Package org.apache.jackrabbit.oak.security.authentication.user

Class LoginModuleImpl

  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule
    public final class LoginModuleImpl
extends org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
    Default login module implementation that authenticates JCR Credentials against the repository. Based on the credentials the Principals associated with user are retrieved from a configurable PrincipalProvider.

    Credentials

    The Credentials are collected during login() using the following logic:
    • Credentials as specified in Repository.login(javax.jcr.Credentials) in which case they are retrieved from the CallbackHandler.
    • A AbstractLoginModule.SHARED_KEY_CREDENTIALS entry in the shared state. The expected value is a validated single Credentials object.
    • If neither of the above variants provides Credentials this module tries to obtain them from the subject. See also Subject.getSubject(java.security.AccessControlContext)
    This implementation of the LoginModule currently supports the following types of JCR Credentials: The Credentials obtained during the #login() are added to the shared state and - upon successful #commit() to the Subject.

    Principals

    Upon successful login the principals associated with the user are calculated (see also AbstractLoginModule.getPrincipals(String). These principals are finally added to the subject during #commit().

    Impersonation

    Impersonation such as defined by Session.impersonate(javax.jcr.Credentials) is covered by this login module by the means of ImpersonationCredentials. Impersonation will succeed if the base credentials refer to a valid user that has not been disabled. If the authenticating subject is not allowed to impersonate the specified user, the login attempt will fail with LoginException.

    Please note, that a user will always be allowed to impersonate him/herself irrespective of the impersonation definitions exposed by User.getImpersonation()

    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected static java.util.Set<java.lang.Class> SUPPORTED_CREDENTIALS  

      • Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

        callbackHandler, options, SHARED_KEY_ATTRIBUTES, SHARED_KEY_CREDENTIALS, SHARED_KEY_LOGIN_NAME, SHARED_KEY_PRE_AUTH_LOGIN, sharedState, subject

    • Constructor Summary

      Constructors 
      Constructor Description
      LoginModuleImpl()  

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected void clearState()  
      boolean commit()  
      protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()  
      boolean login()  
      boolean logout()  

      • Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

        abort, closeSystemSession, getCredentials, getLoginModuleMonitor, getPrincipalProvider, getPrincipals, getPrincipals, getRoot, getSecurityProvider, getSharedCredentials, getSharedLoginName, getSharedPreAuthLogin, getUserManager, getWhiteboard, initialize, logout, onError, setAuthInfo

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • SUPPORTED_CREDENTIALS

        protected static final java.util.Set<java.lang.Class> SUPPORTED_CREDENTIALS

    • Constructor Detail

      • LoginModuleImpl

        public LoginModuleImpl()

    • Method Detail

      • login

        public boolean login()
              throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException

      • commit

        public boolean commit()

      • logout

        public boolean logout()
               throws javax.security.auth.login.LoginException
        Specified by:
        logout in interface javax.security.auth.spi.LoginModule
        Overrides:
        logout in class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule
        Throws:
        javax.security.auth.login.LoginException

      • getSupportedCredentials

        @NotNull
protected @NotNull java.util.Set<java.lang.Class> getSupportedCredentials()
        Specified by:
        getSupportedCredentials in class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule

      • clearState

        protected void clearState()
        Overrides:
        clearState in class org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule