001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.activemq.shiro.authc;
018
019import org.apache.activemq.shiro.ConnectionReference;
020import org.apache.activemq.shiro.subject.SubjectConnectionReference;
021import org.apache.shiro.subject.Subject;
022
023/**
024 * An {@code AuthenticationPolicy} customizes the behavior of the {@link AuthenticationFilter}, such as whether or not
025 * authentication is required or how to represent trusted/known {@code Subject} identities.
026 * <p>
027 * Most users will find customizing properties on the {@link DefaultAuthenticationPolicy} easier than implementing this
028 * interface directly.
029 *
030 * @see DefaultAuthenticationPolicy
031 * @since 5.10.0
032 */
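public interface AuthenticationPolicy {

    /**
     * Allows customization of the {@code Subject} being built for the specified client
     * connection.  This allows for any pre-existing connection-specific identity or state to be applied to the
     * {@link Subject.Builder} before the {@code Subject} instance is actually created.
     * <p>
     * <b>NOTE:</b> This method is called by the
     * {@link org.apache.activemq.shiro.subject.SubjectFilter SubjectFilter} <em>before</em> the filter chain
     * is executed (and before an authentication attempt occurs).  Implementations <b><em>MUST NOT</em></b>
     * attempt to actually {@link org.apache.shiro.subject.Subject.Builder#buildSubject() build} the subject or perform
     * an authentication attempt in this method.
     * <p>
     * <b>Security note:</b> because this callback runs before any authentication attempt, whatever identity or
     * state is applied to the builder here has not been verified by that attempt.
     * NOTE(review): implementations should presumably take such identity only from state the broker itself
     * established for the connection, never from values the client supplied - confirm against
     * {@code SubjectFilter} and {@link DefaultAuthenticationPolicy}.
     *
     * @param subjectBuilder the builder for the Subject that will be created representing the associated client
     *                       connection
     * @param ref            a reference to the client's connection metadata
     * @see org.apache.activemq.shiro.subject.SubjectFilter
     */
    void customizeSubject(Subject.Builder subjectBuilder, ConnectionReference ref);

    /**
     * Returns {@code true} if the connection's {@code Subject} instance should be authenticated, {@code false}
     * otherwise.
     * <p>
     * <b>Security note:</b> a {@code false} result states that no authentication is needed for this connection.
     * NOTE(review): how the {@link AuthenticationFilter} acts on {@code false} is not visible from this interface;
     * implementations should presumably return {@code true} by default and return {@code false} only for
     * connections whose identity is already trusted - confirm against the filter.
     *
     * @param ref the subject's connection
     * @return {@code true} if the connection's {@code Subject} instance should be authenticated, {@code false}
     *         otherwise
     */
    boolean isAuthenticationRequired(SubjectConnectionReference ref);
}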