Class LoginModuleImpl
- java.lang.Object
-
- org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
-
- org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl
-
- All Implemented Interfaces:
javax.security.auth.spi.LoginModule
public final class LoginModuleImpl extends org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
Default login module implementation that authenticates JCRCredentials
against the repository. Based on the credentials thePrincipal
s associated with user are retrieved from a configurablePrincipalProvider
.Credentials
TheCredentials
are collected duringlogin()
using the following logic:Credentials
as specified inRepository.login(javax.jcr.Credentials)
in which case they are retrieved from theCallbackHandler
.- A
AbstractLoginModule.SHARED_KEY_CREDENTIALS
entry in the shared state. The expected value is a validated singleCredentials
object. - If neither of the above variants provides Credentials this module
tries to obtain them from the subject. See also
Subject.getSubject(java.security.AccessControlContext)
LoginModule
currently supports the following types of JCR Credentials:SimpleCredentials
GuestCredentials
ImpersonationCredentials
Credentials
obtained during the#login()
are added to the shared state and - upon successful#commit()
to theSubject
.Principals
Upon successful login the principals associated with the user are calculated (see alsoAbstractLoginModule.getPrincipals(String)
. These principals are finally added to the subject during#commit()
.Impersonation
Impersonation such as defined bySession.impersonate(javax.jcr.Credentials)
is covered by this login module by the means ofImpersonationCredentials
. Impersonation will succeed if thebase credentials
refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail withLoginException
.Please note, that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by
User.getImpersonation()
-
-
Field Summary
Fields Modifier and Type Field Description protected static java.util.Set<java.lang.Class>
SUPPORTED_CREDENTIALS
-
Constructor Summary
Constructors Constructor Description LoginModuleImpl()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected void
clearState()
boolean
commit()
protected @NotNull java.util.Set<java.lang.Class>
getSupportedCredentials()
boolean
login()
boolean
logout()
-
Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo
-
-
-
-
Method Detail
-
login
public boolean login() throws javax.security.auth.login.LoginException
- Throws:
javax.security.auth.login.LoginException
-
commit
public boolean commit()
-
logout
public boolean logout() throws javax.security.auth.login.LoginException
- Specified by:
logout
in interfacejavax.security.auth.spi.LoginModule
- Overrides:
logout
in classorg.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
- Throws:
javax.security.auth.login.LoginException
-
getSupportedCredentials
@NotNull protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()
- Specified by:
getSupportedCredentials
in classorg.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
-
clearState
protected void clearState()
- Overrides:
clearState
in classorg.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
-
-