public interface IdentityStore

IdentityStore is a mechanism for validating a caller's credentials and accessing a caller's identity attributes. It can be used by an authentication mechanism, such as a Jakarta Security HttpAuthenticationMechanism or a Jakarta Authentication ServerAuthModule.

Stores which do only validation or only group lookup are allowed.

An IdentityStore obtains identity data from a persistent store, such as a database, LDAP server, or file.
Nested Class Summary

Modifier and Type | Class and Description
---|---
static class | IdentityStore.ValidationType: Determines the type of validation (operations) that should be done by this store.
Field Summary

Modifier and Type | Field and Description
---|---
static java.util.Set<IdentityStore.ValidationType> | DEFAULT_VALIDATION_TYPES: Default set of validation types.
Method Summary

Modifier and Type | Method and Description
---|---
default java.util.Set<java.lang.String> | getCallerGroups(CredentialValidationResult validationResult): Returns groups for the caller, who is identified by the CallerPrincipal (and potentially other values) found in the validationResult parameter.
default int | priority(): Determines the order of invocation for multiple IdentityStores.
default CredentialValidationResult | validate(Credential credential): Validates the given credential.
default java.util.Set<IdentityStore.ValidationType> | validationTypes(): Determines the type of validation the IdentityStore should be used for.
Field Detail

static final java.util.Set<IdentityStore.ValidationType> DEFAULT_VALIDATION_TYPES

Default set of validation types: VALIDATE and PROVIDE_GROUPS.

Method Detail

default CredentialValidationResult validate(Credential credential)

Validates the given credential.

As a convenience, a default implementation is provided that looks up an overload of this method that has, as its one and only parameter, a subclass of Credential. Here is an example of what an implementation of this interface looks like with such an overloaded method:

```java
public class ExampleIdentityStore implements IdentityStore {

    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
        // Implementation ...
        return INVALID_RESULT;
    }

}
```

Note that the overloaded method is only called when the actual type passed into this method exactly matches the parameter type of the overloaded method. No attempt is made to find the most specific overloaded method as specified in JLS 15.2; when no exactly matching overload exists, the default implementation returns NOT_VALIDATED_RESULT.

This method returns a CredentialValidationResult representing the result of the validation attempt: whether it succeeded or failed, and, for a successful validation, the CallerPrincipal, and possibly groups or other attributes, of the caller.

Parameters:
credential - The credential to validate.

default java.util.Set<java.lang.String> getCallerGroups(CredentialValidationResult validationResult)
Returns groups for the caller, who is identified by the CallerPrincipal (and potentially other values) found in the validationResult parameter.

Callers (i.e., IdentityStoreHandlers) should have IdentityStorePermission permission to invoke this method. Implementations should check for this permission before doing any work:

```java
SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkPermission(new IdentityStorePermission("getGroups"));
}
```

Parameters:
validationResult - The CredentialValidationResult returned by a previous call to validate(Credential).

Returns:
Set of groups found for the caller, if any, or an empty Set otherwise.

Throws:
java.lang.SecurityException - May be thrown if the calling code does not have IdentityStorePermission.
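The following is an added, self-contained example written for this page; it is not part of the Jakarta Security API or its reference implementation. It fills in the ExampleIdentityStore sketch above with a hypothetical in-memory store: the account table, the PBKDF2 parameters and the caller names are constructed for the example, and the PasswordWithOtpCredential subclass exists only to show the exact-type dispatch rule. The store reports INVALID for unknown callers (it did examine the credential), runs the key derivation even when the caller is unknown so response time does not reveal whether a user name exists, compares hashes in constant time, and performs the IdentityStorePermission check in getCallerGroups.

```java
import static jakarta.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStorePermission;

// Hypothetical in-memory store. The class and its validate(UsernamePasswordCredential)
// overload are public so that the default IdentityStore.validate(Credential) can look it up.
public class ExampleIdentityStore implements IdentityStore {

    // Constructed account record: PBKDF2 salt, derived key, and group memberships.
    private record Account(byte[] salt, byte[] hash, Set<String> groups) {}

    private static final int ITERATIONS = 210_000;
    private static final SecureRandom RANDOM = new SecureRandom();
    // Dummy record used for unknown callers so the KDF always runs (timing uniformity).
    private static final Account DUMMY = new Account(new byte[16], new byte[32], Set.of());
    private final Map<String, Account> accounts = new HashMap<>();

    public ExampleIdentityStore() {
        // Constructed sample callers; not taken from any real system.
        addAccount("alice", "correct horse battery staple", Set.of("user", "admin"));
        addAccount("bob", "hunter2", Set.of("user"));
    }

    private void addAccount(String caller, String password, Set<String> groups) {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        accounts.put(caller, new Account(salt, derive(password.toCharArray(), salt), groups));
    }

    private static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Overload invoked by the default validate(Credential) only when the credential's
    // runtime class is exactly UsernamePasswordCredential.
    public CredentialValidationResult validate(UsernamePasswordCredential credential) {
        Account account = accounts.get(credential.getCaller());
        // Unknown caller: derive against the dummy record anyway, then report INVALID.
        // INVALID rather than NOT_VALIDATED, because this store does handle this credential type.
        Account target = account != null ? account : DUMMY;
        byte[] candidate = derive(credential.getPassword().getValue(), target.salt());
        boolean match = MessageDigest.isEqual(candidate, target.hash()); // constant-time compare
        if (account == null || !match) {
            return INVALID_RESULT;
        }
        return new CredentialValidationResult(credential.getCaller(), account.groups());
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        // The permission check the Javadoc asks implementations to perform before doing any work.
        SecurityManager security = System.getSecurityManager();
        if (security != null) {
            security.checkPermission(new IdentityStorePermission("getGroups"));
        }
        Account account = accounts.get(validationResult.getCallerPrincipal().getName());
        return account == null ? Collections.emptySet() : account.groups();
    }

    // Constructed subclass, present only to show that dispatch is by exact runtime type.
    public static class PasswordWithOtpCredential extends UsernamePasswordCredential {
        public PasswordWithOtpCredential(String caller, String password) { super(caller, password); }
    }

    public static void main(String[] args) {
        IdentityStore store = new ExampleIdentityStore();

        Credential good = new UsernamePasswordCredential("alice", "correct horse battery staple");
        CredentialValidationResult result = store.validate(good); // routed to the overload above
        System.out.println(result.getStatus() + " " + store.getCallerGroups(result));

        Credential wrong = new UsernamePasswordCredential("alice", "wrong password");
        System.out.println(store.validate(wrong).getStatus());

        // Same caller and password, but the runtime class is a subclass: no exact overload exists.
        Credential subclass = new PasswordWithOtpCredential("alice", "correct horse battery staple");
        System.out.println(store.validate(subclass).getStatus());
    }
}
```

The third call in main is the practical consequence of the exact-match rule: the subclass instance never reaches validate(UsernamePasswordCredential) and the default method reports NOT_VALIDATED, so a store that must accept several credential classes needs one public overload per concrete class. In a deployment the store would additionally be a CDI bean (for example annotated @ApplicationScoped) so that the container's IdentityStoreHandler discovers it.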
default int priority()

Determines the order of invocation for multiple IdentityStores. Stores with a lower priority value are consulted first.

default java.util.Set<IdentityStore.ValidationType> validationTypes()
Determines the type of validation the IdentityStore should be used for. By default, it is used for credential validation AND providing groups.

Implementations of this API should not return a direct reference to a Set used internally to represent an IdentityStore's validation types, unless it is an immutable Set. Callers of the API should be aware that the returned Set may be immutable, or a copy, and that, in any case, it should not be modified by the caller.

Returns:
Set containing the validation types enabled for the IdentityStore.
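The following is an added example for this page, not code from the Jakarta Security API, showing how priority() and validationTypes() interact when stores are split into a validation-only store and a groups-only store, as the interface description permits. The two stores and their data are constructed; ValidateOnlyStore returns an immutable Set directly, while GroupsOnlyStore keeps a mutable EnumSet and returns a copy, per the guidance above. PriorityOrderedHandler is a simplified illustration written for this example and is not the specification's DefaultIdentityStoreHandler; it only shows that stores are consulted in ascending priority order, that a store lacking VALIDATE is never asked to validate, and that PROVIDE_GROUPS stores are queried for groups once some store has returned VALID.

```java
import static jakarta.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
import static jakarta.security.enterprise.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;
import static jakarta.security.enterprise.identitystore.CredentialValidationResult.Status.INVALID;
import static jakarta.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
import static jakarta.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static jakarta.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;

import java.util.Comparator;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;

public class SplitStoresDemo {

    // Hypothetical store that only validates (think: LDAP bind) and never supplies groups.
    public static class ValidateOnlyStore implements IdentityStore {
        // Immutable set, so returning the internal reference is safe.
        private static final Set<ValidationType> TYPES = Set.of(VALIDATE);

        public CredentialValidationResult validate(UsernamePasswordCredential credential) {
            // Constructed check standing in for a real bind or hash comparison.
            return credential.compareTo("alice", "s3cret")
                ? new CredentialValidationResult("alice") : INVALID_RESULT;
        }
        @Override public Set<ValidationType> validationTypes() { return TYPES; }
        @Override public int priority() { return 10; } // consulted before the groups store
    }

    // Hypothetical store that only supplies groups (think: an authorization database).
    public static class GroupsOnlyStore implements IdentityStore {
        // Mutable internal state: hand out a copy, never the Set itself.
        private final Set<ValidationType> types = EnumSet.of(PROVIDE_GROUPS);

        @Override public Set<String> getCallerGroups(CredentialValidationResult result) {
            return "alice".equals(result.getCallerPrincipal().getName()) ? Set.of("user", "auditor") : Set.of();
        }
        @Override public Set<ValidationType> validationTypes() { return EnumSet.copyOf(types); }
        @Override public int priority() { return 20; }
    }

    // Simplified handler (illustration only, not the specification's DefaultIdentityStoreHandler):
    // consult VALIDATE stores in priority order until one returns VALID, then merge groups from
    // that result and from every PROVIDE_GROUPS store.
    public static class PriorityOrderedHandler implements IdentityStoreHandler {
        private final List<IdentityStore> stores;

        public PriorityOrderedHandler(List<IdentityStore> unordered) {
            this.stores = unordered.stream().sorted(Comparator.comparingInt(IdentityStore::priority)).toList();
        }

        @Override
        public CredentialValidationResult validate(Credential credential) {
            CredentialValidationResult outcome = NOT_VALIDATED_RESULT;
            for (IdentityStore store : stores) {
                if (!store.validationTypes().contains(VALIDATE)) {
                    continue; // a PROVIDE_GROUPS-only store is never asked to validate
                }
                CredentialValidationResult r = store.validate(credential);
                if (r.getStatus() == VALID) {
                    outcome = r;
                    break;
                }
                if (r.getStatus() == INVALID) {
                    outcome = r; // remember the rejection but let lower-priority stores try
                }
            }
            if (outcome.getStatus() != VALID) {
                return outcome;
            }
            Set<String> groups = new HashSet<>();
            if (outcome.getCallerGroups() != null) {
                groups.addAll(outcome.getCallerGroups());
            }
            for (IdentityStore store : stores) {
                if (store.validationTypes().contains(PROVIDE_GROUPS)) {
                    groups.addAll(store.getCallerGroups(outcome));
                }
            }
            return new CredentialValidationResult(outcome.getCallerPrincipal(), groups);
        }
    }

    public static void main(String[] args) {
        // Registration order is irrelevant; priority() decides the consultation order.
        IdentityStoreHandler handler =
            new PriorityOrderedHandler(List.of(new GroupsOnlyStore(), new ValidateOnlyStore()));

        CredentialValidationResult ok = handler.validate(new UsernamePasswordCredential("alice", "s3cret"));
        System.out.println(ok.getStatus() + " " + ok.getCallerPrincipal().getName() + " " + ok.getCallerGroups());

        CredentialValidationResult rejected = handler.validate(new UsernamePasswordCredential("alice", "nope"));
        System.out.println(rejected.getStatus());
    }
}
```

GroupsOnlyStore never overrides validate, so even if a handler asked it to validate, the default method would find no overload and return NOT_VALIDATED_RESULT; declaring only PROVIDE_GROUPS in validationTypes() makes that intent explicit and keeps the handler from calling it at all.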