org.apache.jackrabbit.oak.security.authentication.user

Class LoginModuleImpl

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl

All Implemented Interfaces:

LoginModule

public final class LoginModuleImpl
extends AbstractLoginModule

Default login module implementation that authenticates JCR Credentials against the repository. Based on the credentials the Principals associated with user are retrieved from a configurable PrincipalProvider.

Credentials

The Credentials are collected during login() using the following logic:

• Credentials as specified in Repository.login(javax.jcr.Credentials) in which case they are retrieved from the CallbackHandler.
• A AbstractLoginModule.SHARED_KEY_CREDENTIALS entry in the shared state. The expected value is a validated single Credentials object.
• If neither of the above variants provides Credentials this module tries to obtain them from the subject. See also Subject.getSubject(java.security.AccessControlContext)

This implementation of the LoginModule currently supports the following types of JCR Credentials:

• SimpleCredentials
• GuestCredentials
• ImpersonationCredentials

The Credentials obtained during the #login() are added to the shared state and - upon successful #commit() to the Subject.

Principals

Upon successful login the principals associated with the user are calculated (see also AbstractLoginModule.getPrincipals(String). These principals are finally added to the subject during #commit().

Impersonation

Impersonation such as defined by Session.impersonate(javax.jcr.Credentials) is covered by this login module by the means of ImpersonationCredentials. Impersonation will succeed if the base credentials refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail with LoginException.

Please note, that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by User.getImpersonation()

Field Summary

Fields

Modifier and Type	Field and Description
protected static Set<Class>	SUPPORTED_CREDENTIALS

Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject

Constructor Summary

Constructors

Constructor and Description
LoginModuleImpl()

Method Summary

Modifier and Type	Method and Description
protected void	clearState() Clear state information that has been created during LoginModule.login().
boolean	commit()
protected @NotNull Set<Class>	getSupportedCredentials()
boolean	login()

Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

abort, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SUPPORTED_CREDENTIALS

protected static final Set<Class> SUPPORTED_CREDENTIALS

Constructor Detail

LoginModuleImpl

public LoginModuleImpl()

Method Detail

login

public boolean login()
              throws LoginException

Throws:

LoginException

commit

public boolean commit()

getSupportedCredentials

@NotNull
protected @NotNull Set<Class> getSupportedCredentials()

Specified by:

getSupportedCredentials in class AbstractLoginModule

Returns:

A set of supported credential classes.

clearState

protected void clearState()

Description copied from class: AbstractLoginModule

Clear state information that has been created during LoginModule.login().

Overrides:

clearState in class AbstractLoginModule