Interface TokenAuthenticationManager


public interface TokenAuthenticationManager
  • Method Details

    • authenticateApplication

      Token authenticateApplication(Application application, com.atlassian.crowd.model.authentication.ApplicationAuthenticationContext authenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException
      Authenticates an application and generates an authentication token.
      Parameters:
      application - the application being authenticated
      authenticationContext - application authentication credentials.
      tokenLifetime - Requested lifetime of the token
      Returns:
      generated authentication token.
      Throws:
      InvalidAuthenticationException - authentication was not successful because either the application does not exist, the password is incorrect, the application is inactive or there was a problem generating the authentication token.
    • authenticateApplicationWithoutValidatingPassword

      Token authenticateApplicationWithoutValidatingPassword(Application application, com.atlassian.crowd.model.authentication.ApplicationAuthenticationContext authenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException
      Authenticates an application and generates an authentication token, ignoring the credentials.

      This method should only be used to generate a token for an application that has already been authenticated by some other means (e.g. TLS client certificates), as it bypasses any password checks. The caller must therefore make sure the application's identity was actually verified before calling it; the application must still exist and be active.

      Parameters:
      application - the application being authenticated
      authenticationContext - application authentication credentials.
      tokenLifetime - Requested lifetime of the token
      Returns:
      generated authentication token.
      Throws:
      InvalidAuthenticationException - authentication was not successful because either the application does not exist, the application is inactive or there was a problem generating the authentication token.
      Since:
      2.9
    • authenticateUser

      Token authenticateUser(Application application, com.atlassian.crowd.model.authentication.UserAuthenticationContext authenticateContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException
      Authenticates a user and generates an authentication token. The password of the user is validated before generating a token.

      The RemoteDirectory.authenticate(String, com.atlassian.crowd.embedded.api.PasswordCredential) method is iteratively called for each assigned directory. If the user does not exist in one directory, the directory is skipped and the next one is examined. If the user does not exist in any of the assigned directories then an InvalidAuthenticationException is thrown.

      Parameters:
      application - the application the user is authenticating to
      authenticateContext - The authentication details for the user.
      tokenLifetime - Requested lifetime of the token
      Returns:
      The authenticated token for the user.
      Throws:
      InvalidAuthenticationException - The authentication was not successful.
      OperationFailedException - error thrown by directory implementation when attempting to find or authenticate the user.
      InactiveAccountException - user account is inactive.
      ApplicationAccessDeniedException - user does not have access to authenticate with application.
      ExpiredCredentialException - the user's credentials have expired. The user must change their credentials in order to successfully authenticate.
    • authenticateUserWithoutValidatingPassword

      Token authenticateUserWithoutValidatingPassword(Application application, com.atlassian.crowd.model.authentication.UserAuthenticationContext authenticateContext) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException
      Feigns the authentication process for a user and creates a token for the authentication without validating the password.

      This method should only be used to generate a token for a user whose credentials have already been verified by some other means (e.g. the SharePoint NTLM connector), as it bypasses any password checks. The username placed in the authentication context must come from that external authentication, not from untrusted request input.

      If you want actual password authentication, use the authenticateUser(Application, UserAuthenticationContext, TokenLifetime) method.

      Parameters:
      application - the application the user is authenticating to
      authenticateContext - The authentication details for the user.
      Returns:
      The authenticated token for the user.
      Throws:
      InvalidAuthenticationException - if the authentication was not successful.
      OperationFailedException - if an error is thrown by the directory implementation when attempting to find or authenticate the user.
      InactiveAccountException - if the user account is inactive.
      ApplicationAccessDeniedException - if the user does not have access to authenticate with application.
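The following is an added example, not code from the Crowd Javadoc or the Crowd code base, showing how a caller should fence authenticateUserWithoutValidatingPassword: the call is refused unless an out-of-band authenticator has already vouched for the identity, and the username is copied from that verified identity rather than from a request parameter. The same guard applies to authenticateApplicationWithoutValidatingPassword. ExternalIdentity is a hypothetical stand-in for whatever the external authenticator returns; the import paths and the UserAuthenticationContext setters are assumed from the Crowd API.

```java
// Added example, not Crowd code. ExternalIdentity is a hypothetical stand-in for whatever
// the out-of-band authenticator (NTLM connector, client-certificate handshake) hands over.
import com.atlassian.crowd.exception.ApplicationAccessDeniedException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.manager.authentication.TokenAuthenticationManager;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.authentication.UserAuthenticationContext;
import com.atlassian.crowd.model.authentication.ValidationFactor;
import com.atlassian.crowd.model.token.Token;

public final class ExternallyAuthenticatedTokenIssuer {

    /** Hypothetical: what the external authenticator asserts after it has done its own check. */
    public static final class ExternalIdentity {
        private final String username;
        private final boolean verified;

        public ExternalIdentity(String username, boolean verified) {
            this.username = username;
            this.verified = verified;
        }
        public String username() { return username; }
        public boolean verified() { return verified; }
    }

    private final TokenAuthenticationManager tokenManager;
    private final Application application;

    public ExternallyAuthenticatedTokenIssuer(TokenAuthenticationManager tokenManager,
                                              Application application) {
        this.tokenManager = tokenManager;
        this.application = application;
    }

    /**
     * Mint a Crowd token for a user whose password is NOT checked here. Two things keep this
     * safe: the call is refused unless the external authenticator vouches for the identity,
     * and the username is taken from that identity, never from a request parameter.
     * Inactive accounts and users without access to the application are still rejected by
     * Crowd (InactiveAccountException, ApplicationAccessDeniedException).
     */
    public Token issueToken(ExternalIdentity identity, ValidationFactor[] factors)
            throws InvalidAuthenticationException, OperationFailedException,
                   InactiveAccountException, ApplicationAccessDeniedException {
        if (identity == null || !identity.verified() || identity.username() == null) {
            throw new IllegalStateException(
                "refusing to issue a token: no verified external authentication present");
        }
        UserAuthenticationContext ctx = new UserAuthenticationContext();
        ctx.setName(identity.username());        // from the verified identity only
        ctx.setApplication(application.getName());
        ctx.setValidationFactors(factors);       // still bind the token to the client's request
        // No credential is set: the password is deliberately not consulted on this path.
        return tokenManager.authenticateUserWithoutValidatingPassword(application, ctx);
    }
}
```

Never expose issueToken on a code path where the username can be influenced by the caller; the only input this method trusts is the identity the external authenticator produced.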
    • validateApplicationToken

      Token validateApplicationToken(String tokenKey, com.atlassian.crowd.model.authentication.ValidationFactor[] validationFactors) throws InvalidTokenException
      Validates an application token key given validation factors.
      Parameters:
      tokenKey - the key (random hash) of the application token to validate.
      validationFactors - validation factors for generating the token hash.
      Returns:
      validated token.
      Throws:
      InvalidTokenException - if the tokenKey or corresponding client validation factors do not represent a valid application token.
    • validateUserToken

      Token validateUserToken(Application application, String userTokenKey, com.atlassian.crowd.model.authentication.ValidationFactor[] validationFactors) throws InvalidTokenException, ApplicationAccessDeniedException, OperationFailedException
      Validates a user token key given validation factors and checks that the user is allowed to authenticate with the specified application.
      Parameters:
      application - the application performing the authentication
      userTokenKey - the key (random hash) of the user token to validate.
      validationFactors - validation factors for generating the token hash.
      Returns:
      validated authentication token.
      Throws:
      InvalidTokenException - if the userTokenKey or corresponding validationFactors do not represent a valid SSO token.
      OperationFailedException - there was an error communicating with an underlying directory when determining if a user is allowed to authenticate with the application (e.g. if a user has the appropriate group memberships).
      ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.
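Putting authenticateUser, validateUserToken and findUserByToken together, as an added example that is not part of the Crowd Javadoc or the Crowd code base: a small service that issues a token at login and re-validates it on every later request with the validation factors of that request, so a token key copied to another client fails validation. Import paths, the TokenLifetime.USE_DEFAULT constant and the UserAuthenticationContext setters are assumed from the Crowd API; which validation factors the server actually folds into the token hash is a server-side setting.

```java
// Added example, not Crowd code. Import paths and the setter/constant names below are
// assumed from the Crowd API that this interface belongs to.
import java.util.Optional;

import com.atlassian.crowd.embedded.api.PasswordCredential;
import com.atlassian.crowd.exception.ApplicationAccessDeniedException;
import com.atlassian.crowd.exception.ExpiredCredentialException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.InvalidTokenException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.manager.authentication.TokenAuthenticationManager;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.authentication.UserAuthenticationContext;
import com.atlassian.crowd.model.authentication.ValidationFactor;
import com.atlassian.crowd.model.token.Token;
import com.atlassian.crowd.model.token.TokenLifetime;
import com.atlassian.crowd.model.user.User;

public final class SsoSessionService {

    private final TokenAuthenticationManager tokenManager;
    private final Application application;

    public SsoSessionService(TokenAuthenticationManager tokenManager, Application application) {
        this.tokenManager = tokenManager;
        this.application = application;
    }

    /**
     * Validation factors taken from the client's request. The same factors must be presented
     * when the token is validated later, so a key replayed from another host fails validation.
     */
    public static ValidationFactor[] clientFactors(String remoteAddress, String userAgent) {
        return new ValidationFactor[] {
            new ValidationFactor(ValidationFactor.REMOTE_ADDRESS, remoteAddress),
            new ValidationFactor(ValidationFactor.USER_AGENT, userAgent)
        };
    }

    /**
     * Password login. Returns the token key (random hash) to hand back to the client, or
     * empty if login is refused. ExpiredCredentialException is propagated on purpose: the
     * password was right but must be changed, so the caller should route to a
     * password-change page instead of showing a generic failure.
     */
    public Optional<String> login(String username, String password, ValidationFactor[] factors)
            throws ExpiredCredentialException {
        UserAuthenticationContext ctx = new UserAuthenticationContext();
        ctx.setName(username);
        ctx.setCredential(new PasswordCredential(password));
        ctx.setApplication(application.getName());
        ctx.setValidationFactors(factors);
        try {
            Token token = tokenManager.authenticateUser(application, ctx, TokenLifetime.USE_DEFAULT);
            return Optional.of(token.getRandomHash());
        } catch (InvalidAuthenticationException | InactiveAccountException
                | ApplicationAccessDeniedException | OperationFailedException e) {
            // One indistinguishable refusal: the client must not learn whether the account
            // exists, is inactive, or merely lacks access to this application.
            return Optional.empty();
        }
    }

    /**
     * Per-request check. The factors come from the current request, not from login, so a
     * token key presented from elsewhere is rejected with InvalidTokenException.
     */
    public Optional<User> resolveUser(String tokenKey, ValidationFactor[] factors) {
        try {
            Token token = tokenManager.validateUserToken(application, tokenKey, factors);
            return Optional.of(tokenManager.findUserByToken(token, application));
        } catch (InvalidTokenException | ApplicationAccessDeniedException e) {
            return Optional.empty(); // unauthenticated; the caller should drop the client's cookie
        } catch (OperationFailedException e) {
            return Optional.empty(); // directory unreachable: fail closed rather than trust the key
        }
    }
}
```

The token key returned by login is the session secret; transport it only in an HttpOnly, Secure cookie, and treat every failure in resolveUser, including a directory outage, as "not logged in" rather than falling back to the last known user.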
    • invalidateToken

      Optional<Token> invalidateToken(String token)
      Attempts to invalidate a Token based on the passed in Token key (random hash).

      If the token does not exist (i.e. it has already been invalidated) this method returns Optional.empty(). If an existing token is successfully invalidated, a TokenInvalidatedEvent is fired and the invalidated token is returned.

      Parameters:
      token - the token key (random hash) to invalidate.
      Returns:
      the invalidated token, or Optional.empty() if no token with that key exists.
    • invalidateAllTokens

      void invalidateAllTokens()
      Invalidates all user and application tokens. This means it will also invalidate the token of the calling application.
    • removeExpiredTokens

      void removeExpiredTokens()
      Removes all tokens that have exceeded their expiry time.

      NOTE: Do not call this method from the web layer, as this is wrapped in a Spring managed transaction.

    • findUserByToken

      User findUserByToken(Token token, Application application) throws InvalidTokenException, OperationFailedException
      Will find a user via the passed in token.
      Parameters:
      token - the token
      application - the application to do the lookup for
      Returns:
      the User associated to the given token
      Throws:
      InvalidTokenException - if the User or Directory cannot be found that relates to the given token, or the token is associated to an Application and not a User
      OperationFailedException - if there was an issue accessing the user from the underlying directory
    • findUserTokenByKey

      Returns the token matching a given key
      Parameters:
      tokenKey - the token key
      application - the application to do the lookup for
      Returns:
      the Token with the given token key
      Throws:
      InvalidTokenException - if the token cannot be found by the given key, or the token is associated to an Application and not a User
      OperationFailedException - if there was an issue accessing the user from the underlying directory
      ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.
    • findAuthorisedApplications

      List<Application> findAuthorisedApplications(User user, String applicationName) throws OperationFailedException, DirectoryNotFoundException, ApplicationNotFoundException
      Returns a list of applications a user is authorised to authenticate with.

      NOTE: this is a potentially expensive call, iterating all applications and all group mappings for each application and determining group membership, i.e. expense = number of applications * number of group mappings per application.

      Parameters:
      user - user to search for.
      applicationName - name of the current application
      Returns:
      list of applications.
      Throws:
      OperationFailedException - if there was an error querying directory.
      DirectoryNotFoundException - if the directory could not be found.
      ApplicationNotFoundException - if the application could not be found
    • invalidateTokensForUser

      void invalidateTokensForUser(String username, @Nullable String exclusionToken, String applicationName) throws UserNotFoundException, ApplicationNotFoundException
      Invalidates all sessions for a user, possibly excluding a specific one.
      Parameters:
      username - name of the user whose tokens are invalidated
      exclusionToken - the random hash of a token to leave valid, or null to invalidate every token for the user
      applicationName - name of the current application
      Throws:
      UserNotFoundException - if the user could not be found
      ApplicationNotFoundException - if the application could not be found
    • getTokenExpiryTime

      Date getTokenExpiryTime(Token token)
      Returns the expiry time of a token.
      Parameters:
      token - a token
      Returns:
      the expiry time for the given token
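The following is an added example, not code from the Crowd Javadoc or the Crowd code base, covering the session-lifecycle methods above (invalidateToken, invalidateTokensForUser, getTokenExpiryTime) in one place: logout of a single session, revocation of every other session after a password change, full revocation on suspected compromise, and deriving a cookie lifetime from the token's expiry. Import paths are assumed from the Crowd API; passing null as exclusionToken is taken to mean "exclude nothing", following the @Nullable annotation on the interface.

```java
// Added example, not Crowd code. Import paths are assumed from the Crowd API.
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.Optional;

import com.atlassian.crowd.exception.ApplicationNotFoundException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.crowd.manager.authentication.TokenAuthenticationManager;
import com.atlassian.crowd.model.token.Token;

public final class SessionRevocation {

    private final TokenAuthenticationManager tokenManager;
    private final String applicationName;

    public SessionRevocation(TokenAuthenticationManager tokenManager, String applicationName) {
        this.tokenManager = tokenManager;
        this.applicationName = applicationName;
    }

    /**
     * Logout of one session. Safe to call twice: the second call finds no token and gets
     * Optional.empty(), so a stale or made-up key is simply reported as "nothing to do".
     */
    public boolean logout(String tokenKey) {
        Optional<Token> invalidated = tokenManager.invalidateToken(tokenKey);
        return invalidated.isPresent();
    }

    /**
     * After a password change: keep the session that made the change (its key is the
     * exclusion token) and end every other session the user has open.
     */
    public void endOtherSessions(String username, String currentTokenKey)
            throws UserNotFoundException, ApplicationNotFoundException {
        tokenManager.invalidateTokensForUser(username, currentTokenKey, applicationName);
    }

    /**
     * Suspected compromise or admin-forced logout: no exclusion, nothing stays valid.
     * exclusionToken is @Nullable on the interface; null is assumed to mean "exclude none".
     */
    public void endAllSessions(String username)
            throws UserNotFoundException, ApplicationNotFoundException {
        tokenManager.invalidateTokensForUser(username, null, applicationName);
    }

    /**
     * Remaining lifetime of a token, e.g. to set the Max-Age of the cookie carrying its key
     * so the browser drops it no later than Crowd would reject it. Zero once expired.
     */
    public Duration remainingLifetime(Token token, Instant now) {
        Date expiry = tokenManager.getTokenExpiryTime(token);
        Duration left = Duration.between(now, expiry.toInstant());
        return left.isNegative() ? Duration.ZERO : left;
    }
}
```

For a per-user incident the targeted endAllSessions is the right tool; invalidateAllTokens() is a global reset that, as the documentation above notes, also invalidates the calling application's own token.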