Class TokenLoginModule

  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule

    public final class TokenLoginModule
    extends org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
    LoginModule implementation that is able to handle login requests based on TokenCredentials. In combination with another login module that handles other Credentials implementations, this module will also take care of creating new login tokens and the corresponding credentials upon commit() that it will be able to deal with in subsequent login calls.

    Login and Commit

    Login

    This LoginModule implementation performs the following tasks upon login().
    1. Tries to retrieve TokenCredentials (see also AbstractLoginModule.getCredentials()),
    2. validates the credentials based on the functionality provided by Authentication.authenticate(javax.jcr.Credentials),
    3. upon success retrieves the userId from the TokenInfo and calculates the principals associated with that user,
    4. and finally puts the credentials on the shared state.
    If no TokenProvider has been configured or if no TokenCredentials can be obtained, login() will return false.

    Commit

    If login was successfully handled by this module the commit() will just populate the subject.

    If the login was successfully handled by another module in the chain, the TokenLoginModule will test if the login was associated with a request for login token generation. This mandates that there are credentials present on the shared state that fulfill the requirements defined by TokenProvider.doCreateToken(javax.jcr.Credentials).

    Example Configurations

    The authentication configuration using this LoginModule could for example look as follows:

    TokenLoginModule in combination with another LoginModule

        jackrabbit.oak {
                org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
                org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
        };
     
    In this case the TokenLoginModule would handle any login issued with TokenCredentials, while the second module would take care of any other credentials implementations as long as they are supported by that module. In addition, the TokenLoginModule will issue a new token if the login succeeded and the credentials provided by the shared state can be used to issue a new login token (see TokenProvider.doCreateToken(javax.jcr.Credentials)).
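
    The login/commit flow described above, seen from a JCR client. This is an added example, not code from the Oak project. It assumes an in-memory Oak repository whose default login chain matches the configuration above, the default admin/admin account, and the default TokenProvider, which treats SimpleCredentials carrying an empty ".token" attribute as a token request and writes the issued token back to that attribute.

```java
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.api.JackrabbitRepository;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;

public class TokenLoginExample {
    // Attribute the default TokenProvider inspects (assumption, see lead-in).
    private static final String TOKEN_ATTRIBUTE = ".token";

    public static void main(String[] args) throws Exception {
        // In-memory repository with Oak's default security setup (assumption).
        Repository repository = new Jcr(new Oak()).createRepository();
        try {
            // 1. Password login: TokenLoginModule.login() returns false (no
            //    TokenCredentials), the second module authenticates, and
            //    TokenLoginModule.commit() issues a token because the shared
            //    credentials carry the empty ".token" attribute.
            SimpleCredentials sc = new SimpleCredentials("admin", "admin".toCharArray());
            sc.setAttribute(TOKEN_ATTRIBUTE, "");
            Session first = repository.login(sc);
            String token = (String) sc.getAttribute(TOKEN_ATTRIBUTE);
            first.logout();

            // 2. Subsequent login: TokenLoginModule validates the token itself.
            Session second = repository.login(new TokenCredentials(token));
            System.out.println("token login as: " + second.getUserID());
            second.logout();

            // 3. A constructed, invalid token must be rejected by the chain.
            try {
                repository.login(new TokenCredentials("constructed-invalid-token"));
                throw new IllegalStateException("invalid token was accepted");
            } catch (LoginException expected) {
                System.out.println("invalid token rejected");
            }
        } finally {
            ((JackrabbitRepository) repository).shutdown();
        }
    }
}
```

    The issued token is a bearer credential for the user's repository access until it expires, so store and transmit it with the same care as the password it replaces.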

    TokenLoginModule as single way to login

        jackrabbit.oak {
                org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule required;
        };
     
    If the TokenLoginModule is the single entry in the login configuration, the login token must be generated by the application by calling TokenProvider.createToken(Credentials) or TokenProvider.createToken(String, java.util.Map).
    • Field Summary

      • Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

        callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject
    • Method Summary

      Modifier and Type                                    Method                       Description
      protected void                                       clearState()
      boolean                                              commit()
      protected @NotNull java.util.Set<java.lang.Class>    getSupportedCredentials()
      boolean                                              login()
      boolean                                              logout()
      • Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

        abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • TokenLoginModule

        public TokenLoginModule()
    • Method Detail

      • login

        public boolean login()
                      throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException
      • commit

        public boolean commit()
                       throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException
      • logout

        public boolean logout()
                       throws javax.security.auth.login.LoginException
        Specified by:
        logout in interface javax.security.auth.spi.LoginModule
        Overrides:
        logout in class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
        Throws:
        javax.security.auth.login.LoginException
      • getSupportedCredentials

        @NotNull
        protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()
        Specified by:
        getSupportedCredentials in class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
      • clearState

        protected void clearState()
        Overrides:
        clearState in class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule