Class TokenLoginModule
- java.lang.Object
-
- org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
-
- org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule
-
- All Implemented Interfaces:
LoginModule
public final class TokenLoginModule extends AbstractLoginModule
LoginModuleimplementation that is able to handle login request based onTokenCredentials. In combination with another login module that handles otherCredentialsimplementation this module will also take care of creating new login tokens and the corresponding credentials uponcommit()that it will be able to deal with in subsequent login calls.Login and Commit
Login
ThisLoginModuleimplementation performs the following tasks uponlogin().- Try to retrieve
TokenCredentialscredentials (see alsoAbstractLoginModule.getCredentials()) - Validates the credentials based on the functionality provided by
Authentication.authenticate(javax.jcr.Credentials) - Upon success it retrieves
userIdfrom theTokenInfoand calculates the principals associated with that user, - and finally puts the credentials on the shared state.
TokenProviderhas been configuredlogin()or if noTokenCredentialscan be obtained this module will returnfalse.Commit
If login was successfully handled by this module thecommit()will just populate the subject.If the login was successfully handled by another module in the chain, the
TokenLoginModulewill test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined byTokenProvider.doCreateToken(javax.jcr.Credentials).Example Configurations
The authentication configuration using thisLoginModulecould for example look as follows:TokenLoginModule in combination with another LoginModule
jackrabbit.oak { org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient; org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required; };In this case the TokenLoginModule would handle any login issued withTokenCredentialswhile the second module would take care any other credentials implementations as long they are supported by the module. In addition theTokenLoginModulewill issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (seeTokenProvider.doCreateToken(javax.jcr.Credentials).TokenLoginModule as single way to login
jackrabbit.oak { org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required; };If theTokenLoginModuleas single entry in the login configuration the login token must be generated by the application by callingTokenProvider.createToken(Credentials)orTokenProvider.createToken(String, java.util.Map).
-
-
Field Summary
-
Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject
-
-
Constructor Summary
Constructors Constructor Description TokenLoginModule()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected voidclearState()Clear state information that has been created duringLoginModule.login().booleancommit()protected @NotNull Set<Class>getSupportedCredentials()booleanlogin()booleanlogout()Besteffort default implementation ofLoginModule.logout(), which removes all principals and all public credentials of typeCredentialsandAuthInfofrom the subject.-
Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo
-
-
-
-
Method Detail
-
login
public boolean login() throws LoginException- Throws:
LoginException
-
commit
public boolean commit() throws LoginException- Throws:
LoginException
-
logout
public boolean logout() throws LoginExceptionDescription copied from class:AbstractLoginModuleBesteffort default implementation ofLoginModule.logout(), which removes all principals and all public credentials of typeCredentialsandAuthInfofrom the subject. It will returnfalse, if either principal set or credentials set is empty. Note, that this implementation is not able to only remove those principals/credentials that have been added bythisvery login module instance. Therefore subclasses should overwrite this method to provide a fully compliant solution ofAbstractLoginModule.logout(). They may however take advantage ofAbstractLoginModule.logout(Set, Set)in order to simplify the implementation of a logout that is compatible with theLoginModule.logout()contract incorporating the additional recommendations highlighted at JAAS LoginModule Dev Guide- Specified by:
logoutin interfaceLoginModule- Overrides:
logoutin classAbstractLoginModule- Returns:
trueif neither principals nor public credentials of typeCredentialsorAuthInfostored in theSubjectare empty;falseotherwise- Throws:
LoginException- if the subject is readonly and destroyingDestroyablecredentials fails withDestroyFailedException.
-
getSupportedCredentials
@NotNull protected @NotNull Set<Class> getSupportedCredentials()
- Specified by:
getSupportedCredentialsin classAbstractLoginModule- Returns:
- A set of supported credential classes.
-
clearState
protected void clearState()
Description copied from class:AbstractLoginModuleClear state information that has been created duringLoginModule.login().- Overrides:
clearStatein classAbstractLoginModule
-
-