1 //
2 // ========================================================================
3 // Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
8 //
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
11 //
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
14 //
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
17 //
18
19 package org.eclipse.jetty.security;
20
21 import java.security.Principal;
22
23 import javax.security.auth.Subject;
24
25 import org.eclipse.jetty.server.Request;
26 import org.eclipse.jetty.server.UserIdentity;
27
28 /* ------------------------------------------------------------ */
29 /**
30 * Associates UserIdentities from with threads and UserIdentity.Contexts.
31 *
32 */
33 public interface IdentityService
34 {
35 final static String[] NO_ROLES = new String[]{};
36
37 /* ------------------------------------------------------------ */
38 /**
39 * Associate a user identity with the current thread.
40 * This is called with as a thread enters the
41 * {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
42 * method and then again with a null argument as that call exits.
43 * @param user The current user or null for no user to associated.
44 * @return an object representing the previous associated state
45 */
46 Object associate(UserIdentity user);
47
48 /* ------------------------------------------------------------ */
49 /**
50 * Disassociate the user identity from the current thread
51 * and restore previous identity.
52 * @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)}
53 */
54 void disassociate(Object previous);
55
56 /* ------------------------------------------------------------ */
57 /**
58 * Associate a runas Token with the current user and thread.
59 * @param user The UserIdentity
60 * @param token The runAsToken to associate.
61 * @return The previous runAsToken or null.
62 */
63 Object setRunAs(UserIdentity user, RunAsToken token);
64
65 /* ------------------------------------------------------------ */
66 /**
67 * Disassociate the current runAsToken from the thread
68 * and reassociate the previous token.
69 * @param token RUNAS returned from previous associateRunAs call
70 */
71 void unsetRunAs(Object token);
72
73 /* ------------------------------------------------------------ */
74 /**
75 * Create a new UserIdentity for use with this identity service.
76 * The UserIdentity should be immutable and able to be cached.
77 *
78 * @param subject Subject to include in UserIdentity
79 * @param userPrincipal Principal to include in UserIdentity. This will be returned from getUserPrincipal calls
80 * @param roles set of roles to include in UserIdentity.
81 * @return A new immutable UserIdententity
82 */
83 UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[] roles);
84
85 /* ------------------------------------------------------------ */
86 /**
87 * Create a new RunAsToken from a runAsName (normally a role).
88 * @param runAsName Normally a role name
89 * @return A new immutable RunAsToken
90 */
91 RunAsToken newRunAsToken(String runAsName);
92
93 /* ------------------------------------------------------------ */
94 UserIdentity getSystemUserIdentity();
95 }