Class Authorization

java.lang.Object
org.forgerock.opendj.rest2ldap.authz.Authorization

public final class Authorization extends Object
Factory methods to create Filters that perform authentication and authorization.
  • Method Details

    • newAuthorizationFilter

      public static org.forgerock.http.Filter newAuthorizationFilter(Iterable<? extends ConditionalFilters.ConditionalFilter> filters)
      Creates a new Filter in charge of injecting an LdapClientContext. This Filter tries each of the provided filters until one can apply. If no filter can be applied, the last filter in the list will be applied, allowing it to formulate a valid, implementation-specific error response.
      Parameters:
      filters - Iterable of authorization ConditionalFilters to try. If empty, the returned filter will always respond with 403 Forbidden.
      Returns:
      A new authorization Filter
    • newConditionalHttpBasicAuthenticationFilter

      public static ConditionalFilters.ConditionalFilter newConditionalHttpBasicAuthenticationFilter(AuthenticationStrategy authenticationStrategy, Function<org.forgerock.http.protocol.Headers,Pair<String,String>,NeverThrowsException> credentialsExtractor)
      Creates a new ConditionalFilters.ConditionalFilter performing authentication. If authentication succeeds, it injects a SecurityContext with the authenticationId provided by the user. Otherwise, it returns an HTTP 401 - Unauthorized response. The condition of this ConditionalFilters.ConditionalFilter will return true if the supplied request contains credentials information, false otherwise.
      Parameters:
      authenticationStrategy - AuthenticationStrategy to validate the user's provided credentials.
      credentialsExtractor - Function to extract the credentials from the received request.
      Returns:
      a new ConditionalFilters.ConditionalFilter
      Throws:
      NullPointerException - if a parameter is null.
    • newConditionalDirectConnectionFilter

      public static ConditionalFilters.ConditionalFilter newConditionalDirectConnectionFilter(LdapClient ldapClient)
      Creates a ConditionalFilters.ConditionalFilter injecting an LdapClientContext with a connection issued from the given ldapClient. The condition is always true.
      Parameters:
      ldapClient - The LDAP client used to get the LdapClientSocket to inject.
      Returns:
      A new ConditionalFilters.ConditionalFilter.
      Throws:
      NullPointerException - if ldapClient is null.
    • newProxyAuthorizationFilter

      public static org.forgerock.http.Filter newProxyAuthorizationFilter(LdapClient ldapClient)
      Creates a filter injecting an LdapClientContext given the information provided in the SecurityContext. The connection contained in the created LdapClientContext will add a ProxiedAuthV2RequestControl to each LDAP request.
      Parameters:
      ldapClient - The LDAP client used to create the connection which will be injected in the LdapClientContext.
      Returns:
      A new filter.
      Throws:
      NullPointerException - if ldapClient is null.
    • newTokenIntrospectionAccessTokenResolver

      public static org.forgerock.http.oauth2.AccessTokenResolver newTokenIntrospectionAccessTokenResolver(org.forgerock.http.Handler httpClient, URI introspectionEndPointURL)
      Creates a new RFC 7662 compliant AccessTokenResolver.

      Parameters:
      httpClient - HTTP client handler used to perform the request.
      introspectionEndPointURL - Introspection endpoint URL to use to resolve the access token.
      Returns:
      A new AccessTokenResolver instance.
    • newCtsAccessTokenResolver

      public static org.forgerock.http.oauth2.AccessTokenResolver newCtsAccessTokenResolver(LdapClient ldapClient, String ctsBaseDNTemplate)
      Creates a new CTS access token resolver.
      Parameters:
      ldapClient - The LdapClient to use to perform searches against the CTS.
      ctsBaseDNTemplate - The base DN template to use to resolve the access token DN.
      Returns:
      A new CTS access token resolver.
    • newFileAccessTokenResolver

      public static org.forgerock.http.oauth2.AccessTokenResolver newFileAccessTokenResolver(Path tokenFolder)
      Creates a new file access token resolver which should only be used for test purposes.
      Parameters:
      tokenFolder - The folder where the access tokens to resolve must be stored.
      Returns:
      A new file access token resolver which should only be used for test purposes.
    • newOAuth2ResourceServerFilter

      public static org.forgerock.http.Filter newOAuth2ResourceServerFilter(String realm, Set<String> scopes, org.forgerock.http.oauth2.AccessTokenResolver resolver, String authzIdTemplate)
      Creates a new OAuth2 authorization filter configured with provided parameters.
      Parameters:
      realm - The realm to display in error responses.
      scopes - Scopes that an access token must have to access a resource.
      resolver - The AccessTokenResolver to use to resolve an access token.
      authzIdTemplate - Authorization ID template.
      Returns:
      A new OAuth2 authorization filter configured with provided parameters.
    • newConditionalOAuth2ResourceServerFilter

      public static ConditionalFilters.ConditionalFilter newConditionalOAuth2ResourceServerFilter(String realm, Set<String> scopes, org.forgerock.http.oauth2.AccessTokenResolver resolver, String authzIdTemplate)
      Creates a new optional OAuth2 authorization filter configured with provided parameters.

      This filter will be used only if an OAuth2 Authorization header is present in the incoming request.

      Parameters:
      realm - The realm to display in error responses.
      scopes - Scopes that an access token must have to access a resource.
      resolver - The AccessTokenResolver to use to resolve an access token.
      authzIdTemplate - Authorization ID template.
      Returns:
      A new OAuth2 authorization filter configured with provided parameters.
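
The selection rule documented for newAuthorizationFilter, modelled in plain Java as an added example (it is not OpenDJ code and not part of the original Javadoc). The `Conditional` record, the `select` method and the header-scheme conditions are hypothetical stand-ins for ConditionalFilters.ConditionalFilter and its condition, and the model assumes the filters are tried in iteration order; it shows why a filter whose condition is always true, such as the one from newConditionalDirectConnectionFilter, belongs last in the list.

```java
import java.util.List;
import java.util.function.Predicate;

/** Added model of the newAuthorizationFilter selection rule; not the OpenDJ implementation. */
public class AuthzChainModel {

    /** Hypothetical stand-in for ConditionalFilters.ConditionalFilter: a name plus its condition. */
    record Conditional(String name, Predicate<String> condition) {}

    /** Names the filter that handles a request with this Authorization header (null when absent). */
    static String select(List<Conditional> filters, String authorization) {
        if (filters.isEmpty()) {
            return "403 Forbidden";                      // empty list: every request is rejected
        }
        for (Conditional f : filters) {
            if (f.condition().test(authorization)) {
                return f.name();                         // first filter whose condition holds
            }
        }
        // No condition held: the last filter is applied so it can formulate the error response.
        return filters.get(filters.size() - 1).name();
    }

    public static void main(String[] args) {
        // Simplified conditions (assumption): credentials are recognised by header scheme only.
        Conditional basic = new Conditional("http-basic", h -> h != null && h.startsWith("Basic "));
        Conditional oauth2 = new Conditional("oauth2", h -> h != null && h.startsWith("Bearer "));
        Conditional direct = new Conditional("direct-connection", h -> true); // condition always true

        List<Conditional> authenticatedOnly = List.of(oauth2, basic);
        List<Conditional> directLast = List.of(oauth2, basic, direct);
        List<Conditional> directFirst = List.of(direct, oauth2, basic);

        String bearer = "Bearer constructed-sample-token";   // constructed sample value
        System.out.println("empty list, no header      -> " + select(List.of(), null));
        System.out.println("authenticatedOnly, no hdr  -> " + select(authenticatedOnly, null));
        System.out.println("directLast, bearer token   -> " + select(directLast, bearer));
        System.out.println("directLast, no header      -> " + select(directLast, null));
        // With the always-true filter first, the token is never resolved or scope-checked.
        System.out.println("directFirst, bearer token  -> " + select(directFirst, bearer));
    }
}
```

The model uses records, so it needs Java 16 or later.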