103928aee4356845252ac6b662d5c72c29903813eJake Slack//
203928aee4356845252ac6b662d5c72c29903813eJake Slack//  ========================================================================
303928aee4356845252ac6b662d5c72c29903813eJake Slack//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
403928aee4356845252ac6b662d5c72c29903813eJake Slack//  ------------------------------------------------------------------------
503928aee4356845252ac6b662d5c72c29903813eJake Slack//  All rights reserved. This program and the accompanying materials
603928aee4356845252ac6b662d5c72c29903813eJake Slack//  are made available under the terms of the Eclipse Public License v1.0
703928aee4356845252ac6b662d5c72c29903813eJake Slack//  and Apache License v2.0 which accompanies this distribution.
803928aee4356845252ac6b662d5c72c29903813eJake Slack//
903928aee4356845252ac6b662d5c72c29903813eJake Slack//      The Eclipse Public License is available at
1003928aee4356845252ac6b662d5c72c29903813eJake Slack//      http://www.eclipse.org/legal/epl-v10.html
1103928aee4356845252ac6b662d5c72c29903813eJake Slack//
1203928aee4356845252ac6b662d5c72c29903813eJake Slack//      The Apache License v2.0 is available at
1303928aee4356845252ac6b662d5c72c29903813eJake Slack//      http://www.opensource.org/licenses/apache2.0.php
1403928aee4356845252ac6b662d5c72c29903813eJake Slack//
1503928aee4356845252ac6b662d5c72c29903813eJake Slack//  You may elect to redistribute this code under either of these licenses.
1603928aee4356845252ac6b662d5c72c29903813eJake Slack//  ========================================================================
1703928aee4356845252ac6b662d5c72c29903813eJake Slack//
1803928aee4356845252ac6b662d5c72c29903813eJake Slack
1903928aee4356845252ac6b662d5c72c29903813eJake Slackpackage org.eclipse.jetty.security;
2003928aee4356845252ac6b662d5c72c29903813eJake Slack
2103928aee4356845252ac6b662d5c72c29903813eJake Slackimport java.security.Principal;
2203928aee4356845252ac6b662d5c72c29903813eJake Slack
2303928aee4356845252ac6b662d5c72c29903813eJake Slackimport javax.security.auth.Subject;
2403928aee4356845252ac6b662d5c72c29903813eJake Slack
2503928aee4356845252ac6b662d5c72c29903813eJake Slackimport org.eclipse.jetty.server.Request;
2603928aee4356845252ac6b662d5c72c29903813eJake Slackimport org.eclipse.jetty.server.UserIdentity;
2703928aee4356845252ac6b662d5c72c29903813eJake Slack
2803928aee4356845252ac6b662d5c72c29903813eJake Slack/* ------------------------------------------------------------ */
2903928aee4356845252ac6b662d5c72c29903813eJake Slack/**
3003928aee4356845252ac6b662d5c72c29903813eJake Slack * Associates UserIdentities from with threads and UserIdentity.Contexts.
3103928aee4356845252ac6b662d5c72c29903813eJake Slack *
3203928aee4356845252ac6b662d5c72c29903813eJake Slack */
3303928aee4356845252ac6b662d5c72c29903813eJake Slackpublic interface IdentityService
3403928aee4356845252ac6b662d5c72c29903813eJake Slack{
3503928aee4356845252ac6b662d5c72c29903813eJake Slack    final static String[] NO_ROLES = new String[]{};
3603928aee4356845252ac6b662d5c72c29903813eJake Slack
3703928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
3803928aee4356845252ac6b662d5c72c29903813eJake Slack    /**
3903928aee4356845252ac6b662d5c72c29903813eJake Slack     * Associate a user identity with the current thread.
4003928aee4356845252ac6b662d5c72c29903813eJake Slack     * This is called with as a thread enters the
4103928aee4356845252ac6b662d5c72c29903813eJake Slack     * {@link SecurityHandler#handle(String, Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
4203928aee4356845252ac6b662d5c72c29903813eJake Slack     * method and then again with a null argument as that call exits.
4303928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param user The current user or null for no user to associated.
4403928aee4356845252ac6b662d5c72c29903813eJake Slack     * @return an object representing the previous associated state
4503928aee4356845252ac6b662d5c72c29903813eJake Slack     */
4603928aee4356845252ac6b662d5c72c29903813eJake Slack    Object associate(UserIdentity user);
4703928aee4356845252ac6b662d5c72c29903813eJake Slack
4803928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
4903928aee4356845252ac6b662d5c72c29903813eJake Slack    /**
5003928aee4356845252ac6b662d5c72c29903813eJake Slack     * Disassociate the user identity from the current thread
5103928aee4356845252ac6b662d5c72c29903813eJake Slack     * and restore previous identity.
5203928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param previous The opaque object returned from a call to {@link IdentityService#associate(UserIdentity)}
5303928aee4356845252ac6b662d5c72c29903813eJake Slack     */
5403928aee4356845252ac6b662d5c72c29903813eJake Slack    void disassociate(Object previous);
5503928aee4356845252ac6b662d5c72c29903813eJake Slack
5603928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
5703928aee4356845252ac6b662d5c72c29903813eJake Slack    /**
5803928aee4356845252ac6b662d5c72c29903813eJake Slack     * Associate a runas Token with the current user and thread.
5903928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param user The UserIdentity
6003928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param token The runAsToken to associate.
6103928aee4356845252ac6b662d5c72c29903813eJake Slack     * @return The previous runAsToken or null.
6203928aee4356845252ac6b662d5c72c29903813eJake Slack     */
6303928aee4356845252ac6b662d5c72c29903813eJake Slack    Object setRunAs(UserIdentity user, RunAsToken token);
6403928aee4356845252ac6b662d5c72c29903813eJake Slack
6503928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
6603928aee4356845252ac6b662d5c72c29903813eJake Slack    /**
6703928aee4356845252ac6b662d5c72c29903813eJake Slack     * Disassociate the current runAsToken from the thread
6803928aee4356845252ac6b662d5c72c29903813eJake Slack     * and reassociate the previous token.
6903928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param token RUNAS returned from previous associateRunAs call
7003928aee4356845252ac6b662d5c72c29903813eJake Slack     */
7103928aee4356845252ac6b662d5c72c29903813eJake Slack    void unsetRunAs(Object token);
7203928aee4356845252ac6b662d5c72c29903813eJake Slack
7303928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
7403928aee4356845252ac6b662d5c72c29903813eJake Slack    /**
7503928aee4356845252ac6b662d5c72c29903813eJake Slack     * Create a new UserIdentity for use with this identity service.
7603928aee4356845252ac6b662d5c72c29903813eJake Slack     * The UserIdentity should be immutable and able to be cached.
7703928aee4356845252ac6b662d5c72c29903813eJake Slack     *
7803928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param subject Subject to include in UserIdentity
7903928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param userPrincipal Principal to include in UserIdentity.  This will be returned from getUserPrincipal calls
8003928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param roles set of roles to include in UserIdentity.
8103928aee4356845252ac6b662d5c72c29903813eJake Slack     * @return A new immutable UserIdententity
8203928aee4356845252ac6b662d5c72c29903813eJake Slack     */
8303928aee4356845252ac6b662d5c72c29903813eJake Slack    UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[] roles);
8403928aee4356845252ac6b662d5c72c29903813eJake Slack
8503928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
8603928aee4356845252ac6b662d5c72c29903813eJake Slack    /**
8703928aee4356845252ac6b662d5c72c29903813eJake Slack     * Create a new RunAsToken from a runAsName (normally a role).
8803928aee4356845252ac6b662d5c72c29903813eJake Slack     * @param runAsName Normally a role name
8903928aee4356845252ac6b662d5c72c29903813eJake Slack     * @return A new immutable RunAsToken
9003928aee4356845252ac6b662d5c72c29903813eJake Slack     */
9103928aee4356845252ac6b662d5c72c29903813eJake Slack    RunAsToken newRunAsToken(String runAsName);
9203928aee4356845252ac6b662d5c72c29903813eJake Slack
9303928aee4356845252ac6b662d5c72c29903813eJake Slack    /* ------------------------------------------------------------ */
9403928aee4356845252ac6b662d5c72c29903813eJake Slack    UserIdentity getSystemUserIdentity();
9503928aee4356845252ac6b662d5c72c29903813eJake Slack}
96