java.lang.Object
cloud.piranha.extension.security.servlet.ServletSecurityManager
All Implemented Interfaces:
SecurityManager

public class ServletSecurityManager extends Object implements SecurityManager
SecurityManager implementation that uses Servlet Security semantics.
Author:
Arjan Tijms, Manfred Riem ([email protected])
  • Field Details

    • authMethod

      protected String authMethod
      Stores the auth method.
    • denyUncoveredHttpMethods

      protected boolean denyUncoveredHttpMethods
      Stores if we are denying uncovered HTTP methods.
    • formErrorPage

      protected String formErrorPage
      Stores the form error page.
    • formLoginPage

      protected String formLoginPage
      Stores the form login page.
    • realmName

      protected String realmName
      Stores the realm name.
    • roles

      protected final Set<String> roles
      Stores all declared roles in the application.
    • usernamePasswordLoginHandler

      protected SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler
      Handler for the HttpServletRequest#login method call.
    • webApplication

      protected WebApplication webApplication
      Stores the web application.
  • Constructor Details

    • ServletSecurityManager

      public ServletSecurityManager()
  • Method Details

    • authenticate

      public boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
      Description copied from interface: SecurityManager
      Authenticate the request.
      Specified by:
      authenticate in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      Returns:
      true if authenticated.
      Throws:
      IOException - when an I/O error occurs.
      jakarta.servlet.ServletException - when a servlet error occurs.
    • authenticate

      public boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, SecurityManager.AuthenticateSource source) throws IOException, jakarta.servlet.ServletException
      Description copied from interface: SecurityManager
      Authenticate the request.
      Specified by:
      authenticate in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      source - the source, i.e. the point in request processing, from which this authenticate method is called.
      Returns:
      true if authenticated.
      Throws:
      IOException - when an I/O error occurs.
      jakarta.servlet.ServletException - when a servlet error occurs.
    • declareRoles

      public void declareRoles(String[] roles)
      Description copied from interface: SecurityManager
      Declare roles.
      Specified by:
      declareRoles in interface SecurityManager
      Parameters:
      roles - the roles.
    • declareRoles

      public void declareRoles(Collection<String> roles)
      Description copied from interface: SecurityManager
      Declare roles.
      Specified by:
      declareRoles in interface SecurityManager
      Parameters:
      roles - the roles.
    • getAuthMethod

      public String getAuthMethod()
      Description copied from interface: SecurityManager
      Get the auth method.
      Specified by:
      getAuthMethod in interface SecurityManager
      Returns:
      the auth method.
    • getAuthenticatedRequest

      public jakarta.servlet.http.HttpServletRequest getAuthenticatedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: SecurityManager
      Gets the request object the security system wants to put in place.

      This method allows the security system (or the authentication module being delegated to) to supply a custom or, more likely, wrapped request.

      Specified by:
      getAuthenticatedRequest in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      Returns:
      a request object that the runtime should put into service
    • getAuthenticatedResponse

      public jakarta.servlet.http.HttpServletResponse getAuthenticatedResponse(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: SecurityManager
      Gets the response object the security system wants to put in place.

      This method allows the security system (or the authentication module being delegated to) to supply a custom or, more likely, wrapped response.

      Specified by:
      getAuthenticatedResponse in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      Returns:
      a response object that the runtime should put into service
    • getAuthenticationService

      protected org.omnifaces.eleos.services.DefaultAuthenticationService getAuthenticationService(jakarta.servlet.http.HttpServletRequest request)
    • getAuthorizationService

      protected org.glassfish.exousia.AuthorizationService getAuthorizationService(jakarta.servlet.http.HttpServletRequest request)
    • getDenyUncoveredHttpMethods

      public boolean getDenyUncoveredHttpMethods()
      Description copied from interface: SecurityManager
      Get if we are denying uncovered HTTP methods.
      Specified by:
      getDenyUncoveredHttpMethods in interface SecurityManager
      Returns:
      true if we are, false otherwise.
    • getFormErrorPage

      public String getFormErrorPage()
      Description copied from interface: SecurityManager
      Get the form error page.
      Specified by:
      getFormErrorPage in interface SecurityManager
      Returns:
      the form error page.
    • getFormLoginPage

      public String getFormLoginPage()
      Description copied from interface: SecurityManager
      Get the form login page.
      Specified by:
      getFormLoginPage in interface SecurityManager
      Returns:
      the form login page.
    • getRealmName

      public String getRealmName()
      Description copied from interface: SecurityManager
      Get the realm name.
      Specified by:
      getRealmName in interface SecurityManager
      Returns:
      the realm name.
    • getRoles

      public Set<String> getRoles()
      Description copied from interface: SecurityManager
      Get the declared roles.
      Specified by:
      getRoles in interface SecurityManager
      Returns:
      the roles.
    • isRequestSecurityAsRequired

      public boolean isRequestSecurityAsRequired(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
      Description copied from interface: SecurityManager
      Check if the current request adheres to the user data constraint, if any.

      In practice this means checking if HTTPS is used when so required by the application.

      Specified by:
      isRequestSecurityAsRequired in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      Returns:
      true if request adheres to constraints, false otherwise
      Throws:
      IOException - when an I/O error occurs.
      jakarta.servlet.ServletException - when a servlet error occurs.
    • isRequestedResourcePublic

      public boolean isRequestedResourcePublic(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: SecurityManager
      Check if the requested resource, represented by the request, is public or not.
      Specified by:
      isRequestedResourcePublic in interface SecurityManager
      Parameters:
      request - the request.
      Returns:
      true if the requested resource can be accessed by public (unauthenticated) callers, otherwise false
    • isCallerAuthorizedForResource

      public boolean isCallerAuthorizedForResource(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: SecurityManager
      Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.

      If the unauthenticated caller is authorized, then this means the resource is public (aka unconstrained, aka unchecked), and the outcome of this method MUST be consistent with SecurityManager.isRequestedResourcePublic(HttpServletRequest).

      Specified by:
      isCallerAuthorizedForResource in interface SecurityManager
      Parameters:
      request - the request.
      Returns:
      true if the current caller is allowed to access the requested resource, false otherwise
    • isUserInRole

      public boolean isUserInRole(jakarta.servlet.http.HttpServletRequest request, String role)
      Description copied from interface: SecurityManager
      Is the user in the specific role.
      Specified by:
      isUserInRole in interface SecurityManager
      Parameters:
      request - the request.
      role - the role.
      Returns:
      true if in the role, false otherwise.
    • login

      public void login(jakarta.servlet.http.HttpServletRequest request, String username, String password) throws jakarta.servlet.ServletException
      Description copied from interface: SecurityManager
      Login.
      Specified by:
      login in interface SecurityManager
      Parameters:
      request - the request.
      username - the username.
      password - the password.
      Throws:
      jakarta.servlet.ServletException - when unable to login.
    • postRequestProcess

      public void postRequestProcess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
      Description copied from interface: SecurityManager
      Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).

      Although this may be rarely used in practice, it allows for encryption of the response, inserting security tokens, signing the response, etc.

      Specified by:
      postRequestProcess in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      Throws:
      IOException - when an I/O error occurs.
      jakarta.servlet.ServletException - when a servlet error occurs.
    • logout

      public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws jakarta.servlet.ServletException
      Description copied from interface: SecurityManager
      Logout.
      Specified by:
      logout in interface SecurityManager
      Parameters:
      request - the request.
      response - the response.
      Throws:
      jakarta.servlet.ServletException - when a servlet error occurs.
    • getWebApplication

      public WebApplication getWebApplication()
      Description copied from interface: SecurityManager
      Get the web application.
      Specified by:
      getWebApplication in interface SecurityManager
      Returns:
      the web application.
    • setWebApplication

      public void setWebApplication(WebApplication webApplication)
      Description copied from interface: SecurityManager
      Set the web application.
      Specified by:
      setWebApplication in interface SecurityManager
      Parameters:
      webApplication - the web application.
    • setUsernamePasswordLoginHandler

      public void setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler)
      Description copied from interface: SecurityManager
      Set the handler that may be used by the login method to contact an identity store.
      Specified by:
      setUsernamePasswordLoginHandler in interface SecurityManager
      Parameters:
      usernamePasswordLoginHandler - the handler
    • setDenyUncoveredHttpMethods

      public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods)
      Description copied from interface: SecurityManager
      Set if we are denying uncovered HTTP methods.
      Specified by:
      setDenyUncoveredHttpMethods in interface SecurityManager
      Parameters:
      denyUncoveredHttpMethods - the boolean value.
    • setAuthMethod

      public void setAuthMethod(String authMethod)
      Description copied from interface: SecurityManager
      Set the auth method.
      Specified by:
      setAuthMethod in interface SecurityManager
      Parameters:
      authMethod - the auth method.
    • setFormErrorPage

      public void setFormErrorPage(String formErrorPage)
      Description copied from interface: SecurityManager
      Set the form error page.
      Specified by:
      setFormErrorPage in interface SecurityManager
      Parameters:
      formErrorPage - the form error page.
    • setFormLoginPage

      public void setFormLoginPage(String formLoginPage)
      Description copied from interface: SecurityManager
      Set the form login page.
      Specified by:
      setFormLoginPage in interface SecurityManager
      Parameters:
      formLoginPage - the form login page.
    • setRealmName

      public void setRealmName(String realmName)
      Description copied from interface: SecurityManager
      Set the realm name.
      Specified by:
      setRealmName in interface SecurityManager
      Parameters:
      realmName - the realm name.
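The following is an added example, not Piranha's own code, showing how a container-side request gate would drive the ServletSecurityManager methods documented above (isRequestSecurityAsRequired, isRequestedResourcePublic, authenticate, isCallerAuthorizedForResource, getAuthenticatedRequest/Response) and how the stated consistency contract between isRequestedResourcePublic and isCallerAuthorizedForResource can be checked. The class name SecurityGate and the order in which the methods are invoked are assumptions; the page documents the methods, not the sequence Piranha itself uses.

```java
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import cloud.piranha.extension.security.servlet.ServletSecurityManager;

// Hypothetical gate that sits in front of the target resource. The call order
// below (transport guarantee, then public check, then authentication, then
// authorization) is an assumption, not taken from the Piranha source.
public final class SecurityGate {
    private final ServletSecurityManager securityManager;

    public SecurityGate(ServletSecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /** Returns true when the target resource may be invoked for this caller. */
    public boolean admit(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // 1. User data constraint first: if the application requires HTTPS and the
        //    request is plain HTTP, stop before any credential is read or echoed.
        if (!securityManager.isRequestSecurityAsRequired(request, response)) {
            return false;
        }
        // 2. Unconstrained (public) resources never trigger an authentication challenge.
        if (securityManager.isRequestedResourcePublic(request)) {
            return true;
        }
        // 3. Constrained resource: authenticate. A false return means the security
        //    system has already issued its challenge (e.g. form login page or 401).
        if (!securityManager.authenticate(request, response)) {
            return false;
        }
        // 4. Authorization is evaluated only after the caller identity is established.
        return securityManager.isCallerAuthorizedForResource(request);
    }

    /** The request/response pair the runtime should hand to the target resource. */
    public HttpServletRequest wrappedRequest(HttpServletRequest request, HttpServletResponse response) {
        return securityManager.getAuthenticatedRequest(request, response);
    }

    public HttpServletResponse wrappedResponse(HttpServletRequest request, HttpServletResponse response) {
        return securityManager.getAuthenticatedResponse(request, response);
    }

    /** Contract from the Javadoc: for an anonymous caller, the two answers must agree. */
    public boolean publicityIsConsistent(HttpServletRequest anonymousRequest) {
        return securityManager.isRequestedResourcePublic(anonymousRequest)
            == securityManager.isCallerAuthorizedForResource(anonymousRequest);
    }
}
```

After the resource has been invoked, postRequestProcess(request, response) gives the security system its chance to sign or otherwise post-process the response; a mismatch reported by publicityIsConsistent indicates a broken SecurityManager implementation rather than a misconfigured application.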