Class TokenLoginModule
- java.lang.Object
  - org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
    - org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule

- All Implemented Interfaces:
LoginModule

public final class TokenLoginModule extends AbstractLoginModule

LoginModule implementation that is able to handle login requests based on TokenCredentials. In combination with another login module that handles other Credentials implementations, this module will also take care of creating new login tokens and the corresponding credentials upon commit(), which it will be able to deal with in subsequent login calls.

Login and Commit
Login
This LoginModule implementation performs the following tasks upon login().
- Try to retrieve TokenCredentials credentials (see also AbstractLoginModule.getCredentials())
- Validates the credentials based on the functionality provided by Authentication.authenticate(javax.jcr.Credentials)
- Upon success it retrieves userId from the TokenInfo and calculates the principals associated with that user,
- and finally puts the credentials on the shared state.
If no TokenProvider has been configured, or if no TokenCredentials can be obtained, login() of this module will return false.

Commit
If login was successfully handled by this module, commit() will just populate the subject.

If the login was successfully handled by another module in the chain, the TokenLoginModule will test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined by TokenProvider.doCreateToken(javax.jcr.Credentials).

Example Configurations
The authentication configuration using this LoginModule could for example look as follows:

TokenLoginModule in combination with another LoginModule

    jackrabbit.oak {
        org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
        org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
    };

In this case the TokenLoginModule would handle any login issued with TokenCredentials while the second module would take care of any other credentials implementations as long as they are supported by the module. In addition the TokenLoginModule will issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials)).

TokenLoginModule as single way to login

    jackrabbit.oak {
        org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
    };
If the TokenLoginModule is the single entry in the login configuration, the login token must be generated by the application by calling TokenProvider.createToken(Credentials) or TokenProvider.createToken(String, java.util.Map).
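
The two-step flow that the first configuration enables, as an added example that is not part of the Oak Javadoc or the project's code: a password login that asks for a token during commit(), followed by a token-only login handled by TokenLoginModule.login(). It assumes Oak's default TokenProvider, which treats SimpleCredentials carrying an empty ".token" attribute as a token request and writes the issued token back into that attribute; the class name, method names and the Repository passed in are hypothetical.

```java
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;

public final class TokenLoginExample {

    // Attribute name checked by Oak's default TokenProvider
    // (the value of TokenConstants.TOKEN_ATTRIBUTE).
    private static final String TOKEN_ATTRIBUTE = ".token";

    /**
     * First login: authenticated by the password-based module in the chain.
     * TokenLoginModule.commit() then issues the token because the shared
     * credentials satisfy TokenProvider.doCreateToken(Credentials).
     */
    static String requestToken(Repository repository, String userId, char[] password)
            throws RepositoryException {
        SimpleCredentials creds = new SimpleCredentials(userId, password);
        // Assumption: an empty ".token" attribute marks a token request.
        creds.setAttribute(TOKEN_ATTRIBUTE, "");
        Session session = repository.login(creds);
        try {
            Object token = creds.getAttribute(TOKEN_ATTRIBUTE);
            if (!(token instanceof String) || ((String) token).isEmpty()) {
                // Login worked, but no TokenProvider was configured or it declined.
                throw new RepositoryException("login succeeded but no token was issued");
            }
            // The token is a bearer credential: keep it out of logs and URLs.
            return (String) token;
        } finally {
            session.logout();
        }
    }

    /** Subsequent logins: validated by TokenLoginModule.login() alone. */
    static Session loginWithToken(Repository repository, String token)
            throws RepositoryException {
        return repository.login(new TokenCredentials(token));
    }
}
```

With the single-module configuration, requestToken() cannot succeed because no module in the chain accepts the password; the application has to obtain the token through TokenProvider.createToken(...) instead.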

Field Summary
Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject

Constructor Summary
Constructor | Description
TokenLoginModule() |

Method Summary
Modifier and Type | Method | Description
protected void | clearState() | Clear state information that has been created during LoginModule.login().
boolean | commit() |
protected @NotNull Set<Class> | getSupportedCredentials() |
boolean | login() |
boolean | logout() | Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject.

Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo

Method Detail

login
public boolean login() throws LoginException
- Throws:
LoginException

commit
public boolean commit() throws LoginException
- Throws:
LoginException

logout
public boolean logout() throws LoginException
Description copied from class: AbstractLoginModule
Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false if either the principal set or the credentials set is empty. Note that this implementation is not able to remove only those principals/credentials that have been added by this very login module instance. Therefore subclasses should override this method to provide a fully compliant solution of AbstractLoginModule.logout(). They may however take advantage of AbstractLoginModule.logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract incorporating the additional recommendations highlighted at JAAS LoginModule Dev Guide.
- Specified by:
logout in interface LoginModule
- Overrides:
logout in class AbstractLoginModule
- Returns:
true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise
- Throws:
LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.

getSupportedCredentials
@NotNull protected @NotNull Set<Class> getSupportedCredentials()
- Specified by:
getSupportedCredentials in class AbstractLoginModule
- Returns:
A set of supported credential classes.

clearState
protected void clearState()
Description copied from class: AbstractLoginModule
Clear state information that has been created during LoginModule.login().
- Overrides:
clearState in class AbstractLoginModule