Package org.wildfly.security.auth.realm

Class FileSystemSecurityRealm

java.lang.Object

org.wildfly.security.auth.realm.FileSystemSecurityRealm

All Implemented Interfaces:

CacheableSecurityRealm, ModifiableSecurityRealm, SecurityRealm

public final class FileSystemSecurityRealm
extends Object
implements ModifiableSecurityRealm, CacheableSecurityRealm

A simple filesystem-backed security realm.

Author:

David M. Lloyd

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
(package private) static class	FileSystemSecurityRealm.AutoCloseableXMLStreamReaderHolder
(package private) static class	FileSystemSecurityRealm.AutoCloseableXMLStreamWriterHolder
(package private) static interface	FileSystemSecurityRealm.CredentialParseFunction
(package private) static class	FileSystemSecurityRealm.Identity
static class	FileSystemSecurityRealm.IntegrityResult
protected static class	FileSystemSecurityRealm.LoadedIdentity
private static class	FileSystemSecurityRealm.Version

Field Summary

Fields

Modifier and Type	Field	Description
(package private) static ElytronPermission	CREATE_SECURITY_REALM
private boolean	encoded
private Charset	hashCharset
private Encoding	hashEncoding
(package private) static Map<String,FileSystemSecurityRealm.Version>	KNOWN_NAMESPACES
private int	levels
private NameRewriter	nameRewriter
private PrivateKey	privateKey
private Supplier<Provider[]>	providers
private PublicKey	publicKey
private ConcurrentHashMap<String,IdentitySharedExclusiveLock>	realmIdentityLocks
private Path	root
private SecretKey	secretKey

Fields inherited from interface org.wildfly.security.auth.server.SecurityRealm

EMPTY_REALM

Constructor Summary

Constructors

Constructor	Description
FileSystemSecurityRealm(Path root)	Construct a new instance with 2 levels of hashing.
FileSystemSecurityRealm(Path root, int levels)	Construct a new instance.
FileSystemSecurityRealm(Path root, int levels, Supplier<Provider[]> providers)
FileSystemSecurityRealm(Path root, int levels, Encoding hashEncoding, Charset hashCharset)	Construct a new instance.
FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels)	Construct a new instance.
FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded)	Construct a new instance.
FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded, Encoding hashEncoding, Charset hashCharset)	Construct a new instance.
FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded, Encoding hashEncoding, Charset hashCharset, Supplier<Provider[]> providers, SecretKey secretKey, PrivateKey privateKey, PublicKey publicKey)	Construct a new instance.
FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded, Encoding hashEncoding, Charset hashCharset, SecretKey secretKey)	Construct a new instance.
FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, Encoding hashEncoding, Charset hashCharset)	Construct a new instance.
FileSystemSecurityRealm(Path root, Encoding hashEncoding, Charset hashCharset)	Construct a new instance with 2 levels of hashing.

Method Summary

Modifier and Type	Method	Description
static FileSystemSecurityRealmBuilder	builder()	Construct a new instance of the FileSystemSecurityRealmBuilder.
SupportLevel	getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec)	Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for] some identities), or definitely not obtainable.
SupportLevel	getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName)	Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable.
Charset	getHashCharset()
private ModifiableRealmIdentity	getRealmIdentity(String name, boolean exclusive)
RealmIdentity	getRealmIdentity(Principal principal)	Get a handle for to the identity for the given principal in the context of this security realm.
ModifiableRealmIdentity	getRealmIdentityForUpdate(Principal principal)	Get an update handle for to the identity for the given principal in the context of this security realm.
ModifiableRealmIdentityIterator	getRealmIdentityIterator()	Get an iterator over all of this realm's identities.
private IdentitySharedExclusiveLock	getRealmIdentityLockForName(String name)
boolean	hasIntegrityEnabled()	Checks if the FileSystemSecurityRealm has Integrity checking enabled
private String	nameFor(Path path)
private Path	pathFor(String name)
void	registerIdentityChangeListener(Consumer<Principal> listener)	Register a listener that should be invoked by this realm in order to notify the caching layer about changes to a specific identity.
private ModifiableRealmIdentityIterator	subIterator(Path root, int levels)
void	updateRealmKeyPair()	Re-generate the signatures for all the identities in this realm.
FileSystemSecurityRealm.IntegrityResult	verifyRealmIntegrity()	Verify the integrity of each identity file in this realm.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.wildfly.security.auth.server.ModifiableSecurityRealm

getRealmIdentityForUpdate

Methods inherited from interface org.wildfly.security.auth.server.SecurityRealm

getCredentialAcquireSupport, getRealmIdentity, getRealmIdentity, handleRealmEvent

Field Detail

CREATE_SECURITY_REALM

static final ElytronPermission CREATE_SECURITY_REALM

providers

private final Supplier<Provider[]> providers

KNOWN_NAMESPACES

static final Map<String,FileSystemSecurityRealm.Version> KNOWN_NAMESPACES

root

private final Path root

nameRewriter

private final NameRewriter nameRewriter

levels

private final int levels

encoded

private final boolean encoded

hashCharset

private final Charset hashCharset

hashEncoding

private final Encoding hashEncoding

secretKey

private final SecretKey secretKey

privateKey

private final PrivateKey privateKey

publicKey

private final PublicKey publicKey

realmIdentityLocks

private final ConcurrentHashMap<String,IdentitySharedExclusiveLock> realmIdentityLocks

Constructor Detail

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               NameRewriter nameRewriter,
                               int levels,
                               boolean encoded,
                               Encoding hashEncoding,
                               Charset hashCharset,
                               Supplier<Provider[]> providers,
                               SecretKey secretKey,
                               PrivateKey privateKey,
                               PublicKey publicKey)

Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.

Parameters:

root - the root path of the identity store

nameRewriter - the name rewriter to apply to looked up names

levels - the number of levels of directory hashing to apply

encoded - whether identity names should be BASE32 encoded before using as filename (only applies if the security realm is unencrypted)

hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default.

hashEncoding - the string format for the hashed passwords. Uses Base64 by default.

providers - The providers supplier

secretKey - the SecretKey used to encrypt and decrypt the security realm (if null, the security realm will be unencrypted)

privateKey - the PrivateKey used to verify the integrity of the security realm (if null, the security realm will not verify integrity)

publicKey - the PublicKey used to verify the integrity of the security realm (if null, the security realm will not verify integrity)

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               NameRewriter nameRewriter,
                               int levels,
                               boolean encoded,
                               Encoding hashEncoding,
                               Charset hashCharset,
                               SecretKey secretKey)

Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.

Parameters:

root - the root path of the identity store

nameRewriter - the name rewriter to apply to looked up names

levels - the number of levels of directory hashing to apply

encoded - whether identity names should be BASE32 encoded before using as filename

hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default.

hashEncoding - the string format for the hashed passwords. Uses Base64 by default.

secretKey - the SecretKey used to encrypt and decrypt the security realm (if null, the security realm will be unencrypted)

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               NameRewriter nameRewriter,
                               int levels,
                               boolean encoded,
                               Encoding hashEncoding,
                               Charset hashCharset)

Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.

Parameters:

root - the root path of the identity store

nameRewriter - the name rewriter to apply to looked up names

levels - the number of levels of directory hashing to apply

encoded - whether identity names should be BASE32 encoded before using as filename

hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default.

hashEncoding - the string format for the hashed passwords. Uses Base64 by default.

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               NameRewriter nameRewriter,
                               int levels,
                               boolean encoded)

Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.

Parameters:

root - the root path of the identity store

nameRewriter - the name rewriter to apply to looked up names

levels - the number of levels of directory hashing to apply

encoded - whether identity names should by BASE32 encoded before using as filename

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               NameRewriter nameRewriter,
                               int levels)

Construct a new instance.

Parameters:

root - the root path of the identity store

nameRewriter - the name rewriter to apply to looked up names

levels - the number of levels of directory hashing to apply

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               NameRewriter nameRewriter,
                               int levels,
                               Encoding hashEncoding,
                               Charset hashCharset)

Construct a new instance.

Parameters:

root - the root path of the identity store

nameRewriter - the name rewriter to apply to looked up names

levels - the number of levels of directory hashing to apply

hashEncoding - the string format for hashed passwords. Uses Base64 by default.

hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default and must not be null.

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               int levels)

Construct a new instance.

Parameters:

root - the root path of the identity store

levels - the number of levels of directory hashing to apply

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               int levels,
                               Encoding hashEncoding,
                               Charset hashCharset)

Construct a new instance.

Parameters:

root - the root path of the identity store

levels - the number of levels of directory hashing to apply

hashEncoding - the string format for hashed passwords. Uses Base64 by default.

hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default and must not be null.

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root)

Construct a new instance with 2 levels of hashing.

Parameters:

root - the root path of the identity store

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               Encoding hashEncoding,
                               Charset hashCharset)

Construct a new instance with 2 levels of hashing.

Parameters:

root - the root path of the identity store

hashEncoding - the string format for hashed passwords. Uses Base64 by default.

hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default and must not be null

FileSystemSecurityRealm

public FileSystemSecurityRealm(Path root,
                               int levels,
                               Supplier<Provider[]> providers)

Method Detail

builder

public static FileSystemSecurityRealmBuilder builder()

Construct a new instance of the FileSystemSecurityRealmBuilder.

Returns:

the new FileSystemSecurityRealmBuilder instance

hasIntegrityEnabled

public boolean hasIntegrityEnabled()

Checks if the FileSystemSecurityRealm has Integrity checking enabled

Returns:

true if Integrity checking is enabled, and false otherwise

pathFor

private Path pathFor(String name)

getHashCharset

public Charset getHashCharset()

nameFor

private String nameFor(Path path)

getRealmIdentity

public RealmIdentity getRealmIdentity(Principal principal)

Description copied from interface: SecurityRealm

Get a handle for to the identity for the given principal in the context of this security realm. Any validation / name mapping is an implementation detail for the realm. The identity may or may not exist. The returned handle must be cleaned up by a call to RealmIdentity.dispose().

Specified by:

getRealmIdentity in interface SecurityRealm

Parameters:

principal - the principal which identifies the identity within the realm (must not be null)

Returns:

the RealmIdentity for the provided principal (not null)

getRealmIdentityForUpdate

public ModifiableRealmIdentity getRealmIdentityForUpdate(Principal principal)

Description copied from interface: ModifiableSecurityRealm

Get an update handle for to the identity for the given principal in the context of this security realm. Any validation / name mapping is an implementation detail for the realm. The identity may or may not exist. The returned handle must be cleaned up by a call to RealmIdentity.dispose(). During the lifespan of a ModifiableRealmIdentity, no other updates or authentications may take place for the corresponding realm identity, thus care should be taken to minimize the duration of the identity's lifespan.

If there is not enough information to locate an identity compatible with this realm, ModifiableRealmIdentity.NON_EXISTENT may be returned.

Specified by:

getRealmIdentityForUpdate in interface ModifiableSecurityRealm

Parameters:

principal - the principal to use to locate the ModifiableRealmIdentity handle (must not be null)

Returns:

the ModifiableRealmIdentity for the provided information (not null)

registerIdentityChangeListener

public void registerIdentityChangeListener(Consumer<Principal> listener)

Description copied from interface: CacheableSecurityRealm

Register a listener that should be invoked by this realm in order to notify the caching layer about changes to a specific identity.

Specified by:

registerIdentityChangeListener in interface CacheableSecurityRealm

Parameters:

listener - the listener

getRealmIdentity

private ModifiableRealmIdentity getRealmIdentity(String name,
                                                 boolean exclusive)

getRealmIdentityIterator

public ModifiableRealmIdentityIterator getRealmIdentityIterator()
                                                         throws RealmUnavailableException

Description copied from interface: ModifiableSecurityRealm

Get an iterator over all of this realm's identities.

Specified by:

getRealmIdentityIterator in interface ModifiableSecurityRealm

Returns:

the identity iterator

Throws:

RealmUnavailableException - if the realm fails for some reason

subIterator

private ModifiableRealmIdentityIterator subIterator(Path root,
                                                    int levels)

getCredentialAcquireSupport

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
                                                String algorithmName,
                                                AlgorithmParameterSpec parameterSpec)
                                         throws RealmUnavailableException

Description copied from interface: SecurityRealm

Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for] some identities), or definitely not obtainable.

Specified by:

getCredentialAcquireSupport in interface SecurityRealm

Parameters:

credentialType - the exact credential type (must not be null)

algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names

parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters

Returns:

the level of support for this credential

Throws:

RealmUnavailableException - if the realm is not able to handle requests for any reason

getEvidenceVerifySupport

public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
                                             String algorithmName)
                                      throws RealmUnavailableException

Description copied from interface: SecurityRealm

Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable.

Specified by:

getEvidenceVerifySupport in interface SecurityRealm

Parameters:

evidenceType - the type of evidence to be verified (must not be null)

algorithmName - the algorithm name, or null if any algorithm is acceptable or the evidence type does not support algorithm names

Returns:

the level of support for this evidence type

Throws:

RealmUnavailableException - if the realm is not able to handle requests for any reason

getRealmIdentityLockForName

private IdentitySharedExclusiveLock getRealmIdentityLockForName(String name)

updateRealmKeyPair

public void updateRealmKeyPair()
                        throws RealmUnavailableException

Re-generate the signatures for all the identities in this realm. This method is intended to be called after updating the key pair used by this realm.

Throws:

RealmUnavailableException - if the realm is not able to handle requests for any reason

verifyRealmIntegrity

public FileSystemSecurityRealm.IntegrityResult verifyRealmIntegrity()
                                                             throws RealmUnavailableException

Verify the integrity of each identity file in this realm.

Returns:

true if the integrity of all the identity files in the realm is successfully verified and false otherwise

Throws:

RealmUnavailableException