public final class TokenLoginModule extends AbstractLoginModule
LoginModule implementation that is able to handle login requests based on TokenCredentials. In combination with another login module that handles other Credentials implementations this module will also take care of creating new login tokens and the corresponding credentials upon commit() that it will be able to deal with in subsequent login calls.

LoginModule implementation performs the following tasks upon login().

TokenCredentials credentials (see also AbstractLoginModule.getCredentials())
TokenAuthentication.authenticate(javax.jcr.Credentials)
userId from the TokenInfo and calculates the principals associated with that user,
TokenProvider has been configured login() or if no TokenCredentials can be obtained this module will return false.

commit() will just populate the subject.

If the login was successfully handled by another module in the chain, the TokenLoginModule will test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined by TokenProvider.doCreateToken(javax.jcr.Credentials).

LoginModule could for example look as follows:

    jackrabbit.oak {
        org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
        org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
    };

In this case the TokenLoginModule would handle any login issued with TokenCredentials while the second module would take care of any other credentials implementations as long as they are supported by the module. In addition the TokenLoginModule will issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials)).
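
The combined configuration above, seen from the client side, as an added example that is not code from the Oak project: a first login with SimpleCredentials that requests a token, followed by a login that presents only that token as TokenCredentials. Assumptions not stated on this page: the ".token" attribute name checked by the default TokenProvider, an in-memory repository built with new Jcr().createRepository() whose default login chain matches the configuration above and which has the default admin/admin account, and the class and method names used here.

```java
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitRepository;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.jcr.Jcr;

public class TokenLoginRoundTrip {
    // Assumption (not on this page): the default TokenProvider treats an
    // empty-string ".token" attribute as a request to generate a token.
    static final String TOKEN_ATTRIBUTE = ".token";

    /** Password login that also requests a token; returns the issued token. */
    static String requestToken(Repository repo, String userId, char[] password) throws Exception {
        SimpleCredentials creds = new SimpleCredentials(userId, password);
        creds.setAttribute(TOKEN_ATTRIBUTE, "");
        Session session = repo.login(creds);
        try {
            // After a successful commit() the attribute holds the new token.
            Object token = creds.getAttribute(TOKEN_ATTRIBUTE);
            if (!(token instanceof String) || ((String) token).isEmpty()) {
                throw new IllegalStateException("no token issued; check the login chain");
            }
            return (String) token;
        } finally {
            session.logout();
        }
    }

    /** Subsequent login: only the token is presented, no password. */
    static String loginWithToken(Repository repo, String token) throws Exception {
        Session session = repo.login(new TokenCredentials(token));
        try {
            return session.getUserID();
        } finally {
            session.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed setup: throwaway in-memory repository, default admin account.
        Repository repo = new Jcr().createRepository();
        try {
            String token = requestToken(repo, "admin", "admin".toCharArray());
            // The token is a bearer secret: print the resolved user, never the token.
            System.out.println("token login as: " + loginWithToken(repo, token));
        } finally {
            ((JackrabbitRepository) repo).shutdown();
        }
    }
}
```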

    jackrabbit.oak {
        org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
    };

If the TokenLoginModule is the single entry in the login configuration, the login token must be generated by the application by calling TokenProvider.createToken(Credentials) or TokenProvider.createToken(String, java.util.Map).

callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject
Constructor and Description |
---|
TokenLoginModule() |
Modifier and Type | Method and Description |
---|---|
protected void | clearState(): Clear state information that has been created during LoginModule.login(). |
boolean | commit() |
protected @NotNull java.util.Set<java.lang.Class> | getSupportedCredentials() |
boolean | login() |
boolean | logout(): Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. |
abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo
public boolean login() throws javax.security.auth.login.LoginException
javax.security.auth.login.LoginException
public boolean commit() throws javax.security.auth.login.LoginException
javax.security.auth.login.LoginException
public boolean logout() throws javax.security.auth.login.LoginException
AbstractLoginModule
Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false, if either principal set or credentials set is empty.

Note that this implementation is not able to remove only those principals/credentials that have been added by this very login module instance. Therefore subclasses should override this method to provide a fully compliant solution of AbstractLoginModule.logout(). They may however take advantage of AbstractLoginModule.logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract incorporating the additional recommendations highlighted at JAAS LoginModule Dev Guide.

logout in interface javax.security.auth.spi.LoginModule
logout in class AbstractLoginModule
true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise
javax.security.auth.login.LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.

@NotNull protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()
getSupportedCredentials in class AbstractLoginModule

protected void clearState()
AbstractLoginModule
Clear state information that has been created during LoginModule.login().
clearState in class AbstractLoginModule
Copyright © 2012–2022 The Apache Software Foundation. All rights reserved.