Class TokenLoginModule

  • All Implemented Interfaces:
    LoginModule

    public final class TokenLoginModule
    extends AbstractLoginModule
    LoginModule implementation that is able to handle login requests based on TokenCredentials. In combination with another login module that handles other Credentials implementations, this module will also take care of creating new login tokens and the corresponding credentials upon commit(), which it will then be able to deal with in subsequent login calls.

    Login and Commit

    Login

    This LoginModule implementation performs the following tasks upon login().
    1. Tries to retrieve TokenCredentials credentials (see also AbstractLoginModule.getCredentials())
    2. Validates the credentials based on the functionality provided by Authentication.authenticate(javax.jcr.Credentials)
    3. Upon success, retrieves the userId from the TokenInfo and calculates the principals associated with that user
    4. Finally, puts the credentials on the shared state.
    If no TokenProvider has been configured or if no TokenCredentials can be obtained, login() will return false.

    Commit

    If login was successfully handled by this module, commit() will just populate the subject.

    If the login was successfully handled by another module in the chain, the TokenLoginModule will test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined by TokenProvider.doCreateToken(javax.jcr.Credentials).

    Example Configurations

    The authentication configuration using this LoginModule could for example look as follows:

    TokenLoginModule in combination with another LoginModule

        jackrabbit.oak {
                org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
                org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
        };
     
    In this case the TokenLoginModule would handle any login issued with TokenCredentials, while the second module would take care of any other credentials implementations as long as they are supported by the module. In addition, the TokenLoginModule will issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials)).
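
The client side of this combined configuration, as an added example that is not part of the original Javadoc or the Oak code base: a password login that requests a token, followed by a login with the issued TokenCredentials. It assumes the default TokenProvider, which treats SimpleCredentials carrying an empty `.token` attribute as a token request, and an in-memory repository with the default admin/admin account; the class name `TokenLoginExample` and the helper `requestToken` are hypothetical.

```java
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants;

public class TokenLoginExample {

    /** Logs in once with a password and returns the login token issued on commit(). */
    static String requestToken(Repository repo, String userId, char[] password) throws Exception {
        SimpleCredentials sc = new SimpleCredentials(userId, password);
        // Assumption (default TokenProvider): an empty ".token" attribute marks a token request.
        sc.setAttribute(TokenConstants.TOKEN_ATTRIBUTE, "");
        Session s = repo.login(sc); // authenticated by LoginModuleImpl, not by TokenLoginModule
        try {
            // TokenLoginModule.commit() replaces the empty attribute with the new token.
            Object token = sc.getAttribute(TokenConstants.TOKEN_ATTRIBUTE);
            if (token == null || token.toString().isEmpty()) {
                throw new IllegalStateException("no token issued; is TokenLoginModule in the chain?");
            }
            return token.toString();
        } finally {
            s.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: in-memory Oak repository with the default security setup and admin/admin.
        Repository repo = new Jcr(new Oak()).createRepository();
        char[] pw = "admin".toCharArray();
        String token = requestToken(repo, "admin", pw);
        java.util.Arrays.fill(pw, '\0'); // the password is not needed for later logins

        // Subsequent login: TokenLoginModule validates the TokenCredentials itself.
        Session s = repo.login(new TokenCredentials(token));
        try {
            // The token is a bearer secret: log the resolved user id, never the token value.
            System.out.println("token login as: " + s.getUserID());
        } finally {
            s.logout();
        }
    }
}
```
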

    TokenLoginModule as single way to login

        jackrabbit.oak {
                org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
        };
     
    If the TokenLoginModule is the single entry in the login configuration, the login token must be generated by the application by calling TokenProvider.createToken(Credentials) or TokenProvider.createToken(String, java.util.Map).