org.jasig.cas.authentication

Class PolicyBasedAuthenticationManager

java.lang.Object

org.jasig.cas.authentication.PolicyBasedAuthenticationManager

All Implemented Interfaces:

AuthenticationManager

public class PolicyBasedAuthenticationManager
extends Object
implements AuthenticationManager

Provides an authenticaiton manager that is inherently aware of multiple credentials and supports pluggable security policy via the AuthenticationPolicy component. The authentication process is as follows:

• For each given credential do the following:
• Iterate over all configured authentication handlers.
• Attempt to authenticate a credential if a handler supports it.
• On success attempt to resolve a principal by doing the following:
• Check whether a resolver is configured for the handler that authenticated the credential.
• If a suitable resolver is found, attempt to resolve the principal.
• If a suitable resolver is not found, use the principal resolved by the authentication handler.
• Check whether the security policy (e.g. any, all) is satisfied.
• If security policy is met return immediately.
• Continue if security policy is not met.
• After all credentials have been attempted check security policy again. Note there is an implicit security policy that requires at least one credential to be authenticated. Then the security policy given by setAuthenticationPolicy(AuthenticationPolicy) is applied. In all cases AuthenticationException is raised if security policy is not met.

It is an error condition to fail to resolve a principal.

Since:

4.0

Author:

Marvin S. Addison

Field Summary

Fields

Modifier and Type	Field and Description
protected org.slf4j.Logger	logger Log instance for logging events, errors, warnings, etc.

Fields inherited from interface org.jasig.cas.authentication.AuthenticationManager

AUTHENTICATION_METHOD_ATTRIBUTE

Constructor Summary

Constructors

Constructor and Description
PolicyBasedAuthenticationManager(AuthenticationHandler... handlers) Creates a new authentication manager with a varargs array of authentication handlers that are attempted in the listed order for supported credentials.
PolicyBasedAuthenticationManager(List<AuthenticationHandler> handlers) Creates a new authentication manager with a list of authentication handlers that are attempted in the listed order for supported credentials.
PolicyBasedAuthenticationManager(Map<AuthenticationHandler,PrincipalResolver> map) Creates a new authentication manager with a map of authentication handlers to the principal resolvers that should be used upon successful authentication if no principal is resolved by the authentication handler.

Method Summary

Methods

Modifier and Type	Method and Description
Authentication	authenticate(Credential... credentials) Authenticates the provided credentials.
protected AuthenticationBuilder	authenticateInternal(Credential... credentials) Follows the same contract as AuthenticationManager.authenticate(Credential...).
protected Principal	resolvePrincipal(String handlerName, PrincipalResolver resolver, Credential credential)
void	setAuthenticationMetaDataPopulators(List<AuthenticationMetaDataPopulator> populators) Sets the authentication metadata populators that will be applied to every successful authentication event.
void	setAuthenticationPolicy(AuthenticationPolicy policy) Sets the authentication policy used by this component.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected final org.slf4j.Logger logger

Log instance for logging events, errors, warnings, etc.

Constructor Detail

PolicyBasedAuthenticationManager

public PolicyBasedAuthenticationManager(AuthenticationHandler... handlers)

Creates a new authentication manager with a varargs array of authentication handlers that are attempted in the listed order for supported credentials. This form may only be used by authentication handlers that resolve principals during the authentication process.

Parameters:

handlers - One or more authentication handlers.

PolicyBasedAuthenticationManager

public PolicyBasedAuthenticationManager(List<AuthenticationHandler> handlers)

Creates a new authentication manager with a list of authentication handlers that are attempted in the listed order for supported credentials. This form may only be used by authentication handlers that resolve principals during the authentication process.

Parameters:

handlers - Non-null list of authentication handlers containing at least one entry.

PolicyBasedAuthenticationManager

public PolicyBasedAuthenticationManager(Map<AuthenticationHandler,PrincipalResolver> map)

Creates a new authentication manager with a map of authentication handlers to the principal resolvers that should be used upon successful authentication if no principal is resolved by the authentication handler. If the order of evaluation of authentication handlers is important, a map that preserves insertion order (e.g. LinkedHashMap) should be used.

Parameters:

map - Non-null map of authentication handler to principal resolver containing at least one entry.

Method Detail

authenticate

public final Authentication authenticate(Credential... credentials)
                                  throws AuthenticationException

Authenticates the provided credentials. On success, an Authentication object is returned containing metadata about the result of each authenticated credential. Note that a particular implementation may require some or all credentials to be successfully authenticated. Failure to authenticate is considered an exceptional case, and an AuthenticationException is thrown.

Specified by:

authenticate in interface AuthenticationManager

Parameters:

credentials - One or more credentials to authenticate.

Returns:

Authentication object on success that contains metadata about credentials that were authenticated.

Throws:

AuthenticationException - On authentication failure. The exception contains details on each of the credentials that failed to authenticate.

setAuthenticationMetaDataPopulators

public final void setAuthenticationMetaDataPopulators(List<AuthenticationMetaDataPopulator> populators)

Sets the authentication metadata populators that will be applied to every successful authentication event.

Parameters:

populators - Non-null list of metadata populators.

setAuthenticationPolicy

public void setAuthenticationPolicy(AuthenticationPolicy policy)

Sets the authentication policy used by this component.

Parameters:

policy - Non-null authentication policy. The default policy is AnyAuthenticationPolicy.

authenticateInternal

protected AuthenticationBuilder authenticateInternal(Credential... credentials)
                                              throws AuthenticationException

Follows the same contract as AuthenticationManager.authenticate(Credential...).

Parameters:

credentials - One or more credentials to authenticate.

Returns:

An authentication containing a resolved principal and metadata about successful and failed authentications. There SHOULD be a record of each attempted authentication, whether success or failure.

Throws:

AuthenticationException - When one or more credentials failed authentication such that security policy was not satisfied.

resolvePrincipal

protected Principal resolvePrincipal(String handlerName,
                         PrincipalResolver resolver,
                         Credential credential)