View Javadoc
1   /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.springframework.security;
17  
18  import java.io.Serializable;
19  
20  import java.security.Principal;
21  
22  
23  /**
24   * Represents an authentication request.
25   *
26   * <p>
27   * An <code>Authentication</code> object is not considered authenticated until
28   * it is processed by an {@link AuthenticationManager}.
29   * </p>
30   *
31   * <p>
32   * Stored in a request {@link org.springframework.security.context.SecurityContext}.
33   * </p>
34   *
35   * @author Ben Alex
36   * @version $Id: Authentication.java 2217 2007-10-27 00:45:30Z luke_t $
37   */
38  public interface Authentication extends Principal, Serializable {
39      //~ Methods ========================================================================================================
40  
41      /**
42       * Set by an <code>AuthenticationManager</code> to indicate the authorities that the principal has been
43       * granted. Note that classes should not rely on this value as being valid unless it has been set by a trusted
44       * <code>AuthenticationManager</code>.<p>Implementations should ensure that modifications to the returned
45       * array do not affect the state of the Authentication object (e.g. by returning an array copy).</p>
46       *
47       * @return the authorities granted to the principal, or <code>null</code> if authentication has not been completed
48       */
49      GrantedAuthority[] getAuthorities();
50  
51      /**
52       * The credentials that prove the principal is correct. This is usually a password, but could be anything
53       * relevant to the <code>AuthenticationManager</code>. Callers are expected to populate the credentials.
54       *
55       * @return the credentials that prove the identity of the <code>Principal</code>
56       */
57      Object getCredentials();
58  
59      /**
60       * Stores additional details about the authentication request. These might be an IP address, certificate
61       * serial number etc.
62       *
63       * @return additional details about the authentication request, or <code>null</code> if not used
64       */
65      Object getDetails();
66  
67      /**
68       * The identity of the principal being authenticated. This is usually a username. Callers are expected to
69       * populate the principal.
70       *
71       * @return the <code>Principal</code> being authenticated
72       */
73      Object getPrincipal();
74  
75      /**
76       * Used to indicate to <code>AbstractSecurityInterceptor</code> whether it should present the
77       * authentication token to the <code>AuthenticationManager</code>. Typically an <code>AuthenticationManager</code>
78       * (or, more often, one of its <code>AuthenticationProvider</code>s) will return an immutable authentication token
79       * after successful authentication, in which case that token can safely return <code>true</code> to this method.
80       * Returning <code>true</code> will improve performance, as calling the <code>AuthenticationManager</code> for
81       * every request will no longer be necessary.<p>For security reasons, implementations of this interface
82       * should be very careful about returning <code>true</code> to this method unless they are either immutable, or
83       * have some way of ensuring the properties have not been changed since original creation.</p>
84       *
85       * @return true if the token has been authenticated and the <code>AbstractSecurityInterceptor</code> does not need
86       *         to represent the token for re-authentication to the <code>AuthenticationManager</code>
87       */
88      boolean isAuthenticated();
89  
90      /**
91       * See {@link #isAuthenticated()} for a full description.<p>Implementations should <b>always</b> allow this
92       * method to be called with a <code>false</code> parameter, as this is used by various classes to specify the
93       * authentication token should not be trusted. If an implementation wishes to reject an invocation with a
94       * <code>true</code> parameter (which would indicate the authentication token is trusted - a potential security
95       * risk) the implementation should throw an {@link IllegalArgumentException}.</p>
96       *
97       * @param isAuthenticated <code>true</code> if the token should be trusted (which may result in an exception) or
98       *        <code>false</code> if the token should not be trusted
99       *
100      * @throws IllegalArgumentException if an attempt to make the authentication token trusted (by passing
101      *         <code>true</code> as the argument) is rejected due to the implementation being immutable or
102      *         implementing its own alternative approach to {@link #isAuthenticated()}
103      */
104     void setAuthenticated(boolean isAuthenticated)
105         throws IllegalArgumentException;
106 }