de.aristaflow.adept2.base.security

Interface SecurityManager

All Superinterfaces:

Authentication

All Known Subinterfaces:

GlobalSecurityManager

public interface SecurityManager
extends Authentication

Interface for providing session factories for system components. These provide access to the complete AristaFlow-API (client and server).

When bootstrapping only a simple security manager will be provided. This security manager does only need to support authenticatePrivileged(String, long, String, byte[], AFCallbackHandler). All other methods may throw an UnsupportedOperationException. However, as soon as an organisational model manager is available, its security manager will be used.

Author:

Ulrich Kreher

Method Summary

Modifier and Type	Method and Description
SessionFactory	authenticatePrivileged(java.lang.String agentName, long orgPositionID, java.lang.String method, byte[] authenticationData, AFCallbackHandler callbackHandler) Identifies and authenticates a privileged agent (for instance a system component) by the corresponding name and ID referring to the appropriate QualifedAgent with the designated authentication method providing the authentication method-specific data.
SessionFactory[]	authenticatePrivilegedCombined(java.lang.String method, byte[] authenticationData, AFCallbackHandler callbackHandler) Performs a combined authentication of a privileged agent that is Authentication.authenticate(String, byte[], AFCallbackHandler) and authenticatePrivileged(String, long, String, byte[], AFCallbackHandler) in one step.
SessionFactory[]	authenticatePrivilegedCombined(java.lang.String agentName, java.lang.String method, byte[] authenticationData, AFCallbackHandler callbackHandler) Performs a combined authentication of a privileged agent that is Authentication.authenticate(String, String, byte[], AFCallbackHandler) and authenticatePrivileged(String, long, String, byte[], AFCallbackHandler) in one step.
SerialisablePair<java.math.BigInteger,java.math.BigInteger>	getGlobalPublicKeySpec() Gets the components (modulus and exponent) of the public RSA key of the global security manager which allows to verify instances of SessionFactory retrieved from the global security manager.
SerialisablePair<java.math.BigInteger,java.math.BigInteger>	getLocalPublicKeySpec() Gets the components (modulus and exponent) of the public RSA key of the local security manager which allows to verify the integrity of security critical methods called by the local security manager.

Methods inherited from interface de.aristaflow.adept2.base.security.Authentication

authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, authenticateCombined, authenticateCombined, logoff

Method Detail

authenticatePrivileged

SessionFactory authenticatePrivileged(java.lang.String agentName,
                                      long orgPositionID,
                                      java.lang.String method,
                                      byte[] authenticationData,
                                      AFCallbackHandler callbackHandler)
                               throws AuthenticationException,
                                      IntegrityException

Identifies and authenticates a privileged agent (for instance a system component) by the corresponding name and ID referring to the appropriate QualifedAgent with the designated authentication method providing the authentication method-specific data. For information on this data refer to AuthMethod. The designated callback handler allows the used authentication method to request additional data while authenticating. For how to use this refer to CallbackHandler and JAAS. For the used refer to the corresponding authentication method. The returned session factory allows the agent to create (privileged) session tokens that are needed to call the ADEPT2-API.

Parameters:

agentName - The unique name of the agent to authenticate. This must not be null nor the empty string.

orgPositionID - The ID of the organisational position of the corresponding QualifedAgent.

method - The authentication method to use for authentication. This must not be null nor the empty string.

authenticationData - The data required by the designated authentication method. Depending on the authentication method this may be null or empty.

callbackHandler - A handler for callbacks allowing the used authentication method to request further data. This may be null in case no callbacks are required.

Returns:

The session factory for the designated agent and the corresponding organisational position encapsulating the security.

Throws:

AuthenticationException - If the designated agent cannot be authenticated by the designated data with the designated authentication method and the callback handler or the agent is not allowed to log on at the provided application, an AuthenticationException will be thrown.

IntegrityException - If setting the global security manager in the returned session token fails due to problems with the integrity of the local or the global security manager, an IntegrityException will be thrown.

authenticatePrivilegedCombined

SessionFactory[] authenticatePrivilegedCombined(java.lang.String agentName,
                                                java.lang.String method,
                                                byte[] authenticationData,
                                                AFCallbackHandler callbackHandler)
                                         throws AuthenticationException,
                                                IntegrityException

Performs a combined authentication of a privileged agent that is Authentication.authenticate(String, String, byte[], AFCallbackHandler) and authenticatePrivileged(String, long, String, byte[], AFCallbackHandler) in one step. Choosing the organisational position is done via a OrgPositionChoiceCallback. If there is only one organisational position, this will be chosen without using the callback.
Note that this method requires an appropriate callback handler unless you are absolutely sure, there is only one organisational position. To logon for several organisational positions at once, implement the callback handling to always select the appropriate (or all) offered choices.
User session IDs will also be retrieved via UserSessionIDCallback. However, since using user session IDs is optional, the callback handler need not handle these callbacks and may even throw an UnsupportedCallbackException for them.

The restrictions for valid combinations for the authentication method apply here additionally.

Parameters:

agentName - The unique name of the agent to authenticate. This must not be null nor the empty string.

method - The authentication method to use for authentication. This must not be null.

authenticationData - The data required by the designated authentication method. Depending on the authentication method this may be null or empty.

callbackHandler - A handler for callbacks allowing the used authentication method to request further data. This may be null in case no callbacks (especially for choosing the organisational position) are required.

Returns:

The session factory/factories for the designated agent and the chosen organisational position/positions encapsulating the security.

Throws:

AuthenticationException - If the designated agent cannot be authenticated by the designated data with the designated authentication method and the callback handler or the agent is not allowed to log on at the provided application, an AuthenticationException will be thrown.

IntegrityException - If setting the global security manager in the returned session token fails due to problems with the integrity of the local or the global security manager, an IntegrityException will be thrown.

authenticatePrivilegedCombined

SessionFactory[] authenticatePrivilegedCombined(java.lang.String method,
                                                byte[] authenticationData,
                                                AFCallbackHandler callbackHandler)
                                         throws AuthenticationException,
                                                IntegrityException

Performs a combined authentication of a privileged agent that is Authentication.authenticate(String, byte[], AFCallbackHandler) and authenticatePrivileged(String, long, String, byte[], AFCallbackHandler) in one step. Choosing the organisational position is done via a OrgPositionChoiceCallback. If there is only one organisational position, this will be chosen without using the callback.
Note that this method requires an appropriate callback handler unless you are absolutely sure, there is only one organisational position. To logon for several organisational positions at once, implement the callback handling to always select the appropriate (or all) offered choices.
User session IDs will also be retrieved via UserSessionIDCallback. However, since using user session IDs is optional, the callback handler need not handle these callbacks and may even throw an UnsupportedCallbackException for them.

The restrictions for valid combinations for the authentication method apply here additionally.

Parameters:

method - The authentication method to use for authentication. This must not be null.

authenticationData - The data required by the designated authentication method. Depending on the authentication method this may be null or empty.

callbackHandler - A handler for callbacks allowing the used authentication method to request further data. This may be null in case no callbacks (especially for choosing the organisational position) are required.

Returns:

The session factory/factories for the designated agent and the chosen organisational position/positions encapsulating the security.

Throws:

AuthenticationException - If the designated agent cannot be authenticated by the designated data with the designated authentication method and the callback handler or the agent is not allowed to log on at the provided application, an AuthenticationException will be thrown.

IntegrityException - If setting the global security manager in the returned session token fails due to problems with the integrity of the local or the global security manager, an IntegrityException will be thrown.

getLocalPublicKeySpec

SerialisablePair<java.math.BigInteger,java.math.BigInteger> getLocalPublicKeySpec()

Gets the components (modulus and exponent) of the public RSA key of the local security manager which allows to verify the integrity of security critical methods called by the local security manager.

Use this to create a RSAPublicKeySpec and afterwards an RSAPublicKey using the local JVM via

 RSAPublicKeySpec keySpec = new RSAPublicKeySpec(pair.getFirst(), pair.getSecond();
 PublicKey pk = SecurityTools.getRSAKeyFactoryInstance().generatePublic(keySpec);
 

Returns:

The components (modulus and exponent) of the public RSA key of the local security manager which allows to verify the integrity of security critical methods called by the local security manager.

getGlobalPublicKeySpec

SerialisablePair<java.math.BigInteger,java.math.BigInteger> getGlobalPublicKeySpec()

Gets the components (modulus and exponent) of the public RSA key of the global security manager which allows to verify instances of SessionFactory retrieved from the global security manager.

Use this to create a RSAPublicKeySpec and afterwards an RSAPublicKey using the local JVM via

 RSAPublicKeySpec keySpec = new RSAPublicKeySpec(pair.getFirst(), pair.getSecond();
 PublicKey pk = SecurityTools.getRSAKeyFactoryInstance().generatePublic(keySpec);
 

Returns:

The components (modulus and exponent) of the public RSA key of the global security manager which allows to verify instances of SessionFactory retrieved from the global security manager.