org.apache.jackrabbit.core.security.authentication

Class DefaultLoginModule

java.lang.Object

org.apache.jackrabbit.core.security.authentication.AbstractLoginModule

org.apache.jackrabbit.core.security.authentication.DefaultLoginModule

All Implemented Interfaces:

LoginModule

public class DefaultLoginModule
extends AbstractLoginModule

The DefaultLoginModule authenticates Credentials related to a User of the Repository
In any other case it is marked to be ignored.

This Module can deal with the following credentials

• SimpleCredentials -> handled by SimpleCredentialsAuthentication.
• TokenCredentials -> handled by TokenBasedAuthentication.

In both cases the login is successful if the system contains a non-disabled, valid user that matches the given credentials.

Correspondingly impersonation is delegated to the User's Impersonation object.

See Also:

AbstractLoginModule

Field Summary

Fields

Modifier and Type	Field and Description
protected org.apache.jackrabbit.api.security.user.User	user The user object retrieved during the authentication process.

Fields inherited from class org.apache.jackrabbit.core.security.authentication.AbstractLoginModule

adminId, anonymousId, callbackHandler, credentials, principal, principalProvider, sharedState, subject

Constructor Summary

Constructors

Constructor and Description
DefaultLoginModule()

Method Summary

Modifier and Type	Method and Description
boolean	commit() Method to commit the authentication process (phase 2).
protected void	doInit(CallbackHandler callbackHandler, Session session, Map options) Retrieves the user manager from the specified session.
protected Authentication	getAuthentication(Principal principal, Credentials creds) Retrieve the Authentication.
protected Principal	getPrincipal(Credentials credentials) Resolves the userID from the given credentials and obtains the principal from the User object associated with the given userID.
long	getTokenExpiration()
protected String	getUserID(Credentials credentials) Method supports tries to acquire a UserID in the following order: If passed credentials are GuestCredentials the anonymous user id is returned. Try to access it from the Credentials via SimpleCredentials.getUserID() Ask CallbackHandler for User-ID with use of NameCallback. Test if the 'sharedState' contains a login name. Fallback: return the anonymous UserID.
protected boolean	impersonate(Principal principal, Credentials credentials) Handles the impersonation of given Credentials.
boolean	isDisableTokenAuth() Return a flag indicating if token based authentication is disabled.
void	setDisableTokenAuth(boolean disableTokenAuth) Set a flag indicating if token based authentication is disabled.
void	setTokenExpiration(long tokenExpiration)
protected boolean	supportsCredentials(Credentials creds) Return a flag indicating whether the credentials are supported by this login module.

Methods inherited from class org.apache.jackrabbit.core.security.authentication.AbstractLoginModule

abort, authenticate, getAdminId, getAnonymousId, getCredentials, getImpersonatorSubject, getPreAuthAttributeName, getPrincipalProvider, getPrincipals, initialize, isAnonymous, isImpersonation, isInitialized, isPreAuthenticated, login, logout, setAdminId, setAnonymousId, setPrincipalProvider

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

user

protected org.apache.jackrabbit.api.security.user.User user

The user object retrieved during the authentication process.

Constructor Detail

DefaultLoginModule

public DefaultLoginModule()

Method Detail

commit

public boolean commit()
               throws LoginException

Description copied from class: AbstractLoginModule

Method to commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes/destroys any state that was originally saved.

The login is considered as succeeded if there is a principal set.

The implementation stores the principal associated to the UserID and all the Groups it is member of with the Subject and in addition adds an instance of (#link SimpleCredentials} to the Subject's public credentials.

Specified by:

commit in interface LoginModule

Overrides:

commit in class AbstractLoginModule

Returns:

true if this method succeeded, or false if this LoginModule should be ignored.

Throws:

LoginException - if the commit fails

See Also:

LoginModule.commit()

doInit

protected void doInit(CallbackHandler callbackHandler,
                      Session session,
                      Map options)
               throws LoginException

Retrieves the user manager from the specified session. If this fails this login modules initialization must fail.

Specified by:

doInit in class AbstractLoginModule

Parameters:

callbackHandler - as passed by LoginContext

session - to security-workspace of Jackrabbit

options - options from LoginModule config

Throws:

LoginException - in case initialization fails.

See Also:

AbstractLoginModule.doInit(CallbackHandler, Session, Map)

getPrincipal

protected Principal getPrincipal(Credentials credentials)

Resolves the userID from the given credentials and obtains the principal from the User object associated with the given userID. If the the userID cannot be resolved to a User or if obtaining the principal fail, null is returned.

Specified by:

getPrincipal in class AbstractLoginModule

Parameters:

credentials - Credentials to retrieve the principal for.

Returns:

a user principal or null.

See Also:

AbstractLoginModule.getPrincipal(Credentials)

supportsCredentials

protected boolean supportsCredentials(Credentials creds)

Description copied from class: AbstractLoginModule

Return a flag indicating whether the credentials are supported by this login module. Default implementation supports SimpleCredentials and GuestCredentials.

Overrides:

supportsCredentials in class AbstractLoginModule

Parameters:

creds - credentials

Returns:

true if the credentials are supported; false otherwise

See Also:

AbstractLoginModule.supportsCredentials(javax.jcr.Credentials)

getUserID

protected String getUserID(Credentials credentials)

Description copied from class: AbstractLoginModule

Method supports tries to acquire a UserID in the following order:

1. If passed credentials are GuestCredentials the anonymous user id is returned.
2. Try to access it from the Credentials via SimpleCredentials.getUserID()
3. Ask CallbackHandler for User-ID with use of NameCallback.
4. Test if the 'sharedState' contains a login name.
5. Fallback: return the anonymous UserID.

Overrides:

getUserID in class AbstractLoginModule

Parameters:

credentials - which, may contain a User-ID

Returns:

The userId retrieved from the credentials or by any other means described above.

See Also:

AbstractLoginModule.getUserID(javax.jcr.Credentials)

getAuthentication

protected Authentication getAuthentication(Principal principal,
                                           Credentials creds)
                                    throws RepositoryException

Description copied from class: AbstractLoginModule

Retrieve the Authentication.

Specified by:

getAuthentication in class AbstractLoginModule

Parameters:

principal - A principal.

creds - The Credentials used for the login.

Returns:

Authentication object for the given principal / credentials.

Throws:

RepositoryException - If an error occurs.

See Also:

AbstractLoginModule.getAuthentication(Principal, Credentials)

impersonate

protected boolean impersonate(Principal principal,
                              Credentials credentials)
                       throws RepositoryException,
                              FailedLoginException

Handles the impersonation of given Credentials.

Current implementation takes User for the given Principal and delegates the check to Impersonation.allows(javax.security.auth.Subject)

Specified by:

impersonate in class AbstractLoginModule

Parameters:

principal - Principal to impersonate.

credentials - Credentials used to create the impersonation subject.

Returns:

false, if there is no User to impersonate, true if impersonation is allowed

Throws:

RepositoryException

FailedLoginException - if credentials don't allow to impersonate to principal

See Also:

AbstractLoginModule.impersonate(Principal, Credentials)

isDisableTokenAuth

public boolean isDisableTokenAuth()

Return a flag indicating if token based authentication is disabled.

Returns:

true if token based authentication is disabled; false otherwise.

setDisableTokenAuth

public void setDisableTokenAuth(boolean disableTokenAuth)

Set a flag indicating if token based authentication is disabled.

Parameters:

disableTokenAuth - true to disable token based authentication; false otherwise

getTokenExpiration

public long getTokenExpiration()

Returns:

The configured expiration time for login tokens in milliseconds.

setTokenExpiration

public void setTokenExpiration(long tokenExpiration)

Parameters:

tokenExpiration - Sets the configured expiration time (in milliseconds) of login tokens.