001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.authc.pam;
020
021import org.apache.shiro.authc.AuthenticationException;
022import org.apache.shiro.authc.AuthenticationInfo;
023import org.apache.shiro.authc.AuthenticationToken;
024import org.apache.shiro.util.CollectionUtils;
025
026/**
027 * <tt>AuthenticationStrategy</tt> implementation that requires <em>at least one</em> configured realm to
028 * successfully process the submitted <tt>AuthenticationToken</tt> during the log-in attempt.
029 * <p/>
030 * <p>This means any number of configured realms do not have to support the submitted log-in token, or they may
031 * be unable to acquire <tt>AuthenticationInfo</tt> for the token, but as long as at least one can do both, this
032 * Strategy implementation will allow the log-in process to be successful.
033 * <p/>
034 * <p>Note that this implementation will aggregate the account data from <em>all</em> successfully consulted
035 * realms during the authentication attempt. If you want only the account data from the first successfully
036 * consulted realm and want to ignore all subsequent realms, use the
037 * {@link FirstSuccessfulStrategy FirstSuccessfulAuthenticationStrategy} instead.
038 *
039 * @see FirstSuccessfulStrategy FirstSuccessfulAuthenticationStrategy
040 * @since 0.2
041 */
042public class AtLeastOneSuccessfulStrategy extends AbstractAuthenticationStrategy {
043
044    /**
045     * Ensures that the <code>aggregate</code> method argument is not <code>null</code> and
046     * <code>aggregate.{@link org.apache.shiro.authc.AuthenticationInfo#getPrincipals() getPrincipals()}</code>
047     * is not <code>null</code>, and if either is <code>null</code>, throws an AuthenticationException to indicate
048     * that none of the realms authenticated successfully.
049     */
050    public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException {
051        //we know if one or more were able to succesfully authenticate if the aggregated account object does not
052        //contain null or empty data:
053        if (aggregate == null || CollectionUtils.isEmpty(aggregate.getPrincipals())) {
054            throw new AuthenticationException("Authentication token of type [" + token.getClass() + "] " +
055                    "could not be authenticated by any configured realms.  Please ensure that at least one realm can " +
056                    "authenticate these tokens.");
057        }
058
059        return aggregate;
060    }
061}