@ProviderType
public abstract class AbstractLoginModule
extends java.lang.Object
implements javax.security.auth.spi.LoginModule
Abstract implementation of the LoginModule interface that can act as base class for login modules that aim to authenticate subjects against information stored in the content repository.

LoginModule interface:

Initialize: Initialization of this abstract module sets the following protected instance fields:
Configuration.

Logout: If the authenticated subject is not empty this logout implementation attempts to clear both principals and public credentials and returns true.

Abort: Clears the state of this login module by setting all private instance variables created in phase 1 or 2 to null. Subclasses are in charge of releasing their own state information by overriding clearState().

clearState(): Clears all private state information that has been created during login. This method is called in abort() and subclasses are expected to override this method.

getSupportedCredentials(): Abstract method used by getCredentials() that reveals which credential implementations are supported by the LoginModule.

getCredentials(): Tries to retrieve valid (supported) Credentials in the following order: using a CredentialsCallback, looking for a SHARED_KEY_CREDENTIALS entry in the shared state (see also getSharedCredentials()) and finally by searching for valid credentials in the subject.

getSharedCredentials(): This method returns credentials passed to the login module with the shared state. The key to share credentials with another module extending from this base class is SHARED_KEY_CREDENTIALS. Note that this method does not verify if the credentials provided by the shared state are supported.

getSharedLoginName(): If the shared state contains an entry for SHARED_KEY_LOGIN_NAME this method returns the value as login name.

getSecurityProvider(): Returns the configured security provider or null.

getRoot(): Provides access to the latest state of the repository in order to retrieve user or principal information required to authenticate the subject as well as to write back information during LoginModule.commit().

getUserManager(): Returns an instance of the configured UserManager or null.

getPrincipalProvider(): Returns an instance of the configured principal provider or null.

getPrincipals(String): Utility that returns all principals associated with a given user id. This method might be called after successful authentication in order to be able to populate the subject during LoginModule.commit(). The implementation is a shortcut for calling getPrincipals(String userId) on the provider exposed by getPrincipalProvider().

Modifier and Type | Field and Description |
---|---|
protected javax.security.auth.callback.CallbackHandler | callbackHandler |
protected ConfigurationParameters | options |
static java.lang.String | SHARED_KEY_ATTRIBUTES: Key of the sharedState entry referring to public attributes that are shared between multiple login modules. |
static java.lang.String | SHARED_KEY_CREDENTIALS: Key of the sharedState entry referring to validated Credentials that is shared between multiple login modules. |
static java.lang.String | SHARED_KEY_LOGIN_NAME: Key of the sharedState entry referring to a valid login ID that is shared between multiple login modules. |
static java.lang.String | SHARED_KEY_PRE_AUTH_LOGIN: Key of the sharedState entry referring to pre authenticated login information that is shared between multiple login modules. |
protected java.util.Map | sharedState |
protected javax.security.auth.Subject | subject |
Constructor and Description |
---|
AbstractLoginModule() |
Modifier and Type | Method and Description |
---|---|
boolean | abort() |
protected void | clearState(): Clear state information that has been created during LoginModule.login(). |
protected void | closeSystemSession(): Close the system session acquired upon getRoot() and reset the associated root field. |
protected @Nullable Credentials | getCredentials(): Tries to retrieve valid (supported) Credentials: using a CredentialsCallback, looking for a SHARED_KEY_CREDENTIALS entry in the shared state (see also getSharedCredentials()) and finally by searching for valid credentials in the subject. |
protected @NotNull LoginModuleMonitor | getLoginModuleMonitor() |
protected @Nullable PrincipalProvider | getPrincipalProvider(): Retrieves the PrincipalProvider that should be used to handle this authentication. |
protected @NotNull java.util.Set<? extends java.security.Principal> | getPrincipals(@NotNull java.security.Principal userPrincipal) |
protected @NotNull java.util.Set<? extends java.security.Principal> | getPrincipals(@NotNull java.lang.String userId): Retrieves all principals associated with the specified userId for the configured principal provider. |
protected @Nullable Root | getRoot(): Tries to obtain a Root object from the callback handler using a new RepositoryCallback and keeps the value as private field. |
protected @Nullable SecurityProvider | getSecurityProvider(): Tries to obtain the SecurityProvider object from the callback handler using a new SecurityProviderCallback and keeps the value as private field. |
protected @Nullable Credentials | getSharedCredentials() |
protected @Nullable java.lang.String | getSharedLoginName() |
protected @Nullable PreAuthenticatedLogin | getSharedPreAuthLogin() |
protected abstract @NotNull java.util.Set<java.lang.Class> | getSupportedCredentials() |
protected @Nullable UserManager | getUserManager(): Retrieves the UserManager that should be used to handle this authentication. |
protected @Nullable Whiteboard | getWhiteboard(): Tries to obtain the Whiteboard object from the callback handler using a new WhiteboardCallback and keeps the value as private field. |
void | initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map<java.lang.String,?> sharedState, java.util.Map<java.lang.String,?> options) |
boolean | logout(): Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. |
protected boolean | logout(@Nullable java.util.Set<java.lang.Object> credentials, @Nullable java.util.Set<? extends java.security.Principal> principals): General logout-helper that will return false if both credentials and principals are null. |
protected void | onError() |
protected static void | setAuthInfo(@NotNull AuthInfo authInfo, @NotNull javax.security.auth.Subject subject) |
public static final java.lang.String SHARED_KEY_CREDENTIALS
public static final java.lang.String SHARED_KEY_LOGIN_NAME
public static final java.lang.String SHARED_KEY_ATTRIBUTES
public static final java.lang.String SHARED_KEY_PRE_AUTH_LOGIN
protected javax.security.auth.Subject subject
protected javax.security.auth.callback.CallbackHandler callbackHandler
protected java.util.Map sharedState
protected ConfigurationParameters options

public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map<java.lang.String,?> sharedState, java.util.Map<java.lang.String,?> options)
Specified by: initialize in interface javax.security.auth.spi.LoginModule

public boolean logout() throws javax.security.auth.login.LoginException
Best-effort default implementation of LoginModule.logout(), which removes all principals and all public credentials of type Credentials and AuthInfo from the subject. It will return false if either principal set or credentials set is empty.
Note that this implementation is not able to only remove those principals/credentials that have been added by this very login module instance. Therefore subclasses should override this method to provide a fully compliant solution of logout(). They may however take advantage of logout(Set, Set) in order to simplify the implementation of a logout that is compatible with the LoginModule.logout() contract incorporating the additional recommendations highlighted at JAAS LoginModule Dev Guide.
Specified by: logout in interface javax.security.auth.spi.LoginModule
Returns: true if neither principals nor public credentials of type Credentials or AuthInfo stored in the Subject are empty; false otherwise
Throws: javax.security.auth.login.LoginException - if the subject is readonly and destroying Destroyable credentials fails with DestroyFailedException.

public boolean abort() throws javax.security.auth.login.LoginException
Specified by: abort in interface javax.security.auth.spi.LoginModule
Throws: javax.security.auth.login.LoginException

protected void clearState()
Clear state information that has been created during LoginModule.login().

protected void closeSystemSession()
Close the system session acquired upon getRoot() and reset the associated root field. This method should be used instead of clearState(), if LoginModule.login() and LoginModule.commit() were successfully completed but the system session is not needed for a successful logout().

protected boolean logout(@Nullable java.util.Set<java.lang.Object> credentials, @Nullable java.util.Set<? extends java.security.Principal> principals) throws javax.security.auth.login.LoginException
General logout-helper that will return false if both credentials and principals are null.
Note that this implementation will only throw LoginException if the subject is marked readonly and destroying Destroyable credentials fails.
Parameters:
credentials - The set of credentials extracted by this instance during login/commit to be removed from Subject.getPublicCredentials()
principals - A set of principals extracted by this instance during login/commit to be removed from Subject.getPrincipals()
Returns: true if either the credential set or the principal set is not null, false otherwise.
Throws: javax.security.auth.login.LoginException - If the subject is readonly and an error occurs while destroying any of the given credentials.

@NotNull protected abstract java.util.Set<java.lang.Class> getSupportedCredentials()

@Nullable protected Credentials getCredentials()
Tries to retrieve valid (supported) Credentials: using a CredentialsCallback, looking for a SHARED_KEY_CREDENTIALS entry in the shared state (see also getSharedCredentials()) and finally by searching for valid credentials in the subject.
null.

@Nullable protected Credentials getSharedCredentials()
See also: SHARED_KEY_CREDENTIALS

@Nullable protected java.lang.String getSharedLoginName()
See also: SHARED_KEY_LOGIN_NAME

@Nullable protected PreAuthenticatedLogin getSharedPreAuthLogin()
null
See also: SHARED_KEY_PRE_AUTH_LOGIN

@Nullable protected SecurityProvider getSecurityProvider()
Tries to obtain the SecurityProvider object from the callback handler using a new SecurityProviderCallback and keeps the value as private field. If the callback handler isn't able to handle the SecurityProviderCallback this method returns null.
Returns: SecurityProvider associated with this LoginModule or null.

@Nullable protected Whiteboard getWhiteboard()
Tries to obtain the Whiteboard object from the callback handler using a new WhiteboardCallback and keeps the value as private field. If the callback handler isn't able to handle the WhiteboardCallback this method returns null.
Returns: Whiteboard associated with this LoginModule or null.

@Nullable protected Root getRoot()
Tries to obtain a Root object from the callback handler using a new RepositoryCallback and keeps the value as private field. If the callback handler isn't able to handle the RepositoryCallback this method returns null.
Returns: Root associated with this LoginModule or null.

@Nullable protected UserManager getUserManager()
Retrieves the UserManager that should be used to handle this authentication. If no user manager has been configured this method returns null.
Returns: UserManager or null.

@Nullable protected PrincipalProvider getPrincipalProvider()
Retrieves the PrincipalProvider that should be used to handle this authentication. If no principal provider has been configured this method returns null.
Returns: PrincipalProvider or null.

@NotNull protected java.util.Set<? extends java.security.Principal> getPrincipals(@NotNull java.lang.String userId)
Retrieves all principals associated with the specified userId for the configured principal provider.
Parameters:
userId - The id of the user.
userId.
See also: getPrincipalProvider()

@NotNull protected java.util.Set<? extends java.security.Principal> getPrincipals(@NotNull java.security.Principal userPrincipal)

protected static void setAuthInfo(@NotNull AuthInfo authInfo, @NotNull javax.security.auth.Subject subject)

@NotNull protected LoginModuleMonitor getLoginModuleMonitor()

protected void onError()
Copyright © 2012–2022 The Apache Software Foundation. All rights reserved.