org.wildfly.security.auth.server

Class SecurityIdentity

java.lang.Object

org.wildfly.security.auth.server.SecurityIdentity

All Implemented Interfaces:

Supplier<SecurityIdentity>, Scoped, PermissionMappable, PermissionVerifier

public final class SecurityIdentity
extends Object
implements PermissionVerifier, PermissionMappable, Supplier<SecurityIdentity>, Scoped

A loaded and authenticated security identity.

Author:

David M. Lloyd

Field Summary

Fields inherited from interface org.wildfly.security.permission.PermissionVerifier

ALL, NONE

Method Summary

Modifier and Type	Method and Description
FlexibleIdentityAssociation	createFlexibleAssociation() Create a new flexible identity association, initializing it with this identity.
SecurityIdentity	createRunAsAnonymous() Attempt to create a new identity that can be used to run as an anonymous user.
SecurityIdentity	createRunAsAnonymous(boolean authorize) Attempt to create a new identity that can be used to run as an anonymous user Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.
SecurityIdentity	createRunAsIdentity(Principal principal, boolean authorize) Attempt to create a new identity that can be used to run as a user with the given principal.
SecurityIdentity	createRunAsIdentity(String name) Attempt to create a new identity that can be used to run as a user with the given name.
SecurityIdentity	createRunAsIdentity(String name, boolean authorize) Attempt to create a new identity that can be used to run as a user with the given name.
SecurityIdentity	get() Get this identity.
Attributes	getAttributes() Get the attributes associated with this identity.
Instant	getCreationTime() Get the creation time of this identity, which is the time that the initial authentication occurred.
Principal	getPrincipal() Get the principal of this identity.
IdentityCredentials	getPrivateCredentials() Get the private credentials of this identity.
IdentityCredentials	getPublicCredentials() Get the public credentials of this identity.
Roles	getRoles() Get the roles associated with this identity.
Roles	getRoles(String category) Get the mapped roles associated with this identity.
Roles	getRoles(String category, boolean fallbackToDefault) Get the mapped roles associated with this identity.
boolean	implies(Permission permission) Determine if the permission is verified by this object.
SecurityIdentity	intersectWith(PermissionVerifier verifier) Create a new security identity which is the same as this one, but which limits authorization privileges to the intersection of the current privileges and the given verifier.
boolean	isAnonymous() Convenience method to determine if this identity is anonymous.
<T,P> T	runAs(P parameter, ParametricPrivilegedAction<T,P> action) Deprecated. Use Scoped.runAsFunction(Function, Object) instead.
<T,P> T	runAs(P parameter, ParametricPrivilegedExceptionAction<T,P> action) Deprecated. Use Scoped.runAsFunctionEx(ExceptionFunction, Object) instead.
<T> T	runAs(PrivilegedAction<T> action) Deprecated. Use Scoped.runAsSupplier(Supplier) instead.
<T> T	runAs(PrivilegedExceptionAction<T> action) Deprecated. Use Scoped.runAsSupplierEx(ExceptionSupplier) instead.
static <T> T	runAsAll(PrivilegedExceptionAction<T> action, SecurityIdentity... identities) Run an action under a series of identities.
<T,U> boolean	runAsBiPredicate(BiPredicate<T,U> action, T parameter1, U parameter2) Run an action under this identity.
<T,U> void	runAsConsumer(BiConsumer<T,U> action, T parameter1, U parameter2) Run an action under this identity.
<T,U,E extends Exception> void	runAsConsumerEx(org.wildfly.common.function.ExceptionBiConsumer<T,U,E> action, T parameter1, U parameter2) Run an action under this identity.
<T,U,E extends Exception> boolean	runAsExBiPredicate(org.wildfly.common.function.ExceptionBiPredicate<T,U,E> action, T parameter1, U parameter2) Run an action under this identity.
<T,U,R> R	runAsFunction(BiFunction<T,U,R> action, T parameter1, U parameter2) Run an action under this identity.
<T,U,R,E extends Exception> R	runAsFunctionEx(org.wildfly.common.function.ExceptionBiFunction<T,U,R,E> action, T parameter1, U parameter2) Run an action under this identity.
<T> void	runAsObjIntConsumer(ObjIntConsumer<T> action, T parameter1, int parameter2) Run an action under this identity.
<T,E extends Exception> void	runAsObjIntConsumerEx(org.wildfly.common.function.ExceptionObjIntConsumer<T,E> action, T parameter1, int parameter2) Run an action under this identity.
String	toString()
SecurityIdentity	withPrivateCredential(Credential credential) Create a new security identity which is the same as this one, but which includes the given credential as a private credential.
SecurityIdentity	withPrivateCredentials(IdentityCredentials credentials) Create a new security identity which is the same as this one, but which includes the given credentials as private credentials.
SecurityIdentity	withPublicCredential(Credential credential) Create a new security identity which is the same as this one, but which includes the given credential as a public credential.
SecurityIdentity	withPublicCredentials(IdentityCredentials credentials) Create a new security identity which is the same as this one, but which includes the given credentials as public credentials.
SecurityIdentity	withRoleMapper(String category, RoleMapper roleMapper) Attempt to create a new identity which replaces a role mapper category on the current identity.
SecurityIdentity	withSecurityIdentity(SecurityIdentity securityIdentity) Attempt to create a new identity that is the same as this identity but with an additional identity from a different security domain that will be associated with all 'run' calls.
SecurityIdentity	withSecurityIdentitySupplier(Supplier<SecurityIdentity[]> securityIdentities) Attempt to create a new identity that is the same as this identity but with a Supplier to supply identities that will be associated with all 'run' calls.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.wildfly.security.permission.PermissionVerifier

and, checkPermission, from, from, from, from, not, or, toPermissionCollection, unless, xor

Methods inherited from interface org.wildfly.security.auth.server.Scoped

runAs, runAs, runAsAction, runAsConsumer, runAsConsumerEx, runAsExceptionAction, runAsExIntFunction, runAsExLongFunction, runAsExPredicate, runAsFunction, runAsFunctionEx, runAsIntFunction, runAsLongFunction, runAsPredicate, runAsSupplier, runAsSupplierEx

Method Detail

runAs

@Deprecated
public <T> T runAs(PrivilegedAction<T> action)

Deprecated. Use Scoped.runAsSupplier(Supplier) instead.

Run an action under this identity.

Type Parameters:

T - the action return type

Parameters:

action - the action to run

Returns:

the action result (may be null)

runAs

@Deprecated
public <T> T runAs(PrivilegedExceptionAction<T> action)
                        throws PrivilegedActionException

Deprecated. Use Scoped.runAsSupplierEx(ExceptionSupplier) instead.

Run an action under this identity.

Type Parameters:

T - the action return type

Parameters:

action - the action to run

Returns:

the action result (may be null)

Throws:

PrivilegedActionException - if the action fails

runAs

@Deprecated
public <T,P> T runAs(P parameter,
                                 ParametricPrivilegedAction<T,P> action)

Deprecated. Use Scoped.runAsFunction(Function, Object) instead.

Run an action under this identity.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to run

Returns:

the action result (may be null)

runAs

@Deprecated
public <T,P> T runAs(P parameter,
                                 ParametricPrivilegedExceptionAction<T,P> action)
                          throws PrivilegedActionException

Deprecated. Use Scoped.runAsFunctionEx(ExceptionFunction, Object) instead.

Run an action under this identity.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to run

Returns:

the action result (may be null)

Throws:

PrivilegedActionException - if the action fails

runAsFunction

public <T,U,R> R runAsFunction(BiFunction<T,U,R> action,
                               T parameter1,
                               U parameter2)

Run an action under this identity.

Specified by:

runAsFunction in interface Scoped

Type Parameters:

R - the action return type

T - the action first parameter type

U - the action second parameter type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

Returns:

the action result (may be null)

runAsConsumer

public <T,U> void runAsConsumer(BiConsumer<T,U> action,
                                T parameter1,
                                U parameter2)

Run an action under this identity.

Specified by:

runAsConsumer in interface Scoped

Type Parameters:

T - the action first parameter type

U - the action second parameter type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

runAsObjIntConsumer

public <T> void runAsObjIntConsumer(ObjIntConsumer<T> action,
                                    T parameter1,
                                    int parameter2)

Run an action under this identity.

Specified by:

runAsObjIntConsumer in interface Scoped

Type Parameters:

T - the action first parameter type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

runAsFunctionEx

public <T,U,R,E extends Exception> R runAsFunctionEx(org.wildfly.common.function.ExceptionBiFunction<T,U,R,E> action,
                                                     T parameter1,
                                                     U parameter2)
                                              throws E extends Exception

Run an action under this identity.

Specified by:

runAsFunctionEx in interface Scoped

Type Parameters:

R - the action return type

T - the action first parameter type

U - the action second parameter type

E - the action exception type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

Returns:

the action result (may be null)

Throws:

E - if the action throws this exception

E extends Exception

runAsConsumerEx

public <T,U,E extends Exception> void runAsConsumerEx(org.wildfly.common.function.ExceptionBiConsumer<T,U,E> action,
                                                      T parameter1,
                                                      U parameter2)
                                               throws E extends Exception

Run an action under this identity.

Specified by:

runAsConsumerEx in interface Scoped

Type Parameters:

T - the action first parameter type

U - the action second parameter type

E - the action exception type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

Throws:

E - if the action throws this exception

E extends Exception

runAsObjIntConsumerEx

public <T,E extends Exception> void runAsObjIntConsumerEx(org.wildfly.common.function.ExceptionObjIntConsumer<T,E> action,
                                                          T parameter1,
                                                          int parameter2)
                                                   throws E extends Exception

Run an action under this identity.

Specified by:

runAsObjIntConsumerEx in interface Scoped

Type Parameters:

T - the action first parameter type

E - the action exception type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

Throws:

E - if the action throws this exception

E extends Exception

runAsBiPredicate

public <T,U> boolean runAsBiPredicate(BiPredicate<T,U> action,
                                      T parameter1,
                                      U parameter2)

Run an action under this identity.

Specified by:

runAsBiPredicate in interface Scoped

Type Parameters:

T - the action first parameter type

U - the action second parameter type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

Returns:

the action result (may be null)

runAsExBiPredicate

public <T,U,E extends Exception> boolean runAsExBiPredicate(org.wildfly.common.function.ExceptionBiPredicate<T,U,E> action,
                                                            T parameter1,
                                                            U parameter2)
                                                     throws E extends Exception

Run an action under this identity.

Specified by:

runAsExBiPredicate in interface Scoped

Type Parameters:

T - the action first parameter type

U - the action second parameter type

E - the action exception type

Parameters:

parameter1 - the first parameter to pass to the action

parameter2 - the second parameter to pass to the action

action - the action to run

Returns:

the action result (may be null)

Throws:

E - if the action throws this exception

E extends Exception

runAsAll

public static <T> T runAsAll(PrivilegedExceptionAction<T> action,
                             SecurityIdentity... identities)
                      throws PrivilegedActionException

Run an action under a series of identities.

Type Parameters:

T - the action return type

Parameters:

action - the action to run

identities - the identities to set up

Returns:

the action result (may be null)

Throws:

PrivilegedActionException - if the action fails

getRoles

public Roles getRoles()

Get the roles associated with this identity.

Returns:

the roles associated with this identity

getRoles

public Roles getRoles(String category)

Get the mapped roles associated with this identity. If no role mapping exists for the given category, an empty role set is returned.

Parameters:

category - the role mapping category

Returns:

the category roles

withSecurityIdentitySupplier

public SecurityIdentity withSecurityIdentitySupplier(Supplier<SecurityIdentity[]> securityIdentities)

Attempt to create a new identity that is the same as this identity but with a Supplier to supply identities that will be associated with all 'run' calls. Any existing individual identities associated with this identity will be dropped. The supplier will be called for each run call so were possible should handle it's own optimisation.

Parameters:

securityIdentities - a Supplier for identities to be associated with every run call.

Returns:

the new identity

Throws:

IllegalArgumentException - if the supplied identity

withSecurityIdentity

public SecurityIdentity withSecurityIdentity(SecurityIdentity securityIdentity)

Attempt to create a new identity that is the same as this identity but with an additional identity from a different security domain that will be associated with all 'run' calls. If a Supplier has previously been associated with this identity it will be dropped.

Parameters:

securityIdentity - the SecurityIdentity to also be associated with all run calls made to this identity.

Returns:

the new identity

Throws:

IllegalArgumentException - if the supplied identity

getRoles

public Roles getRoles(String category,
                      boolean fallbackToDefault)

Get the mapped roles associated with this identity.

Parameters:

category - the role mapping category

fallbackToDefault - true if the default roles associated with this identity should be returned if no role mapping exists for the given category, false otherwise

Returns:

the category roles

withRoleMapper

public SecurityIdentity withRoleMapper(String category,
                                       RoleMapper roleMapper)

Attempt to create a new identity which replaces a role mapper category on the current identity. If the given role mapper is already set on the current identity, the current identity is returned.

Parameters:

category - the category name

roleMapper - the role mapper to use

Returns:

the new identity

Throws:

SecurityException - if the calling class is not granted the ChangeRoleMapperPermission for the given category name

createRunAsIdentity

public SecurityIdentity createRunAsIdentity(String name)
                                     throws SecurityException

Attempt to create a new identity that can be used to run as a user with the given name. If the current identity is not authorized to run as a user with the given name, an exception is thrown. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission. Regardless security manager is enabled, RunAsPrincipalPermission for given name is required.

Parameters:

name - the name to attempt to run as

Returns:

the new security identity

Throws:

SecurityException - if the operation authorization failed for any reason

createRunAsIdentity

public SecurityIdentity createRunAsIdentity(String name,
                                            boolean authorize)
                                     throws SecurityException

Attempt to create a new identity that can be used to run as a user with the given name. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.

Parameters:

name - the name to attempt to run as

authorize - whether to check the current identity is authorized to run as a user with the given principal (has RunAsPrincipalPermission)

Returns:

the new security identity

Throws:

SecurityException - if the caller does not have the setRunAsPrincipal ElytronPermission or if the operation authorization failed for any other reason

createRunAsIdentity

public SecurityIdentity createRunAsIdentity(Principal principal,
                                            boolean authorize)
                                     throws SecurityException

Attempt to create a new identity that can be used to run as a user with the given principal. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.

Parameters:

principal - the principal to attempt to run as

authorize - whether to check the current identity is authorized to run as a user with the given principal (has RunAsPrincipalPermission)

Returns:

the new security identity

Throws:

SecurityException - if the caller does not have the setRunAsPrincipal ElytronPermission or if the operation authorization failed for any other reason

createRunAsAnonymous

public SecurityIdentity createRunAsAnonymous()
                                      throws SecurityException

Attempt to create a new identity that can be used to run as an anonymous user. If the current identity is not authorized to run as an anonymous user, an exception is thrown. Calling with enabled security manager requires setRunAsPrincipal ElytronPermission. LoginPermission granted to the anonymous identity will be required.

Returns:

the new security identity

Throws:

SecurityException - if the operation authorization failed for any reason

createRunAsAnonymous

public SecurityIdentity createRunAsAnonymous(boolean authorize)
                                      throws SecurityException

Attempt to create a new identity that can be used to run as an anonymous user Calling with enabled security manager requires setRunAsPrincipal ElytronPermission.

Parameters:

authorize - whether to check the anonymous identity is authorized to log in (has LoginPermission)

Returns:

the new security identity

Throws:

SecurityException - if the caller does not have the setRunAsPrincipal ElytronPermission or if the operation authorization failed for any other reason

intersectWith

public SecurityIdentity intersectWith(PermissionVerifier verifier)

Create a new security identity which is the same as this one, but which limits authorization privileges to the intersection of the current privileges and the given verifier.

Parameters:

verifier - the restricted verifier (must not be null)

Returns:

the restricted identity

implies

public boolean implies(Permission permission)

Description copied from interface: PermissionVerifier

Determine if the permission is verified by this object.

Specified by:

implies in interface PermissionVerifier

Parameters:

permission - the permission to verify (must not be null)

Returns:

true if the permission is implied by this verifier, false otherwise

getAttributes

public Attributes getAttributes()

Get the attributes associated with this identity.

Specified by:

getAttributes in interface PermissionMappable

Returns:

a read-only instance of Attributes with all attributes associated with this identity

getPrincipal

public Principal getPrincipal()

Get the principal of this identity.

Specified by:

getPrincipal in interface PermissionMappable

Returns:

the principal of this identity

getCreationTime

public Instant getCreationTime()

Get the creation time of this identity, which is the time that the initial authentication occurred.

Specified by:

getCreationTime in interface PermissionMappable

Returns:

the creation time of this identity (not null)

getPublicCredentials

public IdentityCredentials getPublicCredentials()

Get the public credentials of this identity.

Specified by:

getPublicCredentials in interface PermissionMappable

Returns:

the public credentials of this identity (not null)

isAnonymous

public boolean isAnonymous()

Convenience method to determine if this identity is anonymous.

Returns:

true if the identity is anonymous, false otherwise

withPublicCredential

public SecurityIdentity withPublicCredential(Credential credential)

Create a new security identity which is the same as this one, but which includes the given credential as a public credential.

Parameters:

credential - the credential (must not be null)

Returns:

the new identity

withPublicCredentials

public SecurityIdentity withPublicCredentials(IdentityCredentials credentials)

Create a new security identity which is the same as this one, but which includes the given credentials as public credentials.

Parameters:

credentials - the credential set (must not be null)

Returns:

the new identity

withPrivateCredential

public SecurityIdentity withPrivateCredential(Credential credential)

Create a new security identity which is the same as this one, but which includes the given credential as a private credential.

Parameters:

credential - the credential (must not be null)

Returns:

the new identity

withPrivateCredentials

public SecurityIdentity withPrivateCredentials(IdentityCredentials credentials)

Create a new security identity which is the same as this one, but which includes the given credentials as private credentials.

Parameters:

credentials - the credential set (must not be null)

Returns:

the new identity

getPrivateCredentials

public IdentityCredentials getPrivateCredentials()

Get the private credentials of this identity. The caller must have the getPrivateCredentials ElytronPermission.

Returns:

the private credentials of this identity (not null)

get

public SecurityIdentity get()

Get this identity.

Specified by:

get in interface Supplier<SecurityIdentity>

Returns:

this identity

createFlexibleAssociation

public FlexibleIdentityAssociation createFlexibleAssociation()

Create a new flexible identity association, initializing it with this identity.

Returns:

the new flexible identity association (not null)

toString

public String toString()

Overrides:

toString in class Object