Class SecurityDomain

    • Method Detail

      • getCurrent

        public static SecurityDomain getCurrent()
        Get the SecurityDomain associated with the context class loader of the calling Thread or null if one is not associated. Obtaining security domain with enabled security manager requires getSecurityDomain ElytronPermission.
        Returns:
        the SecurityDomain associated with the context class loader of the calling Thread or null if one is not associated.
      • forIdentity

        public static SecurityDomain forIdentity​(SecurityIdentity identity)
        Get the security domain associated with the given identity. Obtaining security domain with enabled security manager requires getSecurityDomain ElytronPermission.
        Parameters:
        identity - the security identity (must not be null)
        Returns:
        the identity's security domain (not null)
      • builder

        public static SecurityDomain.Builder builder()
        Create a new security domain builder.
        Returns:
        the builder
      • createNewAuthenticationContext

        public ServerAuthenticationContext createNewAuthenticationContext()
        Create a new authentication context for this security domain which can be used to carry out a single authentication operation. Calling with enabled security manager requires createServerAuthenticationContext ElytronPermission.
        Returns:
        the new authentication context
      • createNewAuthenticationContext

        public ServerAuthenticationContext createNewAuthenticationContext​(MechanismConfigurationSelector mechanismConfigurationSelector)
        Create a new authentication context for this security domain which can be used to carry out a single authentication operation. Calling with enabled security manager requires createServerAuthenticationContext ElytronPermission.
        Parameters:
        mechanismConfigurationSelector - the selector to use to obtain the mechanism configuration
        Returns:
        the new authentication context
      • getIdentityLookupFunction

        public org.wildfly.common.function.ExceptionFunction<Principal,​RealmIdentity,​RealmUnavailableException> getIdentityLookupFunction()
        Get a function which can be used to look up principals without a security manager permission check. All returned identities must be disposed. Calling with enabled security manager requires getIdentity ElytronPermission.
        Returns:
        the lookup function (not null)
        Throws:
        SecurityException - if the caller is not authorized to perform the operation
      • getIdentityLookupForUpdateFunction

        public org.wildfly.common.function.ExceptionFunction<Principal,​ModifiableRealmIdentity,​RealmUnavailableException> getIdentityLookupForUpdateFunction()
        Get a function which can be used to look up principals for update without a security manager permission check. All returned identities must be disposed. Calling with enabled security manager requires getIdentityForUpdate ElytronPermission.
        Returns:
        the lookup function (not null)
        Throws:
        SecurityException - if the caller is not authorized to perform the operation
      • getCredentialAcquireSupport

        public SupportLevel getCredentialAcquireSupport​(Class<? extends Credential> credentialType,
                                                        String algorithmName,
                                                        AlgorithmParameterSpec parameterSpec)
        Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable. Credential is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Credential is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.
        Parameters:
        credentialType - the exact credential type (must not be null)
        algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
        parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters
        Returns:
        the level of support for this credential
      • getCredentialAcquireSupport

        public SupportLevel getCredentialAcquireSupport​(Class<? extends Credential> credentialType,
                                                        String algorithmName)
        Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable. Credential is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Credential is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.
        Parameters:
        credentialType - the exact credential type (must not be null)
        algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
        Returns:
        the level of support for this credential
      • getCredentialAcquireSupport

        public SupportLevel getCredentialAcquireSupport​(Class<? extends Credential> credentialType)
        Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for some identities), or definitely not obtainable. Credential is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Credential is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.
        Parameters:
        credentialType - the exact credential type (must not be null)
        Returns:
        the level of support for this credential
      • getEvidenceVerifySupport

        public SupportLevel getEvidenceVerifySupport​(Class<? extends Evidence> evidenceType,
                                                     String algorithmName)
        Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable. Evidence is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Evidence is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.
        Parameters:
        evidenceType - the type of evidence to be verified (must not be null)
        algorithmName - the algorithm name, or null if any algorithm is acceptable or the evidence type does not support algorithm names
        Returns:
        the level of support for this evidence type
      • getEvidenceVerifySupport

        public SupportLevel getEvidenceVerifySupport​(Class<? extends Evidence> evidenceType)
        Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable. Evidence is SupportLevel.SUPPORTED, if it is supported by all realms of the domain. Evidence is SupportLevel.POSSIBLY_SUPPORTED if it is supported or possibly supported by at least one realm of the domain. Otherwise it is SupportLevel.UNSUPPORTED.
        Parameters:
        evidenceType - the type of evidence to be verified (must not be null)
        Returns:
        the level of support for this evidence type
      • getCurrentSecurityIdentity

        public SecurityIdentity getCurrentSecurityIdentity()
        Get the current security identity for this domain. Code can be executed with given identity using SecurityIdentity.runAs* methods.
        Returns:
        the current security identity for this domain (not null)
      • getAnonymousSecurityIdentity

        public SecurityIdentity getAnonymousSecurityIdentity()
        Get the anonymous security identity for this realm.
        Returns:
        the anonymous security identity for this realm (not null)
      • createAdHocIdentity

        public SecurityIdentity createAdHocIdentity​(String name)
        Create an empty ad-hoc identity. The identity will have no authorization information and no credentials associated with it.
        Parameters:
        name - the identity name (must not be null)
        Returns:
        the ad-hoc identity
      • createAdHocIdentity

        public SecurityIdentity createAdHocIdentity​(Principal principal)
        Create an empty ad-hoc identity. The identity will have no authorization information and no credentials associated with it. Calling with enabled security manager requires createAdHocIdentity ElytronPermission.
        Parameters:
        principal - the identity principal (must not be null)
        Returns:
        the ad-hoc identity