com.ibm.mfp.server.security.external.checks
Interface SecurityCheck
- All Superinterfaces:
- java.io.Externalizable, java.io.Serializable
- All Known Implementing Classes:
- ExternalizableSecurityCheck
public interface SecurityCheck extends java.io.Externalizable
Represents server-side state of a security check.
Security checks are kept in a distributed cache, and are stateful, so it's the responsibility of the implementor to handle the persistent state.
Method Summary
Modifier and Type, Method and Description:
void authorize(java.util.Set scope, java.util.Map credentials, HttpServletRequest request, AuthorizationResponse response)
    Request the given scope from this security check.
SecurityCheckConfiguration createConfiguration(java.util.Properties properties)
    Create configuration object and populate fields from the given properties.
long getExpiresAt()
    Get the expiration of the current state of the security check.
int getInactivityTimeoutSec()
    Get the security check inactivity timeout, usually the configured value.
void introspect(java.util.Set scope, IntrospectionResponse response)
    Make sure this check currently grants the requested scope. If the scope is granted, the implementation should add the granted scope, its expiration, and custom introspection data to the response parameter.
void logout()
    Called upon explicit logout from this security check.
void setContext(java.lang.String name, SecurityCheckConfiguration config, AuthorizationContext authorizationContext, RegistrationContext registrationContext)
    Initialize the security check with the context and configuration properties.
Method Detail
createConfiguration
SecurityCheckConfiguration createConfiguration(java.util.Properties properties)
Create configuration object and populate fields from the given properties. Use errors and warnings maps to report problems.
Called during deployment.
- Parameters:
- properties - the merged properties to read and validate
- Returns:
- new configuration object, not null
setContext
void setContext(java.lang.String name, SecurityCheckConfiguration config, AuthorizationContext authorizationContext, RegistrationContext registrationContext)
Initialize the security check with the context and configuration properties. This method is called after instantiation and also on each retrieve. Security checks should not keep the configuration data in the persistent state.
- Parameters:
- name - name of the security check
- config - security check configuration created by SecurityCheck.createConfiguration(Properties)
- authorizationContext - provides access to the transient state of the calling client
- registrationContext - provides access to the persistent state of the calling client
getInactivityTimeoutSec
int getInactivityTimeoutSec()
Get the security check inactivity timeout, usually the configured value. 0 means no inactivity timeout is defined for this check.
- Returns:
- inactivity timeout in seconds, 0 if none
getExpiresAt
long getExpiresAt()
Get the expiration of the current state of the security check. No assumption is made about the meaning of the state (success, failure, or any other). After the expiration the state of the security check is lost.
- Returns:
- the time of expiration in millis
authorize
void authorize(java.util.Set scope, java.util.Map credentials, HttpServletRequest request, AuthorizationResponse response)
Request the given scope from this security check. The check can return success, challenge, or failure.
- Parameters:
- scope - the requested scope, which comes from the scope mapping processing. Usually it should not be analyzed by the security check, except in the case of a custom check that knows exactly what scopes should be granted at any point.
- credentials - the credentials sent by the client, either as a challenge response or pre-emptively
- request - the pre-authorization or registration request sent by the client
- response - the response to which this check adds its success, challenge, or failure
introspect
void introspect(java.util.Set scope, IntrospectionResponse response)
Make sure this check currently grants the requested scope.
If the scope is granted, the implementation should add the granted scope, its expiration, and custom introspection data to the response parameter. If the scope is not granted, the implementation should return silently.
- Parameters:
- scope - scope expected to be granted by this check
- response - the response to which this check adds its granted scope and custom introspection data
logout
void logout()
Called upon explicit logout from this security check. The implementation may choose to modify or delete its persistent (registered) state, or run other custom logic.
The transient state of this security check is destroyed automatically.
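The split between cached state and configuration described in the interface description and under setContext, as an added example that is not part of the IBM documentation or the MobileFirst code base. DemoCheck and DemoConfig are hypothetical stand-ins that use only the JDK, so the block runs without the MobileFirst libraries; it serializes only the check's state and re-injects the configuration after the object is read back.

```java
import java.io.*;

public class StateDemo {
    // Hypothetical stand-in for a SecurityCheckConfiguration subclass.
    static class DemoConfig {
        final int successExpirationSec;
        DemoConfig(int sec) { successExpirationSec = sec; }
    }

    // Hypothetical check state; Externalizable because SecurityCheck extends it.
    public static class DemoCheck implements Externalizable {
        private String name;        // from setContext, never serialized
        private DemoConfig config;  // from setContext, never serialized
        private boolean success;    // persistent state
        private long expiresAt;     // persistent state, epoch millis

        public DemoCheck() {}       // Externalizable needs a public no-arg constructor

        public void setContext(String name, DemoConfig config) { this.name = name; this.config = config; }
        public void markSuccess(long nowMillis) {
            success = true;
            expiresAt = nowMillis + config.successExpirationSec * 1000L;
        }
        public boolean grants(long nowMillis) { return success && nowMillis < expiresAt; }

        @Override public void writeExternal(ObjectOutput out) throws IOException {
            out.writeBoolean(success);  // only state goes to the cache
            out.writeLong(expiresAt);
        }
        @Override public void readExternal(ObjectInput in) throws IOException {
            success = in.readBoolean();
            expiresAt = in.readLong();
        }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        DemoCheck check = new DemoCheck();
        check.setContext("demoCheck", new DemoConfig(60));
        check.markSuccess(now);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(check); }
        DemoCheck restored;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            restored = (DemoCheck) in.readObject();
        }
        restored.setContext("demoCheck", new DemoConfig(60)); // re-injected on each retrieve
        System.out.println("within expiry: " + restored.grants(now + 30_000));
        System.out.println("after expiry:  " + restored.grants(now + 61_000));
    }
}
```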