Interface ClaimSource

  • All Superinterfaces:
    Serializable

    public interface ClaimSource
    extends Serializable
    This is charged with modelling the source for sets of claims. Note that the contract of the standard implementation is to have a no argument constructor that has a JSON object injected as the configuration.

    Created by Jeff Gaynor
    on 8/17/15 at 2:28 PM

    • Method Detail

      • setConfiguration

        void setConfiguration​(ClaimSourceConfiguration configuration)
        This passes in a JSONObject that is in turn used to configure the source. It is up to the implementaton to make sense of this.
        Parameters:
        configuration -
      • hasConfiguration

        boolean hasConfiguration()
      • process

        net.sf.json.JSONObject process​(net.sf.json.JSONObject claims,
                                       ServiceTransaction transaction)
                                throws UnsupportedScopeException
        A UserInfo object and the current service transaction are supplied. The contract is that this handler will receive a claims object with standard information in place for the request, but may then populate a claims object and return it. It is up to the source to run the pre and post processors before actually invoking the claims.
        Parameters:
        claims -
        transaction -
        Returns:
        Throws:
        UnsupportedScopeException
      • setScopes

        void setScopes​(Collection<String> scopes)
        Set the scopes for this source.
        Parameters:
        scopes -
      • getScopes

        Collection<String> getScopes()
        A list of scopes that this source supports. Any scope that is not recognized by this source should be rejected.
        Returns:
      • getClaims

        Collection<String> getClaims()
        in order to support server discovery, every plugin must enumerate whatever claims it may serve. This is not a guarantee that all of these claims will be delivered, just that they might be.
        Returns:
      • isEnabled

        boolean isEnabled()
      • isRunOnlyAtAuthorization

        boolean isRunOnlyAtAuthorization()
        Whether to run this during the authorization phase or not. That means it will either run in the authorization servlet or, if there is an external authorization application (e.g. Shibboleth) it will be invoked when the transaction has been created. Normally this is set true if there is some state (such as reading claims from HTTP headers) that will not exist after the authorization has happened. The other option (when this is false) is to be invoked immediately before the access token is issued. Note that if there are out of band operations (e.g. CILogon makes several calls to the backend database as it gets the user information together) then all of those should be done by the time the access token is issued.
        Returns:
      • getPreProcessor

        edu.uiuc.ncsa.security.util.functor.parser.FunctorScript getPreProcessor()
        This is the preprocessor after it has run. It is not available until execution time since it has to be constructed on the fly from the current state of the claims.
        Returns:
      • getPostProcessor

        edu.uiuc.ncsa.security.util.functor.parser.FunctorScript getPostProcessor()
        See comment in getPreProcessor().
        Returns:
      • fromQDL

        void fromQDL​(org.qdl_lang.variables.QDLStem stem)
      • toQDL

        org.qdl_lang.variables.QDLStem toQDL()