Class AuthContext
- All Implemented Interfaces:
Serializable
AuthContext
provides the implementation for
authenticating users.
A typical caller instantiates this class and starts the login process.
The caller then obtains an array of Callback
objects,
which contains the information required by the authentication plug-in
module. The caller requests information from the user. On receiving
the information from the user, the caller submits the same to this class.
While more information is required, the above process continues until all
the information required by the plug-ins/authentication modules, has
been supplied. The caller then checks if the user has successfully
been authenticated. If successfully authenticated, the caller can
then get the Subject
and SSOToken
for the user;
if not successfully authenticated, the caller obtains the
AuthLoginException
.
The implementation supports authenticating users either locally i.e., in process with all authentication modules configured or remotely to an authentication service/framework. (See documentation to configure in either of the modes).
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
The classIndexType
defines the possible kinds of "objects" or "resources" for which an authentication can be performed.static class
The classStatus
defines the possible authentication states during the login process. -
Constructor Summary
ConstructorDescriptionAuthContext
(SSOToken ssoToken) Constructs an instance ofAuthContext
for a given organization name, or sub organization name contained in the single sign on token.AuthContext
(SSOToken ssoToken, boolean forceAuth) Constructs an instance ofAuthContext
for a given organization name, or sub organization name contained in the single sign on token.AuthContext
(String orgName) Constructs an instance ofAuthContext
for a given organization name or sub organization name.AuthContext
(String orgName, URL url) Constructs an instance ofAuthContext
for a given organization name, or sub organization name and the OpenAM server URL. -
Method Summary
Modifier and TypeMethodDescriptionvoid
abort()
Terminates an ongoinglogin
call that has not yet completed.Returns the client's hostname or IP address as set by setClientHostNameReturns login exception, if any, during the authentication process.Returns authentication module/s instances (or plugins) configured for a organization, or sub-organization name that was set during theAuthContext
constructor.Returns the the organization name that was set during theAuthContext
constructor.Callback[]
Returns an array ofCallback
objects that must be populated by the user and returned back.Callback[]
getRequirements
(boolean noFilter) Returns an array ofCallback
objects that must be populated by the user and returned back.Returns the Single-Sign-On (SSO) Token for the authenticated user.Returns the current status of the authentication process asAuthContext.Status
.Returns the set of Principals or Subject the user has been authenticated as.boolean
Returnstrue
if the login process requires more information from the user to complete the authentication.boolean
hasMoreRequirements
(boolean noFilter) Returnstrue
if the login process requires more information from the user to complete the authentication.void
login()
Starts the login process for the givenAuthContext
object.void
login
(AuthContext.IndexType type, String indexName) Starts the login process for the givenAuthContext
object identified by the index type and index name.void
login
(AuthContext.IndexType indexType, String indexName, String[] params) Starts the login process for the givenAuthContext
object identified by the index type and index name with default parameters.void
login
(AuthContext.IndexType indexType, String indexName, String[] params, Map envMap) Starts the login process for the givenAuthContext
object identified by the index type and index name with certain parameters and environment map.void
login
(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Starts the login process for the givenAuthContext
object.void
logout()
Logs out the user and also invalidates the single sign on token associated with thisAuthContext
.void
Logs out the user and also invalidates the single sign on token associated with thisAuthContext
.void
setClientHostName
(String hostname) Sets the client's hostname or IP address.This could be used by the policy component to restrict access to resources.void
submitRequirements
(Callback[] info) Submits the populatedCallback
objects to the authentication plug-in modules.
-
Constructor Details
-
AuthContext
Constructs an instance ofAuthContext
for a given organization name or sub organization name. This organization or sub-organization name must be either "/" separated ( where it starts with "/" ) , DN , Domain name or DNS Alias Name.Caller would then use
login
to start the authentication process and usegetRequirements()
andsubmitRequirements()
to pass the credentials needed for authentication by the plugin authentication modules. The methodgetStatus()
returns the authentication status.- Parameters:
orgName
- Name of the user's organization.- Throws:
AuthLoginException
- ifAuthContext
creation fails. This exception is kept for backward compatibility only.
-
AuthContext
Constructs an instance ofAuthContext
for a given organization name, or sub organization name and the OpenAM server URL. This organization or sub-organization name must be either "/" separated ( where it starts with "/" ) , DN , Domain name or DNS Alias Name. And theurl
should specify the OpenAM server's protocol, host name, and port number, for example :http://daye.red.iplanet.com:58080
Caller would then uselogin
to start the authentication process and usegetRequirements()
andsubmitRequirements()
to pass the credentials needed for authentication by the plugin authentication modules. The methodgetStatus()
returns the authentication status.- Parameters:
orgName
- name of the user's organizationurl
- URL of the OpenAm instance to talk to- Throws:
AuthLoginException
- ifAuthContext
creation fails. This exception is kept for backward compatibility only.
-
AuthContext
Constructs an instance ofAuthContext
for a given organization name, or sub organization name contained in the single sign on token. This constructor should be called for re-authentication of an authenticated user. single sign on token is the authenticated resource's Single-Sign-On Token. If the session properties based on the login method used matches those in the user's new authenticated session then session upgrade will be done. A new session containing properties from both old single sign on token and new session shall be returned and old session will be destroyed if authentication passes. Caller would then uselogin
to start the authentication process and usegetRequirements()
andsubmitRequirements()
to pass the credentials needed for authentication by the plugin authentication modules. The methodgetStatus()
returns the authentication status.- Parameters:
ssoToken
- single sign on token representing the resource's previous authenticated session.- Throws:
AuthLoginException
- ifAuthContext
creation fails. This exception is kept for backward compatibility only.
-
AuthContext
Constructs an instance ofAuthContext
for a given organization name, or sub organization name contained in the single sign on token. This constructor should be called for re-authentication of an authenticated user. single sign on token is the authenticated resource's Single-Sign-On Token. If the session properties based on the login method used matches those in the user's new authenticated session then session upgrade will be done. If forceAuth flag istrue
then the existing session is used and no new session is created otherwise this constructor behaves same as the constructor with no forceAuth flag. Caller would then uselogin
to start the authentication process and usegetRequirements()
andsubmitRequirements()
to pass the credentials needed for authentication by the plugin authentication modules. The methodgetStatus()
returns the authentication status.- Parameters:
ssoToken
- single sign on token representing the resource's previous authenticated session.forceAuth
- indicates that authentication preocess has to be restarted and given single sign on token will be used and new session will not be created.- Throws:
AuthLoginException
- ifAuthContext
creation fails. This exception is kept for backward compatibility only.
-
-
Method Details
-
login
Starts the login process for the givenAuthContext
object.- Throws:
AuthLoginException
- if an error occurred during login.
-
login
@Supported public void login(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthLoginException Starts the login process for the givenAuthContext
object.- Parameters:
request
- The HttpServletRequest that was sent to start the authentication process.response
- The corresponding HttpServletResponse for the HttpServletRequest.- Throws:
AuthLoginException
- If an error occurred during login.
-
login
@Supported public void login(AuthContext.IndexType type, String indexName) throws AuthLoginException Starts the login process for the givenAuthContext
object identified by the index type and index name. TheIndexType
defines the possible kinds of "objects" or "resources" for which an authentication can be performed. Currently supported index types are users, roles, services (or application), levels, resources and mechanism/authentication modules.- Parameters:
type
- Authentication index type.indexName
- Authentication index name.- Throws:
AuthLoginException
- if an error occurred during login.
-
login
@Supported public void login(AuthContext.IndexType indexType, String indexName, String[] params) throws AuthLoginException Starts the login process for the givenAuthContext
object identified by the index type and index name with default parameters. TheIndexType
defines the possible kinds of "objects" or "resources" for which an authentication can be performed. Currently supported index types are users, roles, services (or application), levels, resources and mechanism/authentication modules.- Parameters:
indexType
- authentication index type.indexName
- authentication index name.params
- contains the default values for the callbacks. The order of this array matches the callbacks order for this login process. value for thePasswordCallback
is also in String format, it will be converted tochar[]
when it is set to the callback. Internal processing for this string array uses|
as separator. Hence|
should not be used in these default values. Currently onlyNameCallback
andPasswordCallback
are supported.- Throws:
AuthLoginException
- if an error occurred during login.
-
login
@Supported public void login(AuthContext.IndexType indexType, String indexName, String[] params, Map envMap) throws AuthLoginException Starts the login process for the givenAuthContext
object identified by the index type and index name with certain parameters and environment map. TheIndexType
defines the possible kinds of "objects" or "resources" for which an authentication can be performed. Currently supported index types are users, roles, services (or application), levels, modules and resources.- Parameters:
indexType
- authentication index type.indexName
- authentication index name.params
- contains the default values for the callbacks. The order of this array matches the callbacks order for this login process. value for thePasswordCallback
is also in String format, it will be converted tochar[]
when it is set to the callback. Internal processing for this string array uses|
as separator. Hence|
should not be used in these default values. Currently onlyNameCallback
andPasswordCallback
are supported.envMap
- contains the environment key/value pairs. Key is a String object indicating the property name, value is a Set of String values for the property. Currenty this parameter only applicable when the indexTye isAuthContext.IndexType.RESOURCE
.- Throws:
AuthLoginException
- if an error occurred during login.
-
getSubject
Returns the set of Principals or Subject the user has been authenticated as. This should be invoked only after successful authentication.- Returns:
Subject
for the authenticated User. If the authentication fails or the authentication is in process, this will returnnull
.
-
hasMoreRequirements
Returnstrue
if the login process requires more information from the user to complete the authentication.NOTE: This method has to be called as a condition of a
while
loop in order to complete the authentication process and get the correctStatus
after submitting the requirements.- Returns:
true
if more credentials are required from the user.
-
hasMoreRequirements
Returnstrue
if the login process requires more information from the user to complete the authentication. NOTE: This method has to be called as a condition of awhile
loop in order to complete the authentication process and get the correctStatus
after submitting the requirements.- Parameters:
noFilter
- flag indicates whether to filterPagePropertiesCallback
or not. Valuetrue
will not filterPagePropertiesCallback
.- Returns:
true
if more credentials are required from the user.
-
getRequirements
Returns an array ofCallback
objects that must be populated by the user and returned back. These objects are requested by the authentication plug-ins, and these are usually displayed to the user. The user then provides the requested information for it to be authenticated.- Returns:
- an array of
Callback
objects requesting credentials from user
-
getRequirements
Returns an array ofCallback
objects that must be populated by the user and returned back. These objects are requested by the authentication plug-ins, and these are usually displayed to the user. The user then provides the requested information for it to be authenticated.- Parameters:
noFilter
- boolean flag indicating whether to filterPagePropertiesCallback
or not. Valuetrue
will not filterPagePropertiesCallback
.- Returns:
- an array of
Callback
objects requesting credentials from user
-
submitRequirements
Submits the populatedCallback
objects to the authentication plug-in modules. Called aftergetRequirements
method and obtaining user's response to these requests.- Parameters:
info
- Array ofCallback
objects.
-
logout
Logs out the user and also invalidates the single sign on token associated with thisAuthContext
.- Throws:
AuthLoginException
- if an error occurred during logout.
-
logoutUsingTokenID
Logs out the user and also invalidates the single sign on token associated with thisAuthContext
. This method causes the logout to happen on the server and the correct SPI hooks to be called.- Throws:
AuthLoginException
- if an error occurred during logout.
-
getLoginException
Returns login exception, if any, during the authentication process. Typically set when the login fails.- Returns:
- login exception.
-
getSSOToken
Returns the Single-Sign-On (SSO) Token for the authenticated user. If the user has not successfully authenticatedException
will be thrown.Single sign token can be used as the authenticated token.
- Returns:
- Single-Sign-On token for the valid user after successful authentication.
- Throws:
com.sun.identity.shared.locale.L10NMessageImpl
- if the user is not authenticated or an error is encountered in retrieving the user's single sign on token.
-
getStatus
Returns the current status of the authentication process asAuthContext.Status
.- Returns:
Status
of the authentication process.
-
getOrganizationName
Returns the the organization name that was set during theAuthContext
constructor.- Returns:
- Organization name in the
AuthContext
.
-
getModuleInstanceNames
Returns authentication module/s instances (or plugins) configured for a organization, or sub-organization name that was set during theAuthContext
constructor.- Returns:
- Set of Module instance names.
-
abort
Terminates an ongoinglogin
call that has not yet completed.- Throws:
AuthLoginException
- if an error occurred during abort.
-
setClientHostName
Sets the client's hostname or IP address.This could be used by the policy component to restrict access to resources. This method is ineffective if the "Remote Auth Security" option under the global configuration of Core Authentication Service is not enabled. This method must be called before callinglogin
method. If it is called after callinglogin
then it is ineffective.- Parameters:
hostname
- hostname or ip address
-
getClientHostName
Returns the client's hostname or IP address as set by setClientHostName- Returns:
- hostname/IP address
-