1 files changed, 54 insertions, 21 deletions

diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
index 949c0f2b89..09bf6cf3b1 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/AuthenticationResult.java
@@ -7,9 +7,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- * 
+ *
  *   http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -20,15 +20,20 @@
  */
 package org.apache.qpid.server.security.auth;
 
-import javax.security.auth.Subject;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
 
 /**
- * Encapsulates the result of an attempt to authenticate.
+ * Encapsulates the result of an attempt to authenticate using an {@link AuthenticationManager}.
  * <p>
  * The authentication status describes the overall outcome.
  * <p>
  * <ol>
- *  <li>If authentication status is SUCCESS, the subject will be populated.
+ *  <li>If authentication status is SUCCESS, at least one {@link Principal} will be populated.
  *  </li>
  *  <li>If authentication status is CONTINUE, the authentication has failed because the user
  *      supplied incorrect credentials (etc).  If the authentication requires it, the next challenge
@@ -40,6 +45,8 @@ import javax.security.auth.Subject;
  *  </li>
  * </ol>
  *
+ * The main principal provided to the constructor is wrapped in an {@link AuthenticatedPrincipal}
+ * to make it easier for the rest of the application to identify it among the set of other principals.
  */
 public class AuthenticationResult
 {
@@ -56,37 +63,59 @@ public class AuthenticationResult
     private final AuthenticationStatus _status;
     private final byte[] _challenge;
     private final Exception _cause;
-    private final Subject _subject;
+    private final Set<Principal> _principals = new HashSet<Principal>();
+    private final Principal _mainPrincipal;
 
     public AuthenticationResult(final AuthenticationStatus status)
     {
         this(null, status, null);
     }
 
+    public AuthenticationResult(Principal mainPrincipal)
+    {
+        this(mainPrincipal, Collections.<Principal>emptySet());
+    }
+
+    public AuthenticationResult(Principal mainPrincipal, Set<Principal> otherPrincipals)
+    {
+        AuthenticatedPrincipal specialQpidAuthenticatedPrincipal = new AuthenticatedPrincipal(mainPrincipal);
+        _principals.addAll(otherPrincipals);
+        _principals.remove(mainPrincipal);
+        _principals.add(specialQpidAuthenticatedPrincipal);
+        _mainPrincipal = mainPrincipal;
+
+        _status = AuthenticationStatus.SUCCESS;
+        _challenge = null;
+        _cause = null;
+    }
+
     public AuthenticationResult(final byte[] challenge, final AuthenticationStatus status)
     {
-        this(challenge, status, null);
+        _challenge = challenge;
+        _status = status;
+        _cause = null;
+        _mainPrincipal = null;
     }
 
     public AuthenticationResult(final AuthenticationStatus error, final Exception cause)
     {
-        this(null, error, cause);
+        _status = error;
+        _challenge = null;
+        _cause = cause;
+        _mainPrincipal = null;
     }
 
     public AuthenticationResult(final byte[] challenge, final AuthenticationStatus status, final Exception cause)
     {
-        this._status = status;
-        this._challenge = challenge;
-        this._cause = cause;
-        this._subject = null;
-    }
+        if(status == AuthenticationStatus.SUCCESS)
+        {
+            throw new IllegalArgumentException("Successful authentication requires at least one principal");
+        }
 
-    public AuthenticationResult(final Subject subject)
-    {
-        this._status = AuthenticationStatus.SUCCESS;
-        this._challenge = null;
-        this._cause = null;
-        this._subject = subject;
+        _status = status;
+        _challenge = challenge;
+        _cause = cause;
+        _mainPrincipal = null;
     }
 
     public Exception getCause()
@@ -104,9 +133,13 @@ public class AuthenticationResult
         return _challenge;
     }
 
-    public Subject getSubject()
+    public Set<Principal> getPrincipals()
     {
-        return _subject;
+        return _principals;
     }
 
+    public Principal getMainPrincipal()
+    {
+        return _mainPrincipal;
+    }
 }