public final class TokenLoginModule extends AbstractLoginModule
LoginModule implementation that is able to handle login request
based on TokenCredentials. In combination with another login module
that handles other Credentials implementation this module will also
take care of creating new login tokens and the corresponding credentials
upon commit()that it will be able to deal with in subsequent
login calls.
LoginModule implementation performs the following tasks upon
login().
TokenCredentials credentials (see also
AbstractLoginModule.getCredentials())TokenAuthentication.authenticate(javax.jcr.Credentials)userId from the TokenInfo
and calculates the principals associated with that user,TokenProvider has been configured login() or if
no TokenCredentials can be obtained this module will return false.
commit() will
just populate the subject.
If the login was successfully handled by another module in the chain, the
TokenLoginModule will test if the login was associated with a
request for login token generation. This mandates that there are credentials
present on the shared state that fulfill the requirements defined by
TokenProvider.doCreateToken(javax.jcr.Credentials).
LoginModule could for
example look as follows:
jackrabbit.oak {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
};
In this case the TokenLoginModule would handle any login issued with
TokenCredentials while the second module would take care any other
credentials implementations as long they are supported by the module. In
addition the TokenLoginModule will issue a new token if the login
succeeded and the credentials provided by the shared state can be used
to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials).
jackrabbit.oak {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
};
If the TokenLoginModule as single entry in the login configuration
the login token must be generated by the application by calling
TokenProvider.createToken(Credentials) or
TokenProvider.createToken(String, java.util.Map).callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject| Constructor and Description |
|---|
TokenLoginModule() |
| Modifier and Type | Method and Description |
|---|---|
protected void |
clearState()
Clear state information that has been created during
LoginModule.login(). |
boolean |
commit() |
protected @NotNull Set<Class> |
getSupportedCredentials() |
boolean |
login() |
boolean |
logout()
Besteffort default implementation of
LoginModule.logout(), which removes all principals and all public
credentials of type Credentials and AuthInfo from the subject. |
abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfopublic boolean login()
throws LoginException
LoginExceptionpublic boolean commit()
throws LoginException
LoginExceptionpublic boolean logout()
throws LoginException
AbstractLoginModuleLoginModule.logout(), which removes all principals and all public
credentials of type Credentials and AuthInfo from the subject.
It will return false, if either principal set or credentials set is empty.
Note, that this implementation is not able to only remove those principals/credentials that have been added
by this very login module instance. Therefore subclasses should overwrite this method to provide a fully
compliant solution of AbstractLoginModule.logout(). They may however take advantage of AbstractLoginModule.logout(Set, Set)
in order to simplify the implementation of a logout that is compatible with the LoginModule.logout()
contract incorporating the additional recommendations highlighted at
JAAS LoginModule Dev Guidelogout in interface LoginModulelogout in class AbstractLoginModuletrue if neither principals nor public credentials of type Credentials or AuthInfo
stored in the Subject are empty; false otherwiseLoginException - if the subject is readonly and destroying Destroyable credentials fails
with DestroyFailedException.@NotNull protected @NotNull Set<Class> getSupportedCredentials()
getSupportedCredentials in class AbstractLoginModuleprotected void clearState()
AbstractLoginModuleLoginModule.login().clearState in class AbstractLoginModuleCopyright © 2012–2020 The Apache Software Foundation. All rights reserved.