- All Known Implementing Classes:
ServletSecurityManager, SlimSecurityManager

public interface SecurityManager

The SecurityManager API.

- Author:
Manfred Riem ([email protected]), Arjan Tijms
-
Nested Class Summary
Modifier and Type | Interface | Description
static enum | SecurityManager.AuthenticateSource | The enum that qualifies the source of the authentication.
static interface | SecurityManager.UsernamePasswordLoginHandler | Handler that bypasses the authentication mechanism installed by the authentication manager and directly invokes an identity store.
-
Method Summary
Modifier and Type | Method | Description
boolean | authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Authenticate the request.
default boolean | authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, SecurityManager.AuthenticateSource source) | Authenticate the request.
void | declareRoles(String[] roles) | Declare roles.
default void | declareRoles(Collection<String> roles) | Declare roles.
default jakarta.servlet.http.HttpServletRequest | getAuthenticatedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Gets the request object the security system wants to put in place.
default jakarta.servlet.http.HttpServletResponse | getAuthenticatedResponse(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Gets the response object the security system wants to put in place.
default String | getAuthMethod() | Get the auth method.
default boolean | getDenyUncoveredHttpMethods() | Get if we are denying uncovered HTTP methods.
default String | getFormErrorPage() | Get the form error page.
default String | getFormLoginPage() | Get the form login page.
default String | getRealmName() | Get the realm name.
 | getRoles() | Get the declared roles.
WebApplication | getWebApplication() | Get the web application.
default boolean | isCallerAuthorizedForResource(jakarta.servlet.http.HttpServletRequest request) | Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.
default boolean | isRequestedResourcePublic(jakarta.servlet.http.HttpServletRequest request) | Check if the requested resource, represented by the request, is public or not.
default boolean | isRequestSecurityAsRequired(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Check if the current request adheres to the user data constraint, if any.
boolean | isUserInRole(jakarta.servlet.http.HttpServletRequest request, String role) | Is the user in the specific role.
void | login(jakarta.servlet.http.HttpServletRequest request, String username, String password) | Login.
void | logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Logout.
default void | postRequestProcess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).
default void | setAuthMethod(String authMethod) | Set the auth method.
default void | setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods) | Set if we are denying uncovered HTTP methods.
default void | setFormErrorPage(String formErrorPage) | Set the form error page.
default void | setFormLoginPage(String formLoginPage) | Set the form login page.
default void | setRealmName(String realmName) | Set the realm name.
default void | setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler) | Set the handler that may be used by the login method to contact an identity store.
void | setWebApplication(WebApplication webApplication) | Set the web application.
-
Method Details
-
authenticate
boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
Authenticate the request.
- Parameters:
request - the request.
response - the response.
- Returns:
true if authenticated.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
authenticate
default boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, SecurityManager.AuthenticateSource source) throws IOException, jakarta.servlet.ServletException
Authenticate the request.
- Parameters:
request - the request.
response - the response.
source - the source or moment from where this authenticate method is called.
- Returns:
true if authenticated.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
declareRoles
void declareRoles(String[] roles)
Declare roles.
- Parameters:
roles - the roles.
-
declareRoles
default void declareRoles(Collection<String> roles)
Declare roles.
- Parameters:
roles - the roles.
-
getAuthMethod
default String getAuthMethod()
Get the auth method.
- Returns:
the auth method.
-
getAuthenticatedRequest
default jakarta.servlet.http.HttpServletRequest getAuthenticatedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Gets the request object the security system wants to put in place.
This method allows the security system (or the authentication module being delegated to) to put in place a custom or, more likely, wrapped request.
- Parameters:
request - the request.
response - the response.
- Returns:
a request object that the runtime should put into service.
-
getAuthenticatedResponse
default jakarta.servlet.http.HttpServletResponse getAuthenticatedResponse(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Gets the response object the security system wants to put in place.
This method allows the security system (or the authentication module being delegated to) to put in place a custom or, more likely, wrapped response.
- Parameters:
request - the request.
response - the response.
- Returns:
a response object that the runtime should put into service.
-
getDenyUncoveredHttpMethods
default boolean getDenyUncoveredHttpMethods()
Get if we are denying uncovered HTTP methods, that is, whether an HTTP method not named by the security constraints covering a URL pattern is rejected rather than treated as unconstrained (the Servlet deny-uncovered-http-methods setting).
- Returns:
true if we are, false otherwise.
-
getFormErrorPage
default String getFormErrorPage()
Get the form error page.
- Returns:
the form error page.
-
getFormLoginPage
default String getFormLoginPage()
Get the form login page.
- Returns:
the form login page.
-
getRealmName
default String getRealmName()
Get the realm name.
- Returns:
the realm name.
-
getRoles
getRoles()
Get the declared roles.
- Returns:
the roles.
-
isRequestSecurityAsRequired
default boolean isRequestSecurityAsRequired(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
Check if the current request adheres to the user data constraint, if any.
In practice this means checking that HTTPS is used when the application requires it.
- Parameters:
request - the request.
response - the response.
- Returns:
true if the request adheres to the constraints, false otherwise.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
isRequestedResourcePublic
default boolean isRequestedResourcePublic(jakarta.servlet.http.HttpServletRequest request)
Check if the requested resource, represented by the request, is public or not.
- Parameters:
request - the request.
- Returns:
true if the requested resource can be accessed by public (unauthenticated) callers, otherwise false.
-
isCallerAuthorizedForResource
default boolean isCallerAuthorizedForResource(jakarta.servlet.http.HttpServletRequest request)
Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.
If the unauthenticated caller is authorized, then this means the resource is public (aka unconstrained, aka unchecked), and the outcome of this method MUST be consistent with isRequestedResourcePublic(HttpServletRequest).
- Parameters:
request - the request.
- Returns:
true if the current caller is allowed to access the requested resource, false otherwise.
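The consistency rule above, together with the deny-uncovered-HTTP-methods setting exposed by getDenyUncoveredHttpMethods, is easiest to see on a concrete authorization table. The class below is an added example written for this page, not Piranha's implementation of either method: it models Servlet-style security constraints in a plain class (ConstraintTable, Constraint, Decision and Outcome are names invented for the example) so that it runs stand-alone. isPublic follows the contract of isRequestedResourcePublic and isAuthorized that of isCallerAuthorizedForResource, with callerRoles == null standing for the anonymous caller; both are derived from one evaluate() call, so the two answers cannot drift apart.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not the project's own code): an authorization table with
 * Servlet-style security constraints, showing how the "public" and "caller
 * authorized" answers stay consistent and what deny-uncovered-http-methods changes.
 */
public final class ConstraintTable {

    /**
     * One security constraint. httpMethods empty means "all methods";
     * roles == null means no auth-constraint at all (unconstrained, public);
     * roles empty means an auth-constraint that names no roles (deny everyone);
     * the role "**" means any authenticated caller regardless of role.
     */
    public record Constraint(String urlPattern, Set<String> httpMethods, Set<String> roles) {}

    public enum Decision { PUBLIC, ROLE_REQUIRED, DENIED }

    public record Outcome(Decision decision, Set<String> roles) {}

    private final List<Constraint> constraints = new ArrayList<>();
    private final boolean denyUncoveredHttpMethods;

    public ConstraintTable(boolean denyUncoveredHttpMethods) {
        this.denyUncoveredHttpMethods = denyUncoveredHttpMethods;
    }

    public ConstraintTable add(String urlPattern, Set<String> httpMethods, Set<String> roles) {
        constraints.add(new Constraint(urlPattern, httpMethods, roles));
        return this;
    }

    /** Exact, path-prefix ("/admin/*") and extension ("*.jsp") patterns. */
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            return path.endsWith(pattern.substring(1));
        }
        return pattern.equals(path);
    }

    /** Combines every constraint matching (method, path), in simplified Servlet precedence. */
    public Outcome evaluate(String method, String path) {
        boolean patternMatched = false, methodMatched = false, unconstrained = false, denyAll = false;
        Set<String> union = new HashSet<>();
        for (Constraint c : constraints) {
            if (!matches(c.urlPattern(), path)) continue;
            patternMatched = true;
            if (!c.httpMethods().isEmpty() && !c.httpMethods().contains(method)) continue;
            methodMatched = true;
            if (c.roles() == null) unconstrained = true;
            else if (c.roles().isEmpty()) denyAll = true;
            else union.addAll(c.roles());
        }
        if (!methodMatched) {
            // "Uncovered" HTTP method: the path is constrained for other verbs only.
            // Without deny-uncovered-http-methods this is public, which is the classic
            // verb-tampering hole (constrain GET, attacker sends POST or HEAD instead).
            boolean deny = patternMatched && denyUncoveredHttpMethods;
            return new Outcome(deny ? Decision.DENIED : Decision.PUBLIC, Set.of());
        }
        if (denyAll) return new Outcome(Decision.DENIED, Set.of());        // empty auth-constraint wins
        if (unconstrained) return new Outcome(Decision.PUBLIC, Set.of());  // no auth-constraint beats roles
        return new Outcome(Decision.ROLE_REQUIRED, union);
    }

    /** Same contract as isRequestedResourcePublic. */
    public boolean isPublic(String method, String path) {
        return evaluate(method, path).decision() == Decision.PUBLIC;
    }

    /** Same contract as isCallerAuthorizedForResource; callerRoles == null is the anonymous caller. */
    public boolean isAuthorized(String method, String path, Set<String> callerRoles) {
        Outcome outcome = evaluate(method, path);
        return switch (outcome.decision()) {
            case PUBLIC -> true;          // anonymous allowed exactly when isPublic is true
            case DENIED -> false;
            case ROLE_REQUIRED -> callerRoles != null
                    && (outcome.roles().contains("**") || callerRoles.stream().anyMatch(outcome.roles()::contains));
        };
    }

    public static void main(String[] args) {
        for (boolean denyUncovered : new boolean[] {false, true}) {
            ConstraintTable table = new ConstraintTable(denyUncovered)
                    .add("/admin/*", Set.of("GET"), Set.of("admin"))   // constructed sample constraint
                    .add("/login", Set.of(), null);                    // unconstrained page
            System.out.println("deny-uncovered-http-methods=" + denyUncovered);
            System.out.println("  GET  /admin/users public=" + table.isPublic("GET", "/admin/users")
                    + " anon=" + table.isAuthorized("GET", "/admin/users", null)
                    + " admin=" + table.isAuthorized("GET", "/admin/users", Set.of("admin")));
            System.out.println("  POST /admin/users public=" + table.isPublic("POST", "/admin/users")
                    + " anon=" + table.isAuthorized("POST", "/admin/users", null));
        }
    }
}
```

With deny-uncovered-http-methods off, POST /admin/users comes out public even though GET is restricted to the admin role; with it on, the same request is denied. Whichever setting a deployment uses, the anonymous caller is authorized precisely when the resource is public, which is the invariant the two interface methods are required to share.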
-
postRequestProcess
default void postRequestProcess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).
Although this may be rarely used in practice, it allows for encrypting the response, inserting security tokens, signing the response, etc.
- Parameters:
request - the request.
response - the response.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
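The request-time methods on this page (isRequestSecurityAsRequired, authenticate, isRequestedResourcePublic, isCallerAuthorizedForResource, getAuthenticatedRequest/Response and postRequestProcess) form one pipeline, and the order matters: the transport check runs before any credential is read, authentication before authorization, and the wrapped request and response are the ones handed to the target. The filter below is an added example, not the runtime's own wiring, which the page does not show. It assumes the interface lives in the package cloud.piranha.webapp.api (not stated on this page), that a false from isRequestSecurityAsRequired or a committed response after authenticate means the manager has already answered the client, and that a Filter is an acceptable stand-in for wherever the runtime actually performs these calls.

```java
import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Assumed package (not shown on this page). The explicit import is not optional:
// java.lang.SecurityManager is always in scope and would silently be used instead.
import cloud.piranha.webapp.api.SecurityManager;

/**
 * Added example (not the project's own code): drives a SecurityManager in the
 * order a runtime would, so that each request-time method is seen in context.
 */
public class SecurityManagerFilter implements Filter {

    private final SecurityManager securityManager;

    public SecurityManagerFilter(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. User data constraint first: if the resource demands HTTPS and this is
        //    plain HTTP, stop before any credential is read. The manager may already
        //    have written a redirect (assumption); fail closed either way.
        if (!securityManager.isRequestSecurityAsRequired(request, response)) {
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }

        // 2. Authentication. The installed mechanism may write a challenge
        //    (401, or a redirect to the form login page) and return false.
        boolean authenticated = securityManager.authenticate(request, response);
        if (response.isCommitted()) {
            return;                                   // challenge or error already sent
        }
        if (!authenticated && !securityManager.isRequestedResourcePublic(request)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // protected, no caller: fail closed
            return;
        }

        // 3. Authorization of the current caller, which on a public resource may
        //    still be the anonymous caller. For that caller the answer must agree
        //    with isRequestedResourcePublic, as the API contract requires.
        if (!securityManager.isCallerAuthorizedForResource(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. Put the security system's (wrapped) request and response into service,
        //    e.g. a request whose getUserPrincipal()/isUserInRole() reflect the caller.
        HttpServletRequest authenticatedRequest =
                securityManager.getAuthenticatedRequest(request, response);
        HttpServletResponse authenticatedResponse =
                securityManager.getAuthenticatedResponse(request, response);

        // 5. Invoke the target resource with the wrapped objects, never the originals.
        chain.doFilter(authenticatedRequest, authenticatedResponse);

        // 6. Post-processing hook: sign the response, insert security tokens, etc.
        securityManager.postRequestProcess(authenticatedRequest, authenticatedResponse);
    }
}
```

Two points a reviewer would check in such wiring: every early return happens before chain.doFilter, so a failed transport, authentication or authorization check never reaches the target resource, and the objects passed downstream are the ones returned by getAuthenticatedRequest/getAuthenticatedResponse, otherwise the servlet sees a request with no caller identity attached.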
-
getWebApplication
WebApplication getWebApplication()
Get the web application.
- Returns:
the web application.
-
isUserInRole
boolean isUserInRole(jakarta.servlet.http.HttpServletRequest request, String role)
Is the user in the specific role.
- Parameters:
request - the request.
role - the role.
- Returns:
true if in the role, false otherwise.
-
login
void login(jakarta.servlet.http.HttpServletRequest request, String username, String password) throws jakarta.servlet.ServletException
Login.
- Parameters:
request - the request.
username - the username.
password - the password.
- Throws:
jakarta.servlet.ServletException - when unable to login.
-
logout
void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws jakarta.servlet.ServletException
Logout.
- Parameters:
request - the request.
response - the response.
- Throws:
jakarta.servlet.ServletException - when a servlet error occurs.
-
setAuthMethod
default void setAuthMethod(String authMethod)
Set the auth method.
- Parameters:
authMethod - the auth method.
-
setDenyUncoveredHttpMethods
default void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods)
Set if we are denying uncovered HTTP methods.
- Parameters:
denyUncoveredHttpMethods - the boolean value.
-
setFormErrorPage
default void setFormErrorPage(String formErrorPage)
Set the form error page.
- Parameters:
formErrorPage - the form error page.
-
setFormLoginPage
default void setFormLoginPage(String formLoginPage)
Set the form login page.
- Parameters:
formLoginPage - the form login page.
-
setRealmName
default void setRealmName(String realmName)
Set the realm name.
- Parameters:
realmName - the realm name.
-
setWebApplication
void setWebApplication(WebApplication webApplication)
Set the web application.
- Parameters:
webApplication - the web application.
-
setUsernamePasswordLoginHandler
default void setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler)
Set the handler that may be used by the login method to contact an identity store.
- Parameters:
usernamePasswordLoginHandler - the handler.
-