single parameter type is
        // exactly the runtime class of the credential; no JLS 15.2 "most specific" resolution.
        Object outcome = MethodHandles.lookup()
                .bind(this, "validate", methodType(CredentialValidationResult.class, credential.getClass()))
                .invoke(credential);
        return CredentialValidationResult.class.cast(outcome);
    } catch (NoSuchMethodException noExactOverload) {
        // No exact-match overload: this store does not handle this credential type.
        return NOT_VALIDATED_RESULT;
    } catch (Throwable failure) {
        // Any other failure (including a NullPointerException from a null credential and
        // anything thrown by the overload itself) is reported as a system-level problem.
        throw new IllegalStateException(failure);
    }
}
116 |
117 | /**
118 | * Returns groups for the caller, who is identified by the {@link CallerPrincipal}
119 | * (and potentially other values) found in the {@code validationResult} parameter.
120 | *
121 | * Callers (i.e., {@link IdentityStoreHandler}s) should have
122 | * {@link IdentityStorePermission} permission to invoke this method.
123 | * Implementations should check for this permission before doing any work:
124 | *
154 | * Implementations of this API should not return a direct reference
155 | * to a {@link Set} used internally to represent an {@link IdentityStore}'s validation types,
156 | * unless it is an immutable {@link Set}. Callers of the API should be aware that
157 | * the returned {@link Set} may be immutable, or a copy, and that, in any case,
158 | * it should not be modified by the caller.
159 | *
160 | * @return {@link Set} containing the validation types enabled for the {@link IdentityStore}.
161 | */
162 | default Set
63 | * For the remember me function the credentials provided by the caller are exchanged for a (long-lived) token
64 | * which is sent to the user as the value of a cookie, in a similar way to how the HTTP session ID is sent.
65 | * It should be realized that this token effectively becomes the credential to establish the caller's
66 | * identity within the application and care should be taken to handle and store the token securely. E.g.
67 | * by using this feature with a secure transport (SSL/HTTPS), storing a strong hash instead of the actual
68 | * token, and implementing an expiration policy.
69 | *
70 | *
71 | * The token is vended by a special purpose {@link IdentityStore}-like artifact; an implementation of the
72 | * {@link RememberMeIdentityStore}.
73 | *
74 | *
75 | * This support is provided via an implementation of an interceptor spec interceptor that conducts the
76 | * necessary logic.
77 | *
78 | *
79 | * Example:
80 | *
81 | *
92 | * EL expressions in attributes of type
97 | * Note: this facility DOES NOT constitute any kind of "session management" system, but instead
98 | * represents a special purpose authentication mechanism using a long-lived token, that is vended and validated by the
99 | * {@link RememberMeIdentityStore}.
100 | *
101 | */
102 | @Inherited
103 | @InterceptorBinding
104 | @Retention(RUNTIME)
105 | @Target(TYPE)
106 | public @interface RememberMe {
107 |
/**
 * Max age in seconds for the remember me cookie.
 * Defaults to one day (86400 seconds).
 *
 * The cookie carries the long-lived token that stands in for the caller's credentials,
 * so this value also bounds how long a leaked cookie stays usable; prefer the shortest
 * lifetime the use case tolerates.
 *
 * @see Cookie#setMaxAge(int)
 *
 * @return Max age in seconds
 *
 */
@Nonbinding
int cookieMaxAgeSeconds() default 86400; // 1 day
119 |
120 | /**
121 | * EL expression variant of
9 | ORACLE AMERICA, INC. IS WILLING TO LICENSE THIS SPECIFICATION TO YOU ONLY UPON THE
10 | CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS AGREEMENT. PLEASE READ THE
11 | TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY. BY DOWNLOADING THIS SPECIFICATION,
12 | YOU ACCEPT THE TERMS AND CONDITIONS OF THE AGREEMENT. IF YOU ARE NOT WILLING TO BE
13 | BOUND BY IT, SELECT THE "DECLINE" BUTTON AT THE BOTTOM OF THIS PAGE.
14 |
16 | Specification: JSR-375 Java EE Security API ("Specification")
17 |
19 | Version: 1.0
20 |
22 | Status: Final Release
23 |
25 | Specification Lead: Oracle America, Inc. ("Specification Lead")
26 |
28 | Release: August 2017
29 |
31 | Copyright 2017 Oracle America, Inc.
32 |
36 | LIMITED LICENSE GRANTS
37 |
39 | 1. License for Evaluation Purposes. Specification Lead hereby grants you a fully-paid, non-exclusive, non-
40 | transferable, worldwide, limited license (without the right to sublicense), under Specification Lead's
41 | applicable intellectual property rights to view, download, use and reproduce the Specification only for
42 | the purpose of internal evaluation. This includes (i) developing applications intended to run on an
43 | implementation of the Specification, provided that such applications do not themselves implement any
44 | portion(s) of the Specification, and (ii) discussing the Specification with any third party; and (iii)
45 | excerpting brief portions of the Specification in oral or written communications which discuss the
46 | Specification provided that such excerpts do not in the aggregate constitute a significant portion of the
47 | Specification.
48 |
50 | 2. License for the Distribution of Compliant Implementations. Specification Lead also grants you a
51 | perpetual, non-exclusive, non-transferable, worldwide, fully paid-up, royalty free, limited license
52 | (without the right to sublicense) under any applicable copyrights or, subject to the provisions of
53 | subsection 4 below, patent rights it may have covering the Specification to create and/or distribute an
54 | Independent Implementation of the Specification that: (a) fully implements the Specification including
55 | all its required interfaces and functionality; (b) does not modify, subset, superset or otherwise extend
56 | the Licensor Name Space, or include any public or protected packages, classes, Java interfaces, fields or
57 | methods within the Licensor Name Space other than those required/authorized by the Specification or
58 | Specifications being implemented; and (c) passes the Technology Compatibility Kit (including satisfying
59 | the requirements of the applicable TCK Users Guide) for such Specification ("Compliant
60 | Implementation"). In addition, the foregoing license is expressly conditioned on your not acting outside
61 | its scope. No license is granted hereunder for any other purpose (including, for example, modifying the
62 | Specification, other than to the extent of your fair use rights, or distributing the Specification to third
63 | parties). Also, no right, title, or interest in or to any trademarks, service marks, or trade names of
64 | Specification Lead or Specification Lead's licensors is granted hereunder. Java, and Java-related logos,
65 | marks and names are trademarks or registered trademarks of Oracle America, Inc. in the U.S. and other
66 | countries.
67 |
69 | 3. Pass-through Conditions. You need not include limitations (a)-(c) from the previous paragraph or any
70 | other particular "pass through" requirements in any license You grant concerning the use of your
71 | Independent Implementation or products derived from it. However, except with respect to
72 | Independent Implementations (and products derived from them) that satisfy limitations (a)-(c) from the
73 | previous paragraph, You may neither: (a) grant or otherwise pass through to your licensees any licenses
74 | under Specification Lead's applicable intellectual property rights; nor (b) authorize your licensees to
75 | make any claims concerning their implementation's compliance with the Specification in question.
76 |
78 | 4. Reciprocity Concerning Patent Licenses.
79 |
81 |
82 |
83 | a. With respect to any patent claims covered by the license granted under subparagraph 2
84 | above that would be infringed by all technically feasible implementations of the Specification, such
85 | license is conditioned upon your offering on fair, reasonable and non-discriminatory terms, to any party
86 | seeking it from You, a perpetual, non-exclusive, non-transferable, worldwide license under Your patent
87 | rights which are or would be infringed by all technically feasible implementations of the Specification to
88 | develop, distribute and use a Compliant Implementation.
89 |
91 |
92 |
93 | b. With respect to any patent claims owned by Specification Lead and covered by the license
94 | granted under subparagraph 2, whether or not their infringement can be avoided in a technically
95 | feasible manner when implementing the Specification, such license shall terminate with respect to such
96 | claims if You initiate a claim against Specification Lead that it has, in the course of performing its
97 | responsibilities as the Specification Lead, induced any other entity to infringe Your patent rights.
98 |
100 |
101 |
102 | c. Also with respect to any patent claims owned by Specification Lead and covered by the license
103 | granted under subparagraph 2 above, where the infringement of such claims can be avoided in a
104 | technically feasible manner when implementing the Specification such license, with respect to such
105 | claims, shall terminate if You initiate a claim against Specification Lead that its making, having made,
106 | using, offering to sell, selling or importing a Compliant Implementation infringes Your patent rights.
107 |
109 | 5. Definitions. For the purposes of this Agreement: "Independent Implementation" shall mean an
110 | implementation of the Specification that neither derives from any of Specification Lead's source code or
111 | binary code materials nor, except with an appropriate and separate license from Specification Lead,
112 | includes any of Specification Lead's source code or binary code materials; "Licensor Name Space" shall
113 | mean the public class or interface declarations whose names begin with "java", "javax", "com.oracle",
114 | "com.sun" or their equivalents in any subsequent naming convention adopted by Oracle America, Inc.
115 | through the Java Community Process, or any recognized successors or replacements thereof; and
116 | "Technology Compatibility Kit" or "TCK" shall mean the test suite and accompanying TCK User's Guide
117 | provided by Specification Lead which corresponds to the Specification and that was available either (i)
118 | from Specification Lead's 120 days before the first release of Your Independent Implementation that
119 | allows its use for commercial purposes, or (ii) more recently than 120 days from such release but against
120 | which You elect to test Your implementation of the Specification.
121 |
123 | This Agreement will terminate immediately without notice from Specification Lead if you breach the
124 | Agreement or act outside the scope of the licenses granted above.
125 |
127 | DISCLAIMER OF WARRANTIES
128 |
130 | THE SPECIFICATION IS PROVIDED "AS IS". SPECIFICATION LEAD MAKES NO REPRESENTATIONS OR
131 | WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF
132 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT (INCLUDING AS A
133 | CONSEQUENCE OF ANY PRACTICE OR IMPLEMENTATION OF THE SPECIFICATION), OR THAT THE
134 | CONTENTS OF THE SPECIFICATION ARE SUITABLE FOR ANY PURPOSE. This document does not represent
135 | any commitment to release or implement any portion of the Specification in any product. In addition,
136 | the Specification could include technical inaccuracies or typographical errors.
137 |
139 | LIMITATION OF LIABILITY
140 |
142 | TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SPECIFICATION LEAD OR ITS LICENSORS BE
143 | LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, LOST REVENUE, PROFITS OR DATA, OR
144 | FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED
145 | AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED IN ANY WAY TO YOUR
146 | HAVING, IMPLEMENTING OR OTHERWISE USING THE SPECIFICATION, EVEN IF SPECIFICATION LEAD
147 | AND/OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
148 | You will indemnify, hold harmless, and defend Specification Lead and its licensors from any claims
149 | arising or resulting from: (i) your use of the Specification; (ii) the use or distribution of your Java
150 | application, applet and/or implementation; and/or (iii) any claims that later versions or releases of any
151 | Specification furnished to you are incompatible with the Specification provided to you under this license.
152 |
154 | RESTRICTED RIGHTS LEGEND
155 |
157 | U.S. Government: If this Specification is being acquired by or on behalf of the U.S. Government or by a
158 | U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in the
159 | Software and accompanying documentation shall be only as set forth in this license; this is in accordance
160 | with 48 C.F.R. 227.7201 through 227.7202-4 (for Department of Defense (DoD) acquisitions) and with 48
161 | C.F.R. 2.101 and 12.212 (for non-DoD acquisitions).
162 |
164 | REPORT
165 |
167 | If you provide Specification Lead with any comments or suggestions concerning the Specification
168 | ("Feedback"), you hereby: (i) agree that such Feedback is provided on a non-proprietary and non-
169 | confidential basis, and (ii) grant Specification Lead a perpetual, non-exclusive, worldwide, fully paid-up,
170 | irrevocable license, with the right to sublicense through multiple levels of sublicensees, to incorporate,
171 | disclose, and use without limitation the Feedback for any purpose.
172 |
174 | GENERAL TERMS
175 |
177 | Any action related to this Agreement will be governed by California law and controlling U.S. federal law.
178 | The U.N. Convention for the International Sale of Goods and the choice of law rules of any jurisdiction
179 | will not apply.
180 |
182 | The Specification is subject to U.S. export control laws and may be subject to export or import
183 | regulations in other countries. Licensee agrees to comply strictly with all such laws and regulations and
184 | acknowledges that it has the responsibility to obtain such licenses to export, re-export or import as may
185 | be required after delivery to Licensee.
186 |
188 | This Agreement is the parties' entire agreement relating to its subject matter. It supersedes all prior or
189 | contemporaneous oral or written communications, proposals, conditions, representations and
190 | warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment,
191 | or other communication between the parties relating to its subject matter during the term of this
192 | Agreement. No modification to this Agreement will be binding, unless in writing and signed by an
193 | authorized representative of each party.
194 |
60 | * The container-provided {@code IdentityStore} must support validating {@link UsernamePasswordCredential},
61 | * and may support validating other credential types.
62 | */
@Retention(RUNTIME)
@Target(TYPE)
public @interface LdapIdentityStoreDefinition {

    /**
     * Enum representing LDAP search scope values.
     *
     * ONE_LEVEL restricts a search to the immediate children of the base DN;
     * SUBTREE covers the base DN and the entire subtree beneath it.
     */
    enum LdapSearchScope { ONE_LEVEL, SUBTREE }

    /**
     * URL where the LDAP server can be reached.
     *
     * E.g.:
     * (example omitted in this excerpt)
     *
     * This value is needed if caller or group lookup will be done. It is not needed if the
     * store will be used only to authenticate callers using direct binding (see callerBaseDn).
     *
     * This user needs search permission in the LDAP for persons and/or groups.
     *
     * E.g.:
     * (example omitted in this excerpt)
     *
     * NOTE(review): the paragraphs above describe the url and bind-user members, whose
     * declarations are missing from this excerpt; confirm against the full source.
     *
     * When this member value is specified, and callerSearchBase is not, direct binding is attempted.
     *
     * The callerNameAttribute must be specified along with this attribute so that the
     * runtime can create the "leaf" RDN needed to concatenate with the base DN to create the
     * full DN of the caller.
     *
     * Because that leaf RDN is built from the caller-supplied name, an implementation doing
     * direct binding needs to escape the name as a DN value (RFC 4514) before concatenating,
     * and must not issue a simple bind with an empty password: many directories treat a
     * name plus empty password as an unauthenticated bind that "succeeds" (RFC 4513, 5.1.2).
     * Nothing in this annotation enforces either point.
     *
     * @return The base distinguished name for callers.
     */
    String callerBaseDn() default "";

    /**
     * Name of the attribute that contains the callers name in the person object
     * (e.g., "uid").
     *
     * This attribute will be used, with callerBaseDn, to construct caller DNs for direct binding.
     * It is also used to retrieve the caller's name when the caller object is instead looked up
     * using search.
     *
     * The value of this attribute is returned as the caller principal name
     * for a successful credential validation.
     *
     * The following gives an example in ldif format:
     * (example omitted in this excerpt)
     *
     * NOTE(review): the callerNameAttribute declaration itself, and the start of the
     * callerSearchBase description, are missing from this excerpt.
     *
     * Overrides callerBaseDn, if configured, causing caller search
     * to be used instead of direct binding.
     * Requires that the bindDn member be filled in.
     *
     * @return Base DN for searching the LDAP tree for callers.
     */
    String callerSearchBase() default "";

    /**
     * Search filter to find callers when callerSearchBase is set.
     * The search is performed starting from the callerSearchBase DN
     * with the scope specified by callerSearchScope.
     *
     * NOTE(review): this annotation only carries the filter text. Presumably the
     * implementation substitutes the caller-supplied name into it at runtime — confirm;
     * if so, that value has to be escaped as a filter assertion value (RFC 4515) before
     * substitution, otherwise a crafted name can change the meaning of the filter.
     *
     * @return Search expression to find callers.
     */
    String callerSearchFilter() default "";

    /**
     * Search scope for caller searches: determines depth
     * of the search in the LDAP tree.
     *
     * @return The search scope
     */
    LdapSearchScope callerSearchScope() default LdapSearchScope.SUBTREE;

    /**
     * Allow callerSearchScope to be specified as an EL expression.
     * If set, overrides any value set with callerSearchScope.
     *
     * @return the callerSearchScope EL expression
     */
    String callerSearchScopeExpression() default "";

    /**
     * Search base for looking up groups
     * (e.g., "ou=group,dc=example,dc=com").
     *
     * Needed only for a store that performs group lookup.
     * Requires that the bindDn member be filled in.
     *
     * @return Base DN for searching the LDAP tree for groups.
     */
    String groupSearchBase() default "";

    /**
     * Search filter to find groups when groupSearchBase is set.
     * The search is performed starting from the groupSearchBase DN
     * with the scope specified by groupSearchScope.
     *
     * The same escaping concern as for callerSearchFilter applies to any runtime
     * value an implementation substitutes into this filter (RFC 4515).
     *
     * @return Search expression to find groups.
     */
    String groupSearchFilter() default "";

    /**
     * Search scope for group searches, determines depth
     * of the search in the LDAP tree.
     *
     * @return The search scope
     */
    LdapSearchScope groupSearchScope() default LdapSearchScope.SUBTREE;

    /**
     * Allow groupSearchScope to be specified as an EL expression.
     * If set, overrides any value set with groupSearchScope.
     *
     * @return the groupSearchScope EL expression
     */
    String groupSearchScopeExpression() default "";

    /**
     * Name of the attribute of a group object that represents the group name
     * (e.g., "cn").
     *
     * NOTE(review): the declarations of the group-name and group-membership members,
     * their ldif examples, and the start of the readTimeout description are missing from
     * this excerpt; the paragraphs below are what survived of their documentation.
     *
     * The value of this attribute must be the full DN of the caller. The following gives an example
     * entry in ldif format:
     * (example omitted in this excerpt)
     *
     * This attribute is used only if: a) group search is not configured
     * (i.e., no groupSearchBase and groupSearchFilter configured); and,
     * b) the caller's DN is available, either because groups are being returned
     * during the credential validation phase by an identity store that performs
     * both validation and group lookup, or because the DN is available in the
     * {@link CredentialValidationResult} passed to the
     * {@link IdentityStore#getCallerGroups(CredentialValidationResult)} method.
     *
     * The value of this attribute must be the full DN of the group. The following gives an example
     * entry in ldif format:
     * (example omitted in this excerpt)
     *
     * The default value of 0 means wait forever (assuming the connection
     * itself does not time out).
     *
     * NOTE(review): with the default, a slow or unresponsive directory blocks the thread
     * performing validation indefinitely; production deployments should set a bounded
     * value so that an LDAP outage degrades into failed validations rather than hung
     * requests. The unit of this value is not stated in this excerpt.
     *
     * @return The readTimeout value.
     */
    int readTimeout() default 0;

    /**
     * Allow readTimeout to be specified as an EL expression.
     * If set, overrides any value set with readTimeout.
     *
     * @return The readTimeout EL expression
     */
    String readTimeoutExpression() default "";

    /**
     * Set the maximum number of results (objects) the server should
     * return in response to a search.
     *
     * The default value is set to 1000, which corresponds to the
     * maximum number of results most LDAP servers will return
     * in a single response. Most LDAP servers support paging through
     * result sets larger than 1000, but doing so should rarely be
     * necessary for normal validation and group lookup use cases.
     * Implementations of the built-in LDAP IdentityStore MAY support
     * paging through larger result sets, but are NOT REQUIRED to.
     *
     * @return The maximum number of results the LDAP server should return.
     */
    int maxResults() default 1000;

    /**
     * Allow maxResults to be specified as an EL expression.
     * If set, overrides any value set with maxResults.
     *
     * @return The maxResults EL expression
     */
    String maxResultsExpression() default "";

    /**
     * Determines the order in case multiple IdentityStores are found.
     *
     * Which direction the ordering runs (whether a lower or a higher value wins) is
     * defined by the IdentityStore contract rather than here; verify before relying on it.
     *
     * @return The priority.
     */
    int priority() default 80;

    /**
     * Allow priority to be specified as an EL expression.
     * If set, overrides any value set with priority.
     *
     * @return The priority EL expression
     */
    String priorityExpression() default "";

    /**
     * Determines what the identity store is used for.
     *
     * The default enables the store both for credential validation and for group lookup.
     *
     * @return The type the identity store is used for
     */
    ValidationType[] useFor() default {VALIDATE, PROVIDE_GROUPS};

    /**
     * Allow useFor to be specified as an EL expression.
     * If set, overrides any value set with useFor.
     *
     * @return The useFor EL expression
     */
    String useForExpression() default "";

}
356 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/HttpMessageContext.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import java.security.Principal;
44 | import java.util.Set;
45 |
46 | import javax.security.auth.Subject;
47 | import javax.security.auth.callback.CallbackHandler;
48 | import javax.security.auth.message.MessageInfo;
49 | import javax.security.enterprise.AuthenticationStatus;
50 | import javax.security.enterprise.CallerPrincipal;
51 | import javax.security.enterprise.SecurityContext;
52 | import javax.security.enterprise.identitystore.CredentialValidationResult;
53 | import javax.security.enterprise.identitystore.CredentialValidationResult.Status;
54 | import javax.servlet.RequestDispatcher;
55 | import javax.servlet.http.HttpServletRequest;
56 | import javax.servlet.http.HttpServletResponse;
57 |
58 | /**
59 | *
78 | * If SecurityContext#authenticate was not called, the authentication mechanism may have been invoked by the
79 | * container at the start of a request.
80 | *
81 | * @return true if SecurityContext#authenticate was called, false if not.
82 | */
83 | boolean isAuthenticationRequest();
84 |
/**
 * Check if the runtime has been asked to register an authentication session during the current request.
 *
 * @return true if code has asked to register an authentication session, false otherwise.
 */
boolean isRegisterSession();
91 |
92 | /**
93 | * Asks the runtime to register an authentication session. This will automatically remember the logged-in status
94 | * as long as the current HTTP session remains valid. Without this being asked, a {@link HttpAuthenticationMechanism}
95 | * has to manually re-authenticate with the runtime at the start of each request.
96 | *
97 | * @param callerName the caller name for which authentication should be be remembered
98 | * @param groups the groups for which authentication should be remembered.
99 | */
100 | void setRegisterSession(String callerName, Set
106 | * Cleaning this subject is done as defined by the Servlet Container Profile of JASPIC
107 | * (JSR 196) for the ServerAuthModule#cleanSubject method and the
108 | * {@link HttpAuthenticationMechanism#cleanSubject(HttpServletRequest, HttpServletResponse, HttpMessageContext)}
109 | * method defined by this specification.
110 | */
111 | void cleanClientSubject();
112 |
/**
 * Returns the parameters that were provided with the SecurityContext#authenticate(AuthParameters) call.
 *
 * @return the parameters that were provided with the SecurityContext#authenticate(AuthParameters) call,
 *         or a default instance. Never null.
 */
AuthenticationParameters getAuthParameters();
119 |
/**
 * Returns the low level JSR 196 handler that the runtime provided when creating this {@link HttpMessageContext},
 * and which this context uses to communicate the authentication details to the runtime.
 *
 * Note: This is a low level object that most higher level code would not need to use directly;
 * code that talks to it directly takes on the JSR 196 callback contract itself instead of
 * going through the convenience methods of this context.
 *
 * @return the handler that the runtime provided to this context
 */
CallbackHandler getHandler();
130 |
/**
 * Returns the low level JSR 196 message info instance for the current request.
 *
 * Note: This is a low level object that most higher level code would not need to use directly.
 *
 * @return the message info instance for the current request.
 */
MessageInfo getMessageInfo();
140 |
/**
 * Returns the subject for which authentication is to take place.
 *
 * Note: This is a low level object that most higher level code would not need to use directly.
 *
 * @return the subject for which authentication is to take place.
 */
Subject getClientSubject();
150 |
/**
 * Returns the request object associated with the current request.
 *
 * @return the request object associated with the current request.
 */
HttpServletRequest getRequest();
157 |
/**
 * Sets the request object.
 *
 * @param request the request object to be set
 *
 */
void setRequest(HttpServletRequest request);
165 |
/**
 * Sets the request object.
 *
 * @param request the request object to be set.
 *
 * @return the HttpMessageContext instance on which this method was called, useful for
 * fluent style call chains.
 */
HttpMessageContext withRequest(HttpServletRequest request);
175 |
/**
 * Returns the response object associated with the current request.
 *
 * @return the response object associated with the current request.
 */
HttpServletResponse getResponse();
182 |
/**
 * Sets the response object.
 *
 * @param response the response object to be set.
 */
void setResponse(HttpServletResponse response);
189 |
/**
 * Sets the response status to SC_FOUND 302 (Found).
 *
 * As a convenience this method returns SEND_CONTINUE, so this method can be used in
 * one fluent return statement from an {@link HttpAuthenticationMechanism}
 *
 * The location is handed to the response as the redirect target (see
 * {@link HttpServletResponse#sendRedirect(String)}). When it is derived from request data
 * (for example a "return to" parameter carried through a login flow), validate it against the
 * application's own URLs first; an unchecked value turns the mechanism into an open redirect.
 *
 * @param location the location to redirect to
 *
 * @return {@link AuthenticationStatus#SEND_CONTINUE}
 *
 * @see HttpServletResponse#sendRedirect(String)
 */
AuthenticationStatus redirect(String location);
204 |
/**
 * Forwards to another resource (servlet, JSP file, or HTML file) on the server.
 *
 * As a convenience this method returns SEND_CONTINUE, so this method can be used in
 * one fluent return statement from an {@link HttpAuthenticationMechanism}
 *
 * The path is resolved through the container's {@link RequestDispatcher}. It should come
 * from the mechanism's own configuration rather than from the request: a dispatcher forward
 * is a server-side operation, so the security constraints that apply to a client request for
 * the same path are not applied to it.
 *
 * @param path a String specifying the pathname to the resource.
 *
 * @return {@link AuthenticationStatus#SEND_CONTINUE}
 *
 * @see RequestDispatcher#forward(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
 */
AuthenticationStatus forward(String path);
219 |
/**
 * Sets the response status to 401 (unauthorized).
 *
 * As a convenience this method returns SEND_FAILURE, so this method can be used in
 * one fluent return statement from an {@link HttpAuthenticationMechanism}
 *
 * Only the status code is specified here; whether a WWW-Authenticate challenge header is
 * added is not stated, so a mechanism that needs to issue a challenge should set that header
 * on the response itself before returning.
 *
 * @return {@link AuthenticationStatus#SEND_FAILURE}
 */
AuthenticationStatus responseUnauthorized();
229 |
/**
 * Sets the response status to 404 (not found).
 *
 * As a convenience this method returns SEND_FAILURE, so this method can be used in
 * one fluent return statement from an {@link HttpAuthenticationMechanism}
 *
 * @return {@link AuthenticationStatus#SEND_FAILURE}
 */
AuthenticationStatus responseNotFound();
239 |
240 | /**
241 | * Asks the container to register the given caller name and groups in order to make
242 | * them available to the application for use with {@link SecurityContext#isCallerInRole(String)} etc.
243 | *
244 | *
245 | * Note that after this call returned, the authenticated identity will not be immediately active. This
246 | * will only take place (should no errors occur) after the authentication mechanism
247 | * in which this call takes place returns control back to the container (runtime).
248 | *
249 | *
250 | * As a convenience this method returns SUCCESS, so this method can be used in
251 | * one fluent return statement from an {@link HttpAuthenticationMechanism}
252 | *
253 | * @param callername the caller name that will become the caller principal
254 | * @param groups the groups associated with the caller principal
255 | * @return {@link AuthenticationStatus#SUCCESS}
256 | *
257 | */
258 | AuthenticationStatus notifyContainerAboutLogin(String callername, Set
265 | * Note that this call may result in the container establishing two caller principals to
266 | * represent the caller's identity -- the Principal provided here as the principal parameter,
267 | * and a second principal used as the container's representation of the caller identity.
268 | * A second principal is added only if the container uses a different Principal type to
269 | * represent the caller. If the types are the same, only one Principal is added.
270 | *
271 | *
272 | * If a second principal is added, the value returned by {@link Principal#getName()}
273 | * will be the same for both principals.
274 | *
275 | *
276 | * When two principals are added, the container's caller principal is returned from
277 | * {@link SecurityContext#getCallerPrincipal()}, and the principal supplied here
278 | * as a parameter can be retrieved using {@link SecurityContext#getPrincipalsByType(Class)}.
279 | * When only one is added, it is returned by {@link SecurityContext#getCallerPrincipal()}.
280 | *
281 | *
282 | * Note that after this call returned, the authenticated identity will not be immediately active. This
283 | * will only take place (should no errors occur) after the authentication mechanism
284 | * in which this call takes place returns control back to the container (runtime).
285 | *
286 | *
287 | * As a convenience this method returns SUCCESS, so this method can be used in
288 | * one fluent return statement from an {@link HttpAuthenticationMechanism}
289 | *
290 | * @param principal the Principal that will become the caller principal
291 | * @param groups the groups associated with the caller principal
292 | * @return {@link AuthenticationStatus#SUCCESS}
293 | *
294 | */
295 | AuthenticationStatus notifyContainerAboutLogin(Principal principal, Set
302 | * If the outcome from the given {@link CredentialValidationResult#getStatus()} equals
303 | * {@link Status#VALID}, the {@link CallerPrincipal} and groups are obtained from the
304 | *
308 | * If the outcome from the given {@link CredentialValidationResult#getStatus()} is not
309 | * equal to {@link Status#VALID} a failure result is returned.
310 | *
311 | * @param result a CredentialValidationResult which is inspected for its status and from which the principal and groups
312 | * are taken.
313 | *
314 | * @return {@link AuthenticationStatus#SUCCESS} if {@link CredentialValidationResult#getStatus()}
315 | * equals {@link Status#VALID} otherwise {@link AuthenticationStatus#SEND_FAILURE}
316 | *
317 | */
AuthenticationStatus notifyContainerAboutLogin(CredentialValidationResult result); // SUCCESS only when result.getStatus() is VALID, otherwise SEND_FAILURE (see Javadoc above)
319 |
320 | /**
321 | * Instructs the container to "do nothing".
322 | *
323 | *
324 | * When intending to do nothing, a JSR 375 authentication mechanism has to indicate this
325 | * explicitly via its return value.
326 | *
327 | *
328 | * As a convenience this method returns NOT_DONE, so this method can be used in
329 | * one fluent return statement from an {@link HttpAuthenticationMechanism}
330 | *
331 | * @return {@link AuthenticationStatus#NOT_DONE}
332 | */
AuthenticationStatus doNothing(); // always NOT_DONE: lets a mechanism state "no authentication attempted" in one fluent return
334 |
335 | /**
336 | * Gets the Principal set by a call to notifyContainerAboutLogin().
337 | *
338 | * @return The caller principal
339 | */
Principal getCallerPrincipal(); // the Principal handed to notifyContainerAboutLogin(..); per the Javadoc it is not the active identity until the mechanism returns to the container
341 |
342 | /**
343 | * Gets the groups set by a call to notifyContainerAboutLogin().
344 | *
345 | * @return The groups
346 | */
347 | Set
60 | *
55 | Pbkdf2PasswordHash.Algorithm // default "PBKDF2WithHmacSHA256"
56 | Pbkdf2PasswordHash.Iterations // default 2048, minimum 1024
57 | Pbkdf2PasswordHash.SaltSizeBytes // default 32, minimum 16
58 | Pbkdf2PasswordHash.KeySizeBytes // default 32, minimum 16
59 | *
68 | * Algorithm names are the string literal names documented for the corresponding algorithms by the
69 | *
70 | Java Cryptography Architecture Standard Algorithm Name Documentation.
71 | *
63 | PBKDF2WithHmacSHA224
64 | PBKDF2WithHmacSHA256
65 | PBKDF2WithHmacSHA384
66 | PBKDF2WithHmacSHA512
67 | *
77 | * Where:
78 | *
75 | {@code
79 | *
84 | * BasicAuthenticationCredential extends UsernamePasswordCredential
48 | * to represent credentials used by HTTP Basic Authentication.
49 | */
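public class BasicAuthenticationCredential extends UsernamePasswordCredential {

    /**
     * Constructs the credential from the Base64-encoded {@code username:password}
     * token carried by an HTTP Basic Authentication {@code Authorization} header.
     *
     * <p>The entire argument is decoded as Base64, so it must hold the encoded
     * token only, without the {@code Basic} scheme name in front of it.
     *
     * @param authorizationHeader the Base64-encoded credentials token
     * @throws NullPointerException if {@code authorizationHeader} is {@code null}
     * @throws IllegalArgumentException if the token is empty or is not valid Base64
     */
    public BasicAuthenticationCredential(String authorizationHeader) {
        super(parseUsername(authorizationHeader), parsePassword(authorizationHeader));
    }

    /**
     * Decodes the Base64 token of an HTTP Basic Authentication header into the
     * {@code username:password} string.
     *
     * <p>Decoding uses the MIME decoder, which ignores characters outside the
     * Base64 alphabet instead of rejecting them. The decoded bytes are read as
     * US-ASCII; non-ASCII bytes are therefore not preserved (the optional UTF-8
     * {@code charset} parameter of RFC 7617 is not honoured here).
     *
     * @param authorizationHeader the encoded token
     * @return the decoded {@code username:password} string
     * @throws NullPointerException if {@code authorizationHeader} is {@code null}
     * @throws IllegalArgumentException if the token is empty or is not valid Base64
     */
    private static String decodeHeader(String authorizationHeader) {
        if (authorizationHeader == null) {
            throw new NullPointerException("authorization header");
        }
        if (authorizationHeader.isEmpty()) {
            throw new IllegalArgumentException("authorization header is empty");
        }
        byte[] decodedBytes = Base64.getMimeDecoder().decode(authorizationHeader);
        // US-ASCII is a guaranteed charset, so the Charset overload is used: it cannot
        // throw UnsupportedEncodingException, which removes an otherwise dead catch block.
        return new String(decodedBytes, java.nio.charset.StandardCharsets.US_ASCII);
    }

    /**
     * Extracts the username: everything before the first {@code ':'} of the decoded
     * token, or the whole token when it contains no {@code ':'}.
     *
     * @param authorizationHeader the encoded token
     * @return the username (empty when the decoded token starts with {@code ':'})
     */
    private static String parseUsername(String authorizationHeader) {
        String decoded = decodeHeader(authorizationHeader);
        int delimiterIndex = decoded.indexOf(':');
        return delimiterIndex > -1 ? decoded.substring(0, delimiterIndex) : decoded;
    }

    /**
     * Extracts the password: everything after the first {@code ':'} of the decoded
     * token, or an empty password when it contains no {@code ':'}. Only the first
     * {@code ':'} delimits, so a password may itself contain that character.
     *
     * @param authorizationHeader the encoded token
     * @return the password, never {@code null}
     */
    private static Password parsePassword(String authorizationHeader) {
        String decoded = decodeHeader(authorizationHeader);
        int delimiterIndex = decoded.indexOf(':');
        String secret = delimiterIndex > -1 ? decoded.substring(delimiterIndex + 1) : "";
        return new Password(secret);
    }
}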
115 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/PasswordHash.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import java.util.Map;
44 |
45 | /**
46 | * {@code PasswordHash} is an interface for objects that can generate and verify password hashes.
47 | * LoginToContinue annotation provides an application the ability to declaratively
55 | * add login to continue functionality to an authentication mechanism.
56 | *
57 | * LoginToContinue annotation is used on a custom authentication mechanism, EL
59 | * expressions in attributes of type String are evaluated for every request requiring
60 | * authentication. Both immediate and deferred syntax is supported, but effectively the semantics
61 | * are always deferred.
62 | *
63 | * LoginToContinue annotation is used as attribute in either the
65 | * {@link FormAuthenticationMechanismDefinition} or {@link CustomFormAuthenticationMechanismDefinition},
66 | * expressions using immediate syntax are evaluated only once when the {@link HttpAuthenticationMechanism}
67 | * bean is created. Since these beans are application scoped, this means only once per application.
68 | * Expressions using deferred syntax are evaluated as described above when the LoginToContinue annotation
69 | * is used on a custom authentication mechanism.
70 | *
71 | */
@Inherited
@InterceptorBinding
@Retention(RUNTIME)
@Target(TYPE)
public @interface LoginToContinue {

    /**
     * The resource (page) a caller should get to see in case the originally requested
     * resource requires authentication, and the caller is currently not authenticated.
     *
     * @return page a caller is directed to in order to authenticate (login)
     */
    @Nonbinding // attribute values do not take part in interceptor binding resolution
    String loginPage() default "/login";

    /**
     * Use a forward to reach the page set by the {@link LoginToContinue#loginPage()}
     * if true, otherwise use a redirect.
     *
     * @return true if a forward is to be used, false for a redirect
     */
    @Nonbinding
    boolean useForwardToLogin() default true;

    /**
     * EL expression variant of useForwardToLogin().
     * The expression needs to evaluate to a boolean outcome. All named CDI beans are available
     * to the expression. If both this attribute and useForwardToLogin() are specified, this
     * attribute takes precedence.
     *
     * @return an expression evaluating to true if a forward is to be used, false for a redirect
     */
    @Nonbinding
    String useForwardToLoginExpression() default "";

    /**
     * The resource (page) a caller should get to see in case an error, such as providing invalid
     * credentials, occurs on the page set by {@link LoginToContinue#loginPage()}.
     *
     * @return page a caller is directed to after an authentication (login) error
     */
    @Nonbinding
    String errorPage() default "/login-error";

}
117 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/package-info.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | /**
42 | * The main Java EE Security API package. This package contains classes and interfaces that span authentication,
43 | * authorization and identity concerns.
44 | *
45 | * EL Support in annotations
46 | *
47 | * This specification supports the use of expression language 3.0 in annotations. This is described in more detail below:
48 | *
49 | * ...Definition annotations
50 | *
51 | * The Java EE Security API features several annotations, with names that end with Definition,
52 | * which, when used, make CDI beans available. For completeness, this concerns the following annotations:
53 | *
54 | *
55 | *
61 | *
62 | * For all attributes of type String on these annotations, Expression Language 3.0 expressions can be used.
63 | * All named CDI beans are available to that expression, as well as the default classes as specified by EL 3.0 for the
64 | * {@link ELProcessor}.
65 | *
66 | * ${} syntax), or deferred (#{} syntax). Immediate
68 | * expressions are evaluated once when the bean instance corresponding to the "...Definition" annotation is actually created.
69 | * Since such beans are application scoped, that means once for the entire application. Deferred expressions are evaluated in
70 | * each request where the security runtime needs to use the value of these attributes.
71 | *
72 | * String type
74 | * attributes (attributes for which the name ends with Expression, hereafter called EL alternative attribute)
75 | * MUST evaluate to the same type as the attribute they are an alternative to. If the EL alternative attribute has a
76 | * non empty value, it takes precedence over the attribute which it is an alternative to.
77 | *
78 | * Interceptor annotations
83 | *
84 | * The Java EE Security API features several annotations with attributes that denote interceptor spec interceptors.
85 | * For completeness, this concerns the following annotations:
86 | *
87 | *
88 | *
91 | *
92 | * true the "remember me" feature will be used if authentication succeeds and if so configured.
107 | *
108 | * @return the instance of AuthenticationParameters on which this call was made, useful for a fluent/builder
109 | * style creation of parameters.
110 | */
public AuthenticationParameters rememberMe(boolean rememberMe) {
    // Route through the setter so the fluent path and the bean-style path share one assignment.
    this.setRememberMe(rememberMe);
    return this;
}
115 |
116 | /**
117 | * The credential set as parameter in this instance.
118 | *
119 | * @see AuthenticationParameters#credential(Credential)
120 | *
121 | * @return the credential set as parameter in this instance
122 | */
public Credential getCredential() {
    // Plain accessor: the stored reference is returned as-is, no copy and no null check.
    return this.credential;
}
126 |
127 | /**
128 | * Sets the credential as parameter in this instance.
129 | *
130 | * @see AuthenticationParameters#credential(Credential)
131 | *
132 | * @param credential the credential to be set as parameter in this instance.
133 | */
public void setCredential(Credential credential) {
    // Stored unvalidated; a null credential is accepted and kept.
    this.credential = credential;
}
137 |
138 | /**
139 | * Whether a new authentication dialog is required.
140 | *
141 | * @see AuthenticationParameters#newAuthentication(boolean)
142 | *
143 | * @return whether a new authentication dialog is required.
144 | */
public boolean isNewAuthentication() {
    // Mirrors the value last given to newAuthentication(..) / setNewAuthentication(..).
    return this.newAuthentication;
}
148 |
149 | /**
150 | * Sets whether a new authentication dialog is required.
151 | *
152 | * @see AuthenticationParameters#newAuthentication(boolean)
153 | *
154 | * @param newAuthentication whether a new authentication dialog is required
155 | */
public void setNewAuthentication(boolean newAuthentication) {
    // Bean-style counterpart of the fluent newAuthentication(..) method.
    this.newAuthentication = newAuthentication;
}
159 |
160 | /**
161 | * Whether "remember me" should be used.
162 | *
163 | * @see AuthenticationParameters#rememberMe(boolean)
164 | *
165 | * @return whether "remember me" should be used.
166 | */
public boolean isRememberMe() {
    // Mirrors the value last given to rememberMe(..) / setRememberMe(..).
    return this.rememberMe;
}
170 |
171 | /**
172 | * Sets whether "remember me" should be used.
173 | *
174 | * @see AuthenticationParameters#rememberMe(boolean)
175 | *
176 | * @param rememberMe whether "remember me" should be used.
177 | */
public void setRememberMe(boolean rememberMe) {
    // Bean-style counterpart of the fluent rememberMe(..) method.
    this.rememberMe = rememberMe;
}
181 |
182 | }
183 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/DatabaseIdentityStoreDefinition.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import static java.lang.annotation.ElementType.TYPE;
44 | import java.lang.annotation.Retention;
45 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
46 | import java.lang.annotation.Target;
47 | import java.util.stream.Stream;
48 | import javax.security.enterprise.credential.UsernamePasswordCredential;
49 | import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
50 | import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
51 | import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
52 |
53 | /**
54 | * Annotation used to define a container-provided {@link IdentityStore} that
55 | * stores caller credentials and identity attributes in a relational database,
56 | * and makes that implementation available as an enabled CDI bean.
57 | *
87 | *
91 | *
92 | * @return SQL query to validate
93 | */
String callerQuery() default ""; // the documented example binds the caller name through a positional '?' placeholder
95 |
96 | /**
97 | * SQL query to retrieve the groups associated with the caller when
98 | * authentication succeeds.
99 | *
100 | * Only needed when {@link #useFor()} contains
101 | * {@link ValidationType#PROVIDE_GROUPS}.
102 | *
103 | *
88 | * select password from callers where name = ?
89 | *
90 | *
111 | *
115 | *
116 | * @return SQL query to retrieve the groups
117 | */
String groupsQuery() default ""; // only needed when useFor() contains PROVIDE_GROUPS (see Javadoc above)
119 |
120 | /**
121 | * A {@link PasswordHash} implementation used to verify plaintext passwords
122 | * by generating a hash of the password and comparing it against the hashed
123 | * value returned from the database via the {@link #callerQuery()}.
124 | *
125 | * @return The password hash used to verify plaintext passwords.
126 | */
127 |
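// Bounded wildcard restored: any PasswordHash implementation may be configured; Pbkdf2PasswordHash is the default.
Class<? extends PasswordHash> hashAlgorithm() default Pbkdf2PasswordHash.class;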
129 |
130 | /**
131 | * Used to specify algorithm-specific parameters.
132 | *
112 | * select group_name from caller_groups where caller_name = ?
113 | *
114 | *
137 | *
135 | parameterName=parameterValue
136 | *
143 | *
140 | * Algorithm.param1="value"
141 | * Algorithm.param2=32
142 | *
parameterValue as well as for a full array element. If an EL
146 | * expression is used for a full array element, the expression must evaluate
147 | * to either a single string, a string array or a string {@link Stream} where
148 | * in each case every string must adhere to the above specified format.
149 | *
150 | * @return The algorithm parameters.
151 | */
String[] hashAlgorithmParameters() default {}; // entries are "name=value"; an entry may be an EL expression yielding a String, String[] or Stream of such entries (see Javadoc above)
153 |
154 | /**
155 | * Determines the order in case multiple IdentityStores are found.
156 | *
157 | * @return the priority.
158 | */
int priority() default 70; // ordering among multiple IdentityStores; superseded by priorityExpression() when that is set
160 |
161 | /**
162 | * Allow priority to be specified as an EL expression.
163 | * If set, overrides any value set with priority.
164 | *
165 | * @return the priority EL expression
166 | */
String priorityExpression() default ""; // EL alternative to priority(); when set it overrides priority()
168 |
169 | /**
170 | * Determines what the identity store is used for
171 | *
172 | * @return the type the identity store is used for
173 | */
ValidationType[] useFor() default {VALIDATE, PROVIDE_GROUPS}; // default: validate credentials and provide groups; superseded by useForExpression() when set
175 |
176 | /**
177 | * Allow useFor to be specified as an EL expression.
178 | * If set, overrides any value set with useFor.
179 | *
180 | * @return the useFor EL expression
181 | */
String useForExpression() default ""; // EL alternative to useFor(); when set it overrides useFor()
183 |
184 | }
185 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/authentication/mechanism/http/HttpAuthenticationMechanism.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.authentication.mechanism.http;
42 |
43 | import static javax.security.enterprise.AuthenticationStatus.SUCCESS;
44 |
45 | import javax.security.auth.message.module.ServerAuthModule;
46 | import javax.security.enterprise.AuthenticationException;
47 | import javax.security.enterprise.AuthenticationStatus;
48 | import javax.security.enterprise.identitystore.IdentityStore;
49 | import javax.servlet.Filter;
50 | import javax.servlet.http.HttpServlet;
51 | import javax.servlet.http.HttpServletRequest;
52 | import javax.servlet.http.HttpServletResponse;
53 |
54 | /**
55 | * HttpAuthenticationMechanism is a mechanism for obtaining a caller's
56 | * credentials in some way, using the HTTP protocol where necessary.
57 | *
58 | * HttpAuthenticationMechanism is essentially a Servlet specific and CDI enabled version of
65 | * the {@link ServerAuthModule} that adheres to the Servlet Container Profile. See the JASPIC spec for further
66 | * details on this.
67 | *
68 | * validateRequest that was invoked before any {@link Filter} or {@link HttpServlet} returned SUCCESS.
115 | *
116 | * @param request contains the request the client has made
117 | * @param response contains the response that will be sent to the client
118 | * @param httpMessageContext context for interacting with the container
119 | * @return the completion status of the processing performed by this method
120 | * @throws AuthenticationException when the processing failed
121 | */
default AuthenticationStatus secureResponse(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
    // Default implementation performs no response post-processing and reports success.
    return AuthenticationStatus.SUCCESS;
}
125 |
126 | /**
127 | * Remove mechanism specific principals and credentials from the subject and any other state the mechanism
128 | * might have used.
129 | *
130 | *
57 | *
62 | *
63 | * AuthStatus.SUCCESS result and this specification puts no constraints
70 | * of any kind on that, the expectation is that Java EE servers in practice will mainly look at the
71 | * result being AuthStatus.SUCCESS or not AuthStatus.SUCCESS. Simply said, if the result is
72 | * AuthStatus.SUCCESS the authenticated identity (if any) must be set (established) for the current HTTP request,
73 | * otherwise not.
74 | *
75 | * HttpAuthenticationMechanism#validateRequest
78 | * method as described above, but must be transformed by the Java EE server from the corresponding outcome of the
79 | * {@link HttpServletRequest#authenticate(javax.servlet.http.HttpServletResponse)} call as follows:
80 | *
81 | *
82 | *
86 | *
87 | * true to AuthenticationStatus.SUCCESS false to [last status] (see below) ServletException or IOException to AuthenticationStatus.SEND_FAILURE HttpAuthenticationMechanism was used [last status] must be
89 | * the value returned by HttpAuthenticationMechanism#validateRequest.
90 | *
91 | * HttpAuthenticationMechanism was not used
93 | * Java EE servers are encouraged, but not required, to set [last status] to the value returned by
94 | * ServerAuthModule#validateRequest transformed as follows:
95 | *
96 | *
97 | *
102 | *
103 | * HttpAuthenticationMechanism was not used
106 | * Java EE servers are encouraged, but not required, to set [last status] to a value
107 | * that logically corresponds to the description of each enum constant of AuthenticationStatus. This outcome
108 | * should never be depended on by application code as being portable.
109 | *
110 | * SecurityContext#authenticate is expected to act on all possible
112 | * values of AuthenticationStatus.
113 | *
114 | */
115 | public enum AuthenticationStatus {
116 |
117 | /**
118 | * The authentication mechanism was called, but decided not to authenticate.
119 | * This status would be typically returned in pre-emptive security; the authentication
120 | * mechanism is called, but authentication is optional and would only take place when for
121 | * instance a specific request header is present.
122 | */
123 | NOT_DONE,
124 |
125 | /**
126 | * The authentication mechanism was called and a multi-step authentication dialog with the caller
127 | * has been started (for instance, the caller has been redirected to a login page). Simply said
128 | * authentication is "in progress". Calling application code (if any) should not write to the response
129 | * when this status is received.
130 | */
131 | SEND_CONTINUE,
132 |
133 | /**
134 | * The authentication mechanism was called and the caller was successfully authenticated. After the
135 | * Java EE server has processed this outcome, the caller principal is available.
136 | */
137 | SUCCESS,
138 |
139 | /**
140 | * The authentication mechanism was called but the caller was not successfully authenticated and
141 | * therefore the caller principal will not be made available.
142 | * java.security.Principal that represents
66 | * the name of authenticated caller, or null if the current caller is not authenticated.
67 | *
68 | * @return Principal representing the name of the current authenticated user, or null if not authenticated.
69 | */
Principal getCallerPrincipal(); // null for an unauthenticated caller (see Javadoc above); check before dereferencing
71 |
72 | /**
73 | * Retrieve all Principals of the given type from the authenticated caller's Subject,
74 | * or an empty set if the current caller is not authenticated, or if the specified type
75 | * isn't found in the Subject.
76 | * false.
93 | *
94 | * role-name nested in a
97 | * security-role-ref element nested in a servlet element in web.xml.
98 | *
99 | * String specifying the name of the logical application role
107 | * @return true if the authenticated caller is in the given role, false if the caller is not authentication or
108 | * is not in the given role.
109 | */
boolean isCallerInRole(String role); // false both when the caller lacks the role and when the caller is not authenticated; the two cases are indistinguishable here
111 |
112 | /**
113 | * Checks whether the caller has access to the provided "web resource" using the given methods,
114 | * as specified by section 13.8 of the Servlet specification.
115 | *
116 | * URLPatternSpec that
121 | * identifies the application specific web resources to which the permission pertains. For a full specification of this
122 | * pattern see {@link javax.security.jacc.WebResourcePermission#WebResourcePermission(String, String)}.
123 | * @param methods one or more methods to check for whether the caller has access to the web resource using one of those methods.
124 | *
125 | * @return true if the caller has access to the web resource using one of the given methods, false otherwise.
126 | */
boolean hasAccessToWebResource(String resource, String... methods); // resource uses the JACC URLPatternSpec syntax, methods are the HTTP methods to test (see Javadoc above)
128 |
/**
 * Signal to the container (programmatically trigger) that it should start or continue a web/HTTP based
 * authentication dialog with the caller.
 *
 * See {@link AuthenticationParameters#newAuthentication} for when to pass true for that parameter
 * with this call.
 *
 * @param request The HttpServletRequest associated with the current web resource invocation.
 * @param response The HttpServletResponse associated with the given HttpServletRequest.
 * @param parameters The parameters that are provided along with a programmatic authentication request,
 * for instance the credentials collected by the application for continuing an authentication dialog.
 *
 * @return The state of the authentication mechanism after being triggered by this call
 */
AuthenticationStatus authenticate(HttpServletRequest request, HttpServletResponse response, AuthenticationParameters parameters);
155 |
156 | }
157 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/IdentityStore.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import static java.lang.invoke.MethodType.methodType;
44 | import static java.util.Collections.emptySet;
45 | import static javax.security.enterprise.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;
46 | import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
47 | import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
48 |
49 | import java.lang.invoke.MethodHandles;
50 | import java.util.EnumSet;
51 | import java.util.Set;
52 |
53 | import javax.security.auth.message.module.ServerAuthModule;
54 | import javax.security.enterprise.CallerPrincipal;
55 | import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
56 | import javax.security.enterprise.credential.Credential;
57 |
58 | /**
59 | * IdentityStore is a mechanism for validating a caller's credentials
60 | * and accessing a caller's identity attributes. It can be used by an
61 | * authentication mechanism, such as a JSR 375 {@link HttpAuthenticationMechanism}
62 | * or a JSR 196 (JASPIC) {@link ServerAuthModule}.
63 | * IdentityStore obtains identity data from a persistent store,
67 | * such as a database, LDAP server, or file.
68 | */
69 | public interface IdentityStore {
70 |
71 | /**
72 | * Default set of validation types. Contains {@code VALIDATE} and {@code PROVIDE_GROUPS}.
73 | */
74 | Set
92 | * {@code
83 | public class ExampleIdentityStore implements IdentityStore {
84 |
85 | public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
86 | // Implementation ...
87 | return INVALID_RESULT;
88 | }
89 |
90 | }
91 | * }
130 | *
131 | * @param validationResult The {@link CredentialValidationResult} returned
132 | * by a previous call to {@link #validate(Credential)}.
133 | * @return The {@link Set} of groups found for the caller, if any, or an empty {@link Set} otherwise.
134 | * @throws SecurityException May be thrown if the calling code does not have {@link IdentityStorePermission}.
135 | */
136 | default Set{@code
125 | SecurityManager security = System.getSecurityManager();
126 | if (security != null) {
127 | security.checkPermission(new IdentityStorePermission("getGroups");
128 | }
129 | * }
82 | *
90 | *
91 | *
83 | * {@literal @}RequestScoped
84 | * {@literal @}RememberMe
85 | * public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {
86 | * // ...
87 | * }
88 | *
89 | * String are evaluated for every request requiring
93 | * authentication. Both immediate and deferred syntax is supported, but effectively the semantics
94 | * are always deferred.
95 | *
96 | * cookieMaxAgeSeconds().
122 | * The expression needs to evaluate to an integer outcome. All named CDI beans are available to the expression
123 | * as well as default classes as specified by EL 3.0 for the {@link ELProcessor}
124 | * and the implicit objects "self" which refers to the interceptor target and
125 | * "httpMessageContext" which refers to the current {@link HttpMessageContext}.
126 | * If both this attribute and cookieMaxAgeSeconds() are specified, this
127 | * attribute takes precedence.
128 | *
129 | * @return an expression evaluating to an integer designating the max age in seconds for the remember me cookie.
130 | */
131 | @Nonbinding
132 | String cookieMaxAgeSecondsExpression() default "";
133 |
/**
 * Flag to indicate that the remember me cookie should only be
 * sent using a secure protocol (e.g. HTTPS or SSL).
 *
 * The default is true; setting this to false allows the cookie to be sent over any protocol,
 * including plaintext HTTP.
 *
 * @see Cookie#setSecure(boolean)
 *
 * @return true if the cookie should be sent using a secure protocol only,
 * false for any protocol.
 */
@Nonbinding
boolean cookieSecureOnly() default true;
145 |
/**
 * EL expression variant of cookieSecureOnly().
 * The expression needs to evaluate to a boolean outcome. All named CDI beans are available to the expression
 * as well as default classes as specified by EL 3.0 for the {@link ELProcessor}
 * and the implicit objects "self" which refers to the interceptor target and
 * "httpMessageContext" which refers to the current {@link HttpMessageContext}.
 * If both this attribute and cookieSecureOnly() are specified, this
 * attribute takes precedence.
 *
 * @return an expression evaluating to true if the cookie should be sent using a secure protocol only,
 * false for any protocol.
 */
@Nonbinding
String cookieSecureOnlyExpression() default "";
159 |
/**
 * Flag to indicate that the remember me cookie should not be exposed to
 * client-side scripting code, and should only be sent with HTTP requests.
 *
 * The default is true; setting this to false makes the cookie readable by client-side scripts.
 *
 * @see Cookie#setHttpOnly(boolean)
 *
 * @return true if the cookie should be sent only with HTTP requests
 * (and not be made available to client-side scripting code), false otherwise.
 */
@Nonbinding
boolean cookieHttpOnly() default true;
171 |
/**
 * EL expression variant of cookieHttpOnly().
 * The expression needs to evaluate to a boolean outcome. All named CDI beans are available to the expression
 * as well as default classes as specified by EL 3.0 for the {@link ELProcessor}
 * and the implicit objects "self" which refers to the interceptor target and
 * "httpMessageContext" which refers to the current {@link HttpMessageContext}.
 * If both this attribute and cookieHttpOnly() are specified, this
 * attribute takes precedence.
 *
 * @return an expression evaluating to true if the cookie should be sent only with HTTP requests, false otherwise.
 */
@Nonbinding
String cookieHttpOnlyExpression() default "";
185 |
/**
 * Name of the remember me cookie.
 *
 * The default name is "JREMEMBERMEID".
 *
 * @see Cookie#getName()
 *
 * @return The name of the cookie
 */
@Nonbinding
String cookieName() default "JREMEMBERMEID";
195 |
/**
 * Flag to determine if remember me should be used.
 *
 * The default is true.
 *
 * @return Flag to determine if remember me should be used
 */
@Nonbinding
boolean isRememberMe() default true;
203 |
/**
 * EL expression to determine if remember me should be used. This is evaluated
 * for every request requiring authentication. The expression needs to evaluate
 * to a boolean outcome. All named CDI beans are available to the expression
 * as well as default classes as specified by EL 3.0 for the {@link ELProcessor}
 * and the implicit objects "self" which refers to the interceptor target and
 * "httpMessageContext" which refers to the current {@link HttpMessageContext}.
 *
 * @return EL expression to determine if remember me should be used
 */
@Nonbinding
String isRememberMeExpression() default "";
217 | }
218 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/CredentialValidationResult.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import static java.util.Collections.emptySet;
44 | import static java.util.Collections.unmodifiableSet;
45 | import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.INVALID;
46 | import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.NOT_VALIDATED;
47 | import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
48 |
49 | import java.util.HashSet;
50 | import java.util.Set;
51 |
52 | import javax.security.enterprise.CallerPrincipal;
53 | import javax.security.enterprise.credential.Credential;
54 |
55 | /**
56 | * CredentialValidationResult is the result from an attempt to
57 | * validate an instance of {@link Credential}.
58 | *
59 | * @see IdentityStore#validate
60 | */
61 | public class CredentialValidationResult {
62 |
63 | public static final CredentialValidationResult INVALID_RESULT = new CredentialValidationResult(INVALID);
64 | public static final CredentialValidationResult NOT_VALIDATED_RESULT = new CredentialValidationResult(NOT_VALIDATED);
65 |
66 | private final Status status;
67 | private final String storeId;
68 | private final String callerDn;
69 | private final String callerUniqueId;
70 | private final CallerPrincipal callerPrincipal;
71 | private final Set
33 | All rights reserved.
34 |
196 |
197 |
198 |
--------------------------------------------------------------------------------
/src/main/java/javax/security/enterprise/identitystore/LdapIdentityStoreDefinition.java:
--------------------------------------------------------------------------------
1 | /*
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 | *
4 | * Copyright (c) 2015-2017 Oracle and/or its affiliates. All rights reserved.
5 | *
6 | * The contents of this file are subject to the terms of either the GNU
7 | * General Public License Version 2 only ("GPL") or the Common Development
8 | * and Distribution License("CDDL") (collectively, the "License"). You
9 | * may not use this file except in compliance with the License. You can
10 | * obtain a copy of the License at
11 | * https://oss.oracle.com/licenses/CDDL+GPL-1.1
12 | * or LICENSE.txt. See the License for the specific
13 | * language governing permissions and limitations under the License.
14 | *
15 | * When distributing the software, include this License Header Notice in each
16 | * file and include the License file at LICENSE.txt.
17 | *
18 | * GPL Classpath Exception:
19 | * Oracle designates this particular file as subject to the "Classpath"
20 | * exception as provided by Oracle in the GPL Version 2 section of the License
21 | * file that accompanied this code.
22 | *
23 | * Modifications:
24 | * If applicable, add the following below the License Header, with the fields
25 | * enclosed by brackets [] replaced by your own identifying information:
26 | * "Portions Copyright [year] [name of copyright owner]"
27 | *
28 | * Contributor(s):
29 | * If you wish your version of this file to be governed by only the CDDL or
30 | * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 | * elects to include this software in this distribution under the [CDDL or GPL
32 | * Version 2] license." If you don't indicate a single choice of license, a
33 | * recipient has the option to distribute your version of this file under
34 | * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 | * its licensees as provided above. However, if you add GPL Version 2 code
36 | * and therefore, elected the GPL Version 2 license, then the option applies
37 | * only if the new code is made subject to such option by the copyright
38 | * holder.
39 | */
40 |
41 | package javax.security.enterprise.identitystore;
42 |
43 | import javax.security.enterprise.identitystore.IdentityStore;
44 | import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
45 |
46 | import java.lang.annotation.Retention;
47 | import java.lang.annotation.Target;
48 |
49 | import static java.lang.annotation.ElementType.TYPE;
50 | import static java.lang.annotation.RetentionPolicy.RUNTIME;
51 | import javax.security.enterprise.credential.UsernamePasswordCredential;
52 | import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
53 | import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
54 |
55 | /**
56 | * Annotation used to define a container-provided {@link IdentityStore} that stores
57 | * caller credentials and identity attributes (together caller identities) in an
58 | * LDAP store, and make that implementation available as an enabled CDI bean.
59 | * ldap://localhost:33389
76 | *
77 | * @return URL where the LDAP server can be reached
78 | */
79 | String url() default "";
80 |
/**
 * Distinguished name for the application or administrative user that will be used to
 * make the initial connection to the LDAP and to perform searches and lookups
 * (e.g., "uid=ldap,ou=apps,dc=jsr375,dc=net").
 *
 * @return The distinguished name for the application user.
 */
String bindDn() default "";
95 |
/**
 * Password for the application/admin user defined by the bindDn member.
 * Only used when the member bindDn is filled in.
 *
 * NOTE(review): annotation element values are compile-time constants, so a password given here
 * as a literal is embedded in the compiled class file and in every artifact built from it;
 * treat it as a secret that has to be kept out of source control and build outputs.
 *
 * @return password for the application user.
 */
String bindDnPassword() default "";
103 |
104 | /**
105 | * Base distinguished name for callers in the LDAP store
106 | * (e.g., "ou=caller,dc=jsr375,dc=net").
107 | * uid").
121 | *
131 | *
142 | *
143 | * @return Name of the attribute that represents the caller name
144 | */
145 | String callerNameAttribute() default "uid";
146 |
147 | /**
148 | * Search base for looking up callers
149 | * (e.g., "
132 | * dn: uid=peter,ou=caller,dc=jsr375,dc=net
133 | * objectclass: top
134 | * objectclass: uidObject
135 | * objectclass: person
136 | * uid: peter
137 | * cn: Peter Smith
138 | * sn: Peter
139 | * userPassword: secret1
140 | *
141 | * ou=caller,dc=jsr375,dc=net").
150 | * ou=group,dc=jsr375,dc=net").
187 | * cn")
223 | *
224 | * @return Name of the attribute that represents the group name
225 | */
226 | String groupNameAttribute() default "cn";
227 |
/**
 * Name of the attribute in a group object that identifies the
 * members of the group
 * (e.g., "member").
 *
 * NOTE(review): the LDIF examples in this file list the values of this attribute as caller
 * distinguished names (uid=...,ou=caller,...) — confirm against the implementation that
 * values are matched as DNs.
 *
 * @return Attribute for the group members
 */
String groupMemberAttribute() default "member";
249 |
250 | /**
251 | * Name of the attribute in a person object that identifies the groups
252 | * the caller belongs to
253 | * (e.g., "
237 | * dn: cn=foo,ou=group,dc=jsr375,dc=net
238 | * objectclass: top
239 | * objectclass: groupOfNames
240 | * cn: foo
241 | * member: uid=pete,ou=caller,dc=jsr375,dc=net
242 | * member: uid=john,ou=caller,dc=jsr375,dc=net
243 | *
244 | * memberOf").
254 | *
266 | *
277 | *
278 | * @return Attribute for group membership
279 | */
280 | String groupMemberOfAttribute() default "memberOf";
281 |
282 | /**
283 | * Set the timeout value that should be used when waiting for
284 | * the LDAP server to return results. Note that this is different
285 | * from the connection timeout for the underlying socket connection;
286 | *
267 | * dn: uid=peter,ou=caller,dc=jsr375,dc=net
268 | * objectclass: top
269 | * objectclass: uidObject
270 | * objectclass: person
271 | * uid: peter
272 | * cn: Peter Smith
273 | * memberOf: cn=foo,ou=group,dc=jsr375,dc=net
274 | * memberOf: cn=bar,ou=group,dc=jsr375,dc=net
275 | *
276 | * HttpMessageContext contains all of the per-request state information and encapsulates the client request,
60 | * server response, container handler for authentication callbacks, and the subject representing the caller.
61 | *
62 | */
63 | public interface HttpMessageContext {
64 |
/**
 * Checks if the currently requested resource is protected or not. A protected resource
 * is a resource (e.g. a Servlet, JSF page, JSP page etc) for which a constraint has been defined
 * in e.g. web.xml.
 *
 * @return true if a protected resource was requested, false if a public resource was requested.
 */
boolean isProtected();
73 |
74 | /**
75 | * Checks if the current call to an authentication mechanism is the result from the
76 | * application calling {@link SecurityContext#authenticate(HttpServletRequest, HttpServletResponse, AuthenticationParameters)}
77 | * CredentialValidationResult result of an
299 | * identity store directly on to the container.
300 | *
301 | * CredentialValidationResult and passed into
305 | * {@link HttpMessageContext#notifyContainerAboutLogin(Principal, Set)}.
306 | *
307 | *