com.tivoli.pd.jazn.PDLoginModule
|
|||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
java.lang.Object
public class PDLoginModule
This PDLoginModule represents the JAAS authentication
mechanism for Security Access Manager.
A CallbackHandler is required
to retrieve a Security Access Manager username and password pair.
The objective of the PDLoginModule class is to authenticate
a Security Access Manager user and create a PDPrincipal containing the user's
Security Access Manager credentials if authentication is successful.
This LoginModule recognizes the debug option. If set to true in the login Configuration, debug messages will be output to the output stream, System.out.
This LoginModule recognizes the nameOnly option. If set to true in the login Configuration, the login method will not prompt for a password through the Callback mechanism, but will only prompt for a name.
This LoginModule also recognizes the configURLName option.
This provides a mechanism for the administrator to configure this
LoginModule to construct its PDPrincipals with the specified configuration
(the result of running SvrSslCfg). If this parameter is omitted,
the LoginModule will use the default PDAuthorizationContext.
Modes: Local,Remote
| Constructor Summary | |
|---|---|
PDLoginModule()
|
|
| Method Summary | |
|---|---|
boolean |
abort()
Abort the authentication (second phase). |
boolean |
commit()
Commit the authentication (second phase). |
static PDAuthorizationContext |
getDefaultAuthorizationContext()
Get default Security Access Manager authorization context for for all instances of the PDLoginModule class. |
void |
initialize(javax.security.auth.Subject subject,
javax.security.auth.callback.CallbackHandler callbackHandler,
java.util.Map sharedState,
java.util.Map options)
Initialize this LoginModule. |
boolean |
login()
Authenticate the user (first phase). |
boolean |
logout()
Logout the user. |
static void |
setDefaultAuthorizationContext(PDAuthorizationContext ctxt)
Set default Security Access Manager authorization context for for all instances of the PDLoginModule class. |
| Methods inherited from class java.lang.Object |
|---|
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Constructor Detail |
|---|
public PDLoginModule()
| Method Detail |
|---|
public static void setDefaultAuthorizationContext(PDAuthorizationContext ctxt)
ctxt - the default authorization context.public static PDAuthorizationContext getDefaultAuthorizationContext()
public void initialize(javax.security.auth.Subject subject,
javax.security.auth.callback.CallbackHandler callbackHandler,
java.util.Map sharedState,
java.util.Map options)
LoginModule.
initialize in interface javax.security.auth.spi.LoginModulesubject - the Subject to be authenticated. callbackHandler - a CallbackHandler for communicating
with the end user (prompting for usernames and
passwords, for example). sharedState - shared LoginModule state. The shared state
may contain a PDAuthorizationContext that was previously constructed
and initialized using the configuration file URL option by another
PDLoginModule instance.options - options specified in the login Configuration
for this particular LoginModule.
public boolean login()
throws javax.security.auth.login.AccountExpiredException,
javax.security.auth.login.CredentialExpiredException,
javax.security.auth.login.FailedLoginException,
javax.security.auth.login.LoginException
This method attempts to validate the user with Security Access Manager and retrieve the user's credentials.
Before attempting the normal JAAS mechanism of prompting for user information through the CallbackHandler, this LoginModule will look for override information that may have been recorded in the LoginModule Subject and/or sharedState Map (see the initialize method). This override information would have been put there from LoginModules that were configured to be called before this one. The overrides that this LoginModule is prepared to process are PDPrincipal in the Subject, USER_DN, iv-user, and iv-creds in the sharedState Map. If a PDPrincipal is found in the Subject, it is the assumed to be the authenticated principal. No additional login processing is required. If USER_DN is found in the sharedState (and maps to a String), this is used as the definitive name for the user, and no prompting is done for a password, so credentials will simply be obtained from the server for this user. If USER_DN is not found, then we look for iv-user. If iv-user is found in the sharedState (and maps to a String), then we look for iv-creds in the sharedState. If iv-creds is found in the sharedState (and maps to a String), then this is used as credentials to construct a PDPrincipal. If iv-creds is not found, then iv-user is used as the definitive name for the user, and no prompting is done for a password, so credentials will simply be obtained from the server for this user.
If none of this override information is found in the sharedState, then normal processing takes place. The "normal" processing will be to prompt for user information through the CallbackHandler. If this LoginModule was configured with the "nameOnly" option, then we only perform a NameCallback, otherwise both a NameCallback and a PasswordCallback are performed. If we are not configured for "nameOnly", then the username and password are verified with the server. In either case, the credentials for this username are obtained from the server and a PDPrincipal is constructed.
login in interface javax.security.auth.spi.LoginModuleLoginModule
should not be ignored).
javax.security.auth.login.AccountExpiredException - if the account has been disabled.
javax.security.auth.login.CredentialExpiredException - if the password is rejected.
javax.security.auth.login.LoginException - if environmental or setup errors occur when trying to login.
javax.security.auth.login.FailedLoginException - if any other difficulties occur when trying to login.
public boolean commit()
throws javax.security.auth.login.LoginException
This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).
If this LoginModule's own authentication attempt
succeeded (the importing of the Security Access Manager authentication
information succeeded), then this method associates the Security Access Manager
Principals with the Subject currently tied to the
LoginModule. If this LoginModule's
authentication attempted failed, then this method removes
any state that was originally saved.
commit in interface javax.security.auth.spi.LoginModulejavax.security.auth.login.LoginException - if the commit fails
public boolean abort()
throws javax.security.auth.login.LoginException
This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).
This method cleans up any state that was originally saved
as part of the authentication attempt from the login
and commit methods.
abort in interface javax.security.auth.spi.LoginModulejavax.security.auth.login.LoginException - if the abort fails
public boolean logout()
throws javax.security.auth.login.LoginException
This method removes the Principals associated
with the Subject.
logout in interface javax.security.auth.spi.LoginModuleLoginModule
should not be ignored).
javax.security.auth.login.LoginException - if the logout fails
|
|||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||