Interface GlobalAuthMethod


  • public interface GlobalAuthMethod
    This interface somewhat extends AuthMethod, but the authentication methods listed here are supported by the global security manager. Some authentication methods only work with a corresponding local security manager on the client side, for instance AuthMethod.NET_IP_ADDRESS, since the server needs a client IP and someone (preferably someone with a trusted signature) needs to provide it. Single Sign-On also usually requires some information from the client.

    These methods are only relevant for implementors of a local security manager or for someone calling the global security manager directly. Note that in the latter case signing will be somewhat difficult.

    • Field Detail

      • SUBJECT_SIGNED

        static final String SUBJECT_SIGNED
        The caller provides a Subject that has been locally authenticated and is forwarded to the server for global authentication. Since the provided data is signed, it is trusted and does not require any more information unless the signature is invalid. The authentication will fail if the signature is invalid.
        The subject is authenticated by fulfilling a configured principal constraint (CONF_SUBJECT_SIGNED_ACCEPTED_PRINCIPAL). It is not provided to JAAS. If you want this, use JAAS_SUBJECT instead.

        Note that, just like with JAAS_SUBJECT, the classes of the subject's principals need to be loadable by the global security manager.

        Combinations of parameters and their semantic for SUBJECT_SIGNED:
          (String, byte[], null)
            String: Ignored.
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, Subject> with a session token of the security manager that performed the authentication and the locally authenticated Subject. The SignedObject has to be signed by the very same security manager.
          (String, byte[], AFCallbackHandler)
            String: Ignored.
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, Subject> with a session token of the security manager that performed the authentication and the locally authenticated Subject. The SignedObject has to be signed by the very same security manager.
            AFCallbackHandler: Ignored.
          (byte[], null)
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, Subject> with a session token of the security manager that performed the authentication and the locally authenticated Subject. The SignedObject has to be signed by the very same security manager.
          (byte[], AFCallbackHandler)
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, Subject> with a session token of the security manager that performed the authentication and the locally authenticated Subject. The SignedObject has to be signed by the very same security manager.
            AFCallbackHandler: Ignored.
        See Also:
        AuthMethod.JAAS, AuthMethod.JAAS_SUBJECT, AuthMethod.JAAS_UTF8_PASSWORD, Constant Field Values
      • CONF_SUBJECT_SIGNED_ACCEPTED_PRINCIPAL

        static final String CONF_SUBJECT_SIGNED_ACCEPTED_PRINCIPAL
        Configuration key (prefix) for SUBJECT_SIGNED.

        A Subject will be authenticated if its principals fulfill specific needs, that is, the principals have specific names. This is similar to "Principal-based policy files". One configuration value is a list (comma-separated values) of strings, where each string in the list contains the principal class name and the name this principal must have, separated by CONF_SUBJECT_PRINCIPAL_SEPARATOR (rendered above as its numeric value 35, i.e. the '#' character). There may be several of these class name/name tuples, meaning that a provided subject has to have principals for each of these tuples (conjunction). If one tuple is missing in the subject, it will not be authenticated.
        To allow for a disjunction of principal constraints, there may be several lists with this configuration key. In this case the configuration key must only be a prefix, and each configuration key for principal constraints must differ: append a . and order them by assigning a number. Lower numbers have higher priority, e.g. SSAcceptedPrincipal.1, SSAcceptedPrincipal.2, etc. A subject will be accepted if it fulfills one of these principal constraints, but all elements in that one list need to be satisfied.

        See Also:
        Constant Field Values
      • CONF_SUBJECT_PRINCIPAL_SEPARATOR

        static final char CONF_SUBJECT_PRINCIPAL_SEPARATOR
        The separator in the configuration values (String) between principal class name and principal name.
        See Also:
        Constant Field Values
      • CONF_SUBJECT_SIGNED_ID_PRINCIPAL

        static final String CONF_SUBJECT_SIGNED_ID_PRINCIPAL
        Configuration key (prefix) for SUBJECT_SIGNED.

        When using a Subject, no ID is required since it may be determined from the principals. Which principal is used is defined with this configuration key: provide a simple string with the fully qualified class name of the principal whose name corresponds to the ID.
        Just like with CONF_SUBJECT_SIGNED_ACCEPTED_PRINCIPAL, there may be different identifying principals when accepting different principal constraints; append the same number as for the corresponding principal constraint. If no identifying principal is present, the agent ID provided in a method of Authentication will be used.

        See Also:
        Constant Field Values
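        The following is an added example (not the project's own code) of how the SUBJECT_SIGNED principal constraints above are evaluated: numbered CONF_SUBJECT_SIGNED_ACCEPTED_PRINCIPAL lists are tried in ascending order, every class name/name tuple within a list must be present (conjunction), the first fully satisfied list wins (disjunction), and the ID is taken from the CONF_SUBJECT_SIGNED_ID_PRINCIPAL entry with the same number, falling back to the agent ID. The key names "SSAcceptedPrincipal" (from the text) and "SSIdPrincipal" (assumed), the principal classes and the sample subject are constructed for the example; in the real flow this check only runs after the SignedObject's signature has been verified.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
/** Evaluates numbered CONF_SUBJECT_SIGNED_ACCEPTED_PRINCIPAL lists against a Subject (added example). */
public final class PrincipalConstraintCheck {
    static final char SEPARATOR = 35; // CONF_SUBJECT_PRINCIPAL_SEPARATOR, rendered as 35, i.e. '#'
    static class Named implements Principal { // minimal principals so class names can be matched
        final String name; Named(String n) { name = n; }
        public String getName() { return name; }
    }
    static final class RolePrincipal extends Named { RolePrincipal(String n) { super(n); } }
    static final class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }
    /** True if the subject holds a principal of exactly this class with exactly this name. */
    static boolean has(Subject s, String className, String name) {
        return s.getPrincipals().stream().anyMatch(p ->
            p.getClass().getName().equals(className) && p.getName().equals(name));
    }
    /** Returns the resolved ID if one list is fully satisfied (first match wins), else empty. */
    static Optional<String> authenticate(Map<String, String> conf, String acceptedPrefix,
                                         String idPrefix, Subject subject, String agentId) {
        TreeMap<Integer, String> lists = new TreeMap<>(); // ascending suffix = descending priority
        conf.forEach((k, v) -> { if (k.startsWith(acceptedPrefix + "."))
            lists.put(Integer.parseInt(k.substring(acceptedPrefix.length() + 1)), v); });
        for (Map.Entry<Integer, String> e : lists.entrySet()) {
            // Conjunction: every "<class name>#<principal name>" tuple in this list must be present.
            boolean all = Arrays.stream(e.getValue().split(",")).allMatch(t -> {
                int sep = t.indexOf(SEPARATOR);
                return sep > 0 && has(subject, t.substring(0, sep).trim(), t.substring(sep + 1).trim());
            });
            if (!all) continue; // disjunction: try the next (lower-priority) list
            // Identifying principal with the same number; fall back to the agent ID if none is present.
            String idClass = conf.get(idPrefix + "." + e.getKey());
            String id = agentId;
            if (idClass != null)
                for (Principal p : subject.getPrincipals())
                    if (p.getClass().getName().equals(idClass)) id = p.getName();
            return Optional.of(id);
        }
        return Optional.empty();
    }
    public static void main(String[] args) { // constructed config; "SSIdPrincipal" is an assumed key name
        String role = RolePrincipal.class.getName(), user = UserPrincipal.class.getName();
        Map<String, String> conf = Map.of("SSAcceptedPrincipal.1", role + "#admin," + user + "#alice",
            "SSIdPrincipal.1", user, "SSAcceptedPrincipal.2", role + "#auditor");
        Subject s = new Subject(); // holds auditor role and user bob: list 1 fails, list 2 is satisfied
        s.getPrincipals().add(new RolePrincipal("auditor"));
        s.getPrincipals().add(new UserPrincipal("bob"));
        System.out.println(authenticate(conf, "SSAcceptedPrincipal", "SSIdPrincipal", s, "agent-42"));
    }
}
```

        Because list 2 has no identifying principal configured, the sample resolves to the agent ID rather than to a principal name; matching is on the exact class name, so a subclass of the configured principal does not satisfy a tuple.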
      • TRUSTED_NET_IP_SIGNED

        static final String TRUSTED_NET_IP_SIGNED
        The caller provides its IP address and signs this information. The authentication will fail if the signature is invalid.
        Combinations of parameters and their semantic for TRUSTED_NET_IP_SIGNED:
          (String, byte[], null)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, InetAddress> with a session token of the security manager that resolved the address and the InetAddress of the local security manager. The SignedObject has to be signed by the very same security manager.
          (String, byte[], AFCallbackHandler)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, InetAddress> with a session token of the security manager that resolved the address and the InetAddress of the local security manager. The SignedObject has to be signed by the very same security manager.
            AFCallbackHandler: Ignored.
          (byte[], null)
            Throws AuthenticationException always: the provided data is insufficient.
          (byte[], AFCallbackHandler)
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, InetAddress> with a session token of the security manager that resolved the address and the InetAddress of the local security manager. The SignedObject has to be signed by the very same security manager.
            AFCallbackHandler: This will use a NameCallback for the username.
        See Also:
        AuthMethod.NET_IP_ADDRESS, Constant Field Values
      • TRUSTED_NET_IP_UNSIGNED

        static final String TRUSTED_NET_IP_UNSIGNED
        The authentication is done via the IP address provided by the communication context. It will be successful if the IP address of the direct peer is a trusted one and the communication context (its signature) is valid. Additionally, the caller has to provide its serialised IP address, which has to equal the one from the communication context.
        Combinations of parameters and their semantic for TRUSTED_NET_IP_UNSIGNED:
          (String, byte[], null)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: The serialised InetAddress of the local security manager.
          (String, byte[], AFCallbackHandler)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: The serialised InetAddress of the local security manager.
            AFCallbackHandler: Ignored.
          (byte[], null)
            Throws AuthenticationException always: the provided data is insufficient.
          (byte[], AFCallbackHandler)
            byte[]: The serialised InetAddress of the local security manager.
            AFCallbackHandler: This will use a NameCallback for the username.
        See Also:
        AuthMethod.NET_IP_ADDRESS, Constant Field Values
      • CONF_TRUSTED_NET_IP

        static final String CONF_TRUSTED_NET_IP
        Configuration key (prefix) for trusted IP address-based authentication (TRUSTED_NET_IP_SIGNED, TRUSTED_NET_IP_UNSIGNED and IMPLICIT_NETWORK).

        Trusted network-based authentication will be successful if the provided IP address, signed in some way (locally or by the communication context), is trusted. This configuration is a list (comma-separated values) of strings representing all trusted IP addresses.

        See Also:
        Constant Field Values
      • CONF_TRUSTED_SHARED_UTF8_KEYS

        static final String CONF_TRUSTED_SHARED_UTF8_KEYS
        Configuration key (prefix) for trusted shared key-based authentication (SHARED_UTF8_KEY).

        Trusted shared key-based authentication will be successful if the provided shared key is trusted. Note that the keys are UTF-8 strings which are not encrypted.

        See Also:
        Constant Field Values
      • CONF_OAUTH2_AUTH_SERVER_URL

        static final String CONF_OAUTH2_AUTH_SERVER_URL
        The configuration key for the OAuth2 authentication server used for the OAUTH2_TOKEN authentication method.
        See Also:
        Constant Field Values
      • TRUSTED_NET_MAC_SIGNED

        static final String TRUSTED_NET_MAC_SIGNED
        The caller provides its MAC address and signs this information. The authentication will fail if the signature is invalid.
        Combinations of parameters and their semantic for TRUSTED_NET_MAC_SIGNED:
          (String, byte[], null)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, byte[]> with a session token of the security manager that resolved the address and the hardware address of the local security manager. The SignedObject has to be signed by the very same security manager.
          (String, byte[], AFCallbackHandler)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, byte[]> with a session token of the security manager that resolved the address and the hardware address of the local security manager. The SignedObject has to be signed by the very same security manager.
            AFCallbackHandler: Ignored.
          (byte[], null)
            Throws AuthenticationException always: the provided data is insufficient.
          (byte[], AFCallbackHandler)
            byte[]: A serialised SignedObject containing a SerialisablePair<SessionToken, byte[]> with a session token of the security manager that resolved the address and the hardware address of the local security manager. The SignedObject has to be signed by the very same security manager.
            AFCallbackHandler: This will use a NameCallback for the username.
        See Also:
        AuthMethod.NET_MAC_ADDRESS, Constant Field Values
      • CONF_TRUSTED_NET_MAC_SIGNED

        static final String CONF_TRUSTED_NET_MAC_SIGNED
        Configuration key (prefix) for TRUSTED_NET_MAC_SIGNED.

        Trusted MAC-address-based authentication will be successful if the provided and signed MAC address is trusted. This configuration is a list (comma-separated values) of strings representing all trusted MAC addresses, where each MAC address has the usual syntax, e.g. 01-50-3C-CA-DC-C2 (character case is not considered).

        See Also:
        Constant Field Values
      • IMPLICIT_NETWORK

        static final String IMPLICIT_NETWORK
        The authentication is done via the IP address(es) provided by the communication context(s). It will be successful if either the direct peer (the first communication context) has a trusted IP address, or the route (one of the communication contexts) contains a trusted IP address and the communication contexts from the server to this IP address are valid.
        Combinations of parameters and their semantic for IMPLICIT_NETWORK:
          (String, byte[], null)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: Ignored.
          (String, byte[], AFCallbackHandler)
            String: The identifier of the entity, usually the username or a numerical user ID (as String).
            byte[]: Ignored.
            AFCallbackHandler: Ignored.
          (byte[], null)
            Throws AuthenticationException always: the provided data is insufficient.
          (byte[], AFCallbackHandler)
            byte[]: Ignored.
            AFCallbackHandler: This will use a NameCallback for the username.
        See Also:
        AuthMethod.IMPLICIT_NETWORK, Constant Field Values
      • CONF_IMPLICIT_NETWORK_PROTOCOL

        static final String CONF_IMPLICIT_NETWORK_PROTOCOL
        The configuration key for the protocol to use for the IMPLICIT_NETWORK authentication, that is whether one trusted IP on the route suffices or whether the direct peer needs to be a trusted IP.
        See Also:
        Constant Field Values
      • CONF_IMPLICIT_NETWORK_PROT_IP_PEER

        static final String CONF_IMPLICIT_NETWORK_PROT_IP_PEER
        Configuration value for CONF_IMPLICIT_NETWORK_PROTOCOL where the direct peer needs to have a trusted IP, that is only the first communication context is checked for a trusted IP.
        See Also:
        Constant Field Values
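        The following is an added example (not the project's own code) of the IMPLICIT_NETWORK decision described above, with CONF_TRUSTED_NET_IP parsed as a comma-separated list and CONF_IMPLICIT_NETWORK_PROTOCOL modelled as an enum: IP_PEER mirrors CONF_IMPLICIT_NETWORK_PROT_IP_PEER (only the first communication context is checked), while ROUTE is an assumed name for the "one trusted IP on the route suffices" variant. The Context record, the enum and the sample addresses are constructed; the example also assumes that the direct peer's own context must be valid under IP_PEER.

```java
import java.util.*;
/** Evaluates IMPLICIT_NETWORK over the chain of communication contexts (added example). */
public final class ImplicitNetworkCheck {
    /** One hop as seen from the server: the peer's IP and whether that context's signature verified. */
    record Context(String ip, boolean signatureValid) {}
    /** Assumed values for CONF_IMPLICIT_NETWORK_PROTOCOL: IP_PEER mirrors CONF_IMPLICIT_NETWORK_PROT_IP_PEER,
     *  ROUTE stands for the "one trusted IP on the route suffices" variant the documentation describes. */
    enum Protocol { IP_PEER, ROUTE }
    /** CONF_TRUSTED_NET_IP: a comma-separated list of trusted IP addresses. */
    static Set<String> parseTrusted(String conf) {
        Set<String> out = new HashSet<>();
        for (String s : conf.split(",")) if (!s.isBlank()) out.add(s.trim());
        return out;
    }
    /**
     * contexts.get(0) is the direct peer; each later context was relayed through the earlier ones.
     * IP_PEER checks only the direct peer. ROUTE accepts if some context i carries a trusted IP and
     * every context from the server up to and including i has a valid signature, so a broken link
     * before the trusted hop rejects the whole route.
     */
    static boolean authenticate(List<Context> contexts, Set<String> trusted, Protocol proto) {
        if (contexts.isEmpty()) return false;
        int last = proto == Protocol.IP_PEER ? 0 : contexts.size() - 1;
        for (int i = 0; i <= last; i++) {
            Context c = contexts.get(i);
            if (!c.signatureValid()) return false; // nothing beyond an unverified context is trusted
            if (trusted.contains(c.ip())) return true;
        }
        return false;
    }
    public static void main(String[] args) { // constructed addresses and routes
        Set<String> trusted = parseTrusted("10.0.0.5, 192.168.1.10");
        List<Context> viaRelay = List.of(new Context("203.0.113.7", true),  // untrusted direct peer
                                         new Context("10.0.0.5", true));    // trusted relay behind it
        List<Context> tampered = List.of(new Context("203.0.113.7", false), // unverified context first
                                         new Context("10.0.0.5", true));
        System.out.println("peer only:      " + authenticate(viaRelay, trusted, Protocol.IP_PEER));
        System.out.println("route:          " + authenticate(viaRelay, trusted, Protocol.ROUTE));
        System.out.println("route tampered: " + authenticate(tampered, trusted, Protocol.ROUTE));
    }
}
```

        The second route is rejected even though it contains a trusted address, because the context between the server and that address does not verify; that is the check which keeps an untrusted peer from claiming a trusted relay behind it.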