Interface HttpMessageContext
- All Known Implementing Classes:
HttpMessageContextWrapper
HttpMessageContext
contains all of the per-request state information and encapsulates the client request,
server response, container handler for authentication callbacks, and the subject representing the caller.-
Method Summary
Modifier and TypeMethodDescriptionvoid
Convenience method to clean the subject associated with this context.Instructs the container to "do nothing".Forwards to another resource (Jakarta Servlet, Jakarta Server Pages file, or HTML file) on the server.Returns the parameters that were provided with the SecurityContext#authenticate(AuthParameters) call.Gets the Principal set by a call to notifyContainerAboutLogin().Returns the subject for which authentication is to take place.Gets the groups set by a call to notifyContainerAboutLogin().Returns the low level Jakarta Authentication handler that the runtime provided when creating thisHttpMessageContext
, and which this context uses to communicate the authentication details to the runtime.jakarta.security.auth.message.MessageInfo
Returns the the low level Jakarta Authentication message info instance for the current request.jakarta.servlet.http.HttpServletRequest
Returns the request object associated with the current request.jakarta.servlet.http.HttpServletResponse
Returns the response object associated with the current request.boolean
Checks if the current call to an authentication mechanism is the result from the application callingSecurityContext.authenticate(HttpServletRequest, HttpServletResponse, AuthenticationParameters)
boolean
Checks if the currently requested resource is protected or not.boolean
Check if the runtime has been asked to register an authentication session duing the current request.Convenience method intended to pass theCredentialValidationResult
result of an identity store directly on to the container.notifyContainerAboutLogin
(String callername, Set<String> groups) Asks the container to register the given caller name and groups in order to make them available to the application for use withSecurityContext.isCallerInRole(String)
etc.notifyContainerAboutLogin
(Principal principal, Set<String> groups) Asks the container to register the given caller principal and groups in order to make them available to the application for use withSecurityContext.isCallerInRole(String)
etc.Sets the response status to SC_FOUND 302 (Found)Sets the response status to 404 (not found).Sets the response status to 401 (unauthorized).void
setRegisterSession
(String callerName, Set<String> groups) Asks the runtime to register an authentication session.void
setRequest
(jakarta.servlet.http.HttpServletRequest request) Sets the request object.void
setResponse
(jakarta.servlet.http.HttpServletResponse response) Set the response object.withRequest
(jakarta.servlet.http.HttpServletRequest request) Sets the request object.
-
Method Details
-
isProtected
boolean isProtected()Checks if the currently requested resource is protected or not. A protected resource is a resource (e.g. a Jakarta Servlet, Jakarta Faces page, Jakarta Server Pages page etc) for which a constraint has been defined in e.g.web.xml
.- Returns:
- true if a protected resource was requested, false if a public resource was requested.
-
isAuthenticationRequest
boolean isAuthenticationRequest()Checks if the current call to an authentication mechanism is the result from the application callingSecurityContext.authenticate(HttpServletRequest, HttpServletResponse, AuthenticationParameters)
If SecurityContext#authenticate was not called, the authentication mechanism may have been invoked by the container at the start of a request.
- Returns:
- true if SecurityContext#authenticate was called, false if not.
-
isRegisterSession
boolean isRegisterSession()Check if the runtime has been asked to register an authentication session duing the current request.- Returns:
- true if code has asked to register an authentication session, false otherwise.
-
setRegisterSession
Asks the runtime to register an authentication session. This will automatically remember the logged-in status as long as the current HTTP session remains valid. Without this being asked, aHttpAuthenticationMechanism
has to manually re-authenticate with the runtime at the start of each request.- Parameters:
callerName
- the caller name for which authentication should be be rememberedgroups
- the groups for which authentication should be remembered.
-
cleanClientSubject
void cleanClientSubject()Convenience method to clean the subject associated with this context.Cleaning this subject is done as defined by the Servlet Container Profile of Jakarta Authentication for the ServerAuthModule#cleanSubject method and the
HttpAuthenticationMechanism.cleanSubject(HttpServletRequest, HttpServletResponse, HttpMessageContext)
method defined by this specification. -
getAuthParameters
AuthenticationParameters getAuthParameters()Returns the parameters that were provided with the SecurityContext#authenticate(AuthParameters) call.- Returns:
- the parameters that were provided with the SecurityContext#authenticate(AuthParameters) call, or a default instance. Never null.
-
getHandler
CallbackHandler getHandler()Returns the low level Jakarta Authentication handler that the runtime provided when creating thisHttpMessageContext
, and which this context uses to communicate the authentication details to the runtime.Note: This is a low level object that most higher level code would not need to use directly.
- Returns:
- the handler that the runtime provided to this context
-
getMessageInfo
jakarta.security.auth.message.MessageInfo getMessageInfo()Returns the the low level Jakarta Authentication message info instance for the current request.Note: This is a low level object that most higher level code would not need to use directly.
- Returns:
- the message info instance for the current request.
-
getClientSubject
Subject getClientSubject()Returns the subject for which authentication is to take place.Note: This is a low level object that most higher level code would not need to use directly.
- Returns:
- the subject for which authentication is to take place.
-
getRequest
jakarta.servlet.http.HttpServletRequest getRequest()Returns the request object associated with the current request.- Returns:
- the request object associated with the current request.
-
setRequest
void setRequest(jakarta.servlet.http.HttpServletRequest request) Sets the request object.- Parameters:
request
- the request object to be set
-
withRequest
Sets the request object.- Parameters:
request
- the request object to be set.- Returns:
- the HttpMessageContext instance on which this method was called, useful for fluent style call call chains.
-
getResponse
jakarta.servlet.http.HttpServletResponse getResponse()Returns the response object associated with the current request.- Returns:
- the response object associated with the current request.
-
setResponse
void setResponse(jakarta.servlet.http.HttpServletResponse response) Set the response object.- Parameters:
response
- the response object to be set.
-
redirect
Sets the response status to SC_FOUND 302 (Found)As a convenience this method returns SEND_CONTINUE, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Parameters:
location
- the location to redirect to- Returns:
AuthenticationStatus.SEND_CONTINUE
- See Also:
-
HttpServletResponse.sendRedirect(String)
-
forward
Forwards to another resource (Jakarta Servlet, Jakarta Server Pages file, or HTML file) on the server.As a convenience this method returns SEND_CONTINUE, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Parameters:
path
- a String specifying the pathname to the resource.- Returns:
AuthenticationStatus.SEND_CONTINUE
- See Also:
-
RequestDispatcher.forward(jakarta.servlet.ServletRequest, jakarta.servlet.ServletResponse)
-
responseUnauthorized
AuthenticationStatus responseUnauthorized()Sets the response status to 401 (unauthorized).As a convenience this method returns SEND_FAILURE, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Returns:
AuthenticationStatus.SEND_FAILURE
-
responseNotFound
AuthenticationStatus responseNotFound()Sets the response status to 404 (not found).As a convenience this method returns SEND_FAILURE, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Returns:
AuthenticationStatus.SEND_FAILURE
-
notifyContainerAboutLogin
Asks the container to register the given caller name and groups in order to make them available to the application for use withSecurityContext.isCallerInRole(String)
etc.Note that after this call returned, the authenticated identity will not be immediately active. This will only take place (should no errors occur) after the authentication mechanism in which this call takes place returns control back to the container (runtime).
As a convenience this method returns SUCCESS, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Parameters:
callername
- the caller name that will become the caller principalgroups
- the groups associated with the caller principal- Returns:
AuthenticationStatus.SUCCESS
-
notifyContainerAboutLogin
Asks the container to register the given caller principal and groups in order to make them available to the application for use withSecurityContext.isCallerInRole(String)
etc.Note that this call may result in the container establishing two caller principals to represent the caller's identity -- the Principal provided here as the principal parameter, and a second principal used as the container's representation of the caller identity. A second principal is added only if the container uses a different Principal type to represent the caller. If the types are the same, only one Principal is added.
If a second principal is added, the value returned by
Principal.getName()
will be the same for both principals.When two principals are added, the container's caller principal is returned from
SecurityContext.getCallerPrincipal()
, and the principal supplied here as a parameter can be retrieved usingSecurityContext.getPrincipalsByType(Class)
. When only one is added, it is returned bySecurityContext.getCallerPrincipal()
.Note that after this call returned, the authenticated identity will not be immediately active. This will only take place (should no errors occur) after the authentication mechanism in which this call takes place returns control back to the container (runtime).
As a convenience this method returns SUCCESS, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Parameters:
principal
- the Principal that will become the caller principalgroups
- the groups associated with the caller principal- Returns:
AuthenticationStatus.SUCCESS
-
notifyContainerAboutLogin
Convenience method intended to pass theCredentialValidationResult
result of an identity store directly on to the container.If the outcome from the given
CredentialValidationResult.getStatus()
equalsCredentialValidationResult.Status.VALID
, theCallerPrincipal
and groups are obtained from theCredentialValidationResult
and passed intonotifyContainerAboutLogin(Principal, Set)
.If the outcome from the given
CredentialValidationResult.getStatus()
is not equal toCredentialValidationResult.Status.VALID
a failure result is returned.- Parameters:
result
- a CredentialValidationResult which is inspected for its status and from which the principal and groups are taken.- Returns:
AuthenticationStatus.SUCCESS
ifCredentialValidationResult.getStatus()
equalsCredentialValidationResult.Status.VALID
otherwiseAuthenticationStatus.SEND_FAILURE
-
doNothing
AuthenticationStatus doNothing()Instructs the container to "do nothing".When intending to do nothing, a Jakarta Security authentication mechanism has to indicate this explicitly via its return value.
As a convenience this method returns NOT_DONE, so this method can be used in one fluent return statement from an
HttpAuthenticationMechanism
- Returns:
AuthenticationStatus.NOT_DONE
-
getCallerPrincipal
Principal getCallerPrincipal()Gets the Principal set by a call to notifyContainerAboutLogin().- Returns:
- The caller principal
-
getGroups
Gets the groups set by a call to notifyContainerAboutLogin().- Returns:
- The groups
-