001 /*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied. See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019 package org.apache.shiro.authc.pam;
020
021 import org.apache.shiro.authc.AuthenticationException;
022 import org.apache.shiro.authc.AuthenticationInfo;
023 import org.apache.shiro.authc.AuthenticationToken;
024 import org.apache.shiro.realm.Realm;
025
026 import java.util.Collection;
027
028
029 /**
030 * A {@code AuthenticationStrategy} implementation assists the {@link ModularRealmAuthenticator} during the
031 * log-in process in a pluggable realm (PAM) environment.
032 *
033 * <p>The {@code ModularRealmAuthenticator} will consult implementations of this interface on what to do during each
034 * interaction with the configured Realms. This allows a pluggable strategy of whether or not an authentication
035 * attempt must be successful for all realms, only 1 or more realms, no realms, etc.
036 *
037 * @author Les Hazlewood
038 * @see AllSuccessfulStrategy
039 * @see AtLeastOneSuccessfulStrategy
040 * @see FirstSuccessfulStrategy
041 * @since 0.2
042 */
043 public interface AuthenticationStrategy {
044
045 /**
046 * Method invoked by the ModularAuthenticator signifying that the authentication process is about to begin for the
047 * specified {@code token} - called before any {@code Realm} is actually invoked.
048 *
049 * <p>The {@code AuthenticationInfo} object returned from this method is essentially an empty place holder for
050 * aggregating account data across multiple realms. It should be populated by the strategy implementation over the
051 * course of authentication attempts across the multiple realms. It will be passed into the
052 * {@link #beforeAttempt} calls, allowing inspection of the aggregated account data up to that point in the
053 * multi-realm authentication, allowing any logic to be executed accordingly.
054 *
055 * @param realms the Realms that will be consulted during the authentication process for the specified token.
056 * @param token the Principal/Credential representation to be used during authentication for a corresponding subject.
057 * @return an empty AuthenticationInfo object that will populated with data from multiple realms.
058 * @throws AuthenticationException if the strategy implementation does not wish the Authentication attempt to execute.
059 */
060 AuthenticationInfo beforeAllAttempts(Collection<? extends Realm> realms, AuthenticationToken token) throws AuthenticationException;
061
062 /**
063 * Method invoked by the ModularAuthenticator just prior to the realm being consulted for account data,
064 * allowing pre-authentication-attempt logic for that realm only.
065 *
066 * <p>This method returns an {@code AuthenticationInfo} object that will be used for further interaction with realms. Most
067 * implementations will merely return the {@code aggregate} method argument if they don't have a need to
068 * manipulate it.
069 *
070 * @param realm the realm that will be consulted for {@code AuthenticationInfo} for the specified {@code token}.
071 * @param token the {@code AuthenticationToken} submitted for the subject attempting system log-in.
072 * @param aggregate the aggregated AuthenticationInfo object being used across the multi-realm authentication attempt
073 * @return the AuthenticationInfo object that will be presented to further realms in the authentication process - returning
074 * the {@code aggregate} method argument is the normal case if no special action needs to be taken.
075 * @throws org.apache.shiro.authc.AuthenticationException
076 * an exception thrown by the Strategy implementation if it wishes the login
077 * process for the associated subject (user) to stop immediately.
078 */
079 AuthenticationInfo beforeAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException;
080
081 /**
082 * Method invoked by the ModularAuthenticator just after the given realm has been consulted for authentication,
083 * allowing post-authentication-attempt logic for that realm only.
084 *
085 * <p>This method returns an {@code AuthenticationInfo} object that will be used for further interaction with realms. Most
086 * implementations will merge the {@code singleRealmInfo} into the {@code aggregateInfo} and
087 * just return the {@code aggregateInfo} for continued use throughout the authentication process.</p>
088 *
089 * @param realm the realm that was just consulted for {@code AuthenticationInfo} for the given {@code token}.
090 * @param token the {@code AuthenticationToken} submitted for the subject attempting system log-in.
091 * @param singleRealmInfo the info returned from a single realm.
092 * @param aggregateInfo the aggregate info representing all realms in a multi-realm environment.
093 * @param t the Throwable thrown by the Realm during the attempt, or {@code null} if the method returned normally.
094 * @return the AuthenticationInfo object that will be presented to further realms in the authentication process - returning
095 * the {@code aggregateAccount} method argument is the normal case if no special action needs to be taken.
096 * @throws AuthenticationException an exception thrown by the Strategy implementation if it wishes the login process
097 * for the associated subject (user) to stop immediately.
098 */
099 AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t)
100 throws AuthenticationException;
101
102 /**
103 * Method invoked by the ModularAuthenticator signifying that all of its configured Realms have been consulted
104 * for account data, allowing post-proccessing after all realms have completed.
105 *
106 * <p>Returns the final AuthenticationInfo object that will be returned from the Authenticator to the authenticate() caller.
107 * This is most likely the aggregate AuthenticationInfo object that has been populated by many realms, but the actual return value is
108 * always up to the implementation.
109 *
110 * @param token the {@code AuthenticationToken} submitted for the subject attempting system log-in.
111 * @param aggregate the aggregate {@code AuthenticationInfo} instance populated by all realms during the log-in attempt.
112 * @return the final {@code AuthenticationInfo} object to return to the Authenticator.authenticate() caller.
113 * @throws AuthenticationException if the Strategy implementation wishes to fail the authentication attempt.
114 */
115 AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException;
116 }