Package org.wildfly.security.auth.realm

Class FileSystemSecurityRealm

java.lang.Object
org.wildfly.security.auth.realm.FileSystemSecurityRealm
All Implemented Interfaces:
CacheableSecurityRealm, ModifiableSecurityRealm, SecurityRealm
public final class FileSystemSecurityRealm extends Object implements ModifiableSecurityRealm, CacheableSecurityRealm
A simple filesystem-backed security realm.
Author:
David M. Lloyd

  • Constructor Details

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded, Encoding hashEncoding, Charset hashCharset, Supplier<Provider[]> providers, SecretKey secretKey, PrivateKey privateKey, PublicKey publicKey)
      Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.
      Parameters:
      root - the root path of the identity store
      nameRewriter - the name rewriter to apply to looked up names
      levels - the number of levels of directory hashing to apply
      encoded - whether identity names should be BASE32 encoded before using as filename (only applies if the security realm is unencrypted)
      hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default.
      hashEncoding - the string format for the hashed passwords. Uses Base64 by default.
      providers - The providers supplier
      secretKey - the SecretKey used to encrypt and decrypt the security realm (if null, the security realm will be unencrypted)
      privateKey - the PrivateKey used to verify the integrity of the security realm (if null, the security realm will not verify integrity)
      publicKey - the PublicKey used to verify the integrity of the security realm (if null, the security realm will not verify integrity)

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded, Encoding hashEncoding, Charset hashCharset, SecretKey secretKey)
      Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.
      Parameters:
      root - the root path of the identity store
      nameRewriter - the name rewriter to apply to looked up names
      levels - the number of levels of directory hashing to apply
      encoded - whether identity names should be BASE32 encoded before using as filename
      hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default.
      hashEncoding - the string format for the hashed passwords. Uses Base64 by default.
      secretKey - the SecretKey used to encrypt and decrypt the security realm (if null, the security realm will be unencrypted)

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded, Encoding hashEncoding, Charset hashCharset)
      Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.
      Parameters:
      root - the root path of the identity store
      nameRewriter - the name rewriter to apply to looked up names
      levels - the number of levels of directory hashing to apply
      encoded - whether identity names should be BASE32 encoded before using as filename
      hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default.
      hashEncoding - the string format for the hashed passwords. Uses Base64 by default.

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, boolean encoded)
      Construct a new instance. Construction with enabled security manager requires createSecurityRealm ElytronPermission.
      Parameters:
      root - the root path of the identity store
      nameRewriter - the name rewriter to apply to looked up names
      levels - the number of levels of directory hashing to apply
      encoded - whether identity names should by BASE32 encoded before using as filename

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels)
      Construct a new instance.
      Parameters:
      root - the root path of the identity store
      nameRewriter - the name rewriter to apply to looked up names
      levels - the number of levels of directory hashing to apply

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, NameRewriter nameRewriter, int levels, Encoding hashEncoding, Charset hashCharset)
      Construct a new instance.
      Parameters:
      root - the root path of the identity store
      nameRewriter - the name rewriter to apply to looked up names
      levels - the number of levels of directory hashing to apply
      hashEncoding - the string format for hashed passwords. Uses Base64 by default.
      hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default and must not be null.

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, int levels)
      Construct a new instance.
      Parameters:
      root - the root path of the identity store
      levels - the number of levels of directory hashing to apply

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, int levels, Encoding hashEncoding, Charset hashCharset)
      Construct a new instance.
      Parameters:
      root - the root path of the identity store
      levels - the number of levels of directory hashing to apply
      hashEncoding - the string format for hashed passwords. Uses Base64 by default.
      hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default and must not be null.

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root)
      Construct a new instance with 2 levels of hashing.
      Parameters:
      root - the root path of the identity store

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, Encoding hashEncoding, Charset hashCharset)
      Construct a new instance with 2 levels of hashing.
      Parameters:
      root - the root path of the identity store
      hashEncoding - the string format for hashed passwords. Uses Base64 by default.
      hashCharset - the character set to use when converting password strings to a byte array. Uses UTF-8 by default and must not be null

    • FileSystemSecurityRealm

      public FileSystemSecurityRealm(Path root, int levels, Supplier<Provider[]> providers)

  • Method Details

    • builder

      public static FileSystemSecurityRealmBuilder builder()
      Construct a new instance of the FileSystemSecurityRealmBuilder.
      Returns:
      the new FileSystemSecurityRealmBuilder instance

    • hasIntegrityEnabled

      public boolean hasIntegrityEnabled()
      Checks if the FileSystemSecurityRealm has Integrity checking enabled
      Returns:
      true if Integrity checking is enabled, and false otherwise

    • getHashCharset

      public Charset getHashCharset()

    • getRealmIdentity

      public RealmIdentity getRealmIdentity(Principal principal)
      Description copied from interface: SecurityRealm
      Get a handle for to the identity for the given principal in the context of this security realm. Any validation / name mapping is an implementation detail for the realm. The identity may or may not exist. The returned handle must be cleaned up by a call to RealmIdentity.dispose().
      Specified by:
      getRealmIdentity in interface SecurityRealm
      Parameters:
      principal - the principal which identifies the identity within the realm (must not be null)
      Returns:
      the RealmIdentity for the provided principal (not null)

    • getRealmIdentityForUpdate

      public ModifiableRealmIdentity getRealmIdentityForUpdate(Principal principal)
      Description copied from interface: ModifiableSecurityRealm
      Get an update handle for to the identity for the given principal in the context of this security realm. Any validation / name mapping is an implementation detail for the realm. The identity may or may not exist. The returned handle must be cleaned up by a call to RealmIdentity.dispose(). During the lifespan of a ModifiableRealmIdentity, no other updates or authentications may take place for the corresponding realm identity, thus care should be taken to minimize the duration of the identity's lifespan.

      If there is not enough information to locate an identity compatible with this realm, ModifiableRealmIdentity.NON_EXISTENT may be returned.

      Specified by:
      getRealmIdentityForUpdate in interface ModifiableSecurityRealm
      Parameters:
      principal - the principal to use to locate the ModifiableRealmIdentity handle (must not be null)
      Returns:
      the ModifiableRealmIdentity for the provided information (not null)

    • registerIdentityChangeListener

      public void registerIdentityChangeListener(Consumer<Principal> listener)
      Description copied from interface: CacheableSecurityRealm
      Register a listener that should be invoked by this realm in order to notify the caching layer about changes to a specific identity.
      Specified by:
      registerIdentityChangeListener in interface CacheableSecurityRealm
      Parameters:
      listener - the listener

    • getRealmIdentityIterator

      public ModifiableRealmIdentityIterator getRealmIdentityIterator() throws RealmUnavailableException
      Description copied from interface: ModifiableSecurityRealm
      Get an iterator over all of this realm's identities.
      Specified by:
      getRealmIdentityIterator in interface ModifiableSecurityRealm
      Returns:
      the identity iterator
      Throws:
      RealmUnavailableException - if the realm fails for some reason

    • getCredentialAcquireSupport

      public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException
      Description copied from interface: SecurityRealm
      Determine whether a credential of the given type and algorithm is definitely obtainable, possibly obtainable (for] some identities), or definitely not obtainable.
      Specified by:
      getCredentialAcquireSupport in interface SecurityRealm
      Parameters:
      credentialType - the exact credential type (must not be null)
      algorithmName - the algorithm name, or null if any algorithm is acceptable or the credential type does not support algorithm names
      parameterSpec - the algorithm parameters to match, or null if any parameters are acceptable or the credential type does not support algorithm parameters
      Returns:
      the level of support for this credential
      Throws:
      RealmUnavailableException - if the realm is not able to handle requests for any reason

    • getEvidenceVerifySupport

      public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException
      Description copied from interface: SecurityRealm
      Determine whether a given type of evidence is definitely verifiable, possibly verifiable (for some identities), or definitely not verifiable.
      Specified by:
      getEvidenceVerifySupport in interface SecurityRealm
      Parameters:
      evidenceType - the type of evidence to be verified (must not be null)
      algorithmName - the algorithm name, or null if any algorithm is acceptable or the evidence type does not support algorithm names
      Returns:
      the level of support for this evidence type
      Throws:
      RealmUnavailableException - if the realm is not able to handle requests for any reason

    • updateRealmKeyPair

      public void updateRealmKeyPair() throws RealmUnavailableException
      Re-generate the signatures for all the identities in this realm. This method is intended to be called after updating the key pair used by this realm.
      Throws:
      RealmUnavailableException - if the realm is not able to handle requests for any reason

    • verifyRealmIntegrity

      public FileSystemSecurityRealm.IntegrityResult verifyRealmIntegrity() throws RealmUnavailableException
      Verify the integrity of each identity file in this realm.
      Returns:
      true if the integrity of all the identity files in the realm is successfully verified and false otherwise
      Throws:
      RealmUnavailableException