Class LoginModuleImpl
java.lang.Object
org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl
All Implemented Interfaces: LoginModule

Default login module implementation that authenticates JCR Credentials against the repository. Based on the credentials, the Principals associated with the user are retrieved from a configurable PrincipalProvider.

Credentials
The Credentials are collected during login() using the following logic:
- Credentials as specified in Repository.login(javax.jcr.Credentials), in which case they are retrieved from the CallbackHandler.
- An AbstractLoginModule.SHARED_KEY_CREDENTIALS entry in the shared state. The expected value is a validated single Credentials object.
- If neither of the above variants provides Credentials, this module tries to obtain them from the subject. See also Subject.getSubject(java.security.AccessControlContext).

This LoginModule currently supports the following types of JCR Credentials:

The Credentials obtained during login() are added to the shared state and, upon successful commit(), to the Subject.

Principals
Upon successful login the principals associated with the user are calculated (see also AbstractLoginModule.getPrincipals(String)). These principals are finally added to the subject during commit().

Impersonation
Impersonation as defined by Session.impersonate(javax.jcr.Credentials) is covered by this login module by means of ImpersonationCredentials.
Impersonation will succeed if the base credentials refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail with LoginException.
Please note that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by User.getImpersonation().

Field Summary
Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule:
callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject

Constructor Summary
- LoginModuleImpl()

Method Summary
Modifier and Type, Method, Description:
- protected void clearState(): Clear state information that has been created during LoginModule.login().
- boolean commit()
- boolean login()
- boolean logout(): Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject.
Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule:
abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo

Field Details
SUPPORTED_CREDENTIALS

Constructor Details
LoginModuleImpl
public LoginModuleImpl()

Method Details
login
- Throws: LoginException

commit
public boolean commit()

logout
Description copied from class: AbstractLoginModule
Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false if either the principal set or the credentials set is empty. Note that this implementation is not able to remove only those principals/credentials that have been added by this very login module instance. Therefore subclasses should override this method to provide a fully compliant solution of AbstractLoginModule.logout(). They may, however, take advantage of AbstractLoginModule.logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract, incorporating the additional recommendations highlighted in the JAAS LoginModule Dev Guide.
- Specified by: logout in interface LoginModule
- Overrides: logout in class AbstractLoginModule
- Returns: true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise
- Throws: LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.
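
A logout that removes only what this module instance added, which is the behaviour the note above asks subclasses to provide. This is an added example built on standard JAAS classes only, not Oak's code; the class name TrackingLoginModule and the sample principal and credential values are assumptions.

```java
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Hypothetical module, not Oak code: records what commit() added so that
// logout() leaves principals/credentials of other login modules in place.
public class TrackingLoginModule implements LoginModule {
    private Subject subject;
    private final Set<java.security.Principal> ownPrincipals = new HashSet<>();
    private final Set<Object> ownCredentials = new HashSet<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
    public boolean login() { return true; }   // authentication is out of scope here
    public boolean commit() {
        X500Principal p = new X500Principal("CN=example-user"); // constructed sample
        Object cred = "example-public-credential";              // constructed sample
        // Track an entry only if this module actually inserted it.
        if (subject.getPrincipals().add(p)) ownPrincipals.add(p);
        if (subject.getPublicCredentials().add(cred)) ownCredentials.add(cred);
        return true;
    }
    public boolean abort() throws LoginException { return logout(); }
    public boolean logout() throws LoginException {
        if (subject.isReadOnly()) {
            // Sets can no longer be modified: destroy owned Destroyable credentials instead.
            for (Object c : ownCredentials) {
                if (c instanceof Destroyable) {
                    try { ((Destroyable) c).destroy(); }
                    catch (DestroyFailedException e) { throw new LoginException(e.getMessage()); }
                }
            }
        } else {
            subject.getPrincipals().removeAll(ownPrincipals);
            subject.getPublicCredentials().removeAll(ownCredentials);
        }
        ownPrincipals.clear();
        ownCredentials.clear();
        return true;
    }
    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=other-module")); // added by another module
        TrackingLoginModule m = new TrackingLoginModule();
        m.initialize(subject, null, new HashMap<String, Object>(), new HashMap<String, Object>());
        m.login(); m.commit(); m.logout();
        System.out.println("principals after logout: " + subject.getPrincipals());
    }
}
```
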

getSupportedCredentials
- Specified by: getSupportedCredentials in class AbstractLoginModule
- Returns: A set of supported credential classes.

clearState
protected void clearState()
Description copied from class: AbstractLoginModule
Clear state information that has been created during LoginModule.login().
- Overrides: clearState in class AbstractLoginModule