Module cloud.piranha.security.jakarta

Package cloud.piranha.security.jakarta

Class JakartaSecurityManager

java.lang.Object

cloud.piranha.security.jakarta.JakartaSecurityManager

All Implemented Interfaces:

SecurityManager

public class JakartaSecurityManager
extends java.lang.Object
implements SecurityManager

SecurityManager implementation that uses Jakarta Security semantics. WIP!

Author:

Arjan Tijms

Nested Class Summary

Nested classes/interfaces inherited from interface cloud.piranha.webapp.api.SecurityManager

SecurityManager.AuthenticateSource, SecurityManager.UsernamePasswordLoginHandler

Constructor Summary

Constructors

Constructor	Description
JakartaSecurityManager()

Method Summary

Modifier and Type	Method	Description
boolean	authenticate(HttpServletRequest request, HttpServletResponse response)	Authenticate the request.
boolean	authenticate(HttpServletRequest request, HttpServletResponse response, SecurityManager.AuthenticateSource source)	Authenticate the request.
void	declareRoles(java.lang.String[] roles)	Declare roles.
void	declareRoles(java.util.Collection<java.lang.String> roles)
HttpServletRequest	getAuthenticatedRequest(HttpServletRequest request, HttpServletResponse response)	Gets the request object the security system wants to put in place.
HttpServletResponse	getAuthenticatedResponse(HttpServletRequest request, HttpServletResponse response)	Gets the response object the security system wants to put in place.
protected org.omnifaces.eleos.services.DefaultAuthenticationService	getAuthenticationService(HttpServletRequest request)
protected org.omnifaces.exousia.AuthorizationService	getAuthorizationService(HttpServletRequest request)
boolean	getDenyUncoveredHttpMethods()	Get if we are denying uncovered HTTP methods.
java.util.Set<java.lang.String>	getRoles()	Get the declared roles
WebApplication	getWebApplication()	Get the web application.
boolean	isCallerAuthorizedForResource(HttpServletRequest request)	Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.
boolean	isRequestedResourcePublic(HttpServletRequest request)	Check if the requested resource, represented by the request, is public or not.
boolean	isRequestSecurityAsRequired(HttpServletRequest request, HttpServletResponse response)	Check if the current request adheres to the user data constraint, if any.
boolean	isUserInRole(HttpServletRequest request, java.lang.String role)	Is the user in the specific role.
void	login(HttpServletRequest request, java.lang.String username, java.lang.String password)	Login.
void	logout(HttpServletRequest request, HttpServletResponse response)	Logout.
void	postRequestProcess(HttpServletRequest request, HttpServletResponse response)	Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).
void	setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods)	Set if we are denying uncovered HTTP methods.
void	setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler)	Set the handler that may be used by the login method to contact an identity store.
void	setWebApplication(WebApplication webApplication)	Set the web application.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

JakartaSecurityManager

public JakartaSecurityManager()

Method Details

declareRoles

public void declareRoles(java.lang.String[] roles)

Description copied from interface: SecurityManager

Declare roles.

Specified by:

declareRoles in interface SecurityManager

Parameters:

roles - the roles.

declareRoles

public void declareRoles(java.util.Collection<java.lang.String> roles)

Specified by:

declareRoles in interface SecurityManager

getRoles

public java.util.Set<java.lang.String> getRoles()

Description copied from interface: SecurityManager

Get the declared roles

Specified by:

getRoles in interface SecurityManager

Returns:

the roles

isRequestSecurityAsRequired

public boolean isRequestSecurityAsRequired(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException, ServletException

Description copied from interface: SecurityManager

Check if the current request adheres to the user data constraint, if any.

In practice this means checking if HTTPS is used when so required by the application.

Specified by:

isRequestSecurityAsRequired in interface SecurityManager

Parameters:

request - the request.

response - the response.

Returns:

true if request adheres to constraints, false otherwise

Throws:

java.io.IOException - when an I/O error occurs.

ServletException - when a servlet error occurs.

isRequestedResourcePublic

public boolean isRequestedResourcePublic(HttpServletRequest request)

Description copied from interface: SecurityManager

Check if the requested resource, represented by the request, is public or not.

Specified by:

isRequestedResourcePublic in interface SecurityManager

Parameters:

request - the request.

Returns:

true if the requested resource can be accessed by public (unauthenticated) callers, otherwise false

isCallerAuthorizedForResource

public boolean isCallerAuthorizedForResource(HttpServletRequest request)

Description copied from interface: SecurityManager

Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.

If the unauthenticated caller is authorized, then this means the resource is public (aka unconstrained, aka unchecked), and the outcome of this method MUST be consistent with SecurityManager.isRequestedResourcePublic(HttpServletRequest).

Specified by:

isCallerAuthorizedForResource in interface SecurityManager

Parameters:

request - the request.

Returns:

true if the current caller is allowed to access the requested resource, false otherwise

isUserInRole

public boolean isUserInRole(HttpServletRequest request, java.lang.String role)

Description copied from interface: SecurityManager

Is the user in the specific role.

Specified by:

isUserInRole in interface SecurityManager

Parameters:

request - the request.

role - the role.

Returns:

true if in the role, false otherwise.

authenticate

public boolean authenticate(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException, ServletException

Description copied from interface: SecurityManager

Authenticate the request.

Specified by:

authenticate in interface SecurityManager

Parameters:

request - the request.

response - the response.

Returns:

true if authenticated.

Throws:

java.io.IOException - when an I/O error occurs.

ServletException - when a servlet error occurs.

authenticate

public boolean authenticate(HttpServletRequest request, HttpServletResponse response, SecurityManager.AuthenticateSource source) throws java.io.IOException, ServletException

Description copied from interface: SecurityManager

Authenticate the request.

Specified by:

authenticate in interface SecurityManager

Parameters:

request - the request.

response - the response.

source - the source or moment from where this authenticate method is called

Returns:

true if authenticated.

Throws:

java.io.IOException - when an I/O error occurs.

ServletException - when a servlet error occurs.

login

public void login(HttpServletRequest request, java.lang.String username, java.lang.String password) throws ServletException

Description copied from interface: SecurityManager

Login.

Specified by:

login in interface SecurityManager

Parameters:

request - the request.

username - the username.

password - the password.

Throws:

ServletException - when unable to login.

getAuthenticatedRequest

public HttpServletRequest getAuthenticatedRequest(HttpServletRequest request, HttpServletResponse response)

Description copied from interface: SecurityManager

Gets the request object the security system wants to put in place.

This method allows the security system (or authentication module being delegated to) a custom or, more likely, wrapped request.

Specified by:

getAuthenticatedRequest in interface SecurityManager

Parameters:

request - the request.

response - the response.

Returns:

a request object that the runtime should put into service

getAuthenticatedResponse

public HttpServletResponse getAuthenticatedResponse(HttpServletRequest request, HttpServletResponse response)

Description copied from interface: SecurityManager

Gets the response object the security system wants to put in place.

This method allows the security system (or authentication module being delegated to) a custom or, more likely, wrapped response.

Specified by:

getAuthenticatedResponse in interface SecurityManager

Parameters:

request - the request.

response - the response.

Returns:

a response object that the runtime should put into service

postRequestProcess

public void postRequestProcess(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException, ServletException

Description copied from interface: SecurityManager

Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).

Although this may be rare to used in practice, it allows for encryption of the response, inserting security tokens, signing the response, etc.

Specified by:

postRequestProcess in interface SecurityManager

Parameters:

request - the request.

response - the response.

Throws:

java.io.IOException - when an I/O error occurs.

ServletException - when a servlet error occurs.

logout

public void logout(HttpServletRequest request, HttpServletResponse response) throws ServletException

Description copied from interface: SecurityManager

Logout.

Specified by:

logout in interface SecurityManager

Parameters:

request - the request.

response - the response.

Throws:

ServletException - when a servlet error occurs.

getWebApplication

public WebApplication getWebApplication()

Description copied from interface: SecurityManager

Get the web application.

Specified by:

getWebApplication in interface SecurityManager

Returns:

the web application.

setWebApplication

public void setWebApplication(WebApplication webApplication)

Description copied from interface: SecurityManager

Set the web application.

Specified by:

setWebApplication in interface SecurityManager

Parameters:

webApplication - the web application.

setUsernamePasswordLoginHandler

public void setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler)

Description copied from interface: SecurityManager

Set the handler that may be used by the login method to contact an identity store.

Specified by:

setUsernamePasswordLoginHandler in interface SecurityManager

Parameters:

usernamePasswordLoginHandler - the handler

getAuthenticationService

protected org.omnifaces.eleos.services.DefaultAuthenticationService getAuthenticationService(HttpServletRequest request)

getAuthorizationService

protected org.omnifaces.exousia.AuthorizationService getAuthorizationService(HttpServletRequest request)

getDenyUncoveredHttpMethods

public boolean getDenyUncoveredHttpMethods()

Description copied from interface: SecurityManager

Get if we are denying uncovered HTTP methods.

Specified by:

getDenyUncoveredHttpMethods in interface SecurityManager

Returns:

true if we are, false otherwise.

setDenyUncoveredHttpMethods

public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods)

Description copied from interface: SecurityManager

Set if we are denying uncovered HTTP methods.

Specified by:

setDenyUncoveredHttpMethods in interface SecurityManager

Parameters:

denyUncoveredHttpMethods - the boolean value.