forked from seedstack/seed
-
Notifications
You must be signed in to change notification settings - Fork 1
/
SecuritySupport.java
282 lines (253 loc) · 12.3 KB
/
SecuritySupport.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
/*
* Copyright © 2013-2019, The SeedStack authors <http://seedstack.org>
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
package org.seedstack.seed.security;
import java.util.Collection;
import java.util.Set;
import org.seedstack.seed.security.principals.PrincipalProvider;
import org.seedstack.seed.security.principals.SimplePrincipalProvider;
/**
* Support for all security concerns. Retrieve connected user principals, get/check roles/permissions...
*/
public interface SecuritySupport {
/**
* Gets the principal provider that holds the user's identity. The identity is just an Object; in most simple
* case, a String of the user's id.
*
* @return The principalProvider holding the identity. Not null, empty value if none.
*/
PrincipalProvider<?> getIdentityPrincipal();
/**
* Retrieves all the PrincipalProviders containing the user's details.
*
* @return A non-null collection of user's PrincipalProviders.
*/
Collection<PrincipalProvider<?>> getOtherPrincipals();
/**
* Gets the first {@link PrincipalProvider} that provide a principal assignable to the specified type.
*
* @param <T> type of the principal
* @param principalClass the Principal type, not null
* @return The first first {@link PrincipalProvider} that provide a principal assignable to the specified type.
* Null if none found.
* @see org.seedstack.seed.security.principals.Principals#getOnePrincipalByType(Collection, Class)
*/
<T> PrincipalProvider<T> getPrincipalByType(Class<T> principalClass);
/**
* Gets all {@link PrincipalProvider}s that provide a principal assignable to the specified type.
*
* @param <T> type of the principal
* @param principalClass the Principal type, not null
* @return A collection of the user's PrincipalProviders of type principalProviderClass. Not null.
* @see org.seedstack.seed.security.principals.Principals#getPrincipalsByType(Collection, Class)
*/
<T> Collection<PrincipalProvider<T>> getPrincipalsByType(Class<T> principalClass);
/**
* Gets the user's SimplePrincipalProviders.<br>
* A {@link org.seedstack.seed.security.principals.SimplePrincipalProvider} is a name/value principal. A list of
* common SimplePrincipalProviders names are found in class
* {@link org.seedstack.seed.security.principals.Principals}.
*
* @return the list of the user's SimplePrincipalProviders. Not null
* @see org.seedstack.seed.security.principals.Principals#getSimplePrincipals(Collection)
*/
Collection<SimplePrincipalProvider> getSimplePrincipals();
/**
* Gets the SimplePrincipalProvider which name is provided.
*
* @param principalName the name of the principal. Null returns null.
* @return the SimplePrincipalProvider identified by principalName. Null if none found.
* @see org.seedstack.seed.security.principals.Principals#getSimplePrincipalByName(Collection, String)
*/
SimplePrincipalProvider getSimplePrincipalByName(String principalName);
/**
* Tells if the connected user has the given permission.<br>
* The permission is given as a String in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permission the string permission to test. Not null
* @return true if user has the given permission, false otherwise.
*/
boolean isPermitted(String permission);
/**
* Tells if the connected user has the given permission on the given scopes.<br>
* The permission is given as a String in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permission the string permission to test. Not null
* @param scopes the scopes to verify the permission on. optional
* @return true if user has the given permission, false otherwise.
*/
boolean isPermitted(String permission, Scope... scopes);
/**
* Tells if the connected user has all of the given permissions.<br>
* The permissions are given as Strings in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permissions the string permissions to test. not null
* @return true if user has all the given permissions, false otherwise.
*/
boolean isPermittedAll(String... permissions);
/**
* Tells if the connected user has at least one of the given permissions.<br>
* The permissions are given as Strings in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permissions the string permissions to test. Not null
* @return true if user has at least one of the given permissions, false otherwise.
*/
boolean isPermittedAny(String... permissions);
/**
* Checks if the connected user has the given permission on the given scopes : if the user does not have the
* permission, throws an exception to
* block execution.<br>
* <br>
* The permission is given as a String in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permission the string permission to test. Not null.
* @param scopes the scopes to verify the permission on. optional
* @throws AuthorizationException if the user does not have the permission.
*/
void checkPermission(String permission, Scope... scopes);
/**
* Checks if the connected user has the given permission : if the user does not have the permission, throws an
* exception to block execution.<br>
* <br>
* The permission is given as a String in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permission the string permission to test. Not null.
* @throws AuthorizationException if the user does not have the permission.
*/
void checkPermission(String permission);
/**
* Checks if the connected user has the given permissions : if the user does not have all the permissions, throws
* an exception to block execution.<br>
* <br>
* The permissions are given as Strings in the form "object:action[:id]" (e.g. door:open or document:print).
*
* @param permissions the string permissions to test. Not null.
* @throws AuthorizationException if the user does not have all of the given permissions.
*/
void checkPermissions(String... permissions);
/**
* Tells if the connected user has the given role on all the given scopes.<br>
* <br>
* Note that it is discouraged to test for roles in your application as role names are prone to change in the
* life span of your application. To
* ensure durability of your code, check permissions instead of roles.
*
* @param roleIdentifier the id of the role to test. Not null.
* @param scopes the scopes to verify the role on. optional
* @return true if the user has the role, false otherwise.
*/
boolean hasRole(String roleIdentifier, Scope... scopes);
/**
* Tells if the connected user has the given role.<br>
* <br>
* Note that it is discouraged to test for roles in your application as role names are prone to change in the
* life span of your application. To
* ensure durability of your code, check permissions instead of roles.
*
* @param roleIdentifier the id of the role to test. Not null.
* @return true if the user has the role, false otherwise.
*/
boolean hasRole(String roleIdentifier);
/**
* Tells if the connected user has all of the given roles.<br>
* <br>
* Note that it is discouraged to test for roles in your application as role names are prone to change in the
* life span of your application. To
* ensure durability of your code, check permissions instead of roles.
*
* @param roleIdentifiers the names of the roles to test. Not null.
* @return true if the user has all the roles, false otherwise.
*/
boolean hasAllRoles(String... roleIdentifiers);
/**
* Tells if the connected user has at least one of the given roles.<br>
* <br>
* Note that it is discouraged to test for roles in your application as role names are prone to change in the
* life span of your application. To
* ensure durability of your code, check permissions instead of roles.
*
* @param roleIdentifiers the names of the roles to test. Not null.
* @return true if the user has at least one of the roles, false otherwise.
*/
boolean hasAnyRole(String... roleIdentifiers);
/**
* Checks if the connected user has the given role : throws an exception otherwise.<br>
* <br>
* Note that it is discouraged to test for roles in your application as role names are prone to change in the
* life span of your application. To
* ensure durability of your code, check permissions instead of roles.
*
* @param roleIdentifier the name of the role to check. Not null.
* @throws AuthorizationException if the user does not have the given role.
*/
void checkRole(String roleIdentifier);
/**
* Checks if the connected user has all the given roles : throws an exception otherwise.<br>
* <br>
* Note that it is discouraged to test for roles in your application as role names are prone to change in the
* life span of your application. To
* ensure durability of your code, check permissions instead of roles.
*
* @param roleIdentifiers the name of the roles to check. Not null.
* @throws AuthorizationException if the user does not have all the given role.
*/
void checkRoles(String... roleIdentifiers);
/**
* Gives the roles given to the user. You can find all the scopes of a Role by calling role.getScopes() or the
* scopes
* of a specific type (like SimpleScope) by calling role.getScopesByType(SimpleScope.class)
*
* @return a Set of all the roles the user has. Not null, empty if none.
*/
Set<Role> getRoles();
/**
* Gives all the simple scopes of the user found in all its roles.
*
* @return a Set of all the scopes.
*/
Set<SimpleScope> getSimpleScopes();
/**
* Explicitly authenticates a subject with its authentication token.
* <h3>Web Environment Warning</h3> In a Web application, this is typically handled by a security Web filter, so
* calling this method should be avoided in such environments.
*/
void login(AuthenticationToken authenticationToken);
/**
* Logs out the connected user and invalidates and/or removes any associated entities, such as a Session and
* authorization data. After this method is called, the user is considered 'anonymous' and may continue to be
* used for another log-in if desired. <h3>Web Environment Warning</h3> Calling this method in web environments
* will usually remove any associated session cookie as part of session invalidation. Because cookies are part of
* the HTTP header, and headers can only be set before the response body (html, image, etc) is sent, this method
* in web environments must be called before <em>any</em> content has been rendered. <p> The typical approach
* most applications use in this scenario is to redirect the user to a different location (e .g. home page)
* immediately after calling this method. This is an effect of the HTTP protocol itself and not a reflection of
* the implementation.
*/
void logout();
/**
* Check if the current user is authenticated.
* <p>
* Authenticated on Shiro means that subject has successfully logged in on the current session
*
* @return true if authenticated, false otherwise.
* @see org.seedstack.seed.security.SecuritySupport#isRemembered()
*/
boolean isAuthenticated();
/**
* Checks if the current user has logged successfully on a previous session
*
* @return true if remembered, false otherwise.
*/
boolean isRemembered();
/**
* Returns the host name or IP string of the host of the connected user, or {@code null} if the host is unknown.
*
* @return the host name or IP string of the host that originated this session, or {@code null} if the host
* address is unknown.
*/
String getHost();
}