Package de.aristaflow.adept2.base.security

Interface AuthMethod

  • public interface AuthMethod
    This interfaces declares and describes various authentication methods that may be supported by implementations of Authentication and SecurityManager. An implementation may choose not to support an authentication method and throw an AuthenticationException with an appropriate message when called with this authentication method. Usually these authentication methods are used for the local security manager which in turn may provide the result of the local authentication to the global security manager before really authenticating. The local security manager may change the authentication method, for instance, using JAAS locally and sending the corresponding Subject to the global security manager without the authentication data used locally.

    There are several method parameters for authentication but not all work with every authentication method and some are optional. This interface explains the possible parameter combinations and their meaning. First there may or may not be a unique identifier of type String, for instance the username. Second there must always be the name of the authentication method (String), usually one that is declared in this interface. Third the authentication data (byte[]) of the authentication method is always present, but for some authentication methods, this may be null. And last a CallbackHandler may be provided that allows the implementation of an authentication method to request additional data since the provided one is insufficient. For instance when no username is provided but one is needed and an appropriate callback handler is required, the username may be requested interactively. Another example for callbacks is the need to change the password since the provided one has expired.
    The different combinations of some sort of user ID (String), authentication data (byte[]) and callback handler (AFCallbackHandler) and the meaning of the respective parameter value are explained for each supported authentication method below. Additionally, the known callbacks are described but this may not be complete since the used callbacks may depend on the implementation.

    Each authentication method may have specific configuration values that are read from the configuration of the SecurityManager. These are also defined and described here.

    • Field Detail

      • UTF8_PASSWORD

        static final String UTF8_PASSWORD
        The usual password based authentication. The password is plain being no hash and not encoded (except UTF-8).
        If JAAS is used locally (CONF_USE_JAAS, the String (if present) will be provided to a NameCallback and the password (byte[]) will be provided to a PasswordCallback.
        If no JAAS is used locally, the organisational model will be inspected.
        Combinations of parameters and their semantic for UTF-8_PASSWORD
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] The plain password as UTF-8-encoded byte representation of the password string.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] The plain password as UTF-8-encoded byte representation of the password string.
        AFCallbackHandler This may use a NameCallback if the username is not found and PasswordCallback if the password is wrong. When using JAAS, there may be additional callbacks depending on the underlying JAAS-LoginModule.
        byte[], null AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
        byte[], AFCallbackHandler byte[] The plain password as UTF-8-encoded byte representation of the password string.
        AFCallbackHandler This will use a NameCallback for the username and may use PasswordCallback if the password is wrong. When using JAAS, there may be additional callbacks depending on the underlying JAAS-LoginModule.
        See Also:
        Constant Field Values

      • JAAS

        static final String JAAS
        A JAAS-based authentication without any further information. This depends on the JAAS-configuration of the local JVM and therefore the usage of a callback handler is strongly encouraged.
        This method requires JAAS to be configured (CONF_USE_JAAS).
        Combinations of parameters and their semantic for JAAS
        String, byte[], null String Ignored.
        byte[] Ignored.
        String, byte[], AFCallbackHandler String Ignored.
        byte[] Ignored.
        AFCallbackHandler This may use a NameCallback if the username is not found and PasswordCallback if the password is wrong. There may be additional callbacks depending on the underlying JAAS-LoginModule.
        byte[], null byte[] Ignored.
        byte[], AFCallbackHandler byte[] Ignored.
        AFCallbackHandler This will use a NameCallback for the username and may use PasswordCallback if the password is wrong. There may be additional callbacks depending on the underlying JAAS-LoginModule.
        See Also:
        Constant Field Values

      • JAAS_UTF8_PASSWORD

        static final String JAAS_UTF8_PASSWORD
        The usual password based authentication like UTF8_PASSWORD but this time requiring JAAS. Therefore this method requires JAAS to be configured (CONF_USE_JAAS). The password is plain being no hash and not encoded (except UTF-8).
        Combinations of parameters and their semantic for JAAS_UTF8_PASSWORD
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String). This will be provided to a NameCallback.
        byte[] The plain password as UTF-8-encoded byte representation of the password string. This will be provided to a PasswordCallback.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String). This will be provided to a NameCallback.
        byte[] The plain password as UTF-8-encoded byte representation of the password string. This will be provided to a PasswordCallback.
        AFCallbackHandler The handler to which all callbacks except NameCallback and PasswordCallback will be forwarded to. These callbacks depend on the underlying JAAS-LoginModule.
        byte[], null byte[] The plain password as UTF-8-encoded byte representation of the password string. This will be provided to a PasswordCallback.
        byte[], AFCallbackHandler byte[] The plain password as UTF-8-encoded byte representation of the password string.
        AFCallbackHandler The handler to which all callbacks except PasswordCallback will be forwarded to. These callbacks depend on the underlying JAAS-LoginModule.

      • JAAS_SUBJECT

        static final String JAAS_SUBJECT
        A JAAS-based authentication with a Subject to provide to the local JAAS.
        This method requires JAAS to be configured (CONF_USE_JAAS).

        Note that the principals of the subject or rather the corresponding classes need to be found by the global security manager.

        Combinations of parameters and their semantic for JAAS_SUBJECT
        String, byte[], null String Ignored.
        byte[] A serialised Subject that is provided to the JAAS-LoginContext.
        String, byte[], AFCallbackHandler String Ignored.
        byte[] A serialised Subject that is provided to the JAAS-LoginContext.
        AFCallbackHandler The callbacks depend on the designated subject and the underlying JAAS-LoginModule.
        byte[], null byte[] A serialised Subject that is provided to the JAAS-LoginContext.
        byte[], AFCallbackHandler byte[] A serialised Subject that is provided to the JAAS-LoginContext.
        AFCallbackHandler The callbacks depend on the designated subject and the underlying JAAS-LoginModule.

      • FORWARD_SUBJECT

        static final String FORWARD_SUBJECT
        The authentication data is a Subject but it is not provided to the local JAAS but just forwarded to the global security manager using GlobalAuthMethod.JAAS_SUBJECT on server-side.
        Combinations of parameters and their semantic for FORWARD_SUBJECT
        String, byte[], null String Just forwarded to the global security manager where it should be ignored.
        byte[] A serialised Subject that is provided to the global security manager.
        String, byte[], AFCallbackHandler String Just forwarded to the global security manager where it should be ignored.
        byte[] A serialised Subject that is provided to the global security manager.
        AFCallbackHandler The callbacks depend on the designated subject and the JAAS-LoginModule on server-side.
        byte[], null byte[] A serialised Subject that is provided to the global security manager.
        byte[], AFCallbackHandler byte[] A serialised Subject that is provided to the global security manager.
        AFCallbackHandler The callbacks depend on the designated subject and the JAAS-LoginModule on server-side.
        See Also:
        Constant Field Values

      • CONF_NET_LOCAL_ADDRESS

        static final String CONF_NET_LOCAL_ADDRESS
        Configuration key for network-based authentication (NET_IP_ADDRESS and NET_MAC_ADDRESS).

        The client requesting network-based authentication may have several network interfaces. This configuration provides the name (or the textual representation) as String of the network interface to use.
        Obviously one should not use "localhost". ;-)

        See Also:
        Constant Field Values

      • NET_IP_ADDRESS

        static final String NET_IP_ADDRESS
        The local security manager provides its own configured IP-address (see CONF_NET_LOCAL_ADDRESS), signs it and calls GlobalAuthMethod.TRUSTED_NET_IP_SIGNED at the global security manager. Untrusted security manager should omit the signature and use GlobalAuthMethod.TRUSTED_NET_IP_UNSIGNED.
        Combinations of parameters and their semantic for NET_IP_ADDRESS
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] Ignored.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] Ignored.
        AFCallbackHandler Just forwarded to the global security manager.
        byte[], null AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
        byte[], AFCallbackHandler byte[] Ignored.
        AFCallbackHandler Just forwarded to the global security manager where it will probably request the name via NameCallback.
        See Also:
        Constant Field Values

      • NET_MAC_ADDRESS

        static final String NET_MAC_ADDRESS
        The local security manager provides its own configured MAC-address (see CONF_NET_LOCAL_ADDRESS), signs it and calls GlobalAuthMethod.TRUSTED_NET_MAC_SIGNED at the global security manager.
        Note that for determining the MAC-address.
        Combinations of parameters and their semantic for NET_MAC_ADDRESS
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] Ignored.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] Ignored.
        AFCallbackHandler Just forwarded to the global security manager.
        byte[], null AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
        byte[], AFCallbackHandler byte[] Ignored.
        AFCallbackHandler Just forwarded to the global security manager where it will probably request the name via NameCallback.
        See Also:
        Constant Field Values

      • IMPLICIT_NETWORK

        static final String IMPLICIT_NETWORK
        The communication provides the network-related data which is interpreted by the global security manager. The local security manager just forwards the call, however, no parameters are needed, a callback handler may be useful.
        Combinations of parameters and their semantic for IMPLICIT_NETWORK
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] Just forwarded to the global security manager where it should be ignored.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] Just forwarded to the global security manager where it should be ignored.
        AFCallbackHandler Just forwarded to the global security manager.
        byte[], null AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
        byte[], AFCallbackHandler byte[] Just forwarded to the global security manager where it should be ignored.
        AFCallbackHandler Just forwarded to the global security manager where it will probably request the name via NameCallback.
        See Also:
        Constant Field Values

      • SHARED_UTF8_KEY

        static final String SHARED_UTF8_KEY
        The clients provide a shared key (a string provided as UTF-8). If the server has this key in a list of accepted keys, the authentication will be accepted. The local security manager just forwards the call.
        Combinations of parameters and their semantic for SHARED_UTF8_KEY
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] The plain shared key as UTF-8-encoded byte representation of the corresponding string.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] The plain shared key as UTF-8-encoded byte representation of the corresponding string.
        AFCallbackHandler This may use a NameCallback if the username is not found.
        byte[], null AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
        byte[], AFCallbackHandler byte[] The plain shared key as UTF-8-encoded byte representation of the corresponding string.
        AFCallbackHandler This will use a NameCallback for the username.
        See Also:
        Constant Field Values

      • OAUTH2_TOKEN

        static final String OAUTH2_TOKEN
        The user is identified via an OAuth2 token. If the configured OOauth server accepts the token for the designated user name, the authentication will be accepted. The local security manager just forwards the call.
        Combinations of parameters and their semantic for OAUTH2_TOKEN
        String, byte[], null String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] The UTF-8-encoded byte representation of the OAuth2 token.
        String, byte[], AFCallbackHandler String The identifier of the entity, usually the username or a numerical user ID (as String).
        byte[] The UTF-8-encoded byte representation of the OAuth2 token.
        AFCallbackHandler This may use a NameCallback if the username is not found.
        byte[], null AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
        byte[], AFCallbackHandler byte[] The UTF-8-encoded byte representation of the OAuth2 token.
        AFCallbackHandler This will use a NameCallback for the username.
        See Also:
        Constant Field Values

      • SERIALISED_CLIENT_SESSION_FACTORY

        static final String SERIALISED_CLIENT_SESSION_FACTORY
        The user is identified via the own client session factory. This is simply serialised to a byte array. If the designated client session factory is valid, authentication will succeed and a new client session factory will be returned. This will not change the user session ID, the app name will be ignored.
        Combinations of parameters and their semantic for SERIALISED_CLIENT_SESSION_FACTORY
        String, byte[], null String Just forwarded to the global security manager where it should be ignored.
        byte[] The old client session factory serialised to a byte array.
        String, byte[], AFCallbackHandler String Just forwarded to the global security manager where it should be ignored.
        byte[] The old client session factory serialised to a byte array.
        AFCallbackHandler Ignored.
        byte[], null byte[] The old client session factory serialised to a byte array.
        byte[], AFCallbackHandler byte[] The old client session factory serialised to a byte array.
        AFCallbackHandler Ignored.
        See Also:
        Constant Field Values