001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2010 Sun Microsystems, Inc.
025 *      Portions Copyright 2014 ForgeRock AS
026 */
027
028package org.forgerock.opendj.ldap.requests;
029
030import org.forgerock.opendj.ldap.ConnectionSecurityLayer;
031import org.forgerock.opendj.ldap.LdapException;
032import org.forgerock.opendj.ldap.responses.BindResult;
033
034/**
035 * An authentication client which can be used to bind to a server. Specifically,
036 * a bind client manages the state associated with multi-stage authentication
037 * attempts and responds to any challenges returned by the server.
038 */
039public interface BindClient {
040    /**
041     * Disposes of any system resources or security-sensitive information that
042     * this bind client might be using. Invoking this method invalidates this
043     * instance.
044     */
045    void dispose();
046
047    /**
048     * Evaluates the provided bind result and returns {@code true} if
049     * authentication has completed successfully, or {@code false} if additional
050     * authentication steps are required (for example during a multi-stage SASL
051     * authentication attempt).
052     * <p>
053     * If additional steps are required then implementations must update their
054     * internal state based on information contained in the bind result (for
055     * example, using the server provided SASL credentials).
056     *
057     * @param result
058     *            The bind result to be evaluated.
059     * @return {@code true} if authentication has completed successfully, of
060     *         {@code false} if additional steps are required.
061     * @throws LdapException
062     *             If the evaluation failed for some reason and authentication
063     *             cannot continue.
064     */
065    boolean evaluateResult(BindResult result) throws LdapException;
066
067    /**
068     * Returns a connection security layer, but only if this bind client has
069     * negotiated integrity and/or privacy protection for the underlying
070     * connection. This method should only be called once authentication has
071     * completed.
072     *
073     * @return A connection security layer, or {@code null} if none was
074     *         negotiated.
075     */
076    ConnectionSecurityLayer getConnectionSecurityLayer();
077
078    /**
079     * Returns the next bind request which should be used for the next stage of
080     * authentication. Initially, this will be a copy of the original bind
081     * request used to create this bind client.
082     *
083     * @return The next bind request which should be used for the next stage of
084     *         authentication.
085     */
086    GenericBindRequest nextBindRequest();
087
088}