Interface AuthenticationFailureHandler

All Known Implementing Classes:
DefaultAuthenticationFailureHandler

public interface AuthenticationFailureHandler
An AuthenticationFailureHandler is responsible for handling a request that has failed authentication. Handling must consist of returning an exception, and this exception can carry headers that indicate authentication is required or that trigger another HTTP operation such as a redirect.

For example, when using Basic authentication, most clients wait to send credentials until they have been challenged for them. In this workflow a client makes a request, the server responds with a 401 status with the header WWW-Authenticate: Basic realm=auth-realm, and then the client will send credentials. The same scheme also applies for other methods of authentication, with changes to the value provided in the WWW-Authenticate header.

Additionally, some methods of authentication may require a different status code. When using a single sign-on system, clients will often retrieve a token from that system and present it to the server, which verifies it. When a client does not provide such a token, the server can choose to redirect the client to the single sign-on system to retrieve one. This can be accomplished in the AuthenticationFailureHandler by returning an exception with the status RestStatus.FOUND and a Location header that contains the location to redirect the user to.

  • Method Details

    • failedAuthentication

      ElasticsearchSecurityException failedAuthentication(HttpPreRequest request, AuthenticationToken token, ThreadContext context)
      This method is called when there has been an authentication failure for the given REST request and authentication token.
      Parameters:
      request - The request that was being authenticated when the exception occurred
      token - The token that was extracted from the request
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
    • failedAuthentication

      ElasticsearchSecurityException failedAuthentication(TransportMessage message, AuthenticationToken token, String action, ThreadContext context)
      This method is called when there has been an authentication failure for the given message and token.
      Parameters:
      message - The transport message that could not be authenticated
      token - The token that was extracted from the message
      action - The name of the action that the message is trying to perform
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
    • exceptionProcessingRequest

      ElasticsearchSecurityException exceptionProcessingRequest(HttpPreRequest request, Exception e, ThreadContext context)
      This method is called when an exception has occurred while processing the REST request. This could be an error that occurred while attempting to extract a token or while attempting to authenticate the request.
      Parameters:
      request - The request that was being authenticated when the exception occurred
      e - The exception that was thrown
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
    • exceptionProcessingRequest

      ElasticsearchSecurityException exceptionProcessingRequest(TransportMessage message, String action, Exception e, ThreadContext context)
      This method is called when an exception has occurred while processing the transport message. This could be an error that occurred while attempting to extract a token or while attempting to authenticate the request.
      Parameters:
      message - The message that was being authenticated when the exception occurred
      action - The name of the action that the message is trying to perform
      e - The exception that was thrown
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
    • missingToken

      This method is called when a REST request is received, no authentication token could be extracted, AND anonymous access is disabled. If anonymous access is enabled, this method will not be called.
      Parameters:
      request - The request that did not have a token
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
    • missingToken

      ElasticsearchSecurityException missingToken(TransportMessage message, String action, ThreadContext context)
      This method is called when a transport message is received, no authentication token could be extracted, AND anonymous access is disabled. If anonymous access is enabled, this method will not be called.
      Parameters:
      message - The message that did not have a token
      action - The name of the action that the message is trying to perform
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
    • authenticationRequired

      ElasticsearchSecurityException authenticationRequired(String action, ThreadContext context)
      This method is called when anonymous access is enabled, a request does not pass authorization with the anonymous user, AND the anonymous service is configured to throw an authentication exception instead of an authorization exception.
      Parameters:
      action - the action that failed authorization for anonymous access
      context - The context of the request that could not be authenticated
      Returns:
      ElasticsearchSecurityException with the appropriate headers and message
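
The redirect and challenge behaviour described in the interface overview, as an added example that is not part of the Elasticsearch code base: a REST request without a token is sent to a single sign-on page with RestStatus.FOUND, and every other failure gets a 401 challenge. The class name, SSO_URL, the challenge value and the messages are hypothetical, and the import paths assume the x-pack core package layout.

```java
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.HttpPreRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;

// Hypothetical handler (added example): SSO redirect for token-less REST calls, 401 otherwise.
public class SsoRedirectFailureHandler implements AuthenticationFailureHandler {
    // Placeholder constant set by the operator; it is never derived from request data.
    private static final String SSO_URL = "https://sso.example.com/login";
    private static final String CHALLENGE = "Bearer realm=\"security\""; // assumed scheme and realm

    // Messages stay generic: no token contents or exception details are returned to the client.
    private static ElasticsearchSecurityException failure(RestStatus status, String header, String value, String msg) {
        ElasticsearchSecurityException e = new ElasticsearchSecurityException(msg, status);
        e.addHeader(header, value);
        return e;
    }
    @Override
    public ElasticsearchSecurityException missingToken(HttpPreRequest request, ThreadContext context) {
        return failure(RestStatus.FOUND, "Location", SSO_URL, "authentication required");
    }
    @Override
    public ElasticsearchSecurityException missingToken(TransportMessage message, String action, ThreadContext context) {
        return failure(RestStatus.UNAUTHORIZED, "WWW-Authenticate", CHALLENGE, "missing authentication token");
    }
    @Override
    public ElasticsearchSecurityException failedAuthentication(HttpPreRequest request, AuthenticationToken token, ThreadContext context) {
        return failure(RestStatus.UNAUTHORIZED, "WWW-Authenticate", CHALLENGE, "unable to authenticate REST request");
    }
    @Override
    public ElasticsearchSecurityException failedAuthentication(TransportMessage message, AuthenticationToken token, String action, ThreadContext context) {
        return failure(RestStatus.UNAUTHORIZED, "WWW-Authenticate", CHALLENGE, "unable to authenticate transport message");
    }
    @Override
    public ElasticsearchSecurityException exceptionProcessingRequest(HttpPreRequest request, Exception e, ThreadContext context) {
        return failure(RestStatus.UNAUTHORIZED, "WWW-Authenticate", CHALLENGE, "error attempting to authenticate request");
    }
    @Override
    public ElasticsearchSecurityException exceptionProcessingRequest(TransportMessage message, String action, Exception e, ThreadContext context) {
        return failure(RestStatus.UNAUTHORIZED, "WWW-Authenticate", CHALLENGE, "error attempting to authenticate request");
    }
    @Override
    public ElasticsearchSecurityException authenticationRequired(String action, ThreadContext context) {
        return failure(RestStatus.UNAUTHORIZED, "WWW-Authenticate", CHALLENGE, "authentication required");
    }
}
```

Keeping the Location value a fixed constant means a failed request cannot steer the redirect target, and the generic messages avoid telling the client why authentication failed.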