Class AbstractLoginModule
- java.lang.Object
-
- org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
-
- All Implemented Interfaces:
LoginModule
- Direct Known Subclasses:
DefaultLoginModule, SimpleLoginModule
public abstract class AbstractLoginModule extends Object implements LoginModule
AbstractLoginModule provides the means for the common authentication tasks within the Repository. On successful authentication it associates the credentials to principals using the PrincipalProvider configured for this LoginModule.
Jackrabbit distinguishes between Login and Impersonation, dispatching the corresponding Repository/Session methods to authenticate(java.security.Principal, javax.jcr.Credentials) and impersonate(java.security.Principal, javax.jcr.Credentials), respectively. This LoginModule implements default behavior for either method.
- See Also:
LoginModule
-
-
Field Summary
Fields
protected String adminId
protected String anonymousId
protected CallbackHandler callbackHandler
protected SimpleCredentials credentials
protected Principal principal
protected PrincipalProvider principalProvider
protected Map sharedState
protected Subject subject
-
Constructor Summary
Constructors
AbstractLoginModule()
-
Method Summary
boolean abort()
    Method to abort the authentication process (phase 2).
protected boolean authenticate(Principal principal, Credentials credentials)
boolean commit()
    Method to commit the authentication process (phase 2).
protected abstract void doInit(CallbackHandler callbackHandler, Session session, Map options)
    Implementations may set up their own state.
String getAdminId()
    Returns the admin user id.
String getAnonymousId()
    Returns the anonymous user id.
protected abstract Authentication getAuthentication(Principal principal, Credentials creds)
    Retrieve the Authentication.
protected Credentials getCredentials()
    Method tries to resolve the Credentials used for login.
protected Subject getImpersonatorSubject(Credentials credentials)
    Method tries to acquire an Impersonator in the following order: try to access it from the Credentials via SimpleCredentials.getAttribute(String); ask the CallbackHandler for the Impersonator with an ImpersonationCallback.
protected String getPreAuthAttributeName()
    Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release.
protected abstract Principal getPrincipal(Credentials credentials)
    The authentication process associates a Principal to Credentials. This method resolves the Principal for the given Credentials.
String getPrincipalProvider()
    Returns the configured name of the principal provider class.
protected Set<Principal> getPrincipals()
protected String getUserID(Credentials credentials)
    Method tries to acquire a UserID in the following order: if the passed credentials are GuestCredentials the anonymous user id is returned; try to access it from the Credentials via SimpleCredentials.getUserID(); ask the CallbackHandler for the User-ID with a NameCallback; test if the 'sharedState' contains a login name; fallback: return the anonymous UserID.
protected abstract boolean impersonate(Principal principal, Credentials credentials)
    Handles the impersonation of given Credentials.
void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
    Initialize this LoginModule and set the following fields for later usage: the PrincipalProvider for user-Principal resolution; the LoginModuleConfig.PARAM_ADMIN_ID option is evaluated; the LoginModuleConfig.PARAM_ANONYMOUS_ID option is evaluated. Implementations are called via doInit(CallbackHandler, Session, Map) to implement additional initialization.
protected boolean isAnonymous(Credentials credentials)
    Indicate if the given Credentials are considered to be anonymous.
protected boolean isImpersonation(Credentials credentials)
    Test if the current request is an Impersonation attempt.
protected boolean isInitialized()
    Returns true if this module has been successfully initialized.
protected boolean isPreAuthenticated(Credentials creds)
    Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release.
boolean login()
    Method to authenticate a Subject (phase 1).
boolean logout()
void setAdminId(String adminId)
    Sets the administrator's user id.
void setAnonymousId(String anonymousId)
    Sets the anonymous user id.
void setPrincipalProvider(String principalProvider)
    Sets the configured name of the principal provider class.
protected boolean supportsCredentials(Credentials creds)
    Return a flag indicating whether the credentials are supported by this login module.
-
-
-
Field Detail
-
adminId
protected String adminId
-
anonymousId
protected String anonymousId
-
callbackHandler
protected CallbackHandler callbackHandler
-
principal
protected Principal principal
-
credentials
protected SimpleCredentials credentials
-
subject
protected Subject subject
-
principalProvider
protected PrincipalProvider principalProvider
-
sharedState
protected Map sharedState
-
-
Method Detail
-
initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
Initialize this LoginModule and set the following fields for later usage:
- PrincipalProvider for user-Principal resolution.
- LoginModuleConfig.PARAM_ADMIN_ID option is evaluated.
- LoginModuleConfig.PARAM_ANONYMOUS_ID option is evaluated.
Implementations are called via doInit(CallbackHandler, Session, Map) to implement additional initialization.
- Specified by:
initialize in interface LoginModule
- Parameters:
subject - the Subject to be authenticated.
callbackHandler - a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).
sharedState - state shared with other configured LoginModules.
options - options specified in the login Configuration for this particular LoginModule.
- See Also:
LoginModule.initialize(Subject, CallbackHandler, Map, Map), doInit(CallbackHandler, Session, Map), isInitialized()
-
doInit
protected abstract void doInit(CallbackHandler callbackHandler, Session session, Map options) throws LoginException
Implementations may set up their own state.
- Parameters:
callbackHandler - as passed by LoginContext
session - to the security workspace of Jackrabbit
options - options from the LoginModule config
- Throws:
LoginException - in case initialization fails.
-
isInitialized
protected boolean isInitialized()
Returns true if this module has been successfully initialized.
- Returns:
true if this module has been successfully initialized.
- See Also:
LoginModule.initialize(Subject, CallbackHandler, Map, Map)
-
login
public boolean login() throws LoginException
Method to authenticate a Subject (phase 1). The login is divided into 3 phases:

1) User-ID resolution
In a first step it is tried to resolve a User-ID for further validation. As for JCR the identification is marked with the Credentials interface, credentials are accessed in this phase.
If no User-ID can be found, anonymous access is granted with the ID of the anonymous user (as defined in the security configuration). Anonymous access can be switched off by removing the configuration entry.
This implementation uses two helper methods, which allow for customization: getCredentials() and getUserID(Credentials).

2) User-Principal resolution
In a second step it is tested if the resolved User-ID belongs to a User known to the system, i.e. if the PrincipalProvider has a principal for the given ID and the principal can be found via PrincipalProvider.findPrincipals(String).
The provider implementation can be set by the LoginModule configuration. If the option is missing, the system default principal provider will be used.

3) Verification
There are four cases how the User-ID can be verified: the login is anonymous, it is pre-authenticated, it is the result of an impersonation request (see Session.impersonate(Credentials)), or it is a login to the Repository (Repository.login(Credentials)). The concrete implementation of the LoginModule is responsible for all four cases:
- isAnonymous(Credentials)
- isPreAuthenticated(Credentials)
- authenticate(Principal, Credentials)
- impersonate(Principal, Credentials)

Under the following conditions the login process is aborted and the module is marked to be ignored (login() returns false):
- No User-ID could be resolved, and anonymous access is switched off
- No Principal is found for the resolved User-ID

Under the following conditions the login process is marked as invalid by throwing a LoginException:
- It is an impersonation request, but the impersonator is not allowed to impersonate the requested User-ID
- The user tries to log in, but the Credentials cannot be verified.

The LoginModule keeps the Credentials and the Principal as instance fields, to mark that login has been successful.
- Specified by:
login in interface LoginModule
- Returns:
true if the authentication succeeded, or false if this LoginModule should be ignored.
- Throws:
LoginException - if the authentication fails
- See Also:
LoginModule.login(), getCredentials(), getUserID(Credentials), getImpersonatorSubject(Credentials)
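As an added example of how the three phases above land in a concrete subclass (this is illustration code, not Jackrabbit's own DefaultLoginModule or SimpleLoginModule): a minimal LoginModule that keeps a constructed in-memory password table, resolves the principal through the configured PrincipalProvider, returns null from getAuthentication when no Authentication can handle the credentials, and implements the impersonate contract (false when there is nothing to impersonate, true when allowed, LoginException when denied). The package name, the password table, the assumption that principal names equal user ids, and the "only adminId may impersonate" rule are assumptions made for the example.

```java
package example.jackrabbit; // hypothetical package, not part of Jackrabbit

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.core.security.authentication.Authentication;

/** Example subclass of AbstractLoginModule; assumes user id == principal name. */
public class PasswordTableLoginModule extends AbstractLoginModule {

    // Constructed sample data (user id -> password bytes). A real module would
    // store salted hashes in the repository, never plaintext.
    private final Map<String, byte[]> passwords = new HashMap<String, byte[]>();

    @Override
    protected void doInit(CallbackHandler callbackHandler, Session session, Map options)
            throws LoginException {
        // Module-specific setup. The base class has already resolved principalProvider,
        // adminId and anonymousId from the options before calling us.
        passwords.put("alice", "correct horse battery".getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected Principal getPrincipal(Credentials credentials) {
        // Phases 1 and 2: the base-class helper walks SimpleCredentials, NameCallback,
        // sharedState and the anonymous fallback; the provider then maps id -> Principal.
        // Returning null makes login() return false ("ignore this module").
        String userId = getUserID(credentials);
        if (userId == null) {
            return null; // anonymous access switched off and no id resolved
        }
        return principalProvider.getPrincipal(userId); // assumption: principal name == user id
    }

    @Override
    protected Authentication getAuthentication(Principal principal, Credentials creds)
            throws RepositoryException {
        // Phase 3, Repository.login case: the Authentication object does the secret check.
        Authentication auth = new Authentication() {
            public boolean canHandle(Credentials c) {
                return c instanceof SimpleCredentials
                        && passwords.containsKey(((SimpleCredentials) c).getUserID());
            }
            public boolean authenticate(Credentials c) throws RepositoryException {
                SimpleCredentials sc = (SimpleCredentials) c;
                byte[] expected = passwords.get(sc.getUserID());
                byte[] given = new String(sc.getPassword()).getBytes(StandardCharsets.UTF_8);
                // Constant-time comparison so a wrong password does not leak how much matched.
                return expected != null && MessageDigest.isEqual(expected, given);
            }
        };
        // Base-class contract: null means "no Authentication can handle these credentials",
        // so authenticate() returns false instead of throwing FailedLoginException.
        return auth.canHandle(creds) ? auth : null;
    }

    @Override
    protected boolean impersonate(Principal principal, Credentials credentials)
            throws RepositoryException, LoginException {
        // Phase 3, Session.impersonate case.
        Subject impersonator = getImpersonatorSubject(credentials);
        if (impersonator == null) {
            return false; // nothing to impersonate
        }
        for (Principal p : impersonator.getPrincipals()) {
            if (p.getName().equals(adminId)) { // assumption: admin principal is named adminId
                return true;
            }
        }
        // Denied impersonation must fail the login, not merely ignore the module.
        throw new LoginException("impersonation of " + principal.getName() + " denied");
    }
}
```

Note the two distinct failure outcomes this wiring produces: an unknown user id yields a null principal or a null Authentication and the module is ignored, whereas a known user with a wrong password makes the base-class authenticate() throw FailedLoginException, and a denied impersonation throws LoginException, both of which fail the login outright.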
-
commit
public boolean commit() throws LoginException
Method to commit the authentication process (phase 2). This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).
If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempt failed, then this method removes/destroys any state that was originally saved. The login is considered as succeeded if there is a principal set.
The implementation stores the principal associated to the UserID and all the Groups it is member of with the Subject and in addition adds an instance of SimpleCredentials to the Subject's public credentials.
- Specified by:
commit
in interfaceLoginModule
- Returns:
- true if this method succeeded, or false if this
LoginModule
should be ignored. - Throws:
LoginException
- if the commit fails- See Also:
LoginModule.commit()
-
abort
public boolean abort() throws LoginException
Method to abort the authentication process (phase 2). This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).
If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method cleans up any state that was originally saved.
- Specified by:
abort
in interfaceLoginModule
- Returns:
- true if this method succeeded, or false if this
LoginModule
should be ignored. - Throws:
LoginException
- if the abort fails- See Also:
LoginModule.abort()
-
logout
public boolean logout() throws LoginException
- Specified by:
logout
in interfaceLoginModule
- Returns:
true if this method succeeded, or false if this LoginModule should be ignored.
- Throws:
LoginException - if the logout fails
- See Also:
LoginModule.logout()
-
authenticate
protected boolean authenticate(Principal principal, Credentials credentials) throws FailedLoginException, RepositoryException
- Parameters:
principal - Principal used to retrieve the Authentication object.
credentials - Credentials used for the authentication.
- Returns:
true if the Credentials authenticate, false if no Authentication can handle the given Credentials
- Throws:
FailedLoginException - if the authentication failed.
RepositoryException - if another error occurs.
- See Also:
getAuthentication(java.security.Principal, javax.jcr.Credentials), authenticate(java.security.Principal, javax.jcr.Credentials)
-
isImpersonation
protected boolean isImpersonation(Credentials credentials)
Test if the current request is an Impersonation attempt. The default implementation returns true if a Subject for the impersonation can be retrieved.
- Parameters:
credentials - potentially containing impersonation data
- Returns:
true if this is an impersonation attempt
- See Also:
getImpersonatorSubject(Credentials)
-
impersonate
protected abstract boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException
Handles the impersonation of given Credentials.
- Parameters:
principal - Principal to impersonate.
credentials - Credentials used to create the impersonation subject.
- Returns:
false if there is no User to impersonate, true if impersonation is allowed
- Throws:
LoginException - if the credentials don't allow to impersonate the principal.
RepositoryException - if another error occurs.
-
getAuthentication
protected abstract Authentication getAuthentication(Principal principal, Credentials creds) throws RepositoryException
Retrieve the Authentication.
- Parameters:
principal - A principal.
creds - The Credentials used for the login.
- Returns:
Authentication object for the given principal / credentials.
- Throws:
RepositoryException - if an error occurs.
-
getImpersonatorSubject
protected Subject getImpersonatorSubject(Credentials credentials)
Method tries to acquire an Impersonator in the following order:
- Try to access it from the Credentials via SimpleCredentials.getAttribute(String)
- Ask the CallbackHandler for the Impersonator with an ImpersonationCallback.
- Parameters:
credentials - which may contain an impersonation Subject
- Returns:
impersonation subject, or null if none is contained
- See Also:
login(), impersonate(java.security.Principal, javax.jcr.Credentials)
-
getCredentials
protected Credentials getCredentials()
Method tries to resolve the Credentials used for login. It takes authentication-extension of an already authenticated Subject into account. Therefore the credentials are retrieved as follows:
- Test if the shared state contains credentials.
- Ask the CallbackHandler for Credentials using a CredentialsCallback. Expects CredentialsCallback.getCredentials() to return an instance of Credentials.
- Ask the Subject for its public SimpleCredentials, see Subject.getPublicCredentials(Class), thus enabling to pre-authenticate the Subject.
- Returns:
Credentials, or null if not found
- See Also:
login()
-
supportsCredentials
protected boolean supportsCredentials(Credentials creds)
Return a flag indicating whether the credentials are supported by this login module. The default implementation supports SimpleCredentials and GuestCredentials.
- Parameters:
creds - credentials
- Returns:
true if the credentials are supported; false otherwise
-
getUserID
protected String getUserID(Credentials credentials)
Method tries to acquire a UserID in the following order:
- If the passed credentials are GuestCredentials, the anonymous user id is returned.
- Try to access it from the Credentials via SimpleCredentials.getUserID()
- Ask the CallbackHandler for the User-ID with a NameCallback.
- Test if the 'sharedState' contains a login name.
- Fallback: return the anonymous UserID.
- Parameters:
credentials - which may contain a User-ID
- Returns:
The userId retrieved from the credentials or by any other means described above.
- See Also:
login()
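The three resolution orders above (getImpersonatorSubject, getCredentials, getUserID) each end in a question to the CallbackHandler. The following added example, which is not Jackrabbit's own CallbackHandlerImpl, shows the other side of that contract: a handler that answers exactly the callbacks the module issues during login, with a comment on which step of which method triggers each one. It is the kind of handler a custom AuthContext or a unit test for a subclass would supply; the RepositoryCallback that initialize() also issues is assumed to be served by the repository's own handler and is not covered here. The class and package names are assumptions.

```java
package example.jackrabbit; // hypothetical package, not part of Jackrabbit

import java.io.IOException;
import javax.jcr.Credentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.jackrabbit.core.security.authentication.CredentialsCallback;
import org.apache.jackrabbit.core.security.authentication.ImpersonationCallback;

/** Example handler serving the login-time callbacks of AbstractLoginModule. */
public class StaticCallbackHandler implements CallbackHandler {

    // null -> getCredentials() falls through to the Subject's public SimpleCredentials
    private final Credentials credentials;
    // null -> getUserID() falls through to the sharedState login name, then anonymousId
    private final String userId;
    // non-null -> isImpersonation() becomes true and impersonate() is consulted
    private final Subject impersonator;

    public StaticCallbackHandler(Credentials credentials, String userId, Subject impersonator) {
        this.credentials = credentials;
        this.userId = userId;
        this.impersonator = impersonator;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof CredentialsCallback) {
                // getCredentials(), step 2: only asked when the shared state holds no credentials.
                ((CredentialsCallback) cb).setCredentials(credentials);
            } else if (cb instanceof NameCallback) {
                // getUserID(), step 3: only asked for credentials that are neither
                // GuestCredentials nor SimpleCredentials (those carry the id themselves).
                if (userId != null) {
                    ((NameCallback) cb).setName(userId);
                }
            } else if (cb instanceof ImpersonationCallback) {
                // getImpersonatorSubject(), step 2: asked when the credentials carry
                // no impersonator attribute.
                ((ImpersonationCallback) cb).setImpersonator(impersonator);
            } else {
                // Anything else (e.g. RepositoryCallback from initialize()) is not served
                // here; rejecting it lets the module continue with its documented fallbacks
                // or, for initialize(), fail closed rather than half-initialised.
                throw new UnsupportedCallbackException(cb, "not served by StaticCallbackHandler");
            }
        }
    }
}
```

Leaving a NameCallback unanswered is deliberate: it is how a handler lets the module reach the sharedState and anonymous fallbacks, which is also why a deployment that wants anonymous access switched off must remove the anonymous id from the configuration rather than rely on the handler.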
-
isAnonymous
protected boolean isAnonymous(Credentials credentials)
Indicate if the given Credentials are considered to be anonymous.
- Parameters:
credentials - The Credentials to be tested.
- Returns:
true if anonymous; false otherwise.
-
getPrincipal
protected abstract Principal getPrincipal(Credentials credentials)
The authentication process associates a Principal to Credentials. This method resolves the Principal for the given Credentials. If no valid Principal can be determined, the LoginModule should be ignored.
- Parameters:
credentials - Credentials used for the login.
- Returns:
the principal associated with the given credentials, or null.
-
getPrincipals
protected Set<Principal> getPrincipals()
- Returns:
- a Collection of principals that contains the current user principal and all groups it is member of.
-
getAdminId
public String getAdminId()
Returns the admin user id.
- Returns:
admin user id
-
setAdminId
public void setAdminId(String adminId)
Sets the administrator's user id.
- Parameters:
adminId - the administrator's user id.
-
getAnonymousId
public String getAnonymousId()
Returns the anonymous user id.
- Returns:
anonymous user id
-
setAnonymousId
public void setAnonymousId(String anonymousId)
Sets the anonymous user id.
- Parameters:
anonymousId - anonymous user id
-
getPrincipalProvider
public String getPrincipalProvider()
Returns the configured name of the principal provider class.
- Returns:
name of the principal provider class.
-
setPrincipalProvider
public void setPrincipalProvider(String principalProvider)
Sets the configured name of the principal provider class.
- Parameters:
principalProvider - Name of the principal provider class.
-
getPreAuthAttributeName
protected final String getPreAuthAttributeName()
Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release. See also JCR-3293.
The name of the credentials attribute providing a hint that the credentials should be taken as is and the user requesting access has already been authenticated outside of this LoginModule. This name is configured as the value of the LoginModule configuration parameter trust_credentials_attribute. If the configuration parameter is missing (or empty) the name is not set and this method returns null.
- See Also:
isPreAuthenticated(Credentials)
-
isPreAuthenticated
protected boolean isPreAuthenticated(Credentials creds)
Deprecated. For security reasons the support for the preAuth attribute has been deprecated and will no longer be available in a subsequent release. See also JCR-3293.
Returns true if the credentials should be considered as pre-authenticated and a password check is not required. This base class implementation returns true if the creds object is a SimpleCredentials instance and the configured trusted credentials property is set to a non-null value in the credentials attributes. Because that attribute lives on the credentials object itself, whoever constructs the SimpleCredentials can set it, which is why the mechanism is deprecated. Extensions of this class may override this method to apply more or different checks to the credentials.
- Parameters:
creds - The Credentials to check
- See Also:
getPreAuthAttributeName()
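As an added example (not Jackrabbit's own code) of the weakness described above beside its closure: the first method builds the SimpleCredentials that the base-class isPreAuthenticated accepts without a password check once trust_credentials_attribute is configured, and the subclass of DefaultLoginModule (listed on this page as a concrete subclass) overrides isPreAuthenticated so that no attribute value is ever trusted. The attribute name "preauth", the repository.xml fragment in the comment, and the class and package names are assumptions for the example; overriding a deprecated method produces a compiler warning, which is acceptable here.

```java
package example.jackrabbit; // hypothetical package, not part of Jackrabbit

import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.core.security.authentication.DefaultLoginModule;

/** Example: closing the deprecated trust_credentials_attribute bypass. */
public class NoPreAuthLoginModule extends DefaultLoginModule {

    // Weak configuration (assumed shape of the LoginModule element in repository.xml):
    //   <LoginModule class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
    //     <param name="trust_credentials_attribute" value="preauth"/>
    //   </LoginModule>
    // With that in place the base class treats ANY SimpleCredentials carrying a non-null
    // "preauth" attribute as already authenticated and skips the password check. The
    // attribute is set by whoever builds the credentials object, so a caller that can
    // reach Repository.login(Credentials) obtains a session for any user id:
    static SimpleCredentials credentialsThatSkipPasswordCheck(String userId, String trustAttribute) {
        SimpleCredentials sc = new SimpleCredentials(userId, new char[0]); // empty password
        sc.setAttribute(trustAttribute, Boolean.TRUE);                     // any non-null value
        return sc;
    }

    // Hardened side: refuse the shortcut regardless of configuration. login() then always
    // reaches authenticate()/impersonate() for non-anonymous credentials.
    @Override
    protected boolean isPreAuthenticated(Credentials creds) {
        return false;
    }

    // Audit hook: report credentials that still carry the legacy attribute so the
    // producing integration can be fixed instead of silently losing the shortcut.
    static boolean carriesTrustAttribute(Credentials creds, String trustAttribute) {
        return trustAttribute != null
                && creds instanceof SimpleCredentials
                && ((SimpleCredentials) creds).getAttribute(trustAttribute) != null;
    }
}
```

Removing the trust_credentials_attribute parameter from the configuration has the same effect for the base class (getPreAuthAttributeName() then returns null), but the override also protects against the parameter being reintroduced later; pre-authentication that is genuinely needed should go through the Subject's public credentials path described under getCredentials(), which is established by the JAAS LoginContext rather than by the caller of Repository.login.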
-
-