AbstractLoginModule (Apache Jackrabbit 1.5.7 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.jackrabbit.core.security.authentication
Class AbstractLoginModule

java.lang.Object
  org.apache.jackrabbit.core.security.authentication.AbstractLoginModule

All Implemented Interfaces:: javax.security.auth.spi.LoginModule

Direct Known Subclasses:: DefaultLoginModule, SimpleLoginModule

public abstract class AbstractLoginModule
extends java.lang.Object
implements javax.security.auth.spi.LoginModule
extends java.lang.Object
implements javax.security.auth.spi.LoginModule

AbstractLoginModule provides the means for the common authentication tasks within the Repository.

On successfull authentication it associates the credentials to principals using the PrincipalProvider configured for this LoginModule

Jackrabbit distinguishes between Login and Impersonation dispatching the the correspoding Repository/Session methods to authenticate(java.security.Principal, javax.jcr.Credentials) and impersonate(java.security.Principal, javax.jcr.Credentials), respectively.
This LoginModule implements default behaviors for both methods.

See Also:: LoginModule

Field Summary
`protected java.lang.String`	`adminId`
`protected java.lang.String`	`anonymousId`
`protected javax.jcr.SimpleCredentials`	`credentials`
`protected java.security.Principal`	`principal`
`protected PrincipalProvider`	`principalProvider`
`protected javax.security.auth.Subject`	`subject`

Constructor Summary
`AbstractLoginModule()`

Method Summary
`boolean`	`abort()` Method to abort the authentication process (phase 2).
`protected boolean`	`authenticate(java.security.Principal principal, javax.jcr.Credentials credentials)`
`boolean`	`commit()` Method to commit the authentication process (phase 2).
`protected abstract void`	`doInit(javax.security.auth.callback.CallbackHandler callbackHandler, javax.jcr.Session session, java.util.Map options)` Implementations may set-up their own state.
`java.lang.String`	`getAdminId()` Returns the admin user id.
`java.lang.String`	`getAnonymousId()` Returns the anonymous user id.
`protected abstract Authentication`	`getAuthentication(java.security.Principal principal, javax.jcr.Credentials creds)`
`protected javax.jcr.Credentials`	`getCredentials()` Method tries to resolve the `Credentials` used for login.
`protected javax.security.auth.Subject`	`getImpersonatorSubject(javax.jcr.Credentials credentials)` Method tries to acquire an Impersonator in the follwing order: Try to access it from the `Credentials` via `SimpleCredentials.getAttribute(String)` Ask CallbackHandler for Impersonator with use of `ImpersonationCallback`.
`protected abstract java.security.Principal`	`getPrincipal(javax.jcr.Credentials credentials)` Authentication process associates a Principal to Credentials This method resolves the Principal for the given Credentials.
`java.lang.String`	`getPrincipalProvider()` Returns the configured name of the principal provider class.
`protected java.util.Set`	`getPrincipals()`
`protected java.lang.String`	`getUserID(javax.jcr.Credentials credentials)` Method supports tries to acquire a UserID in the follwing order: If passed credentials are `GuestCredentials` the anonymous user id is returned. Try to access it from the `Credentials` via `SimpleCredentials.getUserID()` Ask CallbackHandler for User-ID with use of `NameCallback`. Test if the 'sharedState' contains a login name. Fallback: return the anonymous UserID.
`protected abstract boolean`	`impersonate(java.security.Principal principal, javax.jcr.Credentials credentials)` Handles the impersonation of given Credentials. Current implementation takes `User` for the given Principal and delegates the check to `Impersonation.allows(javax.security.auth.Subject)` }
`void`	`initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options)` Initialize this LoginModule. This abstract implementation, initalizes the following fields for later use: `PrincipalManager` for group-membership resoultion `PrincipalProvider` for user-`Principal` resolution. `LoginModuleConfig.PARAM_ADMIN_ID` option is evaluated `LoginModuleConfig.PARAM_ANONYMOUS_ID` option is evaluated Implementations are called via `doInit(CallbackHandler, Session, Map)` to implement additional initalization
`protected boolean`	`isAnonymous(javax.jcr.Credentials credentials)` Indicate if the given Credentials are considered to be anonymous.
`protected boolean`	`isImpersonation(javax.jcr.Credentials credentials)` Test if the current request is an Impersonation attempt.
`protected boolean`	`isInitialized()` Returns `true` if this module has been successfully initialized.
`boolean`	`login()` Method to authenticate a `Subject` (phase 1). The login is devided into 3 Phases: 1) User-ID resolution In a first step it is tried to resolve a User-ID for further validation.
`boolean`	`logout()` Method which logs out a `Subject`.
`void`	`setAdminId(java.lang.String adminId)` Sets the administrator's user id.
`void`	`setAnonymousId(java.lang.String anonymousId)` Sets the anonymous user id.
`void`	`setPrincipalProvider(java.lang.String principalProvider)` Sets the configured name of the principal provider class

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

adminId

protected java.lang.String adminId

anonymousId

protected java.lang.String anonymousId

principal

protected java.security.Principal principal

credentials

protected javax.jcr.SimpleCredentials credentials

subject

protected javax.security.auth.Subject subject

principalProvider

protected PrincipalProvider principalProvider

Constructor Detail

AbstractLoginModule

public AbstractLoginModule()

Method Detail

initialize

public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map sharedState,
                       java.util.Map options)

Initialize this LoginModule.
This abstract implementation, initalizes the following fields for later use:

PrincipalManager for group-membership resoultion
PrincipalProvider for user-Principal resolution.
LoginModuleConfig.PARAM_ADMIN_ID option is evaluated
LoginModuleConfig.PARAM_ANONYMOUS_ID option is evaluated

Implementations are called via doInit(CallbackHandler, Session, Map) to implement additional initalization

Specified by:: initialize in interface javax.security.auth.spi.LoginModule

Parameters:: subject - the Subject to be authenticated.; callbackHandler - a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).; sharedState - state shared with other configured LoginModules.; options - options specified in the login Configuration for this particular LoginModule.
See Also:: LoginModule.initialize(Subject, CallbackHandler, Map, Map), doInit(CallbackHandler, Session, Map), isInitialized()

doInit

protected abstract void doInit(javax.security.auth.callback.CallbackHandler callbackHandler,
                               javax.jcr.Session session,
                               java.util.Map options)
                        throws javax.security.auth.login.LoginException

Implementations may set-up their own state. E. g. a DataSource if it is authorized against an external System

Parameters:: callbackHandler - as passed by LoginContext; session - to security-workspace of Jackrabbit; options - options from Logini config
Throws:: javax.security.auth.login.LoginException - in case initializeaiton failes

isInitialized

protected boolean isInitialized()

Returns true if this module has been successfully initialized.

Returns:: true if this module has been successfully initialized.
See Also:: LoginModule.initialize(Subject, CallbackHandler, Map, Map)

login

public boolean login()
              throws javax.security.auth.login.LoginException

Method to authenticate a Subject (phase 1).

The login is devided into 3 Phases:

1) User-ID resolution
In a first step it is tried to resolve a User-ID for further validation. As for JCR the identification is marked with the Credentials interface, credentials are accessed in this phase.
If no User-ID can be found, anonymous access is granted with the ID of the anonymous user (as defined in the security configuration). Anonymous access can be switched off removing the configuration entry.
This implementation uses two helper-methods, which allow for customization:

2) User-Principal resolution
In a second step it is tested, if the resolved User-ID belongs to a User known to the system, i.e. if the PrincipalProvider has a principal for the given ID and the principal can be found via PrincipalProvider.findPrincipals(String).
The provider implemenation can be set by the configuration option with the name principal_provider.class. If the option is missing, the system default prinvipal provider will be used.

3) Verfication
There are two cases, how the User-ID can be verfied: Either the login is the result of an impersonation request (see Session.impersonate(Credentials) or of a login to the Repository (Repository.login(Credentials)). The concrete implementation of the LoginModule is responsible for both impersonation and login:

Under the following conditions, the login process is aborted and the module is marked to be ignored:

No User-ID could be resolve, and anyonymous access is switched off
No Principal is found for the User-ID resolved

Under the follwoing conditions, the login process is marked to be invalid by throwing an LoginException:

It is an impersonation request, but the impersonator is not allowed to impersonate to the requested User-ID
The user tries to login, but the Credentials can not be verified.

The LoginModule keeps the Credentials and the Principal as instance fields, to mark that login has been successfull.

Specified by:: login in interface javax.security.auth.spi.LoginModule

Returns:: true if the authentication succeeded, or false if this LoginModule should be ignored.
Throws:: javax.security.auth.login.LoginException - if the authentication fails
See Also:: LoginModule.login(), getCredentials(), getUserID(Credentials), getImpersonatorSubject(Credentials)

commit

public boolean commit()
               throws javax.security.auth.login.LoginException

Method to commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes/destroys any state that was originally saved.

The login is considers as succeeded if the credentials field is set. If there is no principal set the login is considered as ignored.

The implementation stores the principal associated to the UserID and all the Groups it is member of. PrincipalManager.getGroupMembership(Principal) An instance of (#link SimpleCredentials} containing only the UserID used to login is set to the Subject's public Credentials.

Specified by:: commit in interface javax.security.auth.spi.LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: javax.security.auth.login.LoginException - if the commit fails
See Also:: LoginModule.commit(), login()

abort

public boolean abort()
              throws javax.security.auth.login.LoginException

Method to abort the authentication process (phase 2).

This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method cleans up any state that was originally saved.

Specified by:: abort in interface javax.security.auth.spi.LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: javax.security.auth.login.LoginException - if the abort fails

logout

public boolean logout()
               throws javax.security.auth.login.LoginException

Method which logs out a Subject.

An implementation of this method might remove/destroy a Subject's Principals and Credentials.

Specified by:: logout in interface javax.security.auth.spi.LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: javax.security.auth.login.LoginException - if the logout fails

authenticate

protected boolean authenticate(java.security.Principal principal,
                               javax.jcr.Credentials credentials)
                        throws javax.jcr.RepositoryException,
                               javax.security.auth.login.FailedLoginException

Parameters:: principal -; credentials -
Returns:: true if Credentails authenticate, false if no Authentication can handle the given Credentials
Throws:: javax.security.auth.login.FailedLoginException - if the authentication failed.; javax.jcr.RepositoryException
See Also:: getAuthentication(java.security.Principal, javax.jcr.Credentials), authenticate(java.security.Principal, javax.jcr.Credentials)

isImpersonation

protected boolean isImpersonation(javax.jcr.Credentials credentials)

Test if the current request is an Impersonation attempt. The default implementation returns true if an subject for the impersonation can be retrieved.

Parameters:: credentials - potentially containing impersonation data
Returns:: true if this is an impersonation attempt
See Also:: getImpersonatorSubject(Credentials)

impersonate

protected abstract boolean impersonate(java.security.Principal principal,
                                       javax.jcr.Credentials credentials)
                                throws javax.jcr.RepositoryException,
                                       javax.security.auth.login.LoginException

Handles the impersonation of given Credentials.

Current implementation takes User for the given Principal and delegates the check to Impersonation.allows(javax.security.auth.Subject) }

Parameters:: principal -; credentials -
Returns:: false, if there is no User to impersonate, true if impersonation is allowed
Throws:: javax.jcr.RepositoryException; javax.security.auth.login.FailedLoginException - if credentials don't allow to impersonate to principal; javax.security.auth.login.LoginException

getAuthentication

protected abstract Authentication getAuthentication(java.security.Principal principal,
                                                    javax.jcr.Credentials creds)
                                             throws javax.jcr.RepositoryException

Parameters:: principal -; creds -
Returns:
Throws:: javax.jcr.RepositoryException

getImpersonatorSubject

protected javax.security.auth.Subject getImpersonatorSubject(javax.jcr.Credentials credentials)

Method tries to acquire an Impersonator in the follwing order:

Try to access it from the Credentials via SimpleCredentials.getAttribute(String)
Ask CallbackHandler for Impersonator with use of ImpersonationCallback.

Parameters:: credentials - which, may contain an impersonation Subject
Returns:: impersonation subject or null if non contained
See Also:: login(), impersonate(java.security.Principal, javax.jcr.Credentials)

getCredentials

protected javax.jcr.Credentials getCredentials()

Method tries to resolve the Credentials used for login. It takes authentication-extension of an already authenticated Subject into accout.

Therefore the credentials are searchred as follows:

Test if the shared state contains credentials.
Ask CallbackHandler for Credentials with using a CredentialsCallback. Expects CredentialsCallback.getCredentials() to return an instance of Credentials.
Ask the Subject for its public SimpleCredentials see Subject.getPublicCredentials(Class), thus enabling to preauthenticate the Subject.

Returns:: Credentials or null if not found
See Also:: login()

getUserID

protected java.lang.String getUserID(javax.jcr.Credentials credentials)

Method supports tries to acquire a UserID in the follwing order:

If passed credentials are GuestCredentials the anonymous user id is returned.
Try to access it from the Credentials via SimpleCredentials.getUserID()
Ask CallbackHandler for User-ID with use of NameCallback.
Test if the 'sharedState' contains a login name.
Fallback: return the anonymous UserID.

Parameters:: credentials - which, may contain a User-ID
Returns:: The userId retrieved from the credentials or by any other means described above.
See Also:: login()

isAnonymous

protected boolean isAnonymous(javax.jcr.Credentials credentials)

Indicate if the given Credentials are considered to be anonymous.

Parameters:: credentials -
Returns:: true if is anonymous

getPrincipal

protected abstract java.security.Principal getPrincipal(javax.jcr.Credentials credentials)

Authentication process associates a Principal to Credentials
This method resolves the Principal for the given Credentials. If no valid Principal can be determined, the LoginModule should be ignored.

Parameters:: credentials -
Returns:: the principal associated with the given credentials or null.

getPrincipals

protected java.util.Set getPrincipals()

Returns:: a Collection of principals that contains the current user principal and all groups it is member of.

getAdminId

public java.lang.String getAdminId()

Returns the admin user id.

Returns:: admin user id

setAdminId

public void setAdminId(java.lang.String adminId)

Sets the administrator's user id.

Parameters:: adminId - the administrator's user id.

getAnonymousId

public java.lang.String getAnonymousId()

Returns the anonymous user id.

Returns:: anonymous user id

setAnonymousId

public void setAnonymousId(java.lang.String anonymousId)

Sets the anonymous user id.

Parameters:: anonymousId - anonymous user id

getPrincipalProvider

public java.lang.String getPrincipalProvider()

Returns the configured name of the principal provider class.

Returns:: name of the principal provider class.

setPrincipalProvider

public void setPrincipalProvider(java.lang.String principalProvider)

Sets the configured name of the principal provider class

Parameters:: principalProvider - Name of the principal provider class.