001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing,
013     * software distributed under the License is distributed on an
014     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     * KIND, either express or implied.  See the License for the
016     * specific language governing permissions and limitations
017     * under the License.
018     */
019    package org.apache.shiro.authc.pam;
020    
021    import org.apache.shiro.authc.AuthenticationException;
022    import org.apache.shiro.authc.AuthenticationInfo;
023    import org.apache.shiro.authc.AuthenticationToken;
024    import org.apache.shiro.util.CollectionUtils;
025    
026    /**
027     * <tt>AuthenticationStrategy</tt> implementation that requires <em>at least one</em> configured realm to
028     * successfully process the submitted <tt>AuthenticationToken</tt> during the log-in attempt.
029     * <p/>
030     * <p>This means any number of configured realms do not have to support the submitted log-in token, or they may
031     * be unable to acquire <tt>AuthenticationInfo</tt> for the token, but as long as at least one can do both, this
032     * Strategy implementation will allow the log-in process to be successful.
033     * <p/>
034     * <p>Note that this implementation will aggregate the account data from <em>all</em> successfully consulted
035     * realms during the authentication attempt. If you want only the account data from the first successfully
036     * consulted realm and want to ignore all subsequent realms, use the
037     * {@link FirstSuccessfulStrategy FirstSuccessfulAuthenticationStrategy} instead.
038     *
039     * @see FirstSuccessfulStrategy FirstSuccessfulAuthenticationStrategy
040     * @since 0.2
041     */
042    public class AtLeastOneSuccessfulStrategy extends AbstractAuthenticationStrategy {
043    
044        /**
045         * Ensures that the <code>aggregate</code> method argument is not <code>null</code> and
046         * <code>aggregate.{@link org.apache.shiro.authc.AuthenticationInfo#getPrincipals() getPrincipals()}</code>
047         * is not <code>null</code>, and if either is <code>null</code>, throws an AuthenticationException to indicate
048         * that none of the realms authenticated successfully.
049         */
050        public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException {
051            //we know if one or more were able to succesfully authenticate if the aggregated account object does not
052            //contain null or empty data:
053            if (aggregate == null || CollectionUtils.isEmpty(aggregate.getPrincipals())) {
054                throw new AuthenticationException("Authentication token of type [" + token.getClass() + "] " +
055                        "could not be authenticated by any configured realms.  Please ensure that at least one realm can " +
056                        "authenticate these tokens.");
057            }
058    
059            return aggregate;
060        }
061    }