public interface AuthenticationMechanism
The implementation of this interface are assumed to be stateless, if there is a need to share state between the authenticate and handleComplete calls then it should be held in the HttpServerExchange.
As an in-bound request is received the authenticate method is called on each mechanism in turn until one of the following occurs: - - A mechanism successfully authenticates the incoming request. - A mechanism attempts but fails to authenticate the request. - The list of mechanisms is exhausted.
This means that if the authenticate method is called on a mechanism it should assume it is required to check if it can actually authenticate the incoming request, anything that would prevent it from performing the check would have already stopped the authenticate method from being called.
Authentication is allowed to proceed if either authentication was required AND one handler authenticated the request or it is allowed to proceed if it is not required AND no handler failed to authenticate the request.
The handleComplete methods are used as the request processing is returning up the chain, primarily these are used to challenge the client to authenticate but where supported by the mechanism they could also be used to send mechanism specific updates back with a request.
If a mechanism successfully authenticated the incoming request then only the handleComplete method on that mechanism is called.
If any mechanism failed or if authentication was required and no mechanism succeeded in authenticating the request then handleComplete will be called for all mechanisms.
Finally if authentication was not required handleComplete will not be called for any of the mechanisms.
The mechanisms will need to double check why handleComplete is being called, if the request was authenticated then they should do nothing unless the mechanism has intermediate state to send back. If the request was not authenticated then a challenge should be sent.
Modifier and Type | Interface and Description |
---|---|
static class | AuthenticationMechanism.AuthenticationMechanismOutcome The AuthenticationOutcome is used by an AuthenticationMechanism to indicate the outcome of the call to authenticate, the overall authentication process will then used this along with the current AuthenticationState to decide how to proceed with the current request. |
static class | AuthenticationMechanism.ChallengeResult Simple class to wrap the result of requesting a mechanism sends it's challenge. |
Modifier and Type | Method and Description |
---|---|
AuthenticationMechanism.AuthenticationMechanismOutcome | authenticate(HttpServerExchange exchange, SecurityContext securityContext) Perform authentication of the request. |
AuthenticationMechanism.ChallengeResult | sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) Send an authentication challenge to the remote client. |
AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext)
exchange
- The exchangeAuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext)
The individual mechanisms should update the response headers and body of the message as appropriate however they should not set the response code, instead that should be indicated in the AuthenticationMechanism.ChallengeResult
and the most appropriate overall response code will be selected.
exchange
- The exchangesecurityContext
- The security contextAuthenticationMechanism.ChallengeResult
indicating if a challenge was sent and the desired response code.Copyright © 2015 JBoss by Red Hat. All rights reserved.