This LoginModule interoperates with any conformant JNDI service provider. To direct this LoginModule to use a specific JNDI service provider, two options must be specified in the login Configuration for this LoginModule:
    user.provider.url=name_service_url
    group.provider.url=name_service_url

name_service_url specifies the directory service and path where this LoginModule can access the relevant user and group information. Because this LoginModule only performs one-level searches to find the relevant user information, the URL must point to a directory one level above where the user and group information is stored in the directory service.

For example, to instruct this LoginModule to contact a NIS server, the following URLs must be specified:

    user.provider.url="nis://NISServerHostName/NISDomain/user"
    group.provider.url="nis://NISServerHostName/NISDomain/system/group"

NISServerHostName specifies the server host name of the NIS server (for example, nis.sun.com), and NISDomain specifies the domain for that NIS server (for example, jaas.sun.com). To contact an LDAP server, the following URLs must be specified:

    user.provider.url="ldap://LDAPServerHostName/LDAPName"
    group.provider.url="ldap://LDAPServerHostName/LDAPName"

LDAPServerHostName specifies the server host name of the LDAP server, which may include a port number (for example, ldap.sun.com:389), and LDAPName specifies the entry name in the LDAP directory (for example, ou=People,o=Sun,c=US and ou=Groups,o=Sun,c=US for user and group information, respectively).
The format in which the user's information must be stored in the directory service is specified in RFC 2307. Specifically, this LoginModule will search for the user's entry in the directory service using the user's uid attribute, where uid=username. If the search succeeds, this LoginModule will then obtain the user's encrypted password from the retrieved entry using the userPassword attribute. This LoginModule assumes that the password is stored as a byte array, which when converted to a String has the following format:

    "{crypt}encrypted_password"

The LDAP directory server must be configured to permit read access to the userPassword attribute.

If the user entered a valid username and password, this LoginModule associates a UnixPrincipal, a UnixNumericUserPrincipal, and the relevant UnixNumericGroupPrincipals with the Subject.
This LoginModule also recognizes the following Configuration options:

- debug: if true, debug messages are output to System.out.
- useFirstPass: if true, this LoginModule retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, no retry is attempted, and the failure is reported back to the calling application.
- tryFirstPass: if true, this LoginModule retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the CallbackHandler to retrieve a new username and password, and another attempt to authenticate is made. If that authentication also fails, the failure is reported back to the calling application.
- storePass: if true, this LoginModule stores the username and password obtained from the CallbackHandler in the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. This is not performed if values already exist for the username and password in the shared state, or if authentication fails.
- clearPass: if true, this LoginModule clears the username and password stored in the module's shared state after both phases of authentication (login and commit) have completed.
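As an added example that is not part of the JDK documentation, the following program ties together the provider URLs from the LDAP section above and the option keys just listed: a programmatic JAAS Configuration for JndiLoginModule, a CallbackHandler that answers its name and password prompts, and a LoginContext that authenticates and then inspects the principals the module placed in the Subject. The host ldap.example.com, the directory entry names, and the configuration entry name "LdapUnix" are assumptions; running it requires an LDAP server holding RFC 2307 entries and an interactive console.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import com.sun.security.auth.*;
public class JndiLoginExample {
    /** Programmatic equivalent of a login Configuration entry named "LdapUnix". */
    static Configuration ldapConfig() {
        Map<String, String> opts = new HashMap<>();
        // Placeholder host. Both URLs name the level ABOVE the user/group entries (one-level search).
        opts.put("user.provider.url", "ldap://ldap.example.com:389/ou=People,o=Example,c=US");
        opts.put("group.provider.url", "ldap://ldap.example.com:389/ou=Groups,o=Example,c=US");
        opts.put("tryFirstPass", "true"); // reuse credentials an earlier module stored; prompt if they fail
        opts.put("storePass", "true");    // publish name/password to sharedState for later modules
        opts.put("clearPass", "true");    // scrub them from sharedState after login and commit
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.JndiLoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "LdapUnix".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }
    /** Answers the NameCallback and PasswordCallback that JndiLoginModule issues. */
    static CallbackHandler handler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    public static void main(String[] args) throws LoginException {
        char[] password = System.console().readPassword("Password for %s: ", args[0]);
        LoginContext lc = new LoginContext("LdapUnix", new Subject(), handler(args[0], password), ldapConfig());
        try {
            lc.login(); // login phase then commit phase; on success the Subject is populated
            Subject s = lc.getSubject();
            System.out.println("uid:    " + s.getPrincipals(UnixNumericUserPrincipal.class));
            System.out.println("groups: " + s.getPrincipals(UnixNumericGroupPrincipal.class));
            lc.logout(); // removes the UnixPrincipal and numeric principals the module added
        } finally {
            Arrays.fill(password, '\0'); // clearPass only scrubs sharedState, not this copy
        }
    }
}
```

Because the entry is REQUIRED, a failed lookup or a userPassword value that does not verify surfaces as a LoginException from lc.login(); with debug set to "true" the module additionally reports each step on System.out.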
Modifier and Type | Field and Description |
---|---|
private CallbackHandler | callbackHandler |
private boolean | clearPass |
private boolean | commitSucceeded |
private static final String | CRYPT |
pack-priv DirContext | ctx |
private boolean | debug |
private UnixNumericGroupPrincipal | GIDPrincipal |
private static final String | GROUP_ID |
public final String | GROUP_PROVIDER: Directory service/path where this module can access the relevant group information. |
private String | groupProvider |
private static final String | NAME |
private Map<String, ?> | options |
private char[] | password |
private static final String | PWD |
private Map<String, Object> | sharedState |
private boolean | storePass |
private boolean | strongDebug |
private Subject | subject |
private boolean | succeeded |
private LinkedList<UnixNumericGroupPrincipal> | supplementaryGroups |
private boolean | tryFirstPass |
private UnixNumericUserPrincipal | UIDPrincipal |
private boolean | useFirstPass |
private static final String | USER_GID |
public final String | USER_PROVIDER: Directory service/path where this module can access the relevant user information. |
private static final String | USER_PWD |
private static final String | USER_UID |
private String | username |
private UnixPrincipal | userPrincipal |
private String | userProvider |
Access | Constructor and Description |
---|---|
public | JndiLoginModule() |
Modifier and Type | Method and Description |
---|---|
public boolean | abort(): Returns false if this LoginModule's own login and/or commit attempts failed, and true otherwise. Implements the LoginModule interface method. |
private void | attemptAuthentication(boolean getPasswdFromSharedState): Attempt authentication. getPasswdFromSharedState is a boolean that tells this method whether to retrieve the password from the sharedState. |
private void | cleanState() |
public boolean | commit(): Returns true if this LoginModule's own login and commit attempts succeeded, or false otherwise. Implements the LoginModule interface method. |
private void | getUsernamePassword(boolean getPasswdFromSharedState): Get the username and password. getPasswdFromSharedState is a boolean that tells this method whether to retrieve the password from the sharedState. |
public void | initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options): subject is the Subject to be authenticated; callbackHandler is a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example); sharedState is shared LoginModule state; options are the options specified in the login Configuration for this particular LoginModule. Implements the LoginModule interface method. |
public boolean | login(): Returns true always, since this LoginModule should not be ignored. Implements the LoginModule interface method. |
public boolean | logout(): Returns true in all cases, since this LoginModule should not be ignored. Implements the LoginModule interface method. |
private boolean | verifyPassword(String encryptedPassword, String password): Verify a password against the encrypted passwd from /etc/shadow. |
Field details:

- private CallbackHandler callbackHandler
- private boolean clearPass
- private boolean commitSucceeded
- private static final String CRYPT
- pack-priv DirContext ctx
- private boolean debug
- private UnixNumericGroupPrincipal GIDPrincipal
- private static final String GROUP_ID
- public final String GROUP_PROVIDER: Directory service/path where this module can access the relevant group information.
- private String groupProvider
- private static final String NAME
- private Map<String, ?> options
- private char[] password
- private static final String PWD
- private Map<String, Object> sharedState
- private boolean storePass
- private boolean strongDebug
- private Subject subject
- private boolean succeeded
- private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups
- private boolean tryFirstPass
- private UnixNumericUserPrincipal UIDPrincipal
- private boolean useFirstPass
- private static final String USER_GID
- public final String USER_PROVIDER: Directory service/path where this module can access the relevant user information.
- private static final String USER_PWD
- private static final String USER_UID
- private String username
- private UnixPrincipal userPrincipal
- private String userProvider
Constructor details:

- public JndiLoginModule(): Creates a
Method details:

- public boolean abort() throws LoginException: Implements the LoginModule interface method. This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed). If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the
- private void attemptAuthentication(boolean getPasswdFromSharedState) throws LoginException: Attempt authentication.
- private void cleanState(): Clean out state because of a failed authentication attempt.
- public boolean commit() throws LoginException: Implements the LoginModule interface method. Abstract method to commit the authentication process (phase 2). This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded). If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the
- private void getUsernamePassword(boolean getPasswdFromSharedState) throws LoginException: Get the username and password. This method does not return any value. Instead, it sets the global name and password variables. Also note that this method will set the username and password values in the shared state in case subsequent LoginModules want to use them via useFirstPass or tryFirstPass.
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options): Implements the LoginModule interface method. Initialize this
- public boolean login() throws LoginException: Implements the LoginModule interface method. Prompt for username and password. Verify the password against the relevant name service.
- public boolean logout() throws LoginException: Implements the LoginModule interface method. Logout a user. This method removes the Principals that were added by the
- private boolean verifyPassword(String encryptedPassword, String password): Verify a password against the encrypted passwd from /etc/shadow.