Custom Security Providers

Owned by Anonymous
Last updated: Jul 19, 2013 by Jim MarinoVersion comment
3 min read

The Fabric3 standalone basic security provider may be replaced with a more capable (and dynamic) alternative by substituting the fabric3-security-impl.jar in the extensions repository.

The custom security provider must implement the AuthenticationService and AuthorizationService interfaces from the org.fabric3.spi.security package (defined in fabric3-spi):

/**
 * Implemented by security providers that perform authentication.
 */
public interface AuthenticationService {

    /**
     * Authenticates a user.
     *
     * @param token the authentication token
     * @return the authenticated subject
     * @throws AuthenticationException if the authentication attempt was unsuccessful. The exception will wrap an underlying cause typically thrown by
     *                                 the security provider.
     */
    SecuritySubject authenticate(AuthenticationToken<?, ?> token) throws AuthenticationException;
}

/**
 * Implemented by security providers that perform authorization.
 */
public interface AuthorizationService {

    /**
     * Determines if the subject has a role.
     *
     * @param subject the subject
     * @param role    the role
     * @throws AuthorizationException if the user does not have the role or there is a general error performing authorization. If the user does not
     *                                have the role, NotAuthorizedException will be thrown.
     */
    void checkRole(SecuritySubject subject, String role) throws AuthorizationException;

    /**
     * Determines if the subject has the collection of roles.
     *
     * @param subject the subject
     * @param roles   the roles
     * @throws AuthorizationException if the user does not have the roles or there is a general error performing authorization. If the user does not
     *                                have a role, NotAuthorizedException will be thrown.
     */
    void checkRoles(SecuritySubject subject, Collection<String> roles) throws AuthorizationException;

    /**
     * Determines if the subject has a permission.
     *
     * @param subject the subject
     * @param role    the role
     * @throws AuthorizationException if the user does not have the permission or there is a general error performing authorization. If the user does
     *                                not have the permission, NotAuthorizedException will be thrown.
     */
    void checkPermission(SecuritySubject subject, String role) throws AuthorizationException;

    /**
     * Determines if the subject has the collection of permission.
     *
     * @param subject the subject
     * @param roles   the roles
     * @throws AuthorizationException if the user does not have the permissions or there is a general error performing authorization. If the user does
     *                                not have a permission, NotAuthorizedException will be thrown.
     */
    void checkPermissions(SecuritySubject subject, Collection<String> roles) throws AuthorizationException;

}