Module io.inverno.mod.security

Package io.inverno.mod.security.authentication

Interface Authenticator<A extends Credentials,B extends Authentication>

Type Parameters:

A - the type of credentials

B - the type of authentication

All Known Implementing Classes:

AbstractPrincipalAuthenticator, ActiveDirectoryAuthenticator, JWEAuthenticator, JWSAuthenticator, JWTEAuthenticator, JWTSAuthenticator, LDAPAuthenticator, PrincipalAuthenticator, UserAuthenticator

Functional Interface:

This is a functional interface and can therefore be used as the assignment target for a lambda expression or method reference.

@FunctionalInterface
public interface Authenticator<A extends Credentials,B extends Authentication>

An authenticator is used to authenticate the Credentials of an entity that wants to access protected services or resources.

The Authentication returned by the authenticate(io.inverno.mod.security.authentication.Credentials) method represents a proof of authentication, namely that the entity credentials have been validated.

Since:

1.5

Author:

Jeremy Kuhn

Method Summary

Modifier and Type	Method	Description
Mono<B>	authenticate(A credentials)	Authenticates the specified credentials and returns an authentication.
default Authenticator<A,B>	failOnDenied()	Transforms the authenticator so it fails on denied authentications.
default Authenticator<A,B>	failOnDeniedAndAnonymous()	Transforms the authenticator so it fails on denied and anonymous authentications.
default <T extends Authentication> Authenticator<A,T>	flatMap(Function<? super B,? extends Mono<? extends T>> mapper)	Invokes this authenticator and then transforms the resulting authentication publisher.
default <T extends Authentication> Authenticator<A,T>	map(Function<? super B,? extends T> mapper)	Invokes this authenticator and then transforms the resulting authentication.
default Authenticator<A,B>	or(Authenticator<? super A,? extends B> other)	Returns a composed authenticator which first invokes this authenticator and, if the credentials could not be authenticated, invokes the specified authenticator.

Method Details

authenticate

Mono<B> authenticate(A credentials)
              throws AuthenticationException

Authenticates the specified credentials and returns an authentication.

Implementations can return an empty mono to indicate that they were unable to authenticate the credentials. This does not mean credentials are invalid, this simply mean that a particular authenticator does not manage them and therefore can's possibly determine whether they are valid. For example, when considering login credentials composed of a user and a password, an authenticator which does not manage that particular user can return an empty mono.

Implementations must return denied authentications with AuthenticationException when they were able to authenticate credentials which turned out to be invalid. For example, a login credentials authenticator must return a denied authentication exception when it does manage a particular username but the provided password was invalid.

A denied authentication can also bre reported by throwing an AuthenticationException when returning an actual authentication instance is not practical.

Parameters:

credentials - the credentials to authenticate

Returns:

a mono emitting an authentication, an error mono or an empty mono if the authenticator could not authenticate the credentials

Throws:

AuthenticationException - if credentials were invalid

or

default Authenticator<A,B> or(Authenticator<? super A,? extends B> other)

Returns a composed authenticator which first invokes this authenticator and, if the credentials could not be authenticated, invokes the specified authenticator.

Parameters:

other - the authenticator to invoke in case this authenticator was not able to authenticate credentials

Returns:

a composed authenticator

flatMap

default <T extends Authentication>
Authenticator<A,T> flatMap(Function<? super B,? extends Mono<? extends T>> mapper)

Invokes this authenticator and then transforms the resulting authentication publisher.

Type Parameters:

T - the type of the resulting authentication

Parameters:

mapper - the function to transform the authentication publisher

Returns:

a transformed authentiator

map

default <T extends Authentication>
Authenticator<A,T> map(Function<? super B,? extends T> mapper)

Invokes this authenticator and then transforms the resulting authentication.

Type Parameters:

T - the type of the resulting authentication

Parameters:

mapper - the function to transform the authentication

Returns:

a transformed authentiator

failOnDenied

default Authenticator<A,B> failOnDenied()

Transforms the authenticator so it fails on denied authentications.

An authenticator is supposed to return a denied authentication in case of failed authentication, however this might not always be possible or convenient, especially when transforming authentication output using map(java.util.function.Function) or flatMap(java.util.function.Function) operators. As consequence, it might be desirable to actually propagate the original authentication error when a denied authentication is returned by the authenticator.

Returns:

an authenticator that returns an error mono on denied authentications

failOnDeniedAndAnonymous

default Authenticator<A,B> failOnDeniedAndAnonymous()

Transforms the authenticator so it fails on denied and anonymous authentications.

As for failOnDenied(), an authenticator can return a denied or an anonymous authentication, this operator allows to throw a corresponding AuthenticationException to stop a subsequent authentication transformation chain instead of dealing with denied and anonymous authentication when mapping the authentication output.

Returns:

an authenticator that returns an error mono on denied and anonymous authentications