1 /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited 2 * 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 package org.springframework.security; 17 18 import java.io.Serializable; 19 20 import java.security.Principal; 21 22 23 /** 24 * Represents an authentication request. 25 * 26 * <p> 27 * An <code>Authentication</code> object is not considered authenticated until 28 * it is processed by an {@link AuthenticationManager}. 29 * </p> 30 * 31 * <p> 32 * Stored in a request {@link org.springframework.security.context.SecurityContext}. 33 * </p> 34 * 35 * @author Ben Alex 36 * @version $Id: Authentication.java 2217 2007-10-27 00:45:30Z luke_t $ 37 */ 38 public interface Authentication extends Principal, Serializable { 39 //~ Methods ======================================================================================================== 40 41 /** 42 * Set by an <code>AuthenticationManager</code> to indicate the authorities that the principal has been 43 * granted. Note that classes should not rely on this value as being valid unless it has been set by a trusted 44 * <code>AuthenticationManager</code>.<p>Implementations should ensure that modifications to the returned 45 * array do not affect the state of the Authentication object (e.g. by returning an array copy).</p> 46 * 47 * @return the authorities granted to the principal, or <code>null</code> if authentication has not been completed 48 */ 49 GrantedAuthority[] getAuthorities(); 50 51 /** 52 * The credentials that prove the principal is correct. This is usually a password, but could be anything 53 * relevant to the <code>AuthenticationManager</code>. Callers are expected to populate the credentials. 54 * 55 * @return the credentials that prove the identity of the <code>Principal</code> 56 */ 57 Object getCredentials(); 58 59 /** 60 * Stores additional details about the authentication request. These might be an IP address, certificate 61 * serial number etc. 62 * 63 * @return additional details about the authentication request, or <code>null</code> if not used 64 */ 65 Object getDetails(); 66 67 /** 68 * The identity of the principal being authenticated. This is usually a username. Callers are expected to 69 * populate the principal. 70 * 71 * @return the <code>Principal</code> being authenticated 72 */ 73 Object getPrincipal(); 74 75 /** 76 * Used to indicate to <code>AbstractSecurityInterceptor</code> whether it should present the 77 * authentication token to the <code>AuthenticationManager</code>. Typically an <code>AuthenticationManager</code> 78 * (or, more often, one of its <code>AuthenticationProvider</code>s) will return an immutable authentication token 79 * after successful authentication, in which case that token can safely return <code>true</code> to this method. 80 * Returning <code>true</code> will improve performance, as calling the <code>AuthenticationManager</code> for 81 * every request will no longer be necessary.<p>For security reasons, implementations of this interface 82 * should be very careful about returning <code>true</code> to this method unless they are either immutable, or 83 * have some way of ensuring the properties have not been changed since original creation.</p> 84 * 85 * @return true if the token has been authenticated and the <code>AbstractSecurityInterceptor</code> does not need 86 * to represent the token for re-authentication to the <code>AuthenticationManager</code> 87 */ 88 boolean isAuthenticated(); 89 90 /** 91 * See {@link #isAuthenticated()} for a full description.<p>Implementations should <b>always</b> allow this 92 * method to be called with a <code>false</code> parameter, as this is used by various classes to specify the 93 * authentication token should not be trusted. If an implementation wishes to reject an invocation with a 94 * <code>true</code> parameter (which would indicate the authentication token is trusted - a potential security 95 * risk) the implementation should throw an {@link IllegalArgumentException}.</p> 96 * 97 * @param isAuthenticated <code>true</code> if the token should be trusted (which may result in an exception) or 98 * <code>false</code> if the token should not be trusted 99 * 100 * @throws IllegalArgumentException if an attempt to make the authentication token trusted (by passing 101 * <code>true</code> as the argument) is rejected due to the implementation being immutable or 102 * implementing its own alternative approach to {@link #isAuthenticated()} 103 */ 104 void setAuthenticated(boolean isAuthenticated) 105 throws IllegalArgumentException; 106 }