Interface SecurityManager

    • Method Detail

      • getDenyUncoveredHttpMethods

        boolean getDenyUncoveredHttpMethods()
        Get if we are denying uncovered HTTP methods.
        Returns:
        true if we are, false otherwise.
      • isRequestSecurityAsRequired

        default boolean isRequestSecurityAsRequired​(HttpServletRequest request,
                                                    HttpServletResponse response)
                                             throws IOException,
                                                    ServletException
        Check if the current request adheres to the user data constraint, if any.

        In practice this means checking if HTTPS is used when so required by the application.

        Parameters:
        request - the request.
        response - the response.
        Returns:
        true if request adheres to constraints, false otherwise
        Throws:
        IOException - when an I/O error occurs.
        ServletException - when a servlet error occurs.
      • isRequestedResourcePublic

        default boolean isRequestedResourcePublic​(HttpServletRequest request)
        Check if the requested resource, represented by the request, is public or not.
        Parameters:
        request - the request.
        Returns:
        true if the requested resource can be accessed by public (unauthenticated) callers, otherwise false
      • isCallerAuthorizedForResource

        default boolean isCallerAuthorizedForResource​(HttpServletRequest request)
        Check if the current caller (which can be the anonymous caller) is authorized to access the requested resource.

        If the unauthenticated caller is authorized, then this means the resource is public (aka unconstrained, aka unchecked), and the outcome of this method MUST be consistend with isRequestedResourcePublic(HttpServletRequest).

        Parameters:
        request - the request.
        Returns:
        true if the current caller is allowed to access the requested resource, false otherwise
      • getAuthenticatedRequest

        default HttpServletRequest getAuthenticatedRequest​(HttpServletRequest request,
                                                           HttpServletResponse response)
        Gets the request object the security system wants to put in place.

        This method allows the security system (or authentication module being delegated to) a custom or, more likely, wrapped request.

        Parameters:
        request - the request.
        response - the response.
        Returns:
        a request object that the runtime should put into service
      • getAuthenticatedResponse

        default HttpServletResponse getAuthenticatedResponse​(HttpServletRequest request,
                                                             HttpServletResponse response)
        Gets the response object the security system wants to put in place.

        This method allows the security system (or authentication module being delegated to) a custom or, more likely, wrapped response.

        Parameters:
        request - the request.
        response - the response.
        Returns:
        a response object that the runtime should put into service
      • postRequestProcess

        default void postRequestProcess​(HttpServletRequest request,
                                        HttpServletResponse response)
                                 throws IOException,
                                        ServletException
        Gives the security system the opportunity to process the response after the request (after the target resource has been invoked).

        Although this may be rare to used in practice, it allows for encryption of the response, inserting security tokens, signing the response, etc.

        Parameters:
        request - the request.
        response - the response.
        Throws:
        IOException - when an I/O error occurs.
        ServletException - when a servlet error occurs.
      • declareRoles

        void declareRoles​(String[] roles)
        Declare roles.
        Parameters:
        roles - the roles.
      • getWebApplication

        WebApplication getWebApplication()
        Get the web application.
        Returns:
        the web application.
      • isUserInRole

        boolean isUserInRole​(HttpServletRequest request,
                             String role)
        Is the user in the specific role.
        Parameters:
        request - the request.
        role - the role.
        Returns:
        true if in the role, false otherwise.
      • setDenyUncoveredHttpMethods

        void setDenyUncoveredHttpMethods​(boolean denyUncoveredHttpMethods)
        Set if we are denying uncovered HTTP methods.
        Parameters:
        denyUncoveredHttpMethods - the boolean value.
      • setWebApplication

        void setWebApplication​(WebApplication webApplication)
        Set the web application.
        Parameters:
        webApplication - the web application.
      • setUsernamePasswordLoginHandler

        default void setUsernamePasswordLoginHandler​(SecurityManager.UsernamePasswordLoginHandler usernamePasswordLoginHandler)
        Set the handler that may be used by the login method to contact an identity store.
        Parameters:
        usernamePasswordLoginHandler - the handler