Package org.wildfly.security.auth.server
Class SecurityIdentity
- java.lang.Object
-
- org.wildfly.security.auth.server.SecurityIdentity
-
- All Implemented Interfaces:
Supplier<SecurityIdentity>
,Scoped
,PermissionMappable
,PermissionVerifier
public final class SecurityIdentity extends Object implements PermissionVerifier, PermissionMappable, Supplier<SecurityIdentity>, Scoped
A loaded and authenticated security identity.- Author:
- David M. Lloyd
-
-
Field Summary
-
Fields inherited from interface org.wildfly.security.permission.PermissionVerifier
ALL, NONE
-
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description FlexibleIdentityAssociation
createFlexibleAssociation()
Create a new flexible identity association, initializing it with this identity.SecurityIdentity
createRunAsAnonymous()
Attempt to create a new identity that can be used to run as an anonymous user.SecurityIdentity
createRunAsAnonymous(boolean authorize)
Attempt to create a new identity that can be used to run as an anonymous user Calling with enabled security manager requiressetRunAsPrincipal
ElytronPermission
.SecurityIdentity
createRunAsIdentity(String name)
Attempt to create a new identity that can be used to run as a user with the given name.SecurityIdentity
createRunAsIdentity(String name, boolean authorize)
Attempt to create a new identity that can be used to run as a user with the given name.SecurityIdentity
createRunAsIdentity(Principal principal, boolean authorize)
Attempt to create a new identity that can be used to run as a user with the given principal.SecurityIdentity
get()
Get this identity.Attributes
getAttributes()
Get the attributes associated with this identity.Instant
getCreationTime()
Get the creation time of this identity, which is the time that the initial authentication occurred.Principal
getPrincipal()
Get the principal of this identity.IdentityCredentials
getPrivateCredentials()
Get the private credentials of this identity.IdentityCredentials
getPublicCredentials()
Get the public credentials of this identity.Roles
getRoles()
Get the roles associated with this identity.Roles
getRoles(String category)
Get the mapped roles associated with this identity.Roles
getRoles(String category, boolean fallbackToDefault)
Get the mapped roles associated with this identity.boolean
implies(Permission permission)
Determine if the permission is verified by this object.SecurityIdentity
intersectWith(PermissionVerifier verifier)
Create a new security identity which is the same as this one, but which limits authorization privileges to the intersection of the current privileges and the given verifier.boolean
isAnonymous()
Convenience method to determine if this identity is anonymous.<T> T
runAs(PrivilegedAction<T> action)
Deprecated.UseScoped.runAsSupplier(Supplier)
instead.<T> T
runAs(PrivilegedExceptionAction<T> action)
Deprecated.UseScoped.runAsSupplierEx(ExceptionSupplier)
instead.<T,P>
TrunAs(P parameter, ParametricPrivilegedAction<T,P> action)
Deprecated.UseScoped.runAsFunction(Function, Object)
instead.<T,P>
TrunAs(P parameter, ParametricPrivilegedExceptionAction<T,P> action)
Deprecated.UseScoped.runAsFunctionEx(ExceptionFunction, Object)
instead.static <T> T
runAsAll(PrivilegedExceptionAction<T> action, SecurityIdentity... identities)
Run an action under a series of identities.<T,U>
booleanrunAsBiPredicate(BiPredicate<T,U> action, T parameter1, U parameter2)
Run an action under this identity.<T,U>
voidrunAsConsumer(BiConsumer<T,U> action, T parameter1, U parameter2)
Run an action under this identity.<T,U,E extends Exception>
voidrunAsConsumerEx(org.wildfly.common.function.ExceptionBiConsumer<T,U,E> action, T parameter1, U parameter2)
Run an action under this identity.<T,U,E extends Exception>
booleanrunAsExBiPredicate(org.wildfly.common.function.ExceptionBiPredicate<T,U,E> action, T parameter1, U parameter2)
Run an action under this identity.<T,U,R>
RrunAsFunction(BiFunction<T,U,R> action, T parameter1, U parameter2)
Run an action under this identity.<T,U,R,E extends Exception>
RrunAsFunctionEx(org.wildfly.common.function.ExceptionBiFunction<T,U,R,E> action, T parameter1, U parameter2)
Run an action under this identity.<T> void
runAsObjIntConsumer(ObjIntConsumer<T> action, T parameter1, int parameter2)
Run an action under this identity.<T,E extends Exception>
voidrunAsObjIntConsumerEx(org.wildfly.common.function.ExceptionObjIntConsumer<T,E> action, T parameter1, int parameter2)
Run an action under this identity.String
toString()
SecurityIdentity
withDefaultRoleMapper(RoleMapper roleMapper)
Attempt to create a new identity which wraps the default roles with a default role mapper.SecurityIdentity
withPrivateCredential(Credential credential)
Create a new security identity which is the same as this one, but which includes the given credential as a private credential.SecurityIdentity
withPrivateCredentials(IdentityCredentials credentials)
Create a new security identity which is the same as this one, but which includes the given credentials as private credentials.SecurityIdentity
withPublicCredential(Credential credential)
Create a new security identity which is the same as this one, but which includes the given credential as a public credential.SecurityIdentity
withPublicCredentials(IdentityCredentials credentials)
Create a new security identity which is the same as this one, but which includes the given credentials as public credentials.SecurityIdentity
withRoleMapper(String category, RoleMapper roleMapper)
Attempt to create a new identity which replaces a role mapper category on the current identity.SecurityIdentity
withRuntimeAttributes(Attributes runtimeAttributes)
Create a new security identity which is the same as this one, but which includes the given runtime attributes.SecurityIdentity
withSecurityIdentity(SecurityIdentity securityIdentity)
Attempt to create a new identity that is the same as this identity but with an additional identity from a different security domain that will be associated with all 'run' calls.SecurityIdentity
withSecurityIdentitySupplier(Supplier<SecurityIdentity[]> securityIdentities)
Attempt to create a new identity that is the same as this identity but with aSupplier
to supply identities that will be associated with all 'run' calls.-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
-
Methods inherited from interface org.wildfly.security.permission.PermissionVerifier
and, checkPermission, not, or, toPermissionCollection, unless, xor
-
Methods inherited from interface org.wildfly.security.auth.server.Scoped
runAs, runAs, runAsAction, runAsConsumer, runAsConsumerEx, runAsExceptionAction, runAsExIntFunction, runAsExLongFunction, runAsExPredicate, runAsFunction, runAsFunctionEx, runAsIntFunction, runAsLongFunction, runAsPredicate, runAsSupplier, runAsSupplierEx
-
-
-
-
Method Detail
-
runAs
@Deprecated public <T> T runAs(PrivilegedAction<T> action)
Deprecated.UseScoped.runAsSupplier(Supplier)
instead.Run an action under this identity.- Type Parameters:
T
- the action return type- Parameters:
action
- the action to run- Returns:
- the action result (may be
null
)
-
runAs
@Deprecated public <T> T runAs(PrivilegedExceptionAction<T> action) throws PrivilegedActionException
Deprecated.UseScoped.runAsSupplierEx(ExceptionSupplier)
instead.Run an action under this identity.- Type Parameters:
T
- the action return type- Parameters:
action
- the action to run- Returns:
- the action result (may be
null
) - Throws:
PrivilegedActionException
- if the action fails
-
runAs
@Deprecated public <T,P> T runAs(P parameter, ParametricPrivilegedAction<T,P> action)
Deprecated.UseScoped.runAsFunction(Function, Object)
instead.Run an action under this identity.- Type Parameters:
T
- the action return typeP
- the action parameter type- Parameters:
parameter
- the parameter to pass to the actionaction
- the action to run- Returns:
- the action result (may be
null
)
-
runAs
@Deprecated public <T,P> T runAs(P parameter, ParametricPrivilegedExceptionAction<T,P> action) throws PrivilegedActionException
Deprecated.UseScoped.runAsFunctionEx(ExceptionFunction, Object)
instead.Run an action under this identity.- Type Parameters:
T
- the action return typeP
- the action parameter type- Parameters:
parameter
- the parameter to pass to the actionaction
- the action to run- Returns:
- the action result (may be
null
) - Throws:
PrivilegedActionException
- if the action fails
-
runAsFunction
public <T,U,R> R runAsFunction(BiFunction<T,U,R> action, T parameter1, U parameter2)
Run an action under this identity.- Specified by:
runAsFunction
in interfaceScoped
- Type Parameters:
R
- the action return typeT
- the action first parameter typeU
- the action second parameter type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run- Returns:
- the action result (may be
null
)
-
runAsConsumer
public <T,U> void runAsConsumer(BiConsumer<T,U> action, T parameter1, U parameter2)
Run an action under this identity.- Specified by:
runAsConsumer
in interfaceScoped
- Type Parameters:
T
- the action first parameter typeU
- the action second parameter type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run
-
runAsObjIntConsumer
public <T> void runAsObjIntConsumer(ObjIntConsumer<T> action, T parameter1, int parameter2)
Run an action under this identity.- Specified by:
runAsObjIntConsumer
in interfaceScoped
- Type Parameters:
T
- the action first parameter type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run
-
runAsFunctionEx
public <T,U,R,E extends Exception> R runAsFunctionEx(org.wildfly.common.function.ExceptionBiFunction<T,U,R,E> action, T parameter1, U parameter2) throws E extends Exception
Run an action under this identity.- Specified by:
runAsFunctionEx
in interfaceScoped
- Type Parameters:
R
- the action return typeT
- the action first parameter typeU
- the action second parameter typeE
- the action exception type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run- Returns:
- the action result (may be
null
) - Throws:
E
- if the action throws this exceptionE extends Exception
-
runAsConsumerEx
public <T,U,E extends Exception> void runAsConsumerEx(org.wildfly.common.function.ExceptionBiConsumer<T,U,E> action, T parameter1, U parameter2) throws E extends Exception
Run an action under this identity.- Specified by:
runAsConsumerEx
in interfaceScoped
- Type Parameters:
T
- the action first parameter typeU
- the action second parameter typeE
- the action exception type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run- Throws:
E
- if the action throws this exceptionE extends Exception
-
runAsObjIntConsumerEx
public <T,E extends Exception> void runAsObjIntConsumerEx(org.wildfly.common.function.ExceptionObjIntConsumer<T,E> action, T parameter1, int parameter2) throws E extends Exception
Run an action under this identity.- Specified by:
runAsObjIntConsumerEx
in interfaceScoped
- Type Parameters:
T
- the action first parameter typeE
- the action exception type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run- Throws:
E
- if the action throws this exceptionE extends Exception
-
runAsBiPredicate
public <T,U> boolean runAsBiPredicate(BiPredicate<T,U> action, T parameter1, U parameter2)
Run an action under this identity.- Specified by:
runAsBiPredicate
in interfaceScoped
- Type Parameters:
T
- the action first parameter typeU
- the action second parameter type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run- Returns:
- the action result (may be
null
)
-
runAsExBiPredicate
public <T,U,E extends Exception> boolean runAsExBiPredicate(org.wildfly.common.function.ExceptionBiPredicate<T,U,E> action, T parameter1, U parameter2) throws E extends Exception
Run an action under this identity.- Specified by:
runAsExBiPredicate
in interfaceScoped
- Type Parameters:
T
- the action first parameter typeU
- the action second parameter typeE
- the action exception type- Parameters:
parameter1
- the first parameter to pass to the actionparameter2
- the second parameter to pass to the actionaction
- the action to run- Returns:
- the action result (may be
null
) - Throws:
E
- if the action throws this exceptionE extends Exception
-
runAsAll
public static <T> T runAsAll(PrivilegedExceptionAction<T> action, SecurityIdentity... identities) throws PrivilegedActionException
Run an action under a series of identities.- Type Parameters:
T
- the action return type- Parameters:
action
- the action to runidentities
- the identities to set up- Returns:
- the action result (may be
null
) - Throws:
PrivilegedActionException
- if the action fails
-
getRoles
public Roles getRoles()
Get the roles associated with this identity.- Returns:
- the roles associated with this identity
-
getRoles
public Roles getRoles(String category)
Get the mapped roles associated with this identity. If no role mapping exists for the given category, an empty role set is returned.- Parameters:
category
- the role mapping category- Returns:
- the category roles
-
withSecurityIdentitySupplier
public SecurityIdentity withSecurityIdentitySupplier(Supplier<SecurityIdentity[]> securityIdentities)
Attempt to create a new identity that is the same as this identity but with aSupplier
to supply identities that will be associated with all 'run' calls. Any existing individual identities associated with this identity will be dropped. The supplier will be called for each run call so were possible should handle it's own optimisation.- Parameters:
securityIdentities
- aSupplier
for identities to be associated with every run call.- Returns:
- the new identity
- Throws:
IllegalArgumentException
- if the supplied identity
-
withSecurityIdentity
public SecurityIdentity withSecurityIdentity(SecurityIdentity securityIdentity)
Attempt to create a new identity that is the same as this identity but with an additional identity from a different security domain that will be associated with all 'run' calls. If aSupplier
has previously been associated with this identity it will be dropped.- Parameters:
securityIdentity
- theSecurityIdentity
to also be associated with all run calls made to this identity.- Returns:
- the new identity
- Throws:
IllegalArgumentException
- if the supplied identity
-
getRoles
public Roles getRoles(String category, boolean fallbackToDefault)
Get the mapped roles associated with this identity.- Parameters:
category
- the role mapping categoryfallbackToDefault
-true
if the default roles associated with this identity should be returned if no role mapping exists for the given category,false
otherwise- Returns:
- the category roles
-
withRoleMapper
public SecurityIdentity withRoleMapper(String category, RoleMapper roleMapper)
Attempt to create a new identity which replaces a role mapper category on the current identity. If the given role mapper is already set on the current identity, the current identity is returned.- Parameters:
category
- the category nameroleMapper
- the role mapper to use- Returns:
- the new identity
- Throws:
SecurityException
- if the calling class is not granted theChangeRoleMapperPermission
for the given category name
-
withDefaultRoleMapper
public SecurityIdentity withDefaultRoleMapper(RoleMapper roleMapper)
Attempt to create a new identity which wraps the default roles with a default role mapper.- Parameters:
roleMapper
- the roleMapper to map the roles.- Returns:
- the new identity
- Throws:
SecurityException
- if the calling class is not granted the withDefaultRoleMapper permission.
-
createRunAsIdentity
public SecurityIdentity createRunAsIdentity(String name) throws SecurityException
Attempt to create a new identity that can be used to run as a user with the given name. If the current identity is not authorized to run as a user with the given name, an exception is thrown. Calling with enabled security manager requiressetRunAsPrincipal
ElytronPermission
. Regardless security manager is enabled,RunAsPrincipalPermission
for given name is required.- Parameters:
name
- the name to attempt to run as- Returns:
- the new security identity
- Throws:
SecurityException
- if the operation authorization failed for any reason
-
createRunAsIdentity
public SecurityIdentity createRunAsIdentity(String name, boolean authorize) throws SecurityException
Attempt to create a new identity that can be used to run as a user with the given name. Calling with enabled security manager requiressetRunAsPrincipal
ElytronPermission
.- Parameters:
name
- the name to attempt to run asauthorize
- whether to check the current identity is authorized to run as a user with the given principal (hasRunAsPrincipalPermission
)- Returns:
- the new security identity
- Throws:
SecurityException
- if the caller does not have thesetRunAsPrincipal
ElytronPermission
or if the operation authorization failed for any other reason
-
createRunAsIdentity
public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException
Attempt to create a new identity that can be used to run as a user with the given principal. Calling with enabled security manager requiressetRunAsPrincipal
ElytronPermission
.- Parameters:
principal
- the principal to attempt to run asauthorize
- whether to check the current identity is authorized to run as a user with the given principal (hasRunAsPrincipalPermission
)- Returns:
- the new security identity
- Throws:
SecurityException
- if the caller does not have thesetRunAsPrincipal
ElytronPermission
or if the operation authorization failed for any other reason
-
createRunAsAnonymous
public SecurityIdentity createRunAsAnonymous() throws SecurityException
Attempt to create a new identity that can be used to run as an anonymous user. If the current identity is not authorized to run as an anonymous user, an exception is thrown. Calling with enabled security manager requiressetRunAsPrincipal
ElytronPermission
.LoginPermission
granted to the anonymous identity will be required.- Returns:
- the new security identity
- Throws:
SecurityException
- if the operation authorization failed for any reason
-
createRunAsAnonymous
public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException
Attempt to create a new identity that can be used to run as an anonymous user Calling with enabled security manager requiressetRunAsPrincipal
ElytronPermission
.- Parameters:
authorize
- whether to check the anonymous identity is authorized to log in (hasLoginPermission
)- Returns:
- the new security identity
- Throws:
SecurityException
- if the caller does not have thesetRunAsPrincipal
ElytronPermission
or if the operation authorization failed for any other reason
-
intersectWith
public SecurityIdentity intersectWith(PermissionVerifier verifier)
Create a new security identity which is the same as this one, but which limits authorization privileges to the intersection of the current privileges and the given verifier.- Parameters:
verifier
- the restricted verifier (must not benull
)- Returns:
- the restricted identity
-
implies
public boolean implies(Permission permission)
Description copied from interface:PermissionVerifier
Determine if the permission is verified by this object.- Specified by:
implies
in interfacePermissionVerifier
- Parameters:
permission
- the permission to verify (must not benull
)- Returns:
true
if the permission is implied by this verifier,false
otherwise
-
getAttributes
public Attributes getAttributes()
Get the attributes associated with this identity.- Specified by:
getAttributes
in interfacePermissionMappable
- Returns:
- a read-only instance of
Attributes
with all attributes associated with this identity
-
getPrincipal
public Principal getPrincipal()
Get the principal of this identity.- Specified by:
getPrincipal
in interfacePermissionMappable
- Returns:
- the principal of this identity
-
getCreationTime
public Instant getCreationTime()
Get the creation time of this identity, which is the time that the initial authentication occurred.- Specified by:
getCreationTime
in interfacePermissionMappable
- Returns:
- the creation time of this identity (not
null
)
-
getPublicCredentials
public IdentityCredentials getPublicCredentials()
Get the public credentials of this identity.- Specified by:
getPublicCredentials
in interfacePermissionMappable
- Returns:
- the public credentials of this identity (not
null
)
-
isAnonymous
public boolean isAnonymous()
Convenience method to determine if this identity is anonymous.- Returns:
true
if the identity is anonymous,false
otherwise
-
withPublicCredential
public SecurityIdentity withPublicCredential(Credential credential)
Create a new security identity which is the same as this one, but which includes the given credential as a public credential.- Parameters:
credential
- the credential (must not benull
)- Returns:
- the new identity
-
withPublicCredentials
public SecurityIdentity withPublicCredentials(IdentityCredentials credentials)
Create a new security identity which is the same as this one, but which includes the given credentials as public credentials.- Parameters:
credentials
- the credential set (must not benull
)- Returns:
- the new identity
-
withPrivateCredential
public SecurityIdentity withPrivateCredential(Credential credential)
Create a new security identity which is the same as this one, but which includes the given credential as a private credential.- Parameters:
credential
- the credential (must not benull
)- Returns:
- the new identity
-
withPrivateCredentials
public SecurityIdentity withPrivateCredentials(IdentityCredentials credentials)
Create a new security identity which is the same as this one, but which includes the given credentials as private credentials.- Parameters:
credentials
- the credential set (must not benull
)- Returns:
- the new identity
-
withRuntimeAttributes
public SecurityIdentity withRuntimeAttributes(Attributes runtimeAttributes)
Create a new security identity which is the same as this one, but which includes the given runtime attributes.- Parameters:
runtimeAttributes
- the runtime attributes (must not benull
)- Returns:
- the new identity
-
getPrivateCredentials
public IdentityCredentials getPrivateCredentials()
Get the private credentials of this identity. The caller must have thegetPrivateCredentials
ElytronPermission
.- Returns:
- the private credentials of this identity (not
null
)
-
get
public SecurityIdentity get()
Get this identity.- Specified by:
get
in interfaceSupplier<SecurityIdentity>
- Returns:
- this identity
-
createFlexibleAssociation
public FlexibleIdentityAssociation createFlexibleAssociation()
Create a new flexible identity association, initializing it with this identity.- Returns:
- the new flexible identity association (not
null
)
-
-