package org.apache.archiva.redback.authentication;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

/**
 * These have the same meaning as for PAM modules
 *
 * <dl>
 * <dt>required</dt>
 * <dd>If a ‘required’ module returns a status that is not ‘success’,
 * the operation will ultimately fail, but only after the modules below
 * it are invoked. This seems senseless at first glance I suppose, but
 * it serves the purpose of always acting the same way from the point
 * of view of the user trying to utilize the service. The net effect is
 * that it becomes impossible for a potential cracker to determine
 * which module caused the failure – and the less information a
 * malicious user has about your system, the better. Important to note
 * is that even if all of the modules in the stack succeed, failure of
 * one ‘required’ module means the operation will ultimately fail. Of
 * course, if a required module succeeds, the operation can still fail
 * if a ‘required’ module later in the stack fails.</dd>
 * <dt>requisite</dt>
 * <dd>If a ‘requisite’ module fails, the operation not only fails, but
 * the operation is immediately terminated with a failure without
 * invoking any other modules: ‘do not pass go, do not collect $200’,
 * so to speak.</dd>
 * <dt>sufficient</dt>
 * <dd>If a sufficient module succeeds, it is enough to satisfy the
 * requirements of sufficient modules in that realm for use of the
 * service, and modules below it that are also listed as ‘sufficient’
 * are not invoked. If it fails, the operation fails unless a module
 * invoked after it succeeds. Important to note is that if a ‘required’
 * module fails before a ‘sufficient’ one succeeds, the operation will
 * fail anyway, ignoring the status of any ‘sufficient’ modules.</dd>
 * <dt>optional</dt>
 * <dd>An ‘optional’ module, according to the pam(8) manpage, will only
 * cause an operation to fail if it’s the only module in the stack for
 * that facility.</dd>
 * </dl>
 *
 * @author Martin Stockhammer <martin_s@apache.org>
 * @since 3.0
 */
public enum AuthenticationControl
{
    SUFFICIENT, OPTIONAL, REQUIRED, REQUISITE
}
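
The stack evaluation described in the Javadoc above, written out as an added example that follows the comment's wording; it is not Redback's own code and is not claimed to match how Redback or Linux-PAM evaluates a stack. Assumptions: the nested `Control` enum mirrors `AuthenticationControl`, the `Module` record and the module names are hypothetical and constructed, and a stack in which no counted module succeeds is denied.

```java
import java.util.ArrayList;
import java.util.List;

public class ControlStackExample {
    // Mirrors AuthenticationControl so the example compiles on its own.
    enum Control { SUFFICIENT, OPTIONAL, REQUIRED, REQUISITE }

    // Hypothetical stand-in for one authenticator and its pre-computed result.
    record Module(String name, Control control, boolean succeeds) {}

    // Returns the overall decision; 'invoked' records which modules actually ran.
    static boolean evaluate(List<Module> stack, List<String> invoked) {
        boolean requiredFailed = false;      // sticky: nothing later can override it
        boolean sufficientFailed = false;    // cleared by a later success
        boolean sufficientSatisfied = false; // later SUFFICIENT modules are skipped
        boolean anySuccess = false;          // assumption: deny when nothing succeeded
        for (Module m : stack) {
            if (m.control() == Control.SUFFICIENT && sufficientSatisfied) continue;
            invoked.add(m.name());
            // OPTIONAL only counts when it is the only module in the stack.
            if (m.control() == Control.OPTIONAL && stack.size() > 1) continue;
            if (m.succeeds()) {
                anySuccess = true;
                sufficientFailed = false;
                if (m.control() == Control.SUFFICIENT) sufficientSatisfied = true;
            } else if (m.control() == Control.REQUISITE) {
                return false;                // terminate at once, invoke nothing else
            } else if (m.control() == Control.REQUIRED) {
                requiredFailed = true;       // keep going so the caller cannot tell which module failed
            } else if (m.control() == Control.SUFFICIENT) {
                sufficientFailed = true;     // fails unless a later module succeeds
            }
        }
        return anySuccess && !requiredFailed && !sufficientFailed;
    }

    public static void main(String[] args) {
        // Constructed stack: the REQUIRED module fails, so a later SUFFICIENT success cannot rescue it.
        List<Module> stack = List.of(
            new Module("ldap", Control.REQUIRED, false),
            new Module("local-db", Control.SUFFICIENT, true),
            new Module("token", Control.SUFFICIENT, true),
            new Module("audit", Control.OPTIONAL, false));
        List<String> invoked = new ArrayList<>();
        boolean granted = evaluate(stack, invoked);
        System.out.println("granted=" + granted + " invoked=" + invoked);
    }
}
```

Changing the first module to `REQUISITE` makes `evaluate` return before any other module is added to `invoked`, which is the observable difference between the two failure modes.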