Interface AuthenticationManager

All Superinterfaces:

public interface AuthenticationManager extends Action
Action interface for external authentication. Action factories are called with an AuthenticationContext object as the InvokationContext.getClientContext(). Use AuthenticationContext.getLoginRequest() to get information about the login and password used for logging in.
  • Method Details

    • authenticate

      AuthenticatedUser authenticate()
      Try to authenticate a user given the login information passed to the factory in the AuthenticationContext. There are three outcomes from this method:
      • The login request was valid: An AuthenticatedUser object should be returned with at least the external id of the user.
      • The login request was invalid: An AuthenticationException (or a subclass) should be thrown
      • It was not possible to know if the request was invalid or not: null should be returned to let the authentication continue with another action or internal authentication.
      Returns:
      An AuthenticatedUser object if the user was authenticated, null if this action doesn't know if the login is valid or not
      Throws:
      AuthenticationException - If the user was not authenticated
    • vetoAuthenticatedUser

      default void vetoAuthenticatedUser(UserData user, AuthenticatedUser auth)
      This method is called if there are multiple installed external authentication managers and at least one of them accepted the user in the authenticate() method. If so, all other authentication managers get a chance to veto the login. For example, an administrator account may be protected with a special authentication manager (for example, YubiKey) while regular users are protected by a simpler method (for example, OTP). If the administrator tries to log in with the OTP method, the YubiKey authentication manager may veto this by throwing an AuthenticationException from this method. Note that this method is NOT called on the authentication manager that authenticated a user by returning information from the authenticate() method. To provide backwards compatibility with existing authentication managers, this method has a default implementation that doesn't do anything.
      Parameters:
      user - The user that is trying to log in
      auth - Information about the authentication
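
The three authenticate() outcomes and the veto pass, as an added example that is not code from this API or its project. All types below are simplified stand-ins for the names on this page, the OTP and YubiKey managers and the Factory interface are hypothetical, and the dispatch order in login() (first non-null result wins, then every other manager may veto) is an assumption based on the description above.

```java
import java.util.List;

public class AuthChainDemo {
    // Stand-ins (assumptions) for the types named on this page; not the real classes.
    static class AuthenticationException extends RuntimeException { AuthenticationException(String m) { super(m); } }
    record LoginRequest(String login, String password) {}
    record AuthenticatedUser(String method, String externalId) {}
    record UserData(String login, boolean admin) {}
    interface AuthenticationManager {
        AuthenticatedUser authenticate();
        default void vetoAuthenticatedUser(UserData user, AuthenticatedUser auth) {}
    }
    // Hypothetical factory: one manager instance per login request.
    interface Factory { AuthenticationManager create(LoginRequest r); }

    // Hypothetical OTP manager; the constant is a constructed stand-in for real OTP verification.
    static AuthenticationManager otp(LoginRequest r) {
        return () -> {
            if (!r.login().endsWith("@otp")) return null;              // unknown login: let the chain continue
            if (!"123456".equals(r.password())) throw new AuthenticationException("invalid OTP");
            return new AuthenticatedUser("otp", r.login());            // valid: external id is the minimum
        };
    }
    // Hypothetical YubiKey manager: vetoes administrators who were accepted by any other manager.
    static AuthenticationManager yubiKey(LoginRequest r) {
        return new AuthenticationManager() {
            public AuthenticatedUser authenticate() { return null; }   // demo: never decides on its own
            public void vetoAuthenticatedUser(UserData user, AuthenticatedUser auth) {
                if (user.admin()) throw new AuthenticationException("administrators must use YubiKey");
            }
        };
    }
    // Assumed dispatch: null from every manager means "fall back to internal authentication".
    static AuthenticatedUser login(LoginRequest r, UserData user, List<Factory> factories) {
        List<AuthenticationManager> managers = factories.stream().map(f -> f.create(r)).toList();
        AuthenticationManager winner = null;
        AuthenticatedUser auth = null;
        for (AuthenticationManager m : managers) {
            if ((auth = m.authenticate()) != null) { winner = m; break; }
        }
        if (auth == null) return null;
        for (AuthenticationManager m : managers) if (m != winner) m.vetoAuthenticatedUser(user, auth);
        return auth;
    }
    public static void main(String[] args) {
        List<Factory> f = List.of(AuthChainDemo::otp, AuthChainDemo::yubiKey);
        System.out.println(login(new LoginRequest("alice@otp", "123456"), new UserData("alice", false), f));
        try { login(new LoginRequest("root@otp", "123456"), new UserData("root", true), f); }
        catch (AuthenticationException e) { System.out.println("vetoed: " + e.getMessage()); }
    }
}
```

A manager that keeps the default vetoAuthenticatedUser() never blocks a login accepted elsewhere, so any manager meant to protect privileged accounts has to override it.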