public abstract class AuthConfigFactory
extends java.lang.Object

This class is used to obtain AuthConfigProvider objects that can be used to obtain authentication context configuration objects, that is, ClientAuthConfig and ServerAuthConfig objects.
Authentication context configuration objects are used to obtain authentication context objects. Authentication context objects, that is, ClientAuthContext and ServerAuthContext objects, encapsulate authentication modules. Authentication modules are pluggable components that perform security-related processing of request and response messages.
Callers do not operate on modules directly. Instead they rely on an authentication context to manage the invocation of modules. A caller obtains an authentication context by calling the getAuthContext method on a ClientAuthConfig or ServerAuthConfig obtained from an AuthConfigProvider.
The following represents a typical sequence of calls for obtaining a client authentication context, and then using it to secure a request.
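That sequence as an added Java example, not the specification's own listing: it assumes the jakarta.security.auth.message package (substitute javax.security.auth.message for JASPIC 1.x releases) and a minimal MessageInfo implementation of the kind a client runtime normally supplies; the layer, appContext, CallbackHandler and request object are hypothetical inputs.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.AuthConfigFactory;
import jakarta.security.auth.message.config.AuthConfigProvider;
import jakarta.security.auth.message.config.ClientAuthConfig;
import jakarta.security.auth.message.config.ClientAuthContext;

public final class ClientSecureRequest {

    /** Minimal MessageInfo (hypothetical) carrying the client message layer's request/response objects. */
    static final class SimpleMessageInfo implements MessageInfo {
        private Object request, response;
        private final Map<String, Object> map = new HashMap<>();
        SimpleMessageInfo(Object request) { this.request = request; }
        @Override public Object getRequestMessage() { return request; }
        @Override public Object getResponseMessage() { return response; }
        @Override public void setRequestMessage(Object r) { request = r; }
        @Override public void setResponseMessage(Object r) { response = r; }
        @Override public Map<String, Object> getMap() { return map; }
    }

    /**
     * Secures one outbound request: factory -> provider -> ClientAuthConfig -> ClientAuthContext.
     * layer/appContext select the registration; the CallbackHandler lets modules ask the
     * runtime for credentials; clientSubject receives the caller's principals and credentials.
     */
    static AuthStatus secureRequest(String layer, String appContext, CallbackHandler cbh,
                                    Object request, Subject clientSubject) throws AuthException {
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        // Null listener: this caller does not need to be told when the registration changes.
        AuthConfigProvider provider = factory.getConfigProvider(layer, appContext, null);
        if (provider == null) {
            // No registration matched, or the best match was registered with a null provider.
            // Fail closed rather than sending the request without any authentication processing.
            throw new AuthException("no AuthConfigProvider registered for " + layer + "/" + appContext);
        }
        ClientAuthConfig config = provider.getClientAuthConfig(layer, appContext, cbh);
        MessageInfo messageInfo = new SimpleMessageInfo(request);
        // The config maps the message to an authentication context identifier, then to the
        // ClientAuthContext that encapsulates the configured client authentication modules.
        String authContextID = config.getAuthContextID(messageInfo);
        ClientAuthContext context = config.getAuthContext(authContextID, clientSubject, new HashMap<>());
        // The modules run here and may add tokens or signatures to the request before it is sent.
        return context.secureRequest(messageInfo, clientSubject);
    }
}
```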
A system-wide AuthConfigFactory implementation can be set by invoking setFactory, and retrieved using getFactory.
Every implementation of this abstract class must offer a public, zero argument constructor. This constructor must support the construction and registration (including self-registration) of AuthConfigProviders from a persistent declarative representation. For example, a factory implementation class could interpret the contents of a file containing a sequence of configuration entries, with one entry per AuthConfigProvider, and with each entry representing:
The entry syntax must also provide for the optional inclusion of information sufficient to define a RegistrationContext. This information would only be present when the factory will register the provider. For example, each entry could provide for the inclusion of one or more RegistrationContext objects of the following form:
(see registerConfigProvider(AuthConfigProvider provider, ...)).
An AuthConfigFactory implementation is free to choose its own persistent declarative syntax as long as it conforms to the requirements defined by this class.
See Also:
- ClientAuthContext
- ServerAuthContext
- ClientAuthConfig
- ServerAuthConfig
- Properties
Nested Class Summary

Modifier and Type | Class and Description
---|---
static interface | AuthConfigFactory.RegistrationContext: Represents the layer identifier, application context identifier, and description components of an AuthConfigProvider registration at the factory.
Field Summary

Modifier and Type | Field and Description
---|---
static java.lang.String | DEFAULT_FACTORY_SECURITY_PROPERTY: The name of the Security property used to define the default AuthConfigFactory implementation class.
static java.lang.String | GET_FACTORY_PERMISSION_NAME: The name of the SecurityPermission required to call getFactory.
static java.security.SecurityPermission | getFactorySecurityPermission: Deprecated. Following JEP 411.
static java.lang.String | PROVIDER_REGISTRATION_PERMISSION_NAME: The name of the SecurityPermission to be used to authorize access to the update methods of the factory implementation class.
static java.security.SecurityPermission | providerRegistrationSecurityPermission: Deprecated. Following JEP 411.
static java.lang.String | SET_FACTORY_PERMISSION_NAME: The name of the SecurityPermission required to call setFactory.
static java.security.SecurityPermission | setFactorySecurityPermission: Deprecated. Following JEP 411.
Constructor Summary

Constructor and Description
---
AuthConfigFactory()
Method Summary

Modifier and Type | Method and Description
---|---
abstract java.lang.String[] | detachListener(RegistrationListener listener, java.lang.String layer, java.lang.String appContext): Disassociate the listener from all the provider registrations whose layer and appContext values are matched by the corresponding arguments to this method.
abstract AuthConfigProvider | getConfigProvider(java.lang.String layer, java.lang.String appContext, RegistrationListener listener): Get a registered AuthConfigProvider from the factory.
static AuthConfigFactory | getFactory(): Get the system-wide AuthConfigFactory implementation.
abstract AuthConfigFactory.RegistrationContext | getRegistrationContext(java.lang.String registrationID): Get the registration context for the identified registration.
abstract java.lang.String[] | getRegistrationIDs(AuthConfigProvider provider): Get the registration identifiers for all registrations of the provider instance at the factory.
abstract void | refresh(): Cause the factory to reprocess its persistent declarative representation of provider registrations.
abstract java.lang.String | registerConfigProvider(AuthConfigProvider provider, java.lang.String layer, java.lang.String appContext, java.lang.String description): Registers within the (in-memory) factory, a provider of ServerAuthConfig and/or ClientAuthConfig objects for a message layer and application context identifier.
abstract java.lang.String | registerConfigProvider(java.lang.String className, java.util.Map<java.lang.String,java.lang.String> properties, java.lang.String layer, java.lang.String appContext, java.lang.String description): Registers within the factory and records within the factory's persistent declarative representation of provider registrations a provider of ServerAuthConfig and/or ClientAuthConfig objects for a message layer and application context identifier.
abstract java.lang.String | registerServerAuthModule(ServerAuthModule serverAuthModule, java.lang.Object context): Registers within the (in-memory) factory, an instance of a ServerAuthModule for a message layer and application context identifier as identified by a profile specific context object.
abstract boolean | removeRegistration(java.lang.String registrationID): Remove the identified provider registration from the factory (and from the persistent declarative representation of provider registrations, if appropriate) and invoke any listeners associated with the removed registration.
abstract void | removeServerAuthModule(java.lang.Object context): Remove the ServerAuthModule (and potentially encompassing wrappers/factories) that was previously registered via a call to registerServerAuthModule.
static void | setFactory(AuthConfigFactory factory): Set the system-wide AuthConfigFactory implementation.
Field Detail

public static final java.lang.String DEFAULT_FACTORY_SECURITY_PROPERTY
The name of the Security property used to define the default AuthConfigFactory implementation class.

public static final java.lang.String GET_FACTORY_PERMISSION_NAME
The name of the SecurityPermission required to call getFactory.

public static final java.lang.String SET_FACTORY_PERMISSION_NAME
The name of the SecurityPermission required to call setFactory.

public static final java.lang.String PROVIDER_REGISTRATION_PERMISSION_NAME
The name of the SecurityPermission to be used to authorize access to the update methods of the factory implementation class.

@Deprecated
public static final java.security.SecurityPermission getFactorySecurityPermission
Deprecated. Following JEP 411.
A SecurityPermission, with name GET_FACTORY_PERMISSION_NAME, that is used to authorize access to the getFactory method.

@Deprecated
public static final java.security.SecurityPermission setFactorySecurityPermission
Deprecated. Following JEP 411.
A SecurityPermission, with name SET_FACTORY_PERMISSION_NAME, that is used to authorize access to the setFactory method.

@Deprecated
public static final java.security.SecurityPermission providerRegistrationSecurityPermission
Deprecated. Following JEP 411.
A SecurityPermission (with name PROVIDER_REGISTRATION_PERMISSION_NAME) for use in authorizing access to the update methods of the factory implementation class.

Method Detail

public static AuthConfigFactory getFactory()
Get the system-wide AuthConfigFactory implementation.

If a non-null system-wide factory instance is defined at the time of the call, for example, with setFactory, it will be returned. Otherwise, an attempt will be made to construct an instance of the default AuthConfigFactory implementation class. The fully qualified class name of the default factory implementation class is obtained from the value of the DEFAULT_FACTORY_SECURITY_PROPERTY security property. When an instance of the default factory implementation class is successfully constructed by this method, this method will set it as the system-wide factory instance.

The absolute pathname of the Java security properties file is JAVA_HOME/lib/security/java.security, where JAVA_HOME refers to the directory where the JDK was installed.

When a SecurityManager is enabled, the getFactorySecurityPermission will be required to call this method. If at the time of the call, a system-wide factory instance has not already been defined, then the setFactorySecurityPermission will also be required.

Throws:
java.lang.SecurityException - If the caller does not have permission to retrieve the factory, or set it as the system-wide instance. Also thrown if an exception was thrown during the class loading, or construction of the default AuthConfigFactory implementation class; in which case the SecurityException will contain the root Exception as its cause.

public static void setFactory(AuthConfigFactory factory)
Set the system-wide AuthConfigFactory implementation. If an implementation was set previously, it will be replaced.

Listeners are not notified of a change to the registered factory.

Parameters:
factory - The AuthConfigFactory instance, which may be null.

Throws:
java.lang.SecurityException - If the caller does not have permission to set the factory.

public abstract AuthConfigProvider getConfigProvider(java.lang.String layer, java.lang.String appContext, RegistrationListener listener)
Get a registered AuthConfigProvider from the factory.

All factories shall employ the following precedence rules to select the registered AuthConfigProvider that matches the layer and appContext arguments:

The above precedence rules apply equivalently to registrations created with a null or non-null className argument.
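An added example, not part of the specification: a registration audit that lists what the factory holds (getRegistrationIDs, getRegistrationContext), resolves the provider the factory selects for a given layer/appContext, and keeps a RegistrationListener attached so that a later replacement or removal of that registration is logged. It assumes the jakarta.security.auth.message.config package; the class name and log messages are constructed.

```java
import java.util.Objects;
import jakarta.security.auth.message.config.AuthConfigFactory;
import jakarta.security.auth.message.config.AuthConfigProvider;
import jakarta.security.auth.message.config.RegistrationListener;

/** Audits the factory's registrations and watches the one that serves a given application. */
public final class RegistrationAudit {
    private final AuthConfigFactory factory;
    // Called by the factory when the registration this application resolved to is replaced or
    // removed (for example by a late programmatic registerConfigProvider call). RegistrationListener
    // has a single method, notify(layer, appContext), so a lambda suffices.
    private final RegistrationListener listener = (layer, appContext) ->
        System.err.printf("auth provider registration for layer=%s appContext=%s was replaced or removed%n",
                          layer, appContext);

    RegistrationAudit(AuthConfigFactory factory) { this.factory = factory; }

    /** One line per active registration: id, layer, appContext, persistence and description. */
    String describeAll() {
        StringBuilder out = new StringBuilder();
        for (String id : factory.getRegistrationIDs(null)) {   // null: every active registration
            AuthConfigFactory.RegistrationContext rc = factory.getRegistrationContext(id);
            if (rc == null) continue;                         // removed between the two calls
            out.append(id)
               .append(" layer=").append(rc.getMessageLayer())        // null means all layers
               .append(" appContext=").append(rc.getAppContext())     // null means all contexts
               .append(rc.isPersistent() ? " [persistent] " : " [in-memory] ")
               .append(Objects.toString(rc.getDescription(), "")).append('\n');
        }
        return out.toString();
    }

    /**
     * Resolves the provider the factory selects for this layer/appContext and attaches the
     * listener to that registration. A null result means no registration matches, or the best
     * match was registered with a null provider: requests in this context then receive no
     * authentication modules from the factory, which is worth flagging.
     */
    AuthConfigProvider resolveAndWatch(String layer, String appContext) {
        AuthConfigProvider provider = factory.getConfigProvider(layer, appContext, listener);
        if (provider == null) {
            System.err.printf("no AuthConfigProvider for layer=%s appContext=%s%n", layer, appContext);
        }
        return provider;
    }

    /** Detaches the listener; returns the IDs of the registrations it was detached from. */
    String[] stopWatching(String layer, String appContext) {
        return factory.detachListener(listener, layer, appContext);
    }
}
```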
Parameters:
layer - A String identifying the message layer for which the registered AuthConfigProvider is to be returned. The value of this argument may be null.
appContext - A String that identifies the application messaging context for which the registered AuthConfigProvider is to be returned. The value of this argument may be null.
listener - The RegistrationListener whose notify method is to be invoked if the corresponding registration is unregistered or replaced. The value of this argument may be null.

public abstract java.lang.String registerConfigProvider(java.lang.String className, java.util.Map<java.lang.String,java.lang.String> properties, java.lang.String layer, java.lang.String appContext, java.lang.String description)
Registers within the factory and records within the factory's persistent declarative representation of provider registrations a provider of ServerAuthConfig and/or ClientAuthConfig objects for a message layer and application context identifier.

This method employs the two argument constructor required to be supported by every implementation of the AuthConfigProvider interface, and this method must pass a null value for the factory argument of the constructor:

AuthConfigProviderImpl(Map properties, AuthConfigFactory factory)

At most one registration may exist within the factory for a given combination of message layer and appContext. Any pre-existing registration with identical values for layer and appContext is replaced by a subsequent registration. When replacement occurs, the registration identifier, layer, and appContext identifier remain unchanged, and the AuthConfigProvider (with initialization properties) and description are replaced.

Within the lifetime of its Java process, a factory must assign unique registration identifiers to registrations, and must never assign a previously used registration identifier to a registration whose message layer and/or appContext identifier differ from the previous use.

Programmatic registrations performed by using this method must update (according to the replacement rules described above) the persistent declarative representation of provider registrations employed by the factory constructor.

When a SecurityManager is enabled, before loading the argument provider, and before making any changes to the factory, this method must confirm that the calling access control context has been granted the providerRegistrationSecurityPermission.
Parameters:
className - The fully qualified name of an AuthConfigProvider implementation class (or null). Calling this method with a null value for this parameter shall cause getConfigProvider to return null when it is called with layer and appContext values for which the resulting registration is the best match.
properties - A Map object containing the initialization properties to be passed to the properties argument of the provider constructor. This argument may be null.
layer - A String identifying the message layer for which the provider will be registered at the factory. A null value may be passed as an argument for this parameter, in which case the provider is registered at all layers.
appContext - A String value that may be used by a runtime to request a configuration object from this provider. A null value may be passed as an argument for this parameter, in which case the provider is registered for all configuration ids (at the indicated layers).
description - A text String describing the provider. This value may be null.

Throws:
java.lang.SecurityException - If the caller does not have permission to register a provider at the factory, or if the provider construction (given a non-null className) or registration fails.

public abstract java.lang.String registerConfigProvider(AuthConfigProvider provider, java.lang.String layer, java.lang.String appContext, java.lang.String description)
Registers within the (in-memory) factory, a provider of ServerAuthConfig and/or ClientAuthConfig objects for a message layer and application context identifier.

At most one registration may exist within the factory for a given combination of message layer and appContext. Any pre-existing registration with identical values for layer and appContext is replaced by a subsequent registration. When replacement occurs, the registration identifier, layer, and appContext identifier remain unchanged, and the AuthConfigProvider (with initialization properties) and description are replaced.

Within the lifetime of its Java process, a factory must assign unique registration identifiers to registrations, and must never assign a previously used registration identifier to a registration whose message layer and/or appContext identifier differ from the previous use.

When a SecurityManager is enabled, and before making any changes to the factory, this method must confirm that the calling access control context has been granted the providerRegistrationSecurityPermission.
Parameters:
provider - The AuthConfigProvider to be registered at the factory (or null). Calling this method with a null value for this parameter shall cause getConfigProvider to return null when it is called with layer and appContext values for which the resulting registration is the best match.
layer - A String identifying the message layer for which the provider will be registered at the factory. A null value may be passed as an argument for this parameter, in which case the provider is registered at all layers.
appContext - A String value that may be used by a runtime to request a configuration object from this provider. A null value may be passed as an argument for this parameter, in which case the provider is registered for all configuration ids (at the indicated layers).
description - A text String describing the provider. This value may be null.

Throws:
java.lang.SecurityException - If the caller does not have permission to register a provider at the factory, or if the provider registration fails.

public abstract java.lang.String registerServerAuthModule(ServerAuthModule serverAuthModule, java.lang.Object context)
Registers within the (in-memory) factory, an instance of a ServerAuthModule for a message layer and application context identifier as identified by a profile specific context object.

This will override any other modules that have already been registered, either via proprietary means or using the standard API. The ServerAuthModule is removed, via a call to removeServerAuthModule, when the context associated with the profile specific context object ends.

Note that this method is a convenience method that can be used instead of registerConfigProvider, but should ultimately have the same effect. That is, the layer and appContext parameters are generated from the context object, and the ServerAuthModule is wrapped by an implementation specific AuthConfigProvider, which are then used to call registerConfigProvider or an internal method with the same effect. The returned registration ID is then associated with the profile specific context object, and also returned from this method.

A "profile specific context object" is for example the ServletContext in the Servlet Container Profile. The context associated with this ServletContext ends when for example the application corresponding to it is undeployed. Association of the registration ID with the ServletContext simply means calling the setAttribute method on the ServletContext, with the registration ID as value. (The name attribute has not been standardised in this version of the specification.)
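The ServletContext case above as an added example that is not part of the specification: a ServletContextListener registers a ServerAuthModule at deployment and removes it at undeployment. It assumes the jakarta.security.auth.message and jakarta.servlet packages and the Servlet Container Profile's isMandatory key; the module itself, the session attribute "caller" and the login step that sets it are constructed for illustration.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import jakarta.security.auth.message.*;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.config.AuthConfigFactory;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Registers the module when the application starts and removes it when it is undeployed. */
@WebListener
public class SamLifecycle implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // layer and appContext are derived from the ServletContext; the module is wrapped in a
        // provider and the registration ID is stored on the context for the later removal.
        AuthConfigFactory.getFactory()
            .registerServerAuthModule(new SessionCallerSam(), sce.getServletContext());
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        AuthConfigFactory.getFactory().removeServerAuthModule(sce.getServletContext());
    }
}

/** Constructed module: the caller name comes from a session attribute set by a login step (not shown). */
class SessionCallerSam implements ServerAuthModule {
    // Servlet Container Profile key: "true" when the target resource requires an authenticated caller.
    private static final String IS_MANDATORY = "jakarta.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    @Override public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h,
                                     Map<String, Object> options) { this.handler = h; }
    @Override public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        Object caller = req.getSession(false) == null ? null : req.getSession(false).getAttribute("caller");
        boolean mandatory = Boolean.parseBoolean(String.valueOf(mi.getMap().get(IS_MANDATORY)));
        if (caller == null && mandatory) {   // protected resource and nobody logged in
            ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        try {   // a null name establishes the anonymous caller for unprotected resources
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) caller) });
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { s.getPrincipals().clear(); }
}
```

Checking isMandatory before answering 401 matters: a module that rejects every request without a caller also blocks resources the deployment descriptor leaves unprotected.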
Parameters:
serverAuthModule - the ServerAuthModule instance to be registered
context - the profile specific context of the application for which the module is registered

public abstract void removeServerAuthModule(java.lang.Object context)
Remove the ServerAuthModule (and potentially encompassing wrappers/factories) that was previously registered via a call to registerServerAuthModule.

Note that this method is a convenience method that can be used instead of removeRegistration, but should ultimately have the same effect. That is, calling removeRegistration with the return value from registerServerAuthModule must have the same effect in that the ServerAuthModule is removed.

Parameters:
context - the profile specific context of the application for which the module is removed.

public abstract boolean removeRegistration(java.lang.String registrationID)
Remove the identified provider registration from the factory (and from the persistent declarative representation of provider registrations, if appropriate) and invoke any listeners associated with the removed registration.

When a SecurityManager is enabled, and before making any changes to the factory, this method must confirm that the calling access control context has been granted the providerRegistrationSecurityPermission.

Parameters:
registrationID - A String that identifies a provider registration at the factory.

Throws:
java.lang.SecurityException - If the caller does not have permission to unregister the provider at the factory.

public abstract java.lang.String[] detachListener(RegistrationListener listener, java.lang.String layer, java.lang.String appContext)
Disassociate the listener from all the provider registrations whose layer and appContext values are matched by the corresponding arguments to this method.

Factories should periodically notify Listeners to effectively detach listeners that are no longer in use.

When a SecurityManager is enabled, and before making any changes to the factory, this method must confirm that the calling access control context has been granted the providerRegistrationSecurityPermission.

Parameters:
listener - The RegistrationListener to be detached.
layer - A String identifying the message layer or null.
appContext - A String value identifying the application context or null.

Throws:
java.lang.SecurityException - If the caller does not have permission to detach the listener from the factory.

public abstract java.lang.String[] getRegistrationIDs(AuthConfigProvider provider)
Get the registration identifiers for all registrations of the provider instance at the factory.

Parameters:
provider - The AuthConfigProvider whose registration identifiers are to be returned. This argument may be null, in which case it indicates that the IDs of all active registrations within the factory are to be returned.

public abstract AuthConfigFactory.RegistrationContext getRegistrationContext(java.lang.String registrationID)
Get the registration context for the identified registration.

Parameters:
registrationID - A String that identifies a provider registration at the factory.

public abstract void refresh()
Cause the factory to reprocess its persistent declarative representation of provider registrations.

A factory should only replace an existing registration when a change of provider implementation class or initialization properties has occurred.

When a SecurityManager is enabled, and before the point where this method could have caused any changes to the factory, this method must confirm that the calling access control context has been granted the providerRegistrationSecurityPermission.

Throws:
java.lang.SecurityException - If the caller does not have permission to refresh the factory, or if an error occurred during the reinitialization.