103928aee4356845252ac6b662d5c72c29903813eJake Slack// 203928aee4356845252ac6b662d5c72c29903813eJake Slack// ======================================================================== 303928aee4356845252ac6b662d5c72c29903813eJake Slack// Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd. 403928aee4356845252ac6b662d5c72c29903813eJake Slack// ------------------------------------------------------------------------ 503928aee4356845252ac6b662d5c72c29903813eJake Slack// All rights reserved. This program and the accompanying materials 603928aee4356845252ac6b662d5c72c29903813eJake Slack// are made available under the terms of the Eclipse Public License v1.0 703928aee4356845252ac6b662d5c72c29903813eJake Slack// and Apache License v2.0 which accompanies this distribution. 803928aee4356845252ac6b662d5c72c29903813eJake Slack// 903928aee4356845252ac6b662d5c72c29903813eJake Slack// The Eclipse Public License is available at 1003928aee4356845252ac6b662d5c72c29903813eJake Slack// http://www.eclipse.org/legal/epl-v10.html 1103928aee4356845252ac6b662d5c72c29903813eJake Slack// 1203928aee4356845252ac6b662d5c72c29903813eJake Slack// The Apache License v2.0 is available at 1303928aee4356845252ac6b662d5c72c29903813eJake Slack// http://www.opensource.org/licenses/apache2.0.php 1403928aee4356845252ac6b662d5c72c29903813eJake Slack// 1503928aee4356845252ac6b662d5c72c29903813eJake Slack// You may elect to redistribute this code under either of these licenses. 1603928aee4356845252ac6b662d5c72c29903813eJake Slack// ======================================================================== 1703928aee4356845252ac6b662d5c72c29903813eJake Slack// 1803928aee4356845252ac6b662d5c72c29903813eJake Slack 1903928aee4356845252ac6b662d5c72c29903813eJake Slackpackage org.eclipse.jetty.security; 2003928aee4356845252ac6b662d5c72c29903813eJake Slack 2103928aee4356845252ac6b662d5c72c29903813eJake Slackimport java.security.Principal; 2203928aee4356845252ac6b662d5c72c29903813eJake Slack 2303928aee4356845252ac6b662d5c72c29903813eJake Slackimport javax.security.auth.Subject; 2403928aee4356845252ac6b662d5c72c29903813eJake Slack 2503928aee4356845252ac6b662d5c72c29903813eJake Slackimport org.eclipse.jetty.server.Request; 2603928aee4356845252ac6b662d5c72c29903813eJake Slackimport org.eclipse.jetty.server.UserIdentity; 2703928aee4356845252ac6b662d5c72c29903813eJake Slack 2803928aee4356845252ac6b662d5c72c29903813eJake Slack/* ------------------------------------------------------------ */ 2903928aee4356845252ac6b662d5c72c29903813eJake Slack/** 3003928aee4356845252ac6b662d5c72c29903813eJake Slack * Associates UserIdentities from with threads and UserIdentity.Contexts. 3103928aee4356845252ac6b662d5c72c29903813eJake Slack * 3203928aee4356845252ac6b662d5c72c29903813eJake Slack */ 3303928aee4356845252ac6b662d5c72c29903813eJake Slackpublic interface IdentityService 3403928aee4356845252ac6b662d5c72c29903813eJake Slack{ 3503928aee4356845252ac6b662d5c72c29903813eJake Slack final static String[] NO_ROLES = new String[]{}; 3603928aee4356845252ac6b662d5c72c29903813eJake Slack 3703928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 3803928aee4356845252ac6b662d5c72c29903813eJake Slack /** 3903928aee4356845252ac6b662d5c72c29903813eJake Slack * Associate a user identity with the current thread. 4003928aee4356845252ac6b662d5c72c29903813eJake Slack * This is called with as a thread enters the 4103928aee4356845252ac6b662d5c72c29903813eJake Slack * {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)} 4203928aee4356845252ac6b662d5c72c29903813eJake Slack * method and then again with a null argument as that call exits. 4303928aee4356845252ac6b662d5c72c29903813eJake Slack * @param user The current user or null for no user to associated. 4403928aee4356845252ac6b662d5c72c29903813eJake Slack * @return an object representing the previous associated state 4503928aee4356845252ac6b662d5c72c29903813eJake Slack */ 4603928aee4356845252ac6b662d5c72c29903813eJake Slack Object associate(UserIdentity user); 4703928aee4356845252ac6b662d5c72c29903813eJake Slack 4803928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 4903928aee4356845252ac6b662d5c72c29903813eJake Slack /** 5003928aee4356845252ac6b662d5c72c29903813eJake Slack * Disassociate the user identity from the current thread 5103928aee4356845252ac6b662d5c72c29903813eJake Slack * and restore previous identity. 5203928aee4356845252ac6b662d5c72c29903813eJake Slack * @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)} 5303928aee4356845252ac6b662d5c72c29903813eJake Slack */ 5403928aee4356845252ac6b662d5c72c29903813eJake Slack void disassociate(Object previous); 5503928aee4356845252ac6b662d5c72c29903813eJake Slack 5603928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 5703928aee4356845252ac6b662d5c72c29903813eJake Slack /** 5803928aee4356845252ac6b662d5c72c29903813eJake Slack * Associate a runas Token with the current user and thread. 5903928aee4356845252ac6b662d5c72c29903813eJake Slack * @param user The UserIdentity 6003928aee4356845252ac6b662d5c72c29903813eJake Slack * @param token The runAsToken to associate. 6103928aee4356845252ac6b662d5c72c29903813eJake Slack * @return The previous runAsToken or null. 6203928aee4356845252ac6b662d5c72c29903813eJake Slack */ 6303928aee4356845252ac6b662d5c72c29903813eJake Slack Object setRunAs(UserIdentity user, RunAsToken token); 6403928aee4356845252ac6b662d5c72c29903813eJake Slack 6503928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 6603928aee4356845252ac6b662d5c72c29903813eJake Slack /** 6703928aee4356845252ac6b662d5c72c29903813eJake Slack * Disassociate the current runAsToken from the thread 6803928aee4356845252ac6b662d5c72c29903813eJake Slack * and reassociate the previous token. 6903928aee4356845252ac6b662d5c72c29903813eJake Slack * @param token RUNAS returned from previous associateRunAs call 7003928aee4356845252ac6b662d5c72c29903813eJake Slack */ 7103928aee4356845252ac6b662d5c72c29903813eJake Slack void unsetRunAs(Object token); 7203928aee4356845252ac6b662d5c72c29903813eJake Slack 7303928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 7403928aee4356845252ac6b662d5c72c29903813eJake Slack /** 7503928aee4356845252ac6b662d5c72c29903813eJake Slack * Create a new UserIdentity for use with this identity service. 7603928aee4356845252ac6b662d5c72c29903813eJake Slack * The UserIdentity should be immutable and able to be cached. 7703928aee4356845252ac6b662d5c72c29903813eJake Slack * 7803928aee4356845252ac6b662d5c72c29903813eJake Slack * @param subject Subject to include in UserIdentity 7903928aee4356845252ac6b662d5c72c29903813eJake Slack * @param userPrincipal Principal to include in UserIdentity. This will be returned from getUserPrincipal calls 8003928aee4356845252ac6b662d5c72c29903813eJake Slack * @param roles set of roles to include in UserIdentity. 8103928aee4356845252ac6b662d5c72c29903813eJake Slack * @return A new immutable UserIdententity 8203928aee4356845252ac6b662d5c72c29903813eJake Slack */ 8303928aee4356845252ac6b662d5c72c29903813eJake Slack UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[] roles); 8403928aee4356845252ac6b662d5c72c29903813eJake Slack 8503928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 8603928aee4356845252ac6b662d5c72c29903813eJake Slack /** 8703928aee4356845252ac6b662d5c72c29903813eJake Slack * Create a new RunAsToken from a runAsName (normally a role). 8803928aee4356845252ac6b662d5c72c29903813eJake Slack * @param runAsName Normally a role name 8903928aee4356845252ac6b662d5c72c29903813eJake Slack * @return A new immutable RunAsToken 9003928aee4356845252ac6b662d5c72c29903813eJake Slack */ 9103928aee4356845252ac6b662d5c72c29903813eJake Slack RunAsToken newRunAsToken(String runAsName); 9203928aee4356845252ac6b662d5c72c29903813eJake Slack 9303928aee4356845252ac6b662d5c72c29903813eJake Slack /* ------------------------------------------------------------ */ 9403928aee4356845252ac6b662d5c72c29903813eJake Slack UserIdentity getSystemUserIdentity(); 9503928aee4356845252ac6b662d5c72c29903813eJake Slack} 96