com.sun.security.auth.module

public class JndiLoginModule

extends Object
implements LoginModule
Class Inheritance
All Implemented Interfaces
javax.security.auth.spi.LoginModule
Imports
javax.security.auth.*, javax.security.auth.callback.*, javax.security.auth.login.*, javax.security.auth.spi.*, javax.naming.*, javax.naming.directory.*, java.util.Map, java.util.LinkedList, com.sun.security.auth.UnixPrincipal, com.sun.security.auth.UnixNumericUserPrincipal, com.sun.security.auth.UnixNumericGroupPrincipal

The module prompts for a username and password and then verifies the password against the password stored in a directory service configured under JNDI.

This LoginModule interoperates with any conformant JNDI service provider. To direct this LoginModule to use a specific JNDI service provider, two options must be specified in the login Configuration for this LoginModule.

     user.provider.url=name_service_url
     group.provider.url=name_service_url
name_service_url specifies the directory service and path where this LoginModule can access the relevant user and group information. Because this LoginModule only performs one-level searches to find the relevant user information, the URL must point to a directory one level above where the user and group information is stored in the directory service. For example, to instruct this LoginModule to contact a NIS server, the following URLs must be specified:
   user.provider.url="nis://NISServerHostName/NISDomain/user"
   group.provider.url="nis://NISServerHostName/NISDomain/system/group"
NISServerHostName specifies the server host name of the NIS server (for example, nis.sun.com), and NISDomain specifies the domain for that NIS server (for example, jaas.sun.com). To contact an LDAP server, the following URLs must be specified:
   user.provider.url="ldap://LDAPServerHostName/LDAPName"
   group.provider.url="ldap://LDAPServerHostName/LDAPName"
LDAPServerHostName specifies the server host name of the LDAP server, which may include a port number (for example, ldap.sun.com:389), and LDAPName specifies the entry name in the LDAP directory (for example, ou=People,o=Sun,c=US and ou=Groups,o=Sun,c=US for user and group information, respectively).

The format in which the user's information must be stored in the directory service is specified in RFC 2307. Specifically, this LoginModule searches for the user's entry in the directory service using the user's uid attribute, where uid=username. If the search succeeds, this LoginModule obtains the user's encrypted password from the retrieved entry using the userPassword attribute. This LoginModule assumes that the password is stored as a byte array which, when converted to a String, has the following format:

     "{crypt}encrypted_password"
The {crypt} prefix names the hashing scheme. The JDK's verifyPassword implements only the traditional Unix crypt(3) algorithm, so a userPassword value hashed under any other scheme (for example {SSHA}, or the $-prefixed MD5/SHA crypt variants) cannot be verified by this module and the login fails. The LDAP directory server must be configured to permit read access to the userPassword attribute. Because that attribute holds the password hash of every user, grant the read only to the identity under which this module contacts the directory rather than to anonymous binds. If the user entered a valid username and password, this LoginModule associates a UnixPrincipal, a UnixNumericUserPrincipal, and the relevant UnixNumericGroupPrincipals with the Subject.
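As an added pre-flight check (example code written for this page, not part of the JDK or of the module itself), the class below runs the same one-level uid search the module performs and reports whether an entry has the shape described above: exactly one hit, a readable userPassword, and a {crypt} value carrying a traditional crypt(3) hash. The LDAP URL and user name passed on the command line are placeholders, the uidNumber/gidNumber attribute names are taken from RFC 2307 (posixAccount) rather than from this page, and the offline part of main() runs on constructed userPassword values.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

/* Added pre-flight check, not JDK code. Confirms that a user's entry is in the shape
 * JndiLoginModule expects before the module is deployed. uidNumber/gidNumber are the
 * RFC 2307 posixAccount attribute names (an assumption of this example); the URL and
 * user name given to main() are placeholders. */
public class Rfc2307Preflight {
    static final String CRYPT_PREFIX = "{crypt}";
    static final String CRYPT_ALPHABET =
            "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    /** Problems with a userPassword value as the module would see it; empty means usable. */
    static List<String> checkUserPassword(byte[] raw) {
        List<String> problems = new ArrayList<>();
        if (raw == null) {
            problems.add("userPassword is absent or not readable (check the directory ACL)");
            return problems;
        }
        // The module turns the byte[] into a String and expects "{crypt}<hash>".
        String value = new String(raw, StandardCharsets.ISO_8859_1);
        if (!value.startsWith(CRYPT_PREFIX)) {
            int end = value.indexOf('}');
            String scheme = value.startsWith("{") && end > 0
                    ? value.substring(0, end + 1) : "cleartext or unknown";
            problems.add("userPassword scheme is " + scheme + ", not " + CRYPT_PREFIX);
            return problems;
        }
        String hash = value.substring(CRYPT_PREFIX.length());
        // Traditional crypt(3): 2-character salt + 11-character hash, all from [./0-9A-Za-z].
        if (hash.length() != 13) {
            problems.add("hash length is " + hash.length() + ", expected 13 (DES crypt(3)); "
                    + "$-prefixed MD5/SHA crypt variants are not verified by this module");
        }
        for (int i = 0; i < hash.length(); i++) {
            if (CRYPT_ALPHABET.indexOf(hash.charAt(i)) < 0) {
                problems.add("hash has a character outside the crypt(3) alphabet at index " + i);
                break;
            }
        }
        return problems;
    }

    static byte[] rawBytes(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        if (a == null) return null;
        Object v = a.get();
        // The LDAP provider returns userPassword as byte[]; most other attributes as String.
        return v instanceof byte[] ? (byte[]) v : v.toString().getBytes(StandardCharsets.ISO_8859_1);
    }

    /** Runs the one-level uid search the module performs and checks what comes back. */
    static List<String> preflight(String userProviderUrl, String username) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, userProviderUrl);   // e.g. "ldap://host:389/ou=People,..."
        DirContext ctx = new InitialDirContext(env);
        List<String> problems = new ArrayList<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);   // the module searches one level only
            sc.setReturningAttributes(new String[] { "userPassword", "uidNumber", "gidNumber" });
            // Parameterised filter: JNDI escapes {0}, so a crafted name cannot rewrite the filter.
            NamingEnumeration<SearchResult> hits =
                    ctx.search("", "(uid={0})", new Object[] { username }, sc);
            int count = 0;
            while (hits.hasMore()) {
                Attributes attrs = hits.next().getAttributes();
                count++;
                problems.addAll(checkUserPassword(rawBytes(attrs, "userPassword")));
                for (String numeric : new String[] { "uidNumber", "gidNumber" }) {
                    if (attrs.get(numeric) == null) problems.add(numeric + " missing (RFC 2307 posixAccount)");
                }
            }
            if (count != 1) problems.add("expected exactly one entry for uid=" + username + ", found " + count);
        } finally {
            ctx.close();
        }
        return problems;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values, checked offline: a well-formed {crypt} value, {SSHA}, and cleartext.
        for (String v : new String[] { "{crypt}ab01/2zXy.Qw9", "{SSHA}W8w9a2ZvAQ==", "hunter2" }) {
            System.out.println(v + " -> " + checkUserPassword(v.getBytes(StandardCharsets.ISO_8859_1)));
        }
        if (args.length == 2) {   // args: <user.provider.url> <username>
            System.out.println(preflight(args[0], args[1]));
        }
    }
}
```

Run it with no arguments to see the three constructed values classified (only the first passes); with a user.provider.url and a user name it performs the live search. Note that preflight() binds with whatever credentials the JNDI environment supplies (none here), which is also the identity that must be allowed to read userPassword when the module runs.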

This LoginModule also recognizes the following Configuration options:

   debug          if true, debug messages are output to System.out.

   useFirstPass   if true, this LoginModule retrieves the
                  username and password from the module's shared state,
                  using "javax.security.auth.login.name" and
                  "javax.security.auth.login.password" as the respective
                  keys.  The retrieved values are used for authentication.
                  If authentication fails, no attempt for a retry is made,
                  and the failure is reported back to the calling
                  application.

   tryFirstPass   if true, this LoginModule retrieves the
                  username and password from the module's shared state,
                  using "javax.security.auth.login.name" and
                  "javax.security.auth.login.password" as the respective
                  keys.  The retrieved values are used for authentication.
                  If authentication fails, the module uses the
                  CallbackHandler to retrieve a new username and password,
                  and another attempt to authenticate is made.
                  If that authentication fails, the failure is reported
                  back to the calling application.

   storePass      if true, this LoginModule stores the username and password
                  obtained from the CallbackHandler in the module's
                  shared state, using "javax.security.auth.login.name" and
                  "javax.security.auth.login.password" as the respective
                  keys.  This is not performed if values already
                  exist for the username and password in the shared state,
                  or if authentication fails.

   clearPass      if true, this LoginModule clears the
                  username and password stored in the module's shared state
                  after both phases of authentication (login and commit)
                  have completed.
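The provider-URL options and the shared-state options (useFirstPass, tryFirstPass, storePass, clearPass) together, as an added example that is not part of the JDK or of this module's documentation: a programmatic login Configuration with a "Direct" entry that runs JndiLoginModule alone and a "Stacked" entry in which a small illustrative SeedModule plays the part of a preceding module configured with storePass=true, after which JndiLoginModule reuses the stored credentials via useFirstPass and removes them via clearPass. The host names, DNs, user name and password, and the helper names (SeedModule, entry, config, handler, authenticate) are all assumptions of this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/* Added example, not JDK code. Hosts, DNs and credentials are placeholders; an RFC 2307
 * directory must be reachable for a login to succeed. Equivalent login configuration
 * file for the "Direct" entry:
 *   Direct {
 *       com.sun.security.auth.module.JndiLoginModule required
 *           user.provider.url="ldap://ldap.example.com:389/ou=People,dc=example,dc=com"
 *           group.provider.url="ldap://ldap.example.com:389/ou=Groups,dc=example,dc=com";
 *   }; */
public class JndiLoginExample {
    static final String MODULE    = "com.sun.security.auth.module.JndiLoginModule";
    static final String USER_URL  = "ldap://ldap.example.com:389/ou=People,dc=example,dc=com";
    static final String GROUP_URL = "ldap://ldap.example.com:389/ou=Groups,dc=example,dc=com";

    /** Stand-in for a preceding module with storePass=true: prompts once, seeds the shared state. */
    public static class SeedModule implements LoginModule {
        private Map<String, Object> shared;
        private CallbackHandler handler;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
            shared = (Map<String, Object>) state;
            handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            // The keys JndiLoginModule reads when useFirstPass or tryFirstPass is set.
            shared.put("javax.security.auth.login.name", nc.getName());
            shared.put("javax.security.auth.login.password", pc.getPassword());
            pc.clearPassword();
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    static AppConfigurationEntry entry(String cls, String... kv) {
        Map<String, String> opts = new HashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) opts.put(kv[i], kv[i + 1]);
        return new AppConfigurationEntry(cls, LoginModuleControlFlag.REQUIRED, opts);
    }

    /** Programmatic equivalent of a login configuration file with two entries. */
    static Configuration config() {
        AppConfigurationEntry direct = entry(MODULE,
                "user.provider.url", USER_URL, "group.provider.url", GROUP_URL);
        // Stacked: SeedModule stores name/password; JndiLoginModule consumes them (useFirstPass)
        // and, with clearPass=true, removes them from the shared state after commit.
        AppConfigurationEntry reuse = entry(MODULE,
                "user.provider.url", USER_URL, "group.provider.url", GROUP_URL,
                "useFirstPass", "true", "clearPass", "true");
        Map<String, AppConfigurationEntry[]> entries = new HashMap<>();
        entries.put("Direct", new AppConfigurationEntry[] { direct });
        entries.put("Stacked", new AppConfigurationEntry[] { entry(SeedModule.class.getName()), reuse });
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries.get(name);
            }
        };
    }

    /** Answers Name/PasswordCallbacks from fixed values instead of prompting a terminal. */
    static CallbackHandler handler(String user, char[] pwd) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pwd);
                else throw new UnsupportedCallbackException(cb, "not handled");
            }
        };
    }

    /** Returns the authenticated Subject, or null when the name/password was rejected. */
    static Subject authenticate(String app, String user, char[] pwd) throws LoginException {
        LoginContext lc = new LoginContext(app, new Subject(), handler(user, pwd), config());
        try {
            lc.login();              // phase 1 (login) then phase 2 (commit) on every module
            return lc.getSubject();
        } catch (FailedLoginException e) {
            return null;             // bad credentials; directory/config errors propagate
        } finally {
            Arrays.fill(pwd, '\0');  // our copy; the module clears its own in cleanState
        }
    }

    public static void main(String[] args) throws LoginException {
        String app = args.length > 0 ? args[0] : "Direct";   // or "Stacked"
        Subject s = authenticate(app, "alice", "placeholder".toCharArray());
        if (s == null) { System.out.println("login incorrect"); return; }
        // Expect a UnixPrincipal, a UnixNumericUserPrincipal and the user's UnixNumericGroupPrincipals.
        s.getPrincipals().forEach(System.out::println);
    }
}
```

Two points worth noting when adapting this: with "Stacked" the CallbackHandler is invoked only by SeedModule, because JndiLoginModule with useFirstPass never prompts (it would with tryFirstPass, but only after the stored credentials fail); and the password is held in three places (the caller's array, the shared state, the module's own copy), which is why the example zeroes its copy and sets clearPass=true.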

Field Summary

Modifier and Type                            Field and Description
private CallbackHandler                      callbackHandler
private boolean                              clearPass
private boolean                              commitSucceeded
private static final String                  CRYPT
pack-priv DirContext                         ctx
private boolean                              debug
private UnixNumericGroupPrincipal            GIDPrincipal
private static final String                  GROUP_ID
public final String                          GROUP_PROVIDER
                                             Directory service/path where this module can access the relevant group information.
private String                               groupProvider
private static final String                  NAME
private Map<String, ?>                       options
private char[]                               password
private static final String                  PWD
private Map<String, Object>                  sharedState
private boolean                              storePass
private boolean                              strongDebug
private Subject                              subject
private boolean                              succeeded
private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups
private boolean                              tryFirstPass
private UnixNumericUserPrincipal             UIDPrincipal
private boolean                              useFirstPass
private static final String                  USER_GID
public final String                          USER_PROVIDER
                                             Directory service/path where this module can access the relevant user information.
private static final String                  USER_PWD
private static final String                  USER_UID
private String                               username
private UnixPrincipal                        userPrincipal
private String                               userProvider

Constructor Summary

Access    Constructor and Description
public    JndiLoginModule()
          Creates a JndiLoginModule.

Method Summary

Modifier and Type    Method and Description
public boolean       abort()
                     Implements javax.security.auth.spi.LoginModule.abort. This method is called if the LoginContext's overall authentication failed.
                     Returns: false if this LoginModule's own login and/or commit attempts failed, and true otherwise.
private void         attemptAuthentication(boolean getPasswdFromSharedState)
                     Attempt authentication. getPasswdFromSharedState tells this method whether to retrieve the password from the sharedState.
private void         cleanState()
                     Clean out state because of a failed authentication attempt.
public boolean       commit()
                     Implements javax.security.auth.spi.LoginModule.commit. Commits the authentication process (phase 2).
                     Returns: true if this LoginModule's own login and commit attempts succeeded, or false otherwise.
private void         getUsernamePassword(boolean getPasswdFromSharedState)
                     Get the username and password. getPasswdFromSharedState tells this method whether to retrieve the password from the sharedState.
public void          initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options)
                     Implements javax.security.auth.spi.LoginModule.initialize. Initialize this LoginModule. subject: the Subject to be authenticated. callbackHandler: a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example). sharedState: shared LoginModule state. options: options specified in the login Configuration for this particular LoginModule.
public boolean       login()
                     Implements javax.security.auth.spi.LoginModule.login. Prompt for username and password.
                     Returns: true always, since this LoginModule should not be ignored.
public boolean       logout()
                     Implements javax.security.auth.spi.LoginModule.logout. Logout a user.
                     Returns: true in all cases since this LoginModule should not be ignored.
private boolean      verifyPassword(String encryptedPassword, String password)
                     Verify a password against an encrypted password in the traditional crypt(3) format used by /etc/shadow.

Inherited from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

callbackHandler
private CallbackHandler callbackHandler

The CallbackHandler supplied to initialize, used to prompt for the username and password.

clearPass
private boolean clearPass

Value of the clearPass option.

commitSucceeded
private boolean commitSucceeded

Private state recording whether this module's commit succeeded; consulted by abort and logout.

CRYPT
private static final String CRYPT

Scheme prefix expected on the stored password value ("{crypt}").

ctx
pack-priv DirContext ctx

Directory context through which the user and group lookups are made.

debug
private boolean debug

Value of the debug option.

GIDPrincipal
private UnixNumericGroupPrincipal GIDPrincipal

The user's primary UnixNumericGroupPrincipal, associated with the Subject on commit.

GROUP_ID
private static final String GROUP_ID

Name of the attribute holding a group's numeric id (gidNumber in RFC 2307).

GROUP_PROVIDER
public final String GROUP_PROVIDER

Directory service/path where this module can access the relevant group information.

groupProvider
private String groupProvider

Value of the group.provider.url option.

NAME
private static final String NAME

Shared-state key for the username ("javax.security.auth.login.name").

options
private Map<String, ?> options

The options map supplied to initialize.

password
private char[] password

Password obtained from the CallbackHandler or the shared state; cleared by cleanState.

PWD
private static final String PWD

Shared-state key for the password ("javax.security.auth.login.password").

sharedState
private Map<String, Object> sharedState

The shared-state map supplied to initialize.

storePass
private boolean storePass

Value of the storePass option.

strongDebug
private boolean strongDebug

Additional debug flag.

subject
private Subject subject

The Subject supplied to initialize.

succeeded
private boolean succeeded

Private state recording whether this module's login succeeded; consulted by commit and abort.

supplementaryGroups
private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups

The user's supplementary UnixNumericGroupPrincipals, associated with the Subject on commit.

tryFirstPass
private boolean tryFirstPass

Value of the tryFirstPass option.

UIDPrincipal
private UnixNumericUserPrincipal UIDPrincipal

The user's UnixNumericUserPrincipal, associated with the Subject on commit.

useFirstPass
private boolean useFirstPass

Value of the useFirstPass option.

USER_GID
private static final String USER_GID

Name of the attribute holding the user's primary group id (gidNumber in RFC 2307).

USER_PROVIDER
public final String USER_PROVIDER

Directory service/path where this module can access the relevant user information.

USER_PWD
private static final String USER_PWD

Name of the attribute holding the user's encrypted password (userPassword).

USER_UID
private static final String USER_UID

Name of the attribute holding the user's numeric id (uidNumber in RFC 2307).

username
private String username

Username obtained from the CallbackHandler or the shared state.

userPrincipal
private UnixPrincipal userPrincipal

The user's UnixPrincipal, associated with the Subject on commit.

userProvider
private String userProvider

Value of the user.provider.url option.

Constructor Detail

JndiLoginModule
public JndiLoginModule()

Creates a JndiLoginModule.

Method Detail

abort
public boolean abort() throws LoginException

Implements javax.security.auth.spi.LoginModule.abort.

This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login and commit methods), then this method cleans up any state that was originally saved.

Returns: boolean

false if this LoginModule's own login and/or commit attempts failed, and true otherwise.

Exceptions
LoginException:
if the abort fails.

attemptAuthentication
private void attemptAuthentication(boolean getPasswdFromSharedState) throws LoginException

Attempt authentication: obtain the username and password, look up the user's entry under the user provider URL, and verify the password against the entry's userPassword value.

Parameters
getPasswdFromSharedState: boolean

boolean that tells this method whether to retrieve the password from the sharedState.

cleanState
private void cleanState()

Clean out state because of a failed authentication attempt.

commit
public boolean commit() throws LoginException

Implements javax.security.auth.spi.LoginModule.commit.

Commits the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates a UnixPrincipal with the Subject located in the LoginModule. If this LoginModule's own authentication attempt failed, then this method removes any state that was originally saved.

Returns: boolean

true if this LoginModule's own login and commit attempts succeeded, or false otherwise.

Exceptions
LoginException:
if the commit fails.
getUsernamePassword
private void getUsernamePassword(boolean getPasswdFromSharedState) throws LoginException

Get the username and password. This method does not return any value. Instead, it sets the module's username and password fields.

Also note that this method will set the username and password values in the shared state in case subsequent LoginModules want to use them via useFirstPass/tryFirstPass.

Parameters
getPasswdFromSharedState: boolean

boolean that tells this method whether to retrieve the password from the sharedState.

initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options)

Implements javax.security.auth.spi.LoginModule.initialize.

Initialize this LoginModule.

Parameters
subject: Subject

the Subject to be authenticated.

callbackHandler: CallbackHandler

a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).

sharedState: Map<String, ?>

shared LoginModule state.

options: Map<String, ?>

options specified in the login Configuration for this particular LoginModule.

Annotations
@SuppressWarnings("unchecked")
login
public boolean login() throws LoginException

Implements javax.security.auth.spi.LoginModule.login.

Prompt for username and password. Verify the password against the relevant name service.

Returns: boolean

true always, since this LoginModule should not be ignored.

Exceptions
LoginException:
if this LoginModule is unable to perform the authentication.
FailedLoginException:
if the authentication fails.

logout
public boolean logout() throws LoginException

Implements javax.security.auth.spi.LoginModule.logout.

Logout a user.

This method removes the Principals that were added by the commit method.

Returns: boolean

true in all cases since this LoginModule should not be ignored.

Exceptions
LoginException:
if the logout fails.

verifyPassword
private boolean verifyPassword(String encryptedPassword, String password)

Verify a password against an encrypted password in the traditional crypt(3) format used by /etc/shadow (the value that follows the {crypt} prefix in the directory entry). Returns true only if hashing the candidate password with the stored salt reproduces the stored value.