Package org.wildfly.security.auth.server

Class SecurityDomain

java.lang.Object

org.wildfly.security.auth.server.SecurityDomain

public final class SecurityDomain
extends Object

A security domain. Security domains encapsulate a set of security policies.

Author:

David M. Lloyd, Darran Lofthouse

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	SecurityDomain.Builder	A builder for creating new security domains.
static class	SecurityDomain.RealmBuilder	A builder for a realm within a security domain.
private static class	SecurityDomain.ScheduledExecutorServiceProvider

Field Summary

Fields

Modifier and Type	Field	Description
private SecurityIdentity	anonymousIdentity
(package private) static ElytronPermission	AUTHENTICATE
private Map<String,RoleMapper>	categoryRoleMappers
private static ConcurrentHashMap<ClassLoader,SecurityDomain>	CLASS_LOADER_DOMAIN_MAP
(package private) static ElytronPermission	CREATE_AD_HOC_IDENTITY
(package private) static ElytronPermission	CREATE_AUTH_CONTEXT
(package private) static ElytronPermission	CREATE_SECURITY_DOMAIN
private ThreadLocal<Supplier<SecurityIdentity>>	currentSecurityIdentity
private String	defaultRealmName
private static RealmInfo	EMPTY_REALM_INFO
private Function<Evidence,Principal>	evidenceDecoder
(package private) static ElytronPermission	GET_IDENTITY
(package private) static ElytronPermission	GET_IDENTITY_FOR_UPDATE
(package private) static ElytronPermission	GET_SECURITY_DOMAIN
(package private) static ElytronPermission	HANDLE_SECURITY_EVENT
private PermissionMapper	permissionMapper
private Function<Principal,Principal>	postRealmPrincipalRewriter
private Function<Principal,Principal>	preRealmPrincipalRewriter
private Map<String,RealmInfo>	realmMap
private RealmMapper	realmMapper
(package private) static ElytronPermission	REGISTER_SECURITY_DOMAIN
private RoleDecoder	roleDecoder
private RoleMapper	roleMapper
private Consumer<SecurityEvent>	securityEventListener
private UnaryOperator<SecurityIdentity>	securityIdentityTransformer
private Predicate<SecurityDomain>	trustedSecurityDomain
(package private) static ElytronPermission	UNREGISTER_SECURITY_DOMAIN

Constructor Summary

Constructors

Constructor	Description
SecurityDomain(SecurityDomain.Builder builder, LinkedHashMap<String,RealmInfo> realmMap)

Method Summary

Modifier and Type	Method	Description
SecurityIdentity	authenticate(String name, Evidence evidence)	Perform an authentication based on Evidence for the specified identity name.
SecurityIdentity	authenticate(Principal principal, Evidence evidence)	Perform an authentication based on Evidence for the specified identity Principal.
SecurityIdentity	authenticate(Evidence evidence)	Perform an authentication based on Evidence alone.
static SecurityDomain.Builder	builder()	Create a new security domain builder.
SecurityIdentity	createAdHocIdentity(String name)	Create an empty ad-hoc identity.
SecurityIdentity	createAdHocIdentity(Principal principal)	Create an empty ad-hoc identity.
ServerAuthenticationContext	createNewAuthenticationContext()	Create a new authentication context for this security domain which can be used to carry out a single authentication operation.
ServerAuthenticationContext	createNewAuthenticationContext(MechanismConfigurationSelector mechanismConfigurationSelector)	Create a new authentication context for this security domain which can be used to carry out a single authentication operation.
(package private) ServerAuthenticationContext	createNewAuthenticationContext(SecurityIdentity capturedIdentity, MechanismConfigurationSelector mechanismConfigurationSelector)
static SecurityDomain	forIdentity(SecurityIdentity identity)	Get the security domain associated with the given identity.
(package private) Supplier<SecurityIdentity>	getAndSetCurrentSecurityIdentity(Supplier<SecurityIdentity> newIdentity)
SecurityIdentity	getAnonymousSecurityIdentity()	Get the anonymous security identity for this realm.
(package private) Map<String,RoleMapper>	getCategoryRoleMappers()
SupportLevel	getCredentialAcquireSupport(Class<? extends Credential> credentialType)	Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable.
SupportLevel	getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName)	Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable.
SupportLevel	getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec)	Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable.
static SecurityDomain	getCurrent()	Get the SecurityDomain associated with the context class loader of the calling Thread or null if one is not associated.
SecurityIdentity	getCurrentSecurityIdentity()	Get the current security identity for this domain.
(package private) String	getDefaultRealmName()
(package private) Function<Evidence,Principal>	getEvidenceDecoder()
SupportLevel	getEvidenceVerifySupport(Class<? extends Evidence> evidenceType)	Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable.
SupportLevel	getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName)	Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable.
RealmIdentity	getIdentity(String name)	Look up a RealmIdentity by name by wrapping the name in a NamePrincipal and calling getIdentity(Principal).
RealmIdentity	getIdentity(Principal principal)	Look up a RealmIdentity by principal.
ModifiableRealmIdentity	getIdentityForUpdate(Principal principal)	Look up a ModifiableRealmIdentity by principal.
org.wildfly.common.function.ExceptionFunction<Principal,ModifiableRealmIdentity,RealmUnavailableException>	getIdentityLookupForUpdateFunction()	Get a function which can be used to look up principals for update without a security manager permission check.
org.wildfly.common.function.ExceptionFunction<Principal,RealmIdentity,RealmUnavailableException>	getIdentityLookupFunction()	Get a function which can be used to look up principals without a security manager permission check.
(package private) <I,R extends SecurityRealm> I	getIdentityPrivileged(Principal principal, Class<R> realmType, org.wildfly.common.function.ExceptionBiFunction<R,Principal,I,RealmUnavailableException> fn, Supplier<I> nonExistent, Supplier<I> anonymous)
(package private) Function<Principal,Principal>	getPostRealmRewriter()
(package private) Function<Principal,Principal>	getPreRealmRewriter()
(package private) SecurityRealm	getRealm(String realmName)
(package private) RealmInfo	getRealmInfo(String realmName)
(package private) Collection<RealmInfo>	getRealmInfos()
(package private) RealmMapper	getRealmMapper()
(package private) RoleDecoder	getRoleDecoder()
(package private) RoleMapper	getRoleMapper()
static ScheduledExecutorService	getScheduledExecutorService()	Gets ScheduledExecutorService for authentication related scheduled task (like authentication timeout).
private SupportLevel	getSupportLevel(Function<SecurityRealm,SupportLevel> getSupportLevel)
void	handleSecurityEvent(SecurityEvent securityEvent)	Handle a SecurityEvent.
(package private) PermissionVerifier	mapPermissions(SecurityIdentity securityIdentity)
(package private) String	mapRealmName(Principal principal, Evidence evidence)
(package private) Roles	mapRoles(SecurityIdentity securityIdentity)
private SupportLevel	minMax(SupportLevel min, SupportLevel max)
void	registerWithClassLoader(ClassLoader classLoader)	Register this SecurityDomain with the specified ClassLoader.
(package private) static void	safeHandleSecurityEvent(SecurityDomain domain, SecurityEvent event)
(package private) void	setCurrentSecurityIdentity(Supplier<SecurityIdentity> newIdentity)
(package private) SecurityIdentity	transform(SecurityIdentity securityIdentity)
(package private) boolean	trustsDomain(SecurityDomain domain)
static void	unregisterClassLoader(ClassLoader classLoader)	Unregister any SecurityDomain associated with the specified ClassLoader.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CLASS_LOADER_DOMAIN_MAP

private static final ConcurrentHashMap<ClassLoader,SecurityDomain> CLASS_LOADER_DOMAIN_MAP

EMPTY_REALM_INFO

private static final RealmInfo EMPTY_REALM_INFO

AUTHENTICATE

static final ElytronPermission AUTHENTICATE

CREATE_SECURITY_DOMAIN

static final ElytronPermission CREATE_SECURITY_DOMAIN

REGISTER_SECURITY_DOMAIN

static final ElytronPermission REGISTER_SECURITY_DOMAIN

GET_SECURITY_DOMAIN

static final ElytronPermission GET_SECURITY_DOMAIN

UNREGISTER_SECURITY_DOMAIN

static final ElytronPermission UNREGISTER_SECURITY_DOMAIN

CREATE_AUTH_CONTEXT

static final ElytronPermission CREATE_AUTH_CONTEXT

GET_IDENTITY

static final ElytronPermission GET_IDENTITY

GET_IDENTITY_FOR_UPDATE

static final ElytronPermission GET_IDENTITY_FOR_UPDATE

CREATE_AD_HOC_IDENTITY

static final ElytronPermission CREATE_AD_HOC_IDENTITY

HANDLE_SECURITY_EVENT

static final ElytronPermission HANDLE_SECURITY_EVENT

realmMap

private final Map<String,RealmInfo> realmMap

defaultRealmName

private final String defaultRealmName

preRealmPrincipalRewriter

private final Function<Principal,Principal> preRealmPrincipalRewriter

realmMapper

private final RealmMapper realmMapper

postRealmPrincipalRewriter

private final Function<Principal,Principal> postRealmPrincipalRewriter

currentSecurityIdentity

private final ThreadLocal<Supplier<SecurityIdentity>> currentSecurityIdentity

roleMapper

private final RoleMapper roleMapper

anonymousIdentity

private final SecurityIdentity anonymousIdentity

permissionMapper

private final PermissionMapper permissionMapper

categoryRoleMappers

private final Map<String,RoleMapper> categoryRoleMappers

securityIdentityTransformer

private final UnaryOperator<SecurityIdentity> securityIdentityTransformer

trustedSecurityDomain

private final Predicate<SecurityDomain> trustedSecurityDomain

securityEventListener

private final Consumer<SecurityEvent> securityEventListener

evidenceDecoder

private final Function<Evidence,Principal> evidenceDecoder

roleDecoder

private final RoleDecoder roleDecoder

Constructor Detail

SecurityDomain

SecurityDomain(SecurityDomain.Builder builder,
               LinkedHashMap<String,RealmInfo> realmMap)

Method Detail

registerWithClassLoader

public void registerWithClassLoader(ClassLoader classLoader)

Register this SecurityDomain with the specified ClassLoader. Registration with enabled security manager requires registerSecurityDomain ElytronPermission.

Parameters:

classLoader - the non null ClassLoader to associate this SecurityDomain with.

Throws:

IllegalStateException - If a SecurityDomain is already associated with the specified ClassLoader.

getCurrent

public static SecurityDomain getCurrent()

Get the SecurityDomain associated with the context class loader of the calling Thread or null if one is not associated. Obtaining security domain with enabled security manager requires getSecurityDomain ElytronPermission.

Returns:

the SecurityDomain associated with the context class loader of the calling Thread or null if one is not associated.

forIdentity

public static SecurityDomain forIdentity(SecurityIdentity identity)

Get the security domain associated with the given identity. Obtaining security domain with enabled security manager requires getSecurityDomain ElytronPermission.

Parameters:

identity - the security identity (must not be null)

Returns:

the identity's security domain (not null)

unregisterClassLoader

public static void unregisterClassLoader(ClassLoader classLoader)

Unregister any SecurityDomain associated with the specified ClassLoader. Unregistration with enabled security manager requires unregisterSecurityDomain ElytronPermission.

Parameters:

classLoader - the non null ClassLoader to clear any SecurityDomain association.

builder

public static SecurityDomain.Builder builder()

Create a new security domain builder.

Returns:

the builder

createNewAuthenticationContext

public ServerAuthenticationContext createNewAuthenticationContext()

Create a new authentication context for this security domain which can be used to carry out a single authentication operation. Calling with enabled security manager requires createServerAuthenticationContext ElytronPermission.

Returns:

the new authentication context

createNewAuthenticationContext

public ServerAuthenticationContext createNewAuthenticationContext(MechanismConfigurationSelector mechanismConfigurationSelector)

Create a new authentication context for this security domain which can be used to carry out a single authentication operation. Calling with enabled security manager requires createServerAuthenticationContext ElytronPermission.

Parameters:

mechanismConfigurationSelector - the selector to use to obtain the mechanism configuration

Returns:

the new authentication context

createNewAuthenticationContext

ServerAuthenticationContext createNewAuthenticationContext(SecurityIdentity capturedIdentity,
                                                           MechanismConfigurationSelector mechanismConfigurationSelector)

authenticate

public SecurityIdentity authenticate(Evidence evidence)
                              throws RealmUnavailableException,
                                     SecurityException

Perform an authentication based on Evidence alone. Note: It is the caller's responsibility to destroy any evidence passed into this method.

Parameters:

evidence - the Evidence to use for authentication.

Returns:

the authenticated identity.

Throws:

RealmUnavailableException - if the requires SecurityRealm is not available.

SecurityException - if authentication fails.

authenticate

public SecurityIdentity authenticate(String name,
                                     Evidence evidence)
                              throws RealmUnavailableException,
                                     SecurityException

Perform an authentication based on Evidence for the specified identity name. Note: It is the caller's responsibility to destroy any evidence passed into this method.

Parameters:

name - the name of the identity to authenticate or null if the identity is to be derived from the evidence.

evidence - the Evidence to use for authentication.

Returns:

the authenticated identity.

Throws:

RealmUnavailableException - if the requires SecurityRealm is not available.

SecurityException - if authentication fails.

authenticate

public SecurityIdentity authenticate(Principal principal,
                                     Evidence evidence)
                              throws RealmUnavailableException,
                                     SecurityException

Perform an authentication based on Evidence for the specified identity Principal. Note: It is the caller's responsibility to destroy any evidence passed into this method. Calling with enabled security manager requires authenticate ElytronPermission.

Parameters:

principal - the principal of the identity to authenticate or null if the identity is to be derived from the evidence.

evidence - the Evidence to use for authentication.

Returns:

the authenticated identity.

Throws:

RealmUnavailableException - if the requires SecurityRealm is not available.

SecurityException - if authentication fails.

getIdentity

public RealmIdentity getIdentity(String name)
                          throws RealmUnavailableException

Look up a RealmIdentity by name by wrapping the name in a NamePrincipal and calling getIdentity(Principal). The returned identity must be disposed.

Parameters:

name - the name to map (must not be null)

Returns:

the identity for the name (not null, may be non-existent)

Throws:

RealmUnavailableException - if the realm is not able to perform the mapping

IllegalArgumentException - if the name is not valid

SecurityException - if the caller is not authorized to perform the operation

getIdentity

public RealmIdentity getIdentity(Principal principal)
                          throws RealmUnavailableException,
                                 IllegalArgumentException

Look up a RealmIdentity by principal. The returned identity must be disposed. Calling with enabled security manager requires getIdentity ElytronPermission.

Parameters:

principal - the principal to map (must not be null)

Returns:

the identity for the name (not null, may be non-existent)

Throws:

IllegalArgumentException - if the principal could not be successfully decoded to a name

RealmUnavailableException - if the realm is not able to perform the mapping

SecurityException - if the caller is not authorized to perform the operation

getIdentityForUpdate

public ModifiableRealmIdentity getIdentityForUpdate(Principal principal)
                                             throws RealmUnavailableException,
                                                    IllegalArgumentException

Look up a ModifiableRealmIdentity by principal. The returned identity must be disposed. Calling with enabled security manager requires getIdentityForUpdate ElytronPermission.

Parameters:

principal - the principal to map (must not be null)

Returns:

the identity for the name (not null, may be non-existent)

Throws:

IllegalArgumentException - if the principal could not be successfully decoded to a name

RealmUnavailableException - if the realm is not able to perform the mapping

SecurityException - if the caller is not authorized to perform the operation

getIdentityLookupFunction

public org.wildfly.common.function.ExceptionFunction<Principal,RealmIdentity,RealmUnavailableException> getIdentityLookupFunction()

Get a function which can be used to look up principals without a security manager permission check. All returned identities must be disposed. Calling with enabled security manager requires getIdentity ElytronPermission.

Returns:

the lookup function (not null)

Throws:

SecurityException - if the caller is not authorized to perform the operation

getIdentityLookupForUpdateFunction

public org.wildfly.common.function.ExceptionFunction<Principal,ModifiableRealmIdentity,RealmUnavailableException> getIdentityLookupForUpdateFunction()

Get a function which can be used to look up principals for update without a security manager permission check. All returned identities must be disposed. Calling with enabled security manager requires getIdentityForUpdate ElytronPermission.

Returns:

the lookup function (not null)

Throws:

SecurityException - if the caller is not authorized to perform the operation

getIdentityPrivileged

<I,R extends SecurityRealm> I getIdentityPrivileged(Principal principal,
                                                          Class<R> realmType,
                                                          org.wildfly.common.function.ExceptionBiFunction<R,Principal,I,RealmUnavailableException> fn,
                                                          Supplier<I> nonExistent,
                                                          Supplier<I> anonymous)
                                                   throws RealmUnavailableException

Throws:

RealmUnavailableException

getRealm

SecurityRealm getRealm(String realmName)

getRealmInfo

RealmInfo getRealmInfo(String realmName)

getRealmInfos

Collection<RealmInfo> getRealmInfos()

getCredentialAcquireSupport

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
                                                String algorithmName,
                                                AlgorithmParameterSpec parameterSpec)

Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable. Credential is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Credential is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.

Parameters:

credentialType - the exact credential type (must not be null)

algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names

parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters

Returns:

the level of support for this credential

getCredentialAcquireSupport

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
                                                String algorithmName)

Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable. Credential is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Credential is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.

Parameters:

credentialType - the exact credential type (must not be null)

algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names

Returns:

the level of support for this credential

getCredentialAcquireSupport

public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType)

Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable. Credential is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Credential is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.

Parameters:

credentialType - the exact credential type (must not be null)

Returns:

the level of support for this credential

getEvidenceVerifySupport

public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
                                             String algorithmName)

Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable. Evidence is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Evidence is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.

Parameters:

evidenceType - the type of evidence to be verified (must not be null)

algorithmName - the algorithm name, or null if any algorithm is acceptable or the evidence type does not support algorithm names

Returns:

the level of support for this evidence type

getEvidenceVerifySupport

public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType)

Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable. Evidence is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Evidence is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.

Parameters:

evidenceType - the type of evidence to be verified (must not be null)

Returns:

the level of support for this evidence type

getSupportLevel

private SupportLevel getSupportLevel(Function<SecurityRealm,SupportLevel> getSupportLevel)

minMax

private SupportLevel minMax(SupportLevel min,
                            SupportLevel max)

getCurrentSecurityIdentity

public SecurityIdentity getCurrentSecurityIdentity()

Get the current security identity for this domain. Code can be executed with given identity using SecurityIdentity.runAs* methods.

Returns:

the current security identity for this domain (not null)

getAnonymousSecurityIdentity

public SecurityIdentity getAnonymousSecurityIdentity()

Get the anonymous security identity for this realm.

Returns:

the anonymous security identity for this realm (not null)

createAdHocIdentity

public SecurityIdentity createAdHocIdentity(String name)

Create an empty ad-hoc identity. The identity will have no authorization information and no credentials associated with it.

Parameters:

name - the identity name (must not be null)

Returns:

the ad-hoc identity

createAdHocIdentity

public SecurityIdentity createAdHocIdentity(Principal principal)

Create an empty ad-hoc identity. The identity will have no authorization information and no credentials associated with it. Calling with enabled security manager requires createAdHocIdentity ElytronPermission.

Parameters:

principal - the identity principal (must not be null)

Returns:

the ad-hoc identity

getAndSetCurrentSecurityIdentity

Supplier<SecurityIdentity> getAndSetCurrentSecurityIdentity(Supplier<SecurityIdentity> newIdentity)

setCurrentSecurityIdentity

void setCurrentSecurityIdentity(Supplier<SecurityIdentity> newIdentity)

mapRoles

Roles mapRoles(SecurityIdentity securityIdentity)

mapPermissions

PermissionVerifier mapPermissions(SecurityIdentity securityIdentity)

getPreRealmRewriter

Function<Principal,Principal> getPreRealmRewriter()

mapRealmName

String mapRealmName(Principal principal,
                    Evidence evidence)

getDefaultRealmName

String getDefaultRealmName()

getRealmMapper

RealmMapper getRealmMapper()

getPostRealmRewriter

Function<Principal,Principal> getPostRealmRewriter()

getRoleMapper

RoleMapper getRoleMapper()

getCategoryRoleMappers

Map<String,RoleMapper> getCategoryRoleMappers()

transform

SecurityIdentity transform(SecurityIdentity securityIdentity)

trustsDomain

boolean trustsDomain(SecurityDomain domain)

handleSecurityEvent

public void handleSecurityEvent(SecurityEvent securityEvent)

Handle a SecurityEvent. Calling with enabled security manager requires handleSecurityEvent ElytronPermission.

Parameters:

securityEvent - SecurityEvent to be handled

See Also:

SecurityDomain.Builder.setSecurityEventListener(Consumer)

safeHandleSecurityEvent

static void safeHandleSecurityEvent(SecurityDomain domain,
                                    SecurityEvent event)

getEvidenceDecoder

Function<Evidence,Principal> getEvidenceDecoder()

getRoleDecoder

RoleDecoder getRoleDecoder()

getScheduledExecutorService

public static ScheduledExecutorService getScheduledExecutorService()

Gets ScheduledExecutorService for authentication related scheduled task (like authentication timeout).

Returns:

the executor service