This interface represents an abstract challenge-response oriented authentication scheme.
Authentication schemes can be either request based or connection based. The former are
expected to provide an authorization response with each request message, while the latter
is executed only once and applies to the underlying connection for its entire life span.
Care must be taken when re-using connections authorized through a connection based
authentication scheme, as they may carry a particular security context and be authorized
for a particular user identity. It is important that such schemes always provide
the user identity they represent through the getPrincipal() method.
Authentication schemes are expected to transition through a series of standard phases or
states.
An authentication scheme starts off its life cycle with no context and no specific state.
The processChallenge(AuthChallenge, HttpContext) method is called to
process an authentication challenge received either from the target server or a proxy.
The authentication scheme transitions to the CHALLENGED state and is expected to validate
the token passed to it as a parameter and initialize its internal state based on the
challenge details. Standard authentication schemes are expected to provide a realm
attribute in the challenge; getRealm() can be called to obtain an identifier
of the realm that requires authorization.
Once the challenge has been fully processed, the
isResponseReady(HttpHost, CredentialsProvider, HttpContext) method is called to determine whether the scheme is capable of
generating an authorization response based on its current state and whether it holds the user credentials
required to do so. If this method returns false, the authentication is considered
to be in the FAILED state and no authorization response is generated. Otherwise the scheme is considered
to be in the RESPONSE_READY state.
Once the scheme is ready to respond to the challenge, the
generateAuthResponse(HttpHost, HttpRequest, HttpContext) method is called to generate a response token, which will
be sent to the opposite endpoint in the subsequent request message.
Certain non-standard schemes may involve multiple challenge / response exchanges to
fully establish a shared context and complete the authentication process. Authentication
schemes are required to return true from isChallengeComplete() once the
handshake is considered complete.
The authentication scheme is considered successfully completed and in the SUCCESS state
if the opposite endpoint accepts the request message containing the authorization
response and responds with a message indicating no authentication failure.
If the opposite endpoint sends status code 401 or 407 in response to a request message
containing the terminal authorization response, the scheme is considered unsuccessful
and in the FAILED state.
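The following is an added illustration, not code from the HttpClient project: a hypothetical request based scheme named "Example" that walks through the states described above (CHALLENGED after processChallenge, RESPONSE_READY or FAILED after isResponseReady) and refuses to emit a response token from any other state. It assumes the AuthScheme, AuthChallenge, AuthScope, Credentials and CredentialsProvider signatures of HttpClient 5; the challenge format (realm and nonce parameters) and the HMAC-based proof are inventions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hc.client5.http.auth.AuthChallenge;
import org.apache.hc.client5.http.auth.AuthScheme;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.AuthenticationException;
import org.apache.hc.client5.http.auth.Credentials;
import org.apache.hc.client5.http.auth.CredentialsProvider;
import org.apache.hc.client5.http.auth.MalformedChallengeException;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.HttpRequest;
import org.apache.hc.core5.http.NameValuePair;
import org.apache.hc.core5.http.protocol.HttpContext;

/*
 * Hypothetical "Example" scheme (not shipped with HttpClient) used only to show the
 * state transitions an AuthScheme implementation is expected to make.
 *   Challenge: WWW-Authenticate: Example realm="api", nonce="<server nonce>"
 *   Response:  Authorization: Example user="<name>", nonce="<nonce>", proof="<base64 HMAC>"
 */
public final class ExampleAuthScheme implements AuthScheme {

    private enum State { UNCHALLENGED, CHALLENGED, RESPONSE_READY, FAILED }

    private State state = State.UNCHALLENGED;
    private String realm;
    private String nonce;
    private Credentials credentials;

    @Override
    public String getName() { return "Example"; }

    // Request based: each request carries its own Authorization header, so a
    // re-used connection does not silently retain this scheme's identity.
    @Override
    public boolean isConnectionBased() { return false; }

    @Override
    public void processChallenge(final AuthChallenge challenge, final HttpContext context)
            throws MalformedChallengeException {
        realm = null;
        nonce = null;
        final List<NameValuePair> params = challenge.getParams();
        if (params != null) {
            for (final NameValuePair p : params) {
                if ("realm".equalsIgnoreCase(p.getName())) realm = p.getValue();
                else if ("nonce".equalsIgnoreCase(p.getName())) nonce = p.getValue();
            }
        }
        // Validate the challenge before accepting any state from it.
        if (realm == null || nonce == null || nonce.isEmpty()) {
            state = State.FAILED;
            throw new MalformedChallengeException("Example challenge lacks realm or nonce");
        }
        state = State.CHALLENGED;
    }

    // Single round trip: the handshake needs no further challenges once one was parsed.
    @Override
    public boolean isChallengeComplete() { return state != State.UNCHALLENGED; }

    @Override
    public String getRealm() { return realm; }

    @Override
    public boolean isResponseReady(final HttpHost host, final CredentialsProvider provider,
                                   final HttpContext context) throws AuthenticationException {
        if (state != State.CHALLENGED) {
            return false;
        }
        // Look up credentials for exactly this host, realm and scheme.
        credentials = provider.getCredentials(new AuthScope(host, realm, getName()), context);
        if (credentials == null || credentials.getUserPrincipal() == null
                || credentials.getPassword() == null) {
            state = State.FAILED;   // nothing to answer with: no response is generated
            return false;
        }
        state = State.RESPONSE_READY;
        return true;
    }

    @Override
    public Principal getPrincipal() {
        return credentials != null ? credentials.getUserPrincipal() : null;
    }

    @Override
    public String generateAuthResponse(final HttpHost host, final HttpRequest request,
                                       final HttpContext context) throws AuthenticationException {
        if (state != State.RESPONSE_READY) {
            throw new AuthenticationException("Scheme not ready to respond (state=" + state + ")");
        }
        try {
            // Proof of possession: HMAC over the server nonce keyed with the password,
            // so the password itself is never placed on the wire.
            final Mac mac = Mac.getInstance("HmacSHA256");
            final byte[] key = new String(credentials.getPassword()).getBytes(StandardCharsets.UTF_8);
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            final byte[] proof = mac.doFinal(nonce.getBytes(StandardCharsets.UTF_8));
            return "Example user=\"" + credentials.getUserPrincipal().getName()
                    + "\", nonce=\"" + nonce
                    + "\", proof=\"" + Base64.getEncoder().encodeToString(proof) + "\"";
        } catch (final GeneralSecurityException ex) {
            throw new AuthenticationException("Cannot compute proof: " + ex.getMessage());
        }
    }
}
```

The guard at the top of generateAuthResponse is the practical consequence of the state model: a scheme must never emit a token before a challenge has been validated and credentials have been resolved, and a FAILED scheme stays failed until a fresh challenge arrives. Because isConnectionBased() returns false, a pooled connection that served this scheme carries no residual security context; a connection based implementation would return true and rely on getPrincipal() so the client can check whose identity a re-used connection represents.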