Package org.apache.jackrabbit.oak.security.authentication.user

Class LoginModuleImpl

  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule
    public final class LoginModuleImpl
extends AbstractLoginModule
    Default login module implementation that authenticates JCR Credentials against the repository. Based on the credentials the Principals associated with user are retrieved from a configurable PrincipalProvider.

    Credentials

    The Credentials are collected during login() using the following logic:
    • Credentials as specified in Repository.login(javax.jcr.Credentials) in which case they are retrieved from the CallbackHandler.
    • A AbstractLoginModule.SHARED_KEY_CREDENTIALS entry in the shared state. The expected value is a validated single Credentials object.
    • If neither of the above variants provides Credentials this module tries to obtain them from the subject. See also Subject.getSubject(java.security.AccessControlContext)
    This implementation of the LoginModule currently supports the following types of JCR Credentials: The Credentials obtained during the #login() are added to the shared state and - upon successful #commit() to the Subject.

    Principals

    Upon successful login the principals associated with the user are calculated (see also AbstractLoginModule.getPrincipals(String). These principals are finally added to the subject during #commit().

    Impersonation

    Impersonation such as defined by Session.impersonate(javax.jcr.Credentials) is covered by this login module by the means of ImpersonationCredentials. Impersonation will succeed if the base credentials refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail with LoginException.

    Please note, that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by User.getImpersonation()

    • Field Detail

      • SUPPORTED_CREDENTIALS

        protected static final java.util.Set<java.lang.Class> SUPPORTED_CREDENTIALS

    • Constructor Detail

      • LoginModuleImpl

        public LoginModuleImpl()

    • Method Detail

      • login

        public boolean login()
              throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException

      • commit

        public boolean commit()

      • logout

        public boolean logout()
               throws javax.security.auth.login.LoginException
        Description copied from class: AbstractLoginModule
        Besteffort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false, if either principal set or credentials set is empty. Note, that this implementation is not able to only remove those principals/credentials that have been added by this very login module instance. Therefore subclasses should overwrite this method to provide a fully compliant solution of AbstractLoginModule.logout(). They may however take advantage of AbstractLoginModule.logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract incorporating the additional recommendations highlighted at JAAS LoginModule Dev Guide
        Specified by:
        logout in interface javax.security.auth.spi.LoginModule
        Overrides:
        logout in class AbstractLoginModule
        Returns:
        true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise
        Throws:
        javax.security.auth.login.LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.

      • getSupportedCredentials

        @NotNull
protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()
        Specified by:
        getSupportedCredentials in class AbstractLoginModule
        Returns:
        A set of supported credential classes.