001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.shiro.authc.pam; 020 021import org.apache.shiro.authc.AuthenticationException; 022import org.apache.shiro.authc.AuthenticationInfo; 023import org.apache.shiro.authc.AuthenticationToken; 024import org.apache.shiro.realm.Realm; 025import org.apache.shiro.subject.PrincipalCollection; 026 027import java.util.Collection; 028 029/** 030 * {@link AuthenticationStrategy} implementation that only accepts the account data from 031 * the first successfully consulted Realm and ignores all subsequent realms. This is slightly 032 * different behavior than {@link AtLeastOneSuccessfulStrategy}, so please review both to see 033 * which one meets your needs better. 034 * 035 * @see AtLeastOneSuccessfulStrategy AtLeastOneSuccessfulAuthenticationStrategy 036 * @since 0.9 037 */ 038public class FirstSuccessfulStrategy extends AbstractAuthenticationStrategy { 039 040 private boolean stopAfterFirstSuccess; 041 042 public void setStopAfterFirstSuccess(boolean stopAfterFirstSuccess) { 043 this.stopAfterFirstSuccess = stopAfterFirstSuccess; 044 } 045 046 public boolean getStopAfterFirstSuccess() { 047 return stopAfterFirstSuccess; 048 } 049 050 /** 051 * Returns {@code null} immediately, relying on this class's {@link #merge merge} implementation to return 052 * only the first {@code info} object it encounters, ignoring all subsequent ones. 053 */ 054 public AuthenticationInfo beforeAllAttempts(Collection<? extends Realm> realms, AuthenticationToken token) 055 throws AuthenticationException { 056 return null; 057 } 058 059 /** 060 * Throws ShortCircuitIterationException if stopAfterFirstSuccess is set and authentication is 061 * successful with a previously consulted realm. 062 * Returns the <code>aggregate</code> method argument, without modification 063 * otherwise. 064 */ 065 public AuthenticationInfo beforeAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo aggregate) 066 throws AuthenticationException { 067 if (getStopAfterFirstSuccess() && aggregate != null && !isEmpty(aggregate.getPrincipals())) { 068 throw new ShortCircuitIterationException(); 069 } 070 return aggregate; 071 } 072 073 private static boolean isEmpty(PrincipalCollection pc) { 074 return pc == null || pc.isEmpty(); 075 } 076 077 /** 078 * Returns the specified {@code aggregate} instance if is non null and valid (that is, has principals and they are 079 * not empty) immediately, or, if it is null or not valid, the {@code info} argument is returned instead. 080 * <p/> 081 * This logic ensures that the first valid info encountered is the one retained and all subsequent ones are ignored, 082 * since this strategy mandates that only the info from the first successfully authenticated realm be used. 083 */ 084 protected AuthenticationInfo merge(AuthenticationInfo info, AuthenticationInfo aggregate) { 085 if (aggregate != null && !isEmpty(aggregate.getPrincipals())) { 086 return aggregate; 087 } 088 return info != null ? info : aggregate; 089 } 090}