java.lang.Object
org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl
All Implemented Interfaces:
LoginModule

public final class LoginModuleImpl extends AbstractLoginModule
Default login module implementation that authenticates JCR Credentials against the repository. Based on the credentials the Principals associated with user are retrieved from a configurable PrincipalProvider.

Credentials

The Credentials are collected during login() using the following logic: This implementation of the LoginModule currently supports the following types of JCR Credentials: The Credentials obtained during the #login() are added to the shared state and - upon successful #commit() to the Subject.

Principals

Upon successful login the principals associated with the user are calculated (see also AbstractLoginModule.getPrincipals(String). These principals are finally added to the subject during #commit().

Impersonation

Impersonation such as defined by Session.impersonate(javax.jcr.Credentials) is covered by this login module by the means of ImpersonationCredentials. Impersonation will succeed if the base credentials refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail with LoginException.

Please note, that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by User.getImpersonation()