/** * Attempt to authorize an authentication attempt. If the authorization is successful, {@code true} is returned and * the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, * {@code false} is returned and the state of the context is unchanged. * * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication name was not set or authentication was already complete */ public boolean authorize() throws RealmUnavailableException, IllegalStateException { return authorize(true); }
boolean authorized = authorizationID != null ? authorize(authorizationID) : authorize(); log.tracef("Handling AuthorizeCallback: authenticationID = %s authorizationID = %s authorized = %b", authenticationID, authorizationID, authorized); authorizeCallback.setAuthorized(authorized); if (authorize()) { authorizedIdentity = getAuthorizedIdentity();
/** * Attempt to authorize a change to a new user (possibly including an authentication attempt). If the authorization * is successful, {@code true} is returned and the context is placed in the "authorized" state with the new authorization * identity. If the authorization fails, {@code false} is returned and the state of the context is unchanged. * * @param principal the authorization principal (must not be {@code null}) * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws IllegalArgumentException if the principal is syntactically invalid * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication principal was not set or authentication was already complete */ public boolean authorize(Principal principal) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException { return authorize(principal, true); }
/** * Attempt to authorize a change to a new user (possibly including an authentication attempt). If the authorization * is successful, {@code true} is returned and the context is placed in the "authorized" state with the new authorization * identity. If the authorization fails, {@code false} is returned and the state of the context is unchanged. * * @param name the authorization name (must not be {@code null}) * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws IllegalArgumentException if the name is syntactically invalid * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication name was not set or authentication was already complete */ public boolean authorize(String name) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException { checkNotNullParam("name", name); return authorize(new NamePrincipal(name), true); }
/** * Attempt to create a new identity that can be used to run as a user with the given principal. * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param principal the principal to attempt to run as * @param authorize whether to check the current identity is authorized to run as a user * with the given principal (has {@link RunAsPrincipalPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException { Assert.checkNotNullParam("principal", principal); final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! (context.importIdentity(this) && context.authorize(principal, authorize))) { throw log.runAsAuthorizationFailed(this.principal, principal, null); } return context.getAuthorizedIdentity(); } catch (RealmUnavailableException e) { throw log.runAsAuthorizationFailed(this.principal, principal, e); } }
context.setAuthenticationPrincipal(principal); if (context.verifyEvidence(evidence)) { if (context.authorize()) { context.succeed(); return context.getAuthorizedIdentity();
if (principal != null) serverAuthenticationContext.setAuthenticationPrincipal(principal); if (serverAuthenticationContext.verifyEvidence(evidence)) { if (serverAuthenticationContext.authorize()) { if (evidence instanceof PasswordGuessEvidence) { PasswordGuessEvidence passwordGuessEvidence = PasswordGuessEvidence.class.cast(evidence);
private boolean restoreIdentity() { if (securityDomain == null) { return false; } HttpScope sessionScope = httpExchangeSpi.getScope(Scope.SESSION); if (sessionScope != null && sessionScope.supportsAttachments()) { String principalName = sessionScope.getAttachment(AUTHENTICATED_PRINCIPAL_KEY, String.class); if (principalName != null) { ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(); try { authenticationContext.setAuthenticationName(principalName); if (authenticationContext.authorize()) { SecurityIdentity authorizedIdentity = authenticationContext.getAuthorizedIdentity(); httpExchangeSpi.authenticationComplete(authorizedIdentity, programaticMechanismName); setupProgramaticLogout(sessionScope); return true; } else { sessionScope.setAttachment(AUTHENTICATED_PRINCIPAL_KEY, null); // Whatever was in there no longer works so just drop it. } } catch (IllegalArgumentException | RealmUnavailableException | IllegalStateException e) { httpExchangeSpi.authenticationFailed(e.getMessage(), programaticMechanismName); } } } return false; }
context.setAuthenticationName(username); if (context.verifyEvidence(evidence)) { if (context.authorize()) { context.succeed(); return context.getAuthorizedIdentity();
authenticationContext.setAuthenticationName(username); if (authenticationContext.verifyEvidence(evidence)) { if (authenticationContext.authorize()) { SecurityIdentity authorizedIdentity = authenticationContext.getAuthorizedIdentity(); HttpScope sessionScope = httpExchangeSpi.getScope(Scope.SESSION);
if (! authenticationContext.authorize()) { if (authenticationOptional) { ElytronMessages.log.tracef("Credential validation failed: identity is not authorized principal [%s], ignoring as authentication is optional", principal);
/** * Attempt to authorize an authentication attempt. If the authorization is successful, {@code true} is returned and * the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, * {@code false} is returned and the state of the context is unchanged. * * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication name was not set or authentication was already complete */ public boolean authorize() throws RealmUnavailableException, IllegalStateException { return authorize(true); }
/** * Attempt to authorize an authentication attempt. If the authorization is successful, {@code true} is returned and * the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, * {@code false} is returned and the state of the context is unchanged. * * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication name was not set or authentication was already complete */ public boolean authorize() throws RealmUnavailableException, IllegalStateException { return authorize(true); }
/** * Attempt to authorize an authentication attempt. If the authorization is successful, {@code true} is returned and * the context is placed in the "authorized" state with the new authorization identity. If the authorization fails, * {@code false} is returned and the state of the context is unchanged. * * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication name was not set or authentication was already complete */ public boolean authorize() throws RealmUnavailableException, IllegalStateException { return authorize(true); }
/** * Attempt to authorize a change to a new user (possibly including an authentication attempt). If the authorization * is successful, {@code true} is returned and the context is placed in the "authorized" state with the new authorization * identity. If the authorization fails, {@code false} is returned and the state of the context is unchanged. * * @param principal the authorization principal (must not be {@code null}) * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws IllegalArgumentException if the principal is syntactically invalid * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication principal was not set or authentication was already complete */ public boolean authorize(Principal principal) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException { return authorize(principal, true); }
/** * Attempt to authorize a change to a new user (possibly including an authentication attempt). If the authorization * is successful, {@code true} is returned and the context is placed in the "authorized" state with the new authorization * identity. If the authorization fails, {@code false} is returned and the state of the context is unchanged. * * @param principal the authorization principal (must not be {@code null}) * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws IllegalArgumentException if the principal is syntactically invalid * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication principal was not set or authentication was already complete */ public boolean authorize(Principal principal) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException { return authorize(principal, true); }
/** * Attempt to authorize a change to a new user (possibly including an authentication attempt). If the authorization * is successful, {@code true} is returned and the context is placed in the "authorized" state with the new authorization * identity. If the authorization fails, {@code false} is returned and the state of the context is unchanged. * * @param name the authorization name (must not be {@code null}) * @return {@code true} if the authorization succeeded, {@code false} otherwise * @throws IllegalArgumentException if the name is syntactically invalid * @throws RealmUnavailableException if the realm is not available * @throws IllegalStateException if the authentication name was not set or authentication was already complete */ public boolean authorize(String name) throws IllegalArgumentException, RealmUnavailableException, IllegalStateException { checkNotNullParam("name", name); return authorize(new NamePrincipal(name), true); }
private static SecurityIdentity createSecurityIdentity(Principal principal, Set<String> roles) { ServerAuthenticationContext serverAuthenticationContext = INFLOW_SECURITY_DOMAIN.createNewAuthenticationContext(); try { serverAuthenticationContext.verifyEvidence(new EvidenceWithRoles(principal, roles)); serverAuthenticationContext.authorize(); } catch (RealmUnavailableException e) { // As the domain is backed by a dummy realm that never throws this Exception it is impossible for it to be thrown. throw new IllegalStateException(e); } return serverAuthenticationContext.getAuthorizedIdentity(); }
private static SecurityIdentity createSecurityIdentity(Principal principal, Set<String> roles) { ServerAuthenticationContext serverAuthenticationContext = INFLOW_SECURITY_DOMAIN.createNewAuthenticationContext(); try { serverAuthenticationContext.verifyEvidence(new EvidenceWithRoles(principal, roles)); serverAuthenticationContext.authorize(); } catch (RealmUnavailableException e) { // As the domain is backed by a dummy realm that never throws this Exception it is impossible for it to be thrown. throw new IllegalStateException(e); } return serverAuthenticationContext.getAuthorizedIdentity(); }