Package org.apache.jackrabbit.oak.security.authentication.user

Class LoginModuleImpl

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl

All Implemented Interfaces:

LoginModule

public final class LoginModuleImpl
extends AbstractLoginModule

Default login module implementation that authenticates JCR Credentials against the repository. Based on the credentials the Principals associated with user are retrieved from a configurable PrincipalProvider.

Credentials

The Credentials are collected during login() using the following logic:

• Credentials as specified in Repository.login(javax.jcr.Credentials) in which case they are retrieved from the CallbackHandler.
• A AbstractLoginModule.SHARED_KEY_CREDENTIALS entry in the shared state. The expected value is a validated single Credentials object.
• If neither of the above variants provides Credentials this module tries to obtain them from the subject. See also Subject.getSubject(java.security.AccessControlContext)

This implementation of the LoginModule currently supports the following types of JCR Credentials:

• SimpleCredentials
• GuestCredentials
• ImpersonationCredentials

The Credentials obtained during the #login() are added to the shared state and - upon successful #commit() to the Subject.

Principals

Upon successful login the principals associated with the user are calculated (see also AbstractLoginModule.getPrincipals(String). These principals are finally added to the subject during #commit().

Impersonation

Impersonation such as defined by Session.impersonate(javax.jcr.Credentials) is covered by this login module by the means of ImpersonationCredentials. Impersonation will succeed if the base credentials refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail with LoginException.

Please note, that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by User.getImpersonation()

Field Summary

Fields

Modifier and Type	Field	Description
protected static final Set<Class>	SUPPORTED_CREDENTIALS

Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject

Constructor Summary

Constructors

Constructor	Description
LoginModuleImpl()

Method Summary

Modifier and Type	Method	Description
protected void	clearState()	Clear state information that has been created during LoginModule.login().
boolean	commit()
protected @NotNull Set<Class>	getSupportedCredentials()
boolean	login()
boolean	logout()	Besteffort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject.

Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

SUPPORTED_CREDENTIALS

protected static final Set<Class> SUPPORTED_CREDENTIALS

Constructor Details

LoginModuleImpl

public LoginModuleImpl()

Method Details

login

public boolean login()
              throws LoginException

Throws:

LoginException

commit

public boolean commit()

logout

public boolean logout()
               throws LoginException

Description copied from class: AbstractLoginModule

Besteffort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false, if either principal set or credentials set is empty. Note, that this implementation is not able to only remove those principals/credentials that have been added by this very login module instance. Therefore subclasses should overwrite this method to provide a fully compliant solution of AbstractLoginModule.logout(). They may however take advantage of AbstractLoginModule.logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract incorporating the additional recommendations highlighted at JAAS LoginModule Dev Guide

Specified by:

logout in interface LoginModule

Overrides:

logout in class AbstractLoginModule

Returns:

true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise

Throws:

LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.

getSupportedCredentials

@NotNull
protected @NotNull Set<Class> getSupportedCredentials()

Specified by:

getSupportedCredentials in class AbstractLoginModule

Returns:

A set of supported credential classes.

clearState

protected void clearState()

Description copied from class: AbstractLoginModule

Clear state information that has been created during LoginModule.login().

Overrides:

clearState in class AbstractLoginModule