public abstract class AbstractLoginModule extends Object implements LoginModule

AbstractLoginModule provides the means for the common authentication tasks within the Repository. On successful authentication it associates the credentials to principals using the PrincipalProvider configured for this LoginModule.

Jackrabbit distinguishes between Login and Impersonation, dispatching the corresponding Repository/Session methods to authenticate(java.security.Principal, javax.jcr.Credentials) and impersonate(java.security.Principal, javax.jcr.Credentials), respectively. This LoginModule implements default behavior for either method.

See Also: LoginModule
Modifier and Type | Field and Description
---|---
protected String | adminId
protected String | anonymousId
protected CallbackHandler | callbackHandler
protected SimpleCredentials | credentials
protected Principal | principal
protected PrincipalProvider | principalProvider
protected Map | sharedState
protected Subject | subject
Constructor and Description
---
AbstractLoginModule()
Modifier and Type | Method and Description
---|---
boolean | abort() - Method to abort the authentication process (phase 2).
protected boolean | authenticate(Principal principal, Credentials credentials)
boolean | commit() - Method to commit the authentication process (phase 2).
protected abstract void | doInit(CallbackHandler callbackHandler, Session session, Map options) - Implementations may set up their own state.
String | getAdminId() - Returns the admin user id.
String | getAnonymousId() - Returns the anonymous user id.
protected abstract Authentication | getAuthentication(Principal principal, Credentials creds) - Retrieve the Authentication.
protected Credentials | getCredentials() - Tries to resolve the Credentials used for login.
protected Subject | getImpersonatorSubject(Credentials credentials) - Tries to acquire an Impersonator in the following order: (1) from the Credentials via SimpleCredentials.getAttribute(String); (2) from the CallbackHandler with use of an ImpersonationCallback.
protected String | getPreAuthAttributeName() - Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release. See also JCR-3293.
protected abstract Principal | getPrincipal(Credentials credentials) - The authentication process associates a Principal to Credentials; this method resolves the Principal for the given Credentials.
String | getPrincipalProvider() - Returns the configured name of the principal provider class.
protected Set<Principal> | getPrincipals()
protected String | getUserID(Credentials credentials) - Tries to acquire a UserID in the following order: (1) if the passed credentials are GuestCredentials, the anonymous user id is returned; (2) from the Credentials via SimpleCredentials.getUserID(); (3) from the CallbackHandler with use of a NameCallback; (4) from the 'sharedState', if it contains a login name; (5) fallback: the anonymous UserID.
protected abstract boolean | impersonate(Principal principal, Credentials credentials) - Handles the impersonation of the given Credentials.
void | initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options) - Initializes this LoginModule and sets the following fields for later usage: the PrincipalProvider for user-Principal resolution; the LoginModuleConfig.PARAM_ADMIN_ID option is evaluated; the LoginModuleConfig.PARAM_ANONYMOUS_ID option is evaluated. Implementations are called via doInit(CallbackHandler, Session, Map) to perform additional initialization.
protected boolean | isAnonymous(Credentials credentials) - Indicates whether the given Credentials are considered to be anonymous.
protected boolean | isImpersonation(Credentials credentials) - Tests whether the current request is an impersonation attempt.
protected boolean | isInitialized() - Returns true if this module has been successfully initialized.
protected boolean | isPreAuthenticated(Credentials creds) - Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release. See also JCR-3293.
boolean | login() - Method to authenticate a Subject (phase 1).
boolean | logout()
void | setAdminId(String adminId) - Sets the administrator's user id.
void | setAnonymousId(String anonymousId) - Sets the anonymous user id.
void | setPrincipalProvider(String principalProvider) - Sets the configured name of the principal provider class.
protected boolean | supportsCredentials(Credentials creds) - Returns a flag indicating whether the credentials are supported by this login module.
protected String adminId
protected String anonymousId
protected CallbackHandler callbackHandler
protected Principal principal
protected SimpleCredentials credentials
protected Subject subject
protected PrincipalProvider principalProvider
protected Map sharedState
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)

Initializes this LoginModule and sets the following fields for later usage:
- the PrincipalProvider for user-Principal resolution;
- the LoginModuleConfig.PARAM_ADMIN_ID option is evaluated;
- the LoginModuleConfig.PARAM_ANONYMOUS_ID option is evaluated.

Implementations are called via doInit(CallbackHandler, Session, Map) to perform additional initialization.

Specified by: initialize in interface LoginModule

Parameters:
- subject - the Subject to be authenticated.
- callbackHandler - a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).
- sharedState - state shared with other configured LoginModules.
- options - options specified in the login Configuration for this particular LoginModule.

See Also: LoginModule.initialize(Subject, CallbackHandler, Map, Map), doInit(CallbackHandler, Session, Map), isInitialized()

protected abstract void doInit(CallbackHandler callbackHandler, Session session, Map options) throws LoginException

Implementations may set up their own state.

Parameters:
- callbackHandler - as passed by the LoginContext
- session - to the security workspace of Jackrabbit
- options - options from the LoginModule config

Throws:
- LoginException - in case initialization fails.

protected boolean isInitialized()

Returns: true if this module has been successfully initialized.

See Also: LoginModule.initialize(Subject, CallbackHandler, Map, Map)
public boolean login() throws LoginException

Method to authenticate a Subject (phase 1).

The login is divided into 3 phases:

1) User-ID resolution
In a first step an attempt is made to resolve a User-ID for further validation. As in JCR identification is marked with the Credentials interface, credentials are accessed in this phase. If no User-ID can be found, anonymous access is granted with the ID of the anonymous user (as defined in the security configuration). Anonymous access can be switched off by removing that configuration entry. This implementation uses two helper methods, which allow for customization.

2) User-Principal resolution
In a second step it is tested whether the resolved User-ID belongs to a User known to the system, i.e. whether the PrincipalProvider has a principal for the given ID and the principal can be found via PrincipalProvider.findPrincipals(String). The provider implementation can be set by the LoginModule configuration. If the option is missing, the system default principal provider will be used.

3) Verification
There are four cases in which the User-ID can be verified: the login is anonymous, pre-authenticated, or the result of an impersonation request (see Session.impersonate(Credentials)) or of a login to the Repository (Repository.login(Credentials)). The concrete implementation of the LoginModule is responsible for all four cases:
- isAnonymous(Credentials)
- isPreAuthenticated(Credentials)
- authenticate(Principal, Credentials)
- impersonate(Principal, Credentials)

The LoginModule keeps the Credentials and the Principal as instance fields, to mark that login has been successful.

Specified by: login in interface LoginModule

Returns: true if this method succeeded, or false if this LoginModule should be ignored.

Throws:
- LoginException - if the authentication fails

See Also: LoginModule.login(), getCredentials(), getUserID(Credentials), getImpersonatorSubject(Credentials)
public boolean commit() throws LoginException

Method to commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempt failed, then this method removes/destroys any state that was originally saved.

The login is considered as succeeded if there is a principal set.

The implementation stores the principal associated with the UserID, and all the Groups it is a member of, with the Subject, and in addition adds an instance of SimpleCredentials to the Subject's public credentials.

Specified by: commit in interface LoginModule

Returns: true if this method succeeded, or false if this LoginModule should be ignored.

Throws:
- LoginException - if the commit fails

See Also: LoginModule.commit()

public boolean abort() throws LoginException

Method to abort the authentication process (phase 2).

This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method cleans up any state that was originally saved.

Specified by: abort in interface LoginModule

Returns: true if this method succeeded, or false if this LoginModule should be ignored.

Throws:
- LoginException - if the abort fails

See Also: LoginModule.abort()

public boolean logout() throws LoginException

Specified by: logout in interface LoginModule

Returns: true if this method succeeded, or false if this LoginModule should be ignored.

Throws:
- LoginException - if the logout fails

See Also: LoginModule.logout()
protected boolean authenticate(Principal principal, Credentials credentials) throws FailedLoginException, RepositoryException

Parameters:
- principal - Principal used to retrieve the Authentication object.
- credentials - Credentials used for the authentication.

Returns: true if the Credentials authenticate, false if no Authentication can handle the given Credentials.

Throws:
- FailedLoginException - if the authentication failed.
- RepositoryException - if another error occurs.

See Also: getAuthentication(java.security.Principal, javax.jcr.Credentials), authenticate(java.security.Principal, javax.jcr.Credentials)

protected boolean isImpersonation(Credentials credentials)

Tests whether the current request is an impersonation attempt.

Parameters:
- credentials - potentially containing impersonation data

Returns: true if a subject for the impersonation can be retrieved.

See Also: getImpersonatorSubject(Credentials)

protected abstract boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException

Handles the impersonation of the given Credentials.

Parameters:
- principal - Principal to impersonate.
- credentials - Credentials used to create the impersonation subject.

Throws:
- LoginException - if the credentials don't allow impersonating the principal.
- RepositoryException - if another error occurs.

protected abstract Authentication getAuthentication(Principal principal, Credentials creds) throws RepositoryException

Retrieve the Authentication.

Parameters:
- principal - A principal.
- creds - The Credentials used for the login.

Throws:
- RepositoryException - if an error occurs.

protected Subject getImpersonatorSubject(Credentials credentials)

Tries to acquire an Impersonator in the following order:
1. Try to access it from the Credentials via SimpleCredentials.getAttribute(String).
2. Ask the CallbackHandler for the Impersonator with use of an ImpersonationCallback.

Parameters:
- credentials - which may contain an impersonation Subject

See Also: login(), impersonate(java.security.Principal, javax.jcr.Credentials)
protected Credentials getCredentials()

Tries to resolve the Credentials used for login. It takes authentication-extension of an already authenticated Subject into account. Therefore the credentials are retrieved as follows:
1. Ask the CallbackHandler for Credentials with use of a CredentialsCallback. Expects CredentialsCallback.getCredentials() to return an instance of Credentials.
2. Take the SimpleCredentials from the public credentials of the already authenticated Subject (see Subject.getPublicCredentials(Class)), thus enabling pre-authentication of the Subject.

See Also: login()

protected boolean supportsCredentials(Credentials creds)

Returns a flag indicating whether the credentials are supported by this login module. This implementation supports SimpleCredentials and GuestCredentials.

Parameters:
- creds - credentials

Returns: true if the credentials are supported; false otherwise

protected String getUserID(Credentials credentials)

Tries to acquire a UserID in the following order:
1. If the passed credentials are GuestCredentials, the anonymous user id is returned.
2. Try to access it from the Credentials via SimpleCredentials.getUserID().
3. Ask the CallbackHandler for the User-ID with use of a NameCallback.
4. Test whether the 'sharedState' contains a login name.
5. Fallback: return the anonymous UserID.

Parameters:
- credentials - which may contain a User-ID

See Also: login()

protected boolean isAnonymous(Credentials credentials)

Indicates whether the given Credentials are considered to be anonymous.

Parameters:
- credentials - The Credentials to be tested.

Returns: true if anonymous; false otherwise.

protected abstract Principal getPrincipal(Credentials credentials)

The authentication process associates a Principal to Credentials. This method resolves the Principal for the given Credentials.

Parameters:
- credentials - Credentials used to login.

Returns: the resolved Principal, or null.

protected Set<Principal> getPrincipals()
public String getAdminId()

Returns the admin user id.

public void setAdminId(String adminId)

Sets the administrator's user id.

Parameters:
- adminId - the administrator's user id.

public String getAnonymousId()

Returns the anonymous user id.

public void setAnonymousId(String anonymousId)

Sets the anonymous user id.

Parameters:
- anonymousId - anonymous user id

public String getPrincipalProvider()

Returns the configured name of the principal provider class.

public void setPrincipalProvider(String principalProvider)

Sets the configured name of the principal provider class.

Parameters:
- principalProvider - Name of the principal provider class.

protected final String getPreAuthAttributeName()

Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release. See also JCR-3293.

This name is configured as the value of the LoginModule configuration parameter trust_credentials_attribute. If the configuration parameter is missing (or empty) the name is not set and this method returns null.

See Also: isPreAuthenticated(Credentials)
protected boolean isPreAuthenticated(Credentials creds)

Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release. See also JCR-3293.

Returns true if the credentials should be considered as pre-authenticated and a password check is not required. This base class implementation returns true if the creds object is a SimpleCredentials instance and the configured trusted credentials property is set to a non-null value in the credentials attributes. Extensions of this class may override this method to apply more or different checks to the credentials.

Parameters:
- creds - The Credentials to check

See Also: getPreAuthAttributeName()
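The three-phase login() flow and the pre-authentication caveat described above, as an added example that is not part of the Jackrabbit sources: a minimal concrete subclass of AbstractLoginModule backed by a constructed in-memory user table. The class name TableLoginModule, the TablePrincipal class, the sample user and password are assumptions made for the example; it also assumes jackrabbit-core 2.x on the classpath, whose Authentication interface exposes canHandle(Credentials) and authenticate(Credentials).

```java
// Added example, not part of the Jackrabbit sources. Assumes jackrabbit-core 2.x
// on the classpath; the user table, user id and password are constructed sample data.
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.core.security.authentication.Authentication;

public class TableLoginModule extends AbstractLoginModule {

    // user id -> SHA-256 of the password (constructed sample data; a production
    // store would use a salted, slow password hash)
    private final Map<String, byte[]> passwordHashes = new HashMap<String, byte[]>();

    @Override
    protected void doInit(CallbackHandler callbackHandler, Session session, Map options)
            throws LoginException {
        // Module-specific setup, called from initialize(). A real module would read
        // its users from the security workspace 'session'; this one hard-codes them.
        passwordHashes.put("alice", sha256("correct horse battery staple"));
    }

    @Override
    protected Principal getPrincipal(Credentials credentials) {
        // Phase 2, user-principal resolution: anonymous logins map to the configured
        // anonymous id; anything else must be in the table, otherwise login() returns
        // false and this module is ignored.
        if (isAnonymous(credentials)) {
            return new TablePrincipal(getAnonymousId());
        }
        String userId = getUserID(credentials);
        return passwordHashes.containsKey(userId) ? new TablePrincipal(userId) : null;
    }

    @Override
    protected Authentication getAuthentication(final Principal principal, Credentials creds)
            throws RepositoryException {
        // Phase 3 for a plain Repository.login(): authenticate(Principal, Credentials)
        // in the base class asks this object whether it can handle the credentials
        // and then whether they verify.
        return new Authentication() {
            public boolean canHandle(Credentials credentials) {
                return credentials instanceof SimpleCredentials
                        && principal.getName().equals(((SimpleCredentials) credentials).getUserID());
            }
            public boolean authenticate(Credentials credentials) throws RepositoryException {
                if (!canHandle(credentials)) {
                    return false;
                }
                byte[] expected = passwordHashes.get(principal.getName());
                byte[] actual = sha256(new String(((SimpleCredentials) credentials).getPassword()));
                // constant-time comparison, so a wrong password does not leak how much matched
                return expected != null && MessageDigest.isEqual(expected, actual);
            }
        };
    }

    @Override
    protected boolean impersonate(Principal principal, Credentials credentials)
            throws RepositoryException, LoginException {
        // Phase 3 for Session.impersonate(): the impersonator Subject comes from the
        // credentials attribute or the ImpersonationCallback; only the admin may impersonate.
        Subject impersonator = getImpersonatorSubject(credentials);
        if (impersonator == null) {
            return false;
        }
        for (Principal p : impersonator.getPrincipals()) {
            if (getAdminId().equals(p.getName())) {
                return true;
            }
        }
        throw new LoginException("impersonation of " + principal.getName() + " not permitted");
    }

    @Override
    protected boolean isPreAuthenticated(Credentials creds) {
        // The base class skips the password check when the deprecated
        // trust_credentials_attribute is present on the SimpleCredentials (JCR-3293).
        // This module never treats a credentials attribute as proof of authentication.
        return false;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private static final class TablePrincipal implements Principal, Serializable {
        private final String name;
        TablePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof TablePrincipal && name.equals(((TablePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

The base class drives the whole sequence: initialize() reads LoginModuleConfig.PARAM_ADMIN_ID and PARAM_ANONYMOUS_ID before calling doInit(), login() resolves credentials and user id through getCredentials() and getUserID(Credentials) before calling getPrincipal(), and commit() attaches the returned principal and a SimpleCredentials instance to the Subject. Overriding isPreAuthenticated(Credentials) to return false is the point to notice: with the base implementation, any caller able to set the configured trust_credentials_attribute on a SimpleCredentials object obtains a session without a password check, which is why the attribute is deprecated.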
Copyright © 2004–2022 The Apache Software Foundation. All rights reserved.