| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
| Realm |
|
| 1.0;1 |
| 1 | /* | |
| 2 | * Licensed to the Apache Software Foundation (ASF) under one | |
| 3 | * or more contributor license agreements. See the NOTICE file | |
| 4 | * distributed with this work for additional information | |
| 5 | * regarding copyright ownership. The ASF licenses this file | |
| 6 | * to you under the Apache License, Version 2.0 (the | |
| 7 | * "License"); you may not use this file except in compliance | |
| 8 | * with the License. You may obtain a copy of the License at | |
| 9 | * | |
| 10 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 11 | * | |
| 12 | * Unless required by applicable law or agreed to in writing, | |
| 13 | * software distributed under the License is distributed on an | |
| 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
| 15 | * KIND, either express or implied. See the License for the | |
| 16 | * specific language governing permissions and limitations | |
| 17 | * under the License. | |
| 18 | */ | |
| 19 | package org.apache.shiro.realm; | |
| 20 | ||
| 21 | import org.apache.shiro.authc.AuthenticationException; | |
| 22 | import org.apache.shiro.authc.AuthenticationInfo; | |
| 23 | import org.apache.shiro.authc.AuthenticationToken; | |
| 24 | ||
| 25 | /** | |
| 26 | * A <tt>Realm</tt> is a security component that can access application-specific security entities | |
| 27 | * such as users, roles, and permissions to determine authentication and authorization operations. | |
| 28 | * | |
| 29 | * <p><tt>Realm</tt>s usually have a 1-to-1 correspondance with a datasource such as a relational database, | |
| 30 | * file sysetem, or other similar resource. As such, implementations of this interface use datasource-specific APIs to | |
| 31 | * determine authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or any other | |
| 32 | * Data Access API. They are essentially security-specific | |
| 33 | * <a href="http://en.wikipedia.org/wiki/Data_Access_Object" target="_blank">DAO</a>s. | |
| 34 | * | |
| 35 | * <p>Because most of these datasources usually contain Subject (a.k.a. User) information such as usernames and | |
| 36 | * passwords, a Realm can act as a pluggable authentication module in a | |
| 37 | * <a href="http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules">PAM</a> configuration. This allows a Realm to | |
| 38 | * perform <i>both</i> authentication and authorization duties for a single datasource, which caters to the large | |
| 39 | * majority of applications. If for some reason you don't want your Realm implementation to perform authentication | |
| 40 | * duties, you should override the {@link #supports(org.apache.shiro.authc.AuthenticationToken)} method to always | |
| 41 | * return <tt>false</tt>. | |
| 42 | * | |
| 43 | * <p>Because every application is different, security data such as users and roles can be | |
| 44 | * represented in any number of ways. Shiro tries to maintain a non-intrusive development philosophy whenever | |
| 45 | * possible - it does not require you to implement or extend any <tt>User</tt>, <tt>Group</tt> or <tt>Role</tt> | |
| 46 | * interfaces or classes. | |
| 47 | * | |
| 48 | * <p>Instead, Shiro allows applications to implement this interface to access environment-specific datasources | |
| 49 | * and data model objects. The implementation can then be plugged in to the application's Shiro configuration. | |
| 50 | * This modular technique abstracts away any environment/modeling details and allows Shiro to be deployed in | |
| 51 | * practically any application environment. | |
| 52 | * | |
| 53 | * <p>Most users will not implement the <tt>Realm</tt> interface directly, but will extend one of the subclasses, | |
| 54 | * {@link org.apache.shiro.realm.AuthenticatingRealm AuthenticatingRealm} or {@link org.apache.shiro.realm.AuthorizingRealm}, greatly reducing the effort requird | |
| 55 | * to implement a <tt>Realm</tt> from scratch.</p> | |
| 56 | * | |
| 57 | * @see org.apache.shiro.realm.CachingRealm CachingRealm | |
| 58 | * @see org.apache.shiro.realm.AuthenticatingRealm AuthenticatingRealm | |
| 59 | * @see org.apache.shiro.realm.AuthorizingRealm AuthorizingRealm | |
| 60 | * @see org.apache.shiro.authc.pam.ModularRealmAuthenticator ModularRealmAuthenticator | |
| 61 | * @since 0.1 | |
| 62 | */ | |
| 63 | public interface Realm { | |
| 64 | ||
| 65 | /** | |
| 66 | * Returns the (application-unique) name assigned to this <code>Realm</code>. All realms configured for a single | |
| 67 | * application must have a unique name. | |
| 68 | * | |
| 69 | * @return the (application-unique) name assigned to this <code>Realm</code>. | |
| 70 | */ | |
| 71 | String getName(); | |
| 72 | ||
| 73 | /** | |
| 74 | * Returns <tt>true</tt> if this realm wishes to authenticate the Subject represented by the given | |
| 75 | * {@link org.apache.shiro.authc.AuthenticationToken AuthenticationToken} instance, <tt>false</tt> otherwise. | |
| 76 | * | |
| 77 | * <p>If this method returns <tt>false</tt>, it will not be called to authenticate the Subject represented by | |
| 78 | * the token - more specifically, a <tt>false</tt> return value means this Realm instance's | |
| 79 | * {@link #getAuthenticationInfo} method will not be invoked for that token. | |
| 80 | * | |
| 81 | * @param token the AuthenticationToken submitted for the authentication attempt | |
| 82 | * @return <tt>true</tt> if this realm can/will authenticate Subjects represented by specified token, | |
| 83 | * <tt>false</tt> otherwise. | |
| 84 | */ | |
| 85 | boolean supports(AuthenticationToken token); | |
| 86 | ||
| 87 | /** | |
| 88 | * Returns an account's authentication-specific information for the specified <tt>token</tt>, | |
| 89 | * or <tt>null</tt> if no account could be found based on the <tt>token</tt>. | |
| 90 | * | |
| 91 | * <p>This method effectively represents a login attempt for the corresponding user with the underlying EIS datasource. | |
| 92 | * Most implementations merely just need to lookup and return the account data only (as the method name implies) | |
| 93 | * and let Shiro do the rest, but implementations may of course perform eis specific login operations if so | |
| 94 | * desired. | |
| 95 | * | |
| 96 | * @param token the application-specific representation of an account principal and credentials. | |
| 97 | * @return the authentication information for the account associated with the specified <tt>token</tt>, | |
| 98 | * or <tt>null</tt> if no account could be found. | |
| 99 | * @throws org.apache.shiro.authc.AuthenticationException | |
| 100 | * if there is an error obtaining or constructing an AuthenticationInfo object based on the | |
| 101 | * specified <tt>token</tt> or implementation-specifc login behavior fails. | |
| 102 | */ | |
| 103 | AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException; | |
| 104 | ||
| 105 | } |