Class AuthManager
getInstance()
)
used for all access to URLs that might require or allow authentication;
it will intercept accesses as required and retain authentication
information as required for use in subsequent HTTP(S) requests
so that the user does not have to keep supplying credentials
where they are already known.
An application should typically call
setUserInterface
on the default instance with an appropriate value near startup and
then use the same instance for all subsequent potentially authenticated
URL accesses.
To access (potentially) authenticated resources, client code
will usually just call openStream(URL)
or
one of the various overloaded connect
methods.
These are all convenience aliases for calls to the
makeConnection
method that actually manages
authentication and redirection for connecting to a given URL.
Currently no attempt is made to handle proxy-authentication (407).
- Since:
- 16 Jun 2020
- Author:
- Mark Taylor
-
Constructor Summary
ConstructorsConstructorDescriptionAuthManager
(UserInterface ui, AuthScheme[] schemes, Redirector dfltRedirector) Constructor. -
Method Summary
Modifier and TypeMethodDescriptionAttempts to establish authentication for an authcheck-type URL.void
clear()
Clears all authentication state from this manager.Opens a URL connection to a given URL, negotiating authentication and with default handling of 3xx redirection.connect
(URL url, UrlConnector connector) Opens a URL connection to a given URL with specified configuration, negotiating authentication and with default handling of 3xx redirection.connect
(URL url, UrlConnector connector, Redirector redirector) Opens a URL connection to a given URL with specified configuration, negotiating authentication and with configurable handling of 3xx redirection.followRedirects
(URLConnection conn, UrlConnector connector, Redirector redirector) Follows 3xx redirects, applying authentication as required.static AuthManager
Returns the default instance of this class.Returns a mutable ordered list of authentication schemes known by this manager.Returns the object that controls how the user is queried for credentials.makeConnection
(URL url, UrlConnector connector, Redirector redirector) Opens a URL connection to a given URL with specified configuration, negotiating authentication and with configurable handling of 3xx redirection.openStream
(URL url) Returns the content stream acquired by opening a URL.static void
setDefaultInstance
(AuthManager authManager) Resets the default AuthManager instance.void
Sets the object that controls how the user is queried for credentials.
-
Constructor Details
-
AuthManager
Constructor. Note that in most cases best practice would be to use thegetInstance()
method instead.- Parameters:
ui
- user interface implementation; if null, no authentication management is attemptedschemes
- list of known authentication schemes, ordered by preferencedfltRedirector
- handles default 3xx redirection behaviour
-
-
Method Details
-
setUserInterface
Sets the object that controls how the user is queried for credentials. If the value is null, then this object will not attempt any authentication management, and it will simply defer to normal JVM behaviour.- Parameters:
ui
- user interface to use if null, no authentication management is attempted
-
getUserInterface
Returns the object that controls how the user is queried for credentials. If the value is null, then this object will not attempt any authentication management, and it will simply defer to normal JVM behaviour.- Returns:
- user interface in use if null, no authentication management is attempted
-
getSchemes
Returns a mutable ordered list of authentication schemes known by this manager. Schemes earlier in this list are preferred over later ones.As well as being mutable this list is thread-safe.
- Returns:
- mutable list of schemes
-
clear
public void clear()Clears all authentication state from this manager. Any subsequent accesses to protected resources will require new credential acquisition. -
connect
Opens a URL connection to a given URL, negotiating authentication and with default handling of 3xx redirection. The return value is an open connection, that is one on whichconnect()
has been called.An IOException is only thrown in unexpected circumstances; connection failure is usually indicated by the status of the returned connection object.
- Parameters:
url
- target URL- Returns:
- open connection to URL, with authentication in place if applicable and possible
- Throws:
IOException
-
connect
Opens a URL connection to a given URL with specified configuration, negotiating authentication and with default handling of 3xx redirection. The return value is an open connection, that is one on whichconnect()
has been called.An IOException is only thrown in unexpected circumstances; connection failure is usually indicated by the status of the returned connection object.
- Parameters:
url
- target URLconnector
- obtains a connection from a URL; may be null for default behaviour- Returns:
- open connection to URL, with authentication in place if applicable and possible
- Throws:
IOException
-
connect
public URLConnection connect(URL url, UrlConnector connector, Redirector redirector) throws IOException Opens a URL connection to a given URL with specified configuration, negotiating authentication and with configurable handling of 3xx redirection. The return value is an open connection, that is one on whichconnect()
has been called.An IOException is only thrown in unexpected circumstances; connection failure is usually indicated by the status of the returned connection object.
- Parameters:
url
- target URLconnector
- obtains a connection from a URL; may be null for default behaviourredirector
- controls handling of 3xx redirection- Returns:
- open connection to URL, with authentication in place if applicable and possible
- Throws:
IOException
-
makeConnection
public AuthConnection makeConnection(URL url, UrlConnector connector, Redirector redirector) throws IOException Opens a URL connection to a given URL with specified configuration, negotiating authentication and with configurable handling of 3xx redirection. The return value is an AuthConnection which aggregates an open connection, that is one on whichconnect()
has been called, and the AuthContext which was used to open it.An IOException is only thrown in unexpected circumstances; connection failure is usually indicated by the status of the returned connection object.
- Parameters:
url
- target URLconnector
- obtains a connection from a URL; may be null for default behaviourredirector
- controls handling of 3xx redirection- Returns:
- object containing an open URLConnection with authentication in place if applicable and possible, and the AuthContext used to connect
- Throws:
IOException
-
openStream
Returns the content stream acquired by opening a URL. This convenience method is shorthand forconnect(url).getInputStream()
.- Parameters:
url
- target URL- Returns:
- an input stream for reading from the URL connection
- Throws:
IOException
- in case of failure, including authentication failure
-
followRedirects
public URLConnection followRedirects(URLConnection conn, UrlConnector connector, Redirector redirector) throws IOException Follows 3xx redirects, applying authentication as required.- Parameters:
conn
- initial URL connectionconnector
- obtains a connection from a URL; may be null for default behaviourredirector
- defines how redirection is done- Returns:
- connected connection following redirects; in case of no redirection, this will be the same as the input connection
- Throws:
IOException
-
authcheck
public AuthStatus authcheck(URL authcheckUrl, boolean isHead, boolean isForceLogin) throws IOException Attempts to establish authentication for an authcheck-type URL. If it has not already been done for the domain in question, this method may (depending on theisForceLogin
parameter) query the user for credentials as required, and has the side-effect of setting up authentication to related URLs for subsequent communication.Setting the
isForceLogin
parameter affects whether user interaction will take place. If true, then any previous credentials for challenges received are disregarded, and either a 200 or a 401/403 response will trigger user interaction (request for credentials), as long as challenges are present. If false, any existing credentials are used where applicable, and user interaction only takes place on a 401/403 response; so a request for credentials only takes place if it can't be avoided.The expected behaviour of this authcheck endpoint is as follows, in accordance with the (draft at time of writing) "SSO_next" proposal. Briefly, it behaves as other endpoints in the service except that a service allowing both authenticated and anonymous access should accompany 200 responses to anonymous access with an RFC7235 challenge. In more detail: if authenticated or unauthenticated access is attempted, it should provoke a 200/401/403 response, following normal HTTP rules, matching the behaviour that a similarly authenticated request would see when using the associated VO service. However, in the case of a service that permits both authenticated and anonymous access on the same endpoint, an anonymous request should provoke a 200 response with an accompanying WWW-Authenticate header (an authentication Challenge as defined in RFC7235 sec 4.1). Thus clients attempting authenticated or unauthenticated access must be prepared for
- 200 with or without a challenge
- 401 with a challenge
- 403 with or without a challenge
- 404
X-VO-Authenticated
header giving the authenticated user ID if authentication has been established. The response body is not defined by this proposal.- Parameters:
authcheckUrl
- URL at which an authcheck endpoint may be presentisHead
- if true use a HEAD request, if false use GETisForceLogin
- whether to force a new login where it could be avoided- Returns:
- characterisation of authentication status that has been established for the given URL, and will be used for compatible URLs in future if suitable
- Throws:
IOException
-
getInstance
Returns the default instance of this class. Note that the initial state of this instance has no user interface, meaning there is no change to normal JVM behaviour. To get this instance to manage authentication, it is necessary first to callsetUserInterface(uk.ac.starlink.auth.UserInterface)
.- Returns:
- default instance
-
setDefaultInstance
Resets the default AuthManager instance.- Parameters:
authManager
- new default instance
-