java.lang.Object
org.elasticsearch.xpack.core.security.authc.Realm
All Implemented Interfaces:
Comparable<Realm>

public abstract class Realm extends Object implements Comparable<Realm>
An authentication mechanism to which the default authentication org.elasticsearch.xpack.security.authc.AuthenticationService delegates the authentication process. Different realms may be defined, and each may be based on a different authentication mechanism that supports its own specific authentication token type.
  • Field Details

    • logger

      protected final org.apache.logging.log4j.Logger logger
    • config

      protected final RealmConfig config
  • Constructor Details

  • Method Details

    • type

      public String type()
      Returns:
      The type of this realm
    • name

      public String name()
      Returns:
      The name of this realm.
    • order

      public int order()
      Returns:
      The order of this realm within the executing realm chain.
    • getAuthenticationFailureHeaders

      public Map<String,List<String>> getAuthenticationFailureHeaders()
      Each realm can define response headers to be sent on failure.

      By default it adds a 'WWW-Authenticate' header with the auth scheme 'Basic'.

      Returns:
      Map of authentication failure response headers.
    • compareTo

      public final int compareTo(Realm other)
      Specified by:
      compareTo in interface Comparable<Realm>
    • supports

      public abstract boolean supports(AuthenticationToken token)
      Returns:
      true if this realm supports the given authentication token, false otherwise.
    • token

      public abstract AuthenticationToken token(ThreadContext context)
      Attempts to extract an authentication token from the given context. If an appropriate token is found it's returned, otherwise null is returned.
      Parameters:
      context - The context that will provide information about the incoming request
      Returns:
      The authentication token or null if not found
    • authenticate

      public abstract void authenticate(AuthenticationToken token, ActionListener<AuthenticationResult<User>> listener)
      Authenticates the given token in an asynchronous fashion.

      A successful authentication will call ActionListener.onResponse(Response) with a successful result, which includes the user associated with the given token.
      If the realm does not support, or cannot handle, the token, it will call ActionListener.onResponse(Response) with a not-handled result. This can include cases where the token identifies a user that is not known by this realm.
      If the realm can handle the token, but authentication failed, it will typically call ActionListener.onResponse(Response) with a failure result, which includes a diagnostic message regarding the failure. This can include cases where the token identifies a valid user, but has an invalid password.
      If the realm wishes to assert that it has the exclusive right to handle the provided token, but authentication was not successful, it will typically call ActionListener.onResponse(Response) with a termination result, which includes a diagnostic message regarding the failure. This can include cases where the token identifies a valid user, but has an invalid password and no other realm is allowed to authenticate that user.

      The remote address should be null if the request initiated from the local node.

      Parameters:
      token - The authentication token
      listener - The listener to pass the authentication result to
    • lookupUser

      public abstract void lookupUser(String username, ActionListener<User> listener)
      Looks up the user identified by the String identifier. A successful lookup will call ActionListener.onResponse(Response) with the User identified by the username. An unsuccessful lookup will call it with null as the argument. If lookup is not supported, simply return null when called.
      Parameters:
      username - the String identifier for the user
      listener - The listener to pass the lookup result to
    • usageStats

      public void usageStats(ActionListener<Map<String,Object>> listener)
    • setRealmRef

      public void setRealmRef(Authentication.RealmRef realmRef)
      Must be called only once by the realms initialization logic, soon after this Realm is constructed, in order to link in the realm domain details, which may refer to any of the other realms.
    • realmRef

      public Authentication.RealmRef realmRef()
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • initialize

      public void initialize(Iterable<Realm> realms, XPackLicenseState licenseState)
      This allows realms to be aware of what other realms are configured.
      See Also:
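
The four outcomes documented for authenticate, together with order(), decide whether a later realm still gets to try a token that an earlier realm rejected. The following is an added model in plain Java, not Elasticsearch code: every type in it is a hypothetical stand-in, and the chain walk (lowest order first, stop on success or termination) is an assumption about how the results are consumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added model, not Elasticsearch code: all types are hypothetical and only
// mirror the four outcomes documented for Realm.authenticate().
public class RealmChainModel {
    enum Status { SUCCESS, NOT_HANDLED, FAILURE, TERMINATE }
    record Result(Status status, String detail) {}

    // Stand-in realm: an order, a user store, and a synchronous authenticate().
    record ModelRealm(String name, int order, Map<String, String> users, boolean exclusive)
            implements Comparable<ModelRealm> {
        public int compareTo(ModelRealm other) { return Integer.compare(order, other.order); }

        Result authenticate(String user, String password) {
            String expected = users.get(user);
            if (expected == null) return new Result(Status.NOT_HANDLED, name + ": unknown user");
            boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                    password.getBytes(StandardCharsets.UTF_8));
            if (ok) return new Result(Status.SUCCESS, name + ": authenticated " + user);
            // Known user, wrong password: an exclusive realm ends the chain here.
            return new Result(exclusive ? Status.TERMINATE : Status.FAILURE, name + ": bad password");
        }
    }

    // Assumed chain walk: lowest order first, stop on SUCCESS or TERMINATE.
    static Result walk(List<ModelRealm> realms, String user, String password) {
        List<ModelRealm> chain = new ArrayList<>(realms);
        Collections.sort(chain);
        Result last = new Result(Status.NOT_HANDLED, "no realm handled the token");
        for (ModelRealm realm : chain) {
            Result r = realm.authenticate(user, password);
            if (r.status() == Status.SUCCESS || r.status() == Status.TERMINATE) return r;
            if (r.status() == Status.FAILURE) last = r; // keep the diagnostic, keep going
        }
        return last;
    }

    public static void main(String[] args) {
        // Constructed sample data: "alice" exists in both realms with different passwords.
        for (boolean exclusive : new boolean[] { false, true }) {
            List<ModelRealm> realms = List.of(
                new ModelRealm("second", 2, Map.of("alice", "weaker-secret"), false),
                new ModelRealm("first", 1, Map.of("alice", "correct-horse"), exclusive));
            System.out.println("first.exclusive=" + exclusive + " -> "
                + walk(realms, "alice", "weaker-secret"));
        }
    }
}
```

With a plain failure result the second realm still authenticates alice using the credential the first realm rejected; with a termination result the walk stops at the first realm.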