An AuthenticationStrategy is responsible for retriving a Principal for the current request.
An AuthorizationStrategy that uses HTTP Basic Auth.
An AuthorizationStrategy that uses HTTP Basic Auth. Override and implement authorize to determine if the presented user/token are valid.
A principal contains an identification of a user.
A principal contains an identification of a user.
a unique value identifying this principal in the underlying system. It could be a database id, or a username, email, etc.
An AuthenticationStrategy that retrieves a Principal from the current session.
An AuthenticationStrategy that retrieves a Principal from the current session. This Principal is then added to the request for downstream processing.
The Principal must be set on the session by some step handled external to this class, for example a login page.
If no Principal is set on the current session then a 401 is returned.
There must have been an appropriately configured SessionManager in the endpoint before authentication is attempted.
is used to specify the key that the Principal is stored in inside the session.
An AuthenticationStrategy is responsible for retriving a Principal for the current request. This Principal is then added as a property for the duration of the request.
How this Principal is retrieved is dependent on the type of strategy.
For example, the BasicAuthenticationStrategy, named after HTTP Basic Auth, creates a Principal based on the credentials provided in the Authorization header. If no credentials are supplied an appropriate 401 is returned.
A SessionAuthenticationStrategy looks up a Principal from the current session. The session would have been populated previously by some authenticating mechanism (login page for example).
Another type of AuthenticationStrategy might be to use an API header key to lookup details from a key database.
To implement a custom strategy, extend from AuthenticationStrategy populating the supplied request with a Principal, or returning an error response if appropriate.