Package org.apache.jackrabbit.oak.security.authentication.token

Class TokenLoginModule

java.lang.Object
org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule
All Implemented Interfaces:
LoginModule
public final class TokenLoginModule extends AbstractLoginModule
LoginModule implementation that is able to handle login request based on TokenCredentials. In combination with another login module that handles other Credentials implementation this module will also take care of creating new login tokens and the corresponding credentials upon commit()that it will be able to deal with in subsequent login calls.

Login and Commit

Login

This LoginModule implementation performs the following tasks upon login().
  1. Try to retrieve TokenCredentials credentials (see also AbstractLoginModule.getCredentials())
  2. Validates the credentials based on the functionality provided by Authentication.authenticate(javax.jcr.Credentials)
  3. Upon success it retrieves userId from the TokenInfo and calculates the principals associated with that user,
  4. and finally puts the credentials on the shared state.
If no TokenProvider has been configured login() or if no TokenCredentials can be obtained this module will return false.

Commit

If login was successfully handled by this module the commit() will just populate the subject.

If the login was successfully handled by another module in the chain, the TokenLoginModule will test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined by TokenProvider.doCreateToken(javax.jcr.Credentials).

Example Configurations

The authentication configuration using this LoginModule could for example look as follows:

TokenLoginModule in combination with another LoginModule

    jackrabbit.oak {
            org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
            org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
    };
In this case the TokenLoginModule would handle any login issued with TokenCredentials while the second module would take care any other credentials implementations as long they are supported by the module. In addition the TokenLoginModule will issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials).

TokenLoginModule as single way to login

    jackrabbit.oak {
            org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
    };
If the TokenLoginModule as single entry in the login configuration the login token must be generated by the application by calling TokenProvider.createToken(Credentials) or TokenProvider.createToken(String, java.util.Map).