Class ServletSecurityManager
java.lang.Object
cloud.piranha.extension.security.servlet.ServletSecurityManager
- All Implemented Interfaces:
SecurityManager
SecurityManager implementation that uses Servlet Security semantics.
- Author:
- Arjan Tijms, Manfred Riem ([email protected])
-
Nested Class Summary
Nested classes/interfaces inherited from interface cloud.piranha.core.api.SecurityManager
SecurityManager.AuthenticateSource, SecurityManager.UsernamePasswordLoginHandler
-
Field Summary
- protected String authMethod: Stores the auth method.
- protected boolean denyUncoveredHttpMethods: Stores if we are denying uncovered HTTP methods.
- protected String formErrorPage: Stores the form error page.
- protected String formLoginPage: Stores the form login page.
- protected String realmName: Stores the realm name.
- roles: Stores all declared roles in the application.
- usernamePasswordLoginHandler: Handler for the specific HttpServletRequest#login method call.
- protected WebApplication webApplication: Stores the web application.
-
Constructor Summary
-
Method Summary
- boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response): Authenticate the request.
- boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, SecurityManager.AuthenticateSource source): Authenticate the request.
- void declareRoles(String[] roles): Declare roles.
- void declareRoles(Collection<String> roles): Declare roles.
- jakarta.servlet.http.HttpServletRequest getAuthenticatedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response): Gets the request object the security system wants to put in place.
- jakarta.servlet.http.HttpServletResponse getAuthenticatedResponse(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response): Gets the response object the security system wants to put in place.
- protected org.omnifaces.eleos.services.DefaultAuthenticationService getAuthenticationService(jakarta.servlet.http.HttpServletRequest request)
- getAuthMethod(): Get the auth method.
- protected org.glassfish.exousia.AuthorizationService getAuthorizationService(jakarta.servlet.http.HttpServletRequest request)
- boolean getDenyUncoveredHttpMethods(): Get if we are denying uncovered HTTP methods.
- getFormErrorPage(): Get the form error page.
- getFormLoginPage(): Get the form login page.
- getRealmName(): Get the realm name.
- getRoles(): Get the declared roles.
- getWebApplication(): Get the web application.
- boolean isCallerAuthorizedForResource(jakarta.servlet.http.HttpServletRequest request): Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.
- boolean isRequestedResourcePublic(jakarta.servlet.http.HttpServletRequest request): Check if the requested resource, represented by the request, is public or not.
- boolean isRequestSecurityAsRequired(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response): Check if the current request adheres to the user data constraint, if any.
- boolean isUserInRole(jakarta.servlet.http.HttpServletRequest request, String role): Is the user in the specific role.
- void login(jakarta.servlet.http.HttpServletRequest request, String username, String password): Login.
- void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response): Logout.
- void postRequestProcess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response): Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).
- void setAuthMethod(String authMethod): Set the auth method.
- void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods): Set if we are denying uncovered HTTP methods.
- void setFormErrorPage(String formErrorPage): Set the form error page.
- void setFormLoginPage(String formLoginPage): Set the form login page.
- void setRealmName(String realmName): Set the realm name.
- void setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler): Set the handler that may be used by the login method to contact an identity store.
- void setWebApplication(WebApplication webApplication): Set the web application.
-
Field Details
-
authMethod
protected String authMethod
Stores the auth method.
-
denyUncoveredHttpMethods
protected boolean denyUncoveredHttpMethods
Stores if we are denying uncovered HTTP methods.
-
formErrorPage
protected String formErrorPage
Stores the form error page.
-
formLoginPage
protected String formLoginPage
Stores the form login page.
-
realmName
protected String realmName
Stores the realm name.
-
roles
Stores all declared roles in the application.
-
usernamePasswordLoginHandler
Handler for the specific HttpServletRequest#login method call.
-
webApplication
protected WebApplication webApplication
Stores the web application.
-
-
Constructor Details
-
ServletSecurityManager
public ServletSecurityManager()
-
-
Method Details
-
authenticate
public boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
Description copied from interface: SecurityManager
Authenticate the request.
- Specified by:
authenticate in interface SecurityManager
- Parameters:
request - the request.
response - the response.
- Returns:
- true if authenticated.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
authenticate
public boolean authenticate(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, SecurityManager.AuthenticateSource source) throws IOException, jakarta.servlet.ServletException
Description copied from interface: SecurityManager
Authenticate the request.
- Specified by:
authenticate in interface SecurityManager
- Parameters:
request - the request.
response - the response.
source - the source or moment from where this authenticate method is called.
- Returns:
- true if authenticated.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
declareRoles
Description copied from interface: SecurityManager
Declare roles.
- Specified by:
declareRoles in interface SecurityManager
- Parameters:
roles - the roles.
-
declareRoles
Description copied from interface: SecurityManager
Declare roles.
- Specified by:
declareRoles in interface SecurityManager
- Parameters:
roles - the roles.
-
getAuthMethod
Description copied from interface: SecurityManager
Get the auth method.
- Specified by:
getAuthMethod in interface SecurityManager
- Returns:
- the auth method.
-
getAuthenticatedRequest
public jakarta.servlet.http.HttpServletRequest getAuthenticatedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Description copied from interface: SecurityManager
Gets the request object the security system wants to put in place. This method allows the security system (or the authentication module being delegated to) to supply a custom or, more likely, wrapped request.
- Specified by:
getAuthenticatedRequest in interface SecurityManager
- Parameters:
request - the request.
response - the response.
- Returns:
- a request object that the runtime should put into service.
-
getAuthenticatedResponse
public jakarta.servlet.http.HttpServletResponse getAuthenticatedResponse(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Description copied from interface: SecurityManager
Gets the response object the security system wants to put in place. This method allows the security system (or the authentication module being delegated to) to supply a custom or, more likely, wrapped response.
- Specified by:
getAuthenticatedResponse in interface SecurityManager
- Parameters:
request - the request.
response - the response.
- Returns:
- a response object that the runtime should put into service.
-
getAuthenticationService
protected org.omnifaces.eleos.services.DefaultAuthenticationService getAuthenticationService(jakarta.servlet.http.HttpServletRequest request)
-
getAuthorizationService
protected org.glassfish.exousia.AuthorizationService getAuthorizationService(jakarta.servlet.http.HttpServletRequest request)
-
getDenyUncoveredHttpMethods
public boolean getDenyUncoveredHttpMethods()
Description copied from interface: SecurityManager
Get if we are denying uncovered HTTP methods.
- Specified by:
getDenyUncoveredHttpMethods in interface SecurityManager
- Returns:
- true if we are, false otherwise.
-
getFormErrorPage
Description copied from interface: SecurityManager
Get the form error page.
- Specified by:
getFormErrorPage in interface SecurityManager
- Returns:
- the form error page.
-
getFormLoginPage
Description copied from interface: SecurityManager
Get the form login page.
- Specified by:
getFormLoginPage in interface SecurityManager
- Returns:
- the form login page.
-
getRealmName
Description copied from interface: SecurityManager
Get the realm name.
- Specified by:
getRealmName in interface SecurityManager
- Returns:
- the realm name.
-
getRoles
Description copied from interface: SecurityManager
Get the declared roles.
- Specified by:
getRoles in interface SecurityManager
- Returns:
- the roles.
-
isRequestSecurityAsRequired
public boolean isRequestSecurityAsRequired(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
Description copied from interface: SecurityManager
Check if the current request adheres to the user data constraint, if any. In practice this means checking if HTTPS is used when so required by the application.
- Specified by:
isRequestSecurityAsRequired in interface SecurityManager
- Parameters:
request - the request.
response - the response.
- Returns:
- true if the request adheres to the constraints, false otherwise.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
isRequestedResourcePublic
public boolean isRequestedResourcePublic(jakarta.servlet.http.HttpServletRequest request)
Description copied from interface: SecurityManager
Check if the requested resource, represented by the request, is public or not.
- Specified by:
isRequestedResourcePublic in interface SecurityManager
- Parameters:
request - the request.
- Returns:
- true if the requested resource can be accessed by public (unauthenticated) callers, otherwise false.
-
isCallerAuthorizedForResource
public boolean isCallerAuthorizedForResource(jakarta.servlet.http.HttpServletRequest request)
Description copied from interface: SecurityManager
Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource. If the unauthenticated caller is authorized, then this means the resource is public (aka unconstrained, aka unchecked), and the outcome of this method MUST be consistent with SecurityManager.isRequestedResourcePublic(HttpServletRequest).
- Specified by:
isCallerAuthorizedForResource in interface SecurityManager
- Parameters:
request - the request.
- Returns:
- true if the current caller is allowed to access the requested resource, false otherwise.
-
isUserInRole
Description copied from interface: SecurityManager
Is the user in the specific role.
- Specified by:
isUserInRole in interface SecurityManager
- Parameters:
request - the request.
role - the role.
- Returns:
- true if in the role, false otherwise.
-
login
public void login(jakarta.servlet.http.HttpServletRequest request, String username, String password) throws jakarta.servlet.ServletException
Description copied from interface: SecurityManager
Login.
- Specified by:
login in interface SecurityManager
- Parameters:
request - the request.
username - the username.
password - the password.
- Throws:
jakarta.servlet.ServletException - when unable to login.
-
postRequestProcess
public void postRequestProcess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws IOException, jakarta.servlet.ServletException
Description copied from interface: SecurityManager
Gives the security system the opportunity to process the response after the request (after the target resource has been invoked). Although this may be rarely used in practice, it allows for encryption of the response, inserting security tokens, signing the response, etc.
- Specified by:
postRequestProcess in interface SecurityManager
- Parameters:
request - the request.
response - the response.
- Throws:
IOException - when an I/O error occurs.
jakarta.servlet.ServletException - when a servlet error occurs.
-
logout
public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws jakarta.servlet.ServletException
Description copied from interface: SecurityManager
Logout.
- Specified by:
logout in interface SecurityManager
- Parameters:
request - the request.
response - the response.
- Throws:
jakarta.servlet.ServletException - when a servlet error occurs.
-
getWebApplication
Description copied from interface: SecurityManager
Get the web application.
- Specified by:
getWebApplication in interface SecurityManager
- Returns:
- the web application.
-
setWebApplication
Description copied from interface: SecurityManager
Set the web application.
- Specified by:
setWebApplication in interface SecurityManager
- Parameters:
webApplication - the web application.
-
setUsernamePasswordLoginHandler
public void setUsernamePasswordLoginHandler(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler)
Description copied from interface: SecurityManager
Set the handler that may be used by the login method to contact an identity store.
- Specified by:
setUsernamePasswordLoginHandler in interface SecurityManager
- Parameters:
usernamePasswordLoginHandler - the handler.
-
setDenyUncoveredHttpMethods
public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods)
Description copied from interface: SecurityManager
Set if we are denying uncovered HTTP methods.
- Specified by:
setDenyUncoveredHttpMethods in interface SecurityManager
- Parameters:
denyUncoveredHttpMethods - the boolean value.
-
setAuthMethod
Description copied from interface: SecurityManager
Set the auth method.
- Specified by:
setAuthMethod in interface SecurityManager
- Parameters:
authMethod - the auth method.
-
setFormErrorPage
Description copied from interface: SecurityManager
Set the form error page.
- Specified by:
setFormErrorPage in interface SecurityManager
- Parameters:
formErrorPage - the form error page.
-
setFormLoginPage
Description copied from interface: SecurityManager
Set the form login page.
- Specified by:
setFormLoginPage in interface SecurityManager
- Parameters:
formLoginPage - the form login page.
-
setRealmName
Description copied from interface: SecurityManager
Set the realm name.
- Specified by:
setRealmName in interface SecurityManager
- Parameters:
realmName - the realm name.
-
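As an added illustration that is not code from the Piranha project, the class below shows the order in which a runtime would consult the methods documented above for one request: the user data constraint (isRequestSecurityAsRequired) first, authentication for non-public resources (isRequestedResourcePublic, authenticate), the authorization check (isCallerAuthorizedForResource), the wrapped request and response (getAuthenticatedRequest, getAuthenticatedResponse), and postRequestProcess only after the target resource has run. The SecurityGate class name and its failClosed helper are assumptions; whether the security manager itself writes a redirect or challenge on a failed check is left to the implementation, so the gate only refuses to continue and answers 403 when nothing has been committed yet.

```java
import java.io.IOException;
import cloud.piranha.core.api.SecurityManager;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Drives a SecurityManager for one request (illustrative; this class is not part of Piranha). */
public final class SecurityGate {

    /** Returns true when the target resource was invoked, false when the request was refused. */
    public static boolean process(SecurityManager securityManager, HttpServletRequest request,
            HttpServletResponse response, FilterChain chain) throws IOException, ServletException {

        // 1. User data constraint: refuse if HTTPS is required by the application but not in use.
        if (!securityManager.isRequestSecurityAsRequired(request, response)) {
            return failClosed(response);
        }
        // 2. A non-public resource needs an authenticated caller before any role check is meaningful.
        if (!securityManager.isRequestedResourcePublic(request)
                && !securityManager.authenticate(request, response)) {
            return failClosed(response);
        }
        // 3. Authorization; for the anonymous caller this must agree with isRequestedResourcePublic.
        if (!securityManager.isCallerAuthorizedForResource(request)) {
            return failClosed(response);
        }
        // 4. Let the security system put its (usually wrapped) request and response into service.
        HttpServletRequest authRequest = securityManager.getAuthenticatedRequest(request, response);
        HttpServletResponse authResponse = securityManager.getAuthenticatedResponse(request, response);
        try {
            chain.doFilter(authRequest, authResponse);
        } finally {
            // 5. Post-processing (tokens, signing, ...) only after the target resource has run.
            securityManager.postRequestProcess(authRequest, authResponse);
        }
        return true;
    }

    /** Fail closed with 403 unless the security manager already wrote a redirect or challenge. */
    private static boolean failClosed(HttpServletResponse response) throws IOException {
        if (!response.isCommitted()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        return false;
    }
}
```

Containers commonly also offer authentication on public resources when credentials are present, which is what the three-argument authenticate with its SecurityManager.AuthenticateSource is for; the two-argument form is used here because the enum's values are not shown on this page.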