1//
2//  ========================================================================
3//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4//  ------------------------------------------------------------------------
5//  All rights reserved. This program and the accompanying materials
6//  are made available under the terms of the Eclipse Public License v1.0
7//  and Apache License v2.0 which accompanies this distribution.
8//
9//      The Eclipse Public License is available at
10//      http://www.eclipse.org/legal/epl-v10.html
11//
12//      The Apache License v2.0 is available at
13//      http://www.opensource.org/licenses/apache2.0.php
14//
15//  You may elect to redistribute this code under either of these licenses.
16//  ========================================================================
17//
18
19package org.eclipse.jetty.security;
20
21import java.security.Principal;
22
23import javax.security.auth.Subject;
24
25import org.eclipse.jetty.server.Request;
26import org.eclipse.jetty.server.UserIdentity;
27
28/* ------------------------------------------------------------ */
29/**
30 * Associates UserIdentities from with threads and UserIdentity.Contexts.
31 *
32 */
33public interface IdentityService
34{
35    final static String[] NO_ROLES = new String[]{};
36
37    /* ------------------------------------------------------------ */
38    /**
39     * Associate a user identity with the current thread.
40     * This is called with as a thread enters the
41     * {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
42     * method and then again with a null argument as that call exits.
43     * @param user The current user or null for no user to associated.
44     * @return an object representing the previous associated state
45     */
46    Object associate(UserIdentity user);
47
48    /* ------------------------------------------------------------ */
49    /**
50     * Disassociate the user identity from the current thread
51     * and restore previous identity.
52     * @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)}
53     */
54    void disassociate(Object previous);
55
56    /* ------------------------------------------------------------ */
57    /**
58     * Associate a runas Token with the current user and thread.
59     * @param user The UserIdentity
60     * @param token The runAsToken to associate.
61     * @return The previous runAsToken or null.
62     */
63    Object setRunAs(UserIdentity user, RunAsToken token);
64
65    /* ------------------------------------------------------------ */
66    /**
67     * Disassociate the current runAsToken from the thread
68     * and reassociate the previous token.
69     * @param token RUNAS returned from previous associateRunAs call
70     */
71    void unsetRunAs(Object token);
72
73    /* ------------------------------------------------------------ */
74    /**
75     * Create a new UserIdentity for use with this identity service.
76     * The UserIdentity should be immutable and able to be cached.
77     *
78     * @param subject Subject to include in UserIdentity
79     * @param userPrincipal Principal to include in UserIdentity.  This will be returned from getUserPrincipal calls
80     * @param roles set of roles to include in UserIdentity.
81     * @return A new immutable UserIdententity
82     */
83    UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[] roles);
84
85    /* ------------------------------------------------------------ */
86    /**
87     * Create a new RunAsToken from a runAsName (normally a role).
88     * @param runAsName Normally a role name
89     * @return A new immutable RunAsToken
90     */
91    RunAsToken newRunAsToken(String runAsName);
92
93    /* ------------------------------------------------------------ */
94    UserIdentity getSystemUserIdentity();
95}
96