* A CryptoSession is a session in which key transfers can be performed.
*
* Use {@link KeyManagerAPI#getCryptoSession(String)} to get a CryptoSession instance.
* This instance is a proxy which can be kept and never expires (though the underlying real session will expire if
* not used for some time). If the underlying real
* session expired, a new underlying session with a new cryptoSessionID
* will be created and bound to this CryptoSession instance.
*
* CryptoSessions are thread-safe.
*
null.
*/
String getAppServerID();
/**
* Get the base-url of the app-server-key-manager-channel. This is the part of the URL before the "/KeyManagerChannel" -
* e.g. if the REST URL of the KeyManagerChannel-service is
* "https://serverUsingCumulus4j.mydomain.org/org.cumulus4j.keymanager.back.webapp/KeyManagerChannel", then this must be
* "https://serverUsingCumulus4j.mydomain.org/org.cumulus4j.keymanager.back.webapp".
* @return the base-URL before the "/KeyManagerChannel".
*/
String getAppServerBaseURL();
/**
* * Acquire an unlocked underlying real session. *
* The application server is only able to request keys from the key manager, while a crypto-session is * acquired. It thus needs to be acquired, first, before it can be used for key transfers. *
* Important: It is essential that you call {@link #release()} once for every time you called acquire().
* You should therefore use a try-finally-block like this:
*
* String cryptoSessionID = session.acquire();
* try {
*
* // Do some operation that requires key access. For example
* // call an EJB method or perform a SOAP/REST request which
* // will make your app server read/write data.
*
* } finally {
* session.release();
* }
*
*
* If multiple threads use the same CryptoSession (recommended!), the underlying real session will be
* acquired (unlocked) when the first thread requires it and it will be locked again when the last thread calls
* release().
* However, releasing (locking) does not need to happen immediately. Instead it can be deferred a few seconds, in
* case a new acquire() would happen quickly again. This
* strategy is usually used with a remote key server (when latency makes acquiring/releasing a pretty expensive
* operation).
*
KeyManagerAPI if the current user's password was changed. But if the password
* is changed by another instance, this instance is locked out due to its outdated password.
* @throws IOException if communication with the key-store failed. This might be a socket error between
* client and remote key server or it might be a problem when reading/writing data in the local file system.
* @see #release()
*/
String acquire() throws AuthenticationException, IOException;
/**
* * Release the session, after it was previously {@link #acquire() acquired}. *
* For every call to {@link #acquire()}, there must be exactly one call to {@link #release()}. You should * therefore use a try-finally-block! *
* See {@link #acquire()} for further details. *
* * @throws AuthenticationException if the authentication fails. This might happen for example, when * a session was created and then the password was modified by another instance of {@link KeyManagerAPI}. * Calling {@link KeyManagerAPI#putUser(String, char[])} automatically updates the authentication information * of the currentKeyManagerAPI if the current user's password was changed. But if the password
* is changed by another instance, this instance is locked out due to its outdated password.
* @throws IOException if communication with the key-store failed. This might be a socket error between
* client and remote key server or it might be a problem when reading/writing data in the local file system.
* @see #acquire()
*/
void release() throws AuthenticationException, IOException;
}