Class TokenLoginModule

  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule

    public final class TokenLoginModule
    extends AbstractLoginModule
    LoginModule implementation that is able to handle login requests based on TokenCredentials. In combination with another login module that handles other Credentials implementations, this module will also take care of creating new login tokens and the corresponding credentials upon commit() that it will be able to deal with in subsequent login calls.

    Login and Commit

    Login

    This LoginModule implementation performs the following tasks upon login().
    1. Try to retrieve TokenCredentials credentials (see also AbstractLoginModule.getCredentials())
    2. Validates the credentials based on the functionality provided by Authentication.authenticate(javax.jcr.Credentials)
    3. Upon success it retrieves userId from the TokenInfo and calculates the principals associated with that user,
    4. and finally puts the credentials on the shared state.
    If no TokenProvider has been configured or if no TokenCredentials can be obtained, login() will return false.

    Commit

    If login was successfully handled by this module the commit() will just populate the subject.

    If the login was successfully handled by another module in the chain, the TokenLoginModule will test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined by TokenProvider.doCreateToken(javax.jcr.Credentials).

    Example Configurations

    The authentication configuration using this LoginModule could for example look as follows:

    TokenLoginModule in combination with another LoginModule

        jackrabbit.oak {
                org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
                org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
        };
     
    In this case the TokenLoginModule would handle any login issued with TokenCredentials, while the second module would take care of any other credentials implementations as long as they are supported by the module. In addition, the TokenLoginModule will issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials)).
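
    The two-step flow under this configuration, as an added example that is not part of the original Javadoc: a password login that requests a token on commit(), followed by a login that presents only the token. It assumes a javax.jcr.Repository backed by the configuration above and Oak's default TokenProvider, which treats an empty ".token" attribute on SimpleCredentials as a token request and writes the issued token back to that attribute. The class and method names are hypothetical.

```java
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;

// Hypothetical helper class; not part of Oak.
public final class TokenLoginExample {

    // Attribute name checked by Oak's default TokenProvider (assumption: default provider in use).
    private static final String TOKEN_ATTRIBUTE = ".token";

    /** First login: handled by LoginModuleImpl; TokenLoginModule issues the token in commit(). */
    static String loginAndObtainToken(Repository repository, String userId, char[] password)
            throws RepositoryException {
        SimpleCredentials creds = new SimpleCredentials(userId, password);
        // An empty value marks this login as a request for login token generation.
        creds.setAttribute(TOKEN_ATTRIBUTE, "");
        Session session = repository.login(creds);
        try {
            // After a successful commit() the attribute carries the issued token.
            Object token = creds.getAttribute(TOKEN_ATTRIBUTE);
            if (token == null || token.toString().isEmpty()) {
                // Fail closed: no TokenProvider configured or the request was not accepted.
                throw new RepositoryException("login succeeded but no login token was issued");
            }
            return token.toString();
        } finally {
            session.logout();
        }
    }

    /** Subsequent login: TokenCredentials only, validated by TokenLoginModule.login(). */
    static Session loginWithToken(Repository repository, String token)
            throws RepositoryException {
        return repository.login(new TokenCredentials(token));
    }
}
```

    The returned token is a bearer credential: anyone holding it can log in as the user until it expires, so it should be stored and transmitted with the same care as a password.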

    TokenLoginModule as single way to login

        jackrabbit.oak {
                org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
        };
     
    If the TokenLoginModule is the single entry in the login configuration, the login token must be generated by the application by calling TokenProvider.createToken(Credentials) or TokenProvider.createToken(String, java.util.Map).
    • Constructor Detail

      • TokenLoginModule

        public TokenLoginModule()
    • Method Detail

      • login

        public boolean login()
                      throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException
      • commit

        public boolean commit()
                       throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException
      • logout

        public boolean logout()
                       throws javax.security.auth.login.LoginException
        Description copied from class: AbstractLoginModule
        Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false if either the principal set or the credentials set is empty. Note that this implementation is not able to remove only those principals/credentials that have been added by this very login module instance. Therefore subclasses should override this method to provide a fully compliant solution of AbstractLoginModule.logout(). They may, however, take advantage of AbstractLoginModule.logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract, incorporating the additional recommendations highlighted in the JAAS LoginModule Dev Guide.
        Specified by:
        logout in interface javax.security.auth.spi.LoginModule
        Overrides:
        logout in class AbstractLoginModule
        Returns:
        true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise
        Throws:
        javax.security.auth.login.LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.
      • getSupportedCredentials

        @NotNull
        protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()
        Specified by:
        getSupportedCredentials in class AbstractLoginModule
        Returns:
        A set of supported credential classes.