Examples of javax.security.auth.spi.LoginModule

• javax.security.auth.spi.LoginModule

  {@code LoginModule} describes the interfaceimplemented by authentication technology providers. LoginModules are plugged in under applications to provide a particular type of authentication.

  While applications write to the {@code LoginContext} API,authentication technology providers implement the {@code LoginModule} interface.A {@code Configuration} specifies the LoginModule(s)to be used with a particular login application. Therefore different LoginModules can be plugged in under the application without requiring any modifications to the application itself.

  The {@code LoginContext} is responsible for reading the{@code Configuration} and instantiating the appropriateLoginModules. Each {@code LoginModule} is initialized witha {@code Subject}, a {@code CallbackHandler}, shared {@code LoginModule} state, and LoginModule-specific options.The {@code Subject} represents the{@code Subject} currently being authenticated and is updatedwith relevant Credentials if authentication succeeds. LoginModules use the {@code CallbackHandler} tocommunicate with users. The {@code CallbackHandler} may beused to prompt for usernames and passwords, for example. Note that the {@code CallbackHandler} may be null. LoginModuleswhich absolutely require a {@code CallbackHandler} to authenticatethe {@code Subject} may throw a {@code LoginException}. LoginModules optionally use the shared state to share information or data among themselves.

  The LoginModule-specific options represent the options configured for this {@code LoginModule} by an administrator or userin the login {@code Configuration}. The options are defined by the {@code LoginModule} itselfand control the behavior within it. For example, a {@code LoginModule} may define options to support debugging/testingcapabilities. Options are defined using a key-value syntax, such as debug=true. The {@code LoginModule}stores the options as a {@code Map} so that the values maybe retrieved using the key. Note that there is no limit to the number of options a {@code LoginModule} chooses to define.

  The calling application sees the authentication process as a single operation. However, the authentication process within the {@code LoginModule} proceeds in two distinct phases.In the first phase, the LoginModule's {@code login} method gets invoked by the LoginContext's{@code login} method. The {@code login}method for the {@code LoginModule} then performsthe actual authentication (prompt for and verify a password for example) and saves its authentication status as private state information. Once finished, the LoginModule's {@code login}method either returns {@code true} (if it succeeded) or{@code false} (if it should be ignored), or throws a{@code LoginException} to specify a failure.In the failure case, the {@code LoginModule} must not retry theauthentication or introduce delays. The responsibility of such tasks belongs to the application. If the application attempts to retry the authentication, the LoginModule's {@code login} method will becalled again.

  In the second phase, if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded), then the {@code commit}method for the {@code LoginModule} gets invoked.The {@code commit} method for a {@code LoginModule} checks itsprivately saved state to see if its own authentication succeeded. If the overall {@code LoginContext} authentication succeededand the LoginModule's own authentication succeeded, then the {@code commit} method associates the relevantPrincipals (authenticated identities) and Credentials (authentication data such as cryptographic keys) with the {@code Subject}located within the {@code LoginModule}.

  If the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed), then the {@code abort} method for each {@code LoginModule}gets invoked. In this case, the {@code LoginModule} removes/destroysany authentication state originally saved.

  Logging out a {@code Subject} involves only one phase.The {@code LoginContext} invokes the LoginModule's {@code logout}method. The {@code logout} method for the {@code LoginModule}then performs the logout procedures, such as removing Principals or Credentials from the {@code Subject} or logging session information.

  A {@code LoginModule} implementation must have a constructor withno arguments. This allows classes which load the {@code LoginModule}to instantiate it. @see javax.security.auth.login.LoginContext @see javax.security.auth.login.Configuration

    private void actionAttemptLogin(RealmData data, PortletRequest request, PortletSession session, String username, String password) {
        session.removeAttribute("TestLoginPrincipals");
        session.removeAttribute("TestLoginError");
        Map options = new HashMap();
        try {
            LoginModule module = loadModule(request, data, options);
            Subject sub = PortletManager.testLoginModule(request, module, options, username, password);
            session.setAttribute("TestLoginPrincipals", sub.getPrincipals());
        } catch (Exception e) {
            log.warn("Test login failed", e);
            session.setAttribute("TestLoginError", "Login Failed: " + (e.getMessage() == null ? "no message" : e.getMessage()));

                    if (realmName.equals(securityRealm.getRealmName())) {
                        AppConfigurationEntry entry = securityRealm.getAppConfigurationEntry();

                        final String finalClass = entry.getLoginModuleName();

                        LoginModule module = (LoginModule) AccessController.doPrivileged(new java.security.PrivilegedExceptionAction() {
                            public Object run() throws ClassNotFoundException, InstantiationException, IllegalAccessException {
                                return Class.forName(finalClass, true, classLoader).newInstance();
                            }
                        });
                        Subject subject = new Subject();
                        CallbackProxy callback = new CallbackProxy();
                        module.initialize(subject, callback, new HashMap(), entry.getOptions());

                        lm = allocateLoginModuleCacheObject(securityRealm.getMaxLoginModuleAge());
                        lm.setRealmName(realmName);
                        lm.setLoginModule(module);
                        lm.setSubject(subject);

    public Collection getCallbacks(LoginModuleId loginModuleId) throws ExpiredLoginModuleException {
        LoginModuleCacheObject lm = (LoginModuleCacheObject) loginCache.get(loginModuleId);
        if (lm == null) throw new ExpiredLoginModuleException();

        LoginModule module = lm.getLoginModule();
        CallbackProxy callback = (CallbackProxy) lm.getCallbackHandler();

        try {
            module.login();
        } catch (LoginException e) {
        }
        try {
            module.abort();
        } catch (LoginException e) {
        }
        ArrayList callbacks = new ArrayList();
        for (int i = 0; i < callback.callbacks.length; i++) {
            callbacks.add(callback.callbacks[i]);

    public boolean commit(LoginModuleId loginModuleId) throws LoginException {
        LoginModuleCacheObject lm = (LoginModuleCacheObject) loginCache.get(loginModuleId);
        if (lm == null) throw new ExpiredLoginModuleException();

        LoginModule module = lm.getLoginModule();
        if (!module.commit()) return false;

        Subject subject = lm.getSubject();
        RealmPrincipal principal;
        Set principals = new HashSet();
        Iterator iter = subject.getPrincipals().iterator();

    public boolean abort(LoginModuleId loginModuleId) throws LoginException {
        LoginModuleCacheObject lm = (LoginModuleCacheObject) loginCache.get(loginModuleId);
        if (lm == null) throw new ExpiredLoginModuleException();

        LoginModule module = lm.getLoginModule();

        return module.abort();
    }

        LoginModuleCacheObject lm = (LoginModuleCacheObject) loginCache.get(loginModuleId);
        if (lm == null) throw new ExpiredLoginModuleException();

        lm.getSubject().getPrincipals(RealmPrincipal.class).clear();

        LoginModule module = lm.getLoginModule();

        return module.logout();
    }

      {
         ClassLoader tcl = SecurityActions.getContextClassloader();
         try
         {
            Class clazz = tcl.loadClass(loginModuleName);
            LoginModule lm = (LoginModule) clazz.newInstance();
            lm.initialize(clientSubject, callbackHandler, new HashMap(), options);
            lm.login();
            lm.commit();
         }
         catch (Exception e)
         {
            throw new AuthException(e.getLocalizedMessage());
         }

     *             if the LoginModule could not be instantiated for any reason
     */
    protected Set<Principal> doJAASLogin(Class<? extends LoginModule> clazz, CallbackHandler handler, Map<String,String> options) throws WikiSecurityException
    {
        // Instantiate the login module
        LoginModule loginModule = null;
        try
        {
            loginModule = clazz.newInstance();
        }
        catch (InstantiationException e)
        {
            throw new WikiSecurityException(e.getMessage(), e );
        }
        catch (IllegalAccessException e)
        {
            throw new WikiSecurityException(e.getMessage(), e );
        }

        // Initialize the LoginModule
        Subject subject = new Subject();
        loginModule.initialize( subject, handler, EMPTY_MAP, options );

        // Try to log in:
        boolean loginSucceeded = false;
        boolean commitSucceeded = false;
        try
        {
            loginSucceeded = loginModule.login();
            if (loginSucceeded)
            {
                commitSucceeded = loginModule.commit();
            }
        }
        catch (LoginException e)
        {
            // Login or commit failed! No principal for you!

     * populates them, and sends them back to the server.
     */
    public Callback[] getServerLoginCallbacks(JaasSessionId sessionHandle, int loginModuleIndex) throws LoginException {
        JaasSecuritySession session = (JaasSecuritySession) activeLogins.get(sessionHandle);
        checkContext(session, loginModuleIndex);
        LoginModule module = session.getLoginModule(loginModuleIndex);

        session.getHandler().setExploring();
        try {
            module.initialize(session.getSubject(), session.getHandler(), new HashMap(), session.getOptions(loginModuleIndex));
        } catch (Exception e) {
            System.err.println("Failed to initialize module");
            e.printStackTrace();
        }
        try {
            module.login();
        } catch (LoginException e) {
        }
        try {
            module.abort();
        } catch (LoginException e) {
        }
        return session.getHandler().finalizeCallbackList();
    }

        for (int i = 0; i < proxies.length; i++) {
            if (config[i].isServerSide()) {
                proxies[i] = new ServerLoginProxy(config[i].getFlag(), subject, i, service, sessionHandle);
            } else {
                LoginModule source = config[i].getLoginModule(JaasLoginCoordinator.class.getClassLoader());
                if (config[i].isWrapPrincipals()) {
                    proxies[i] = new WrappingClientLoginModuleProxy(config[i].getFlag(), subject, source, config[i].getLoginDomainName(), realmName);
                } else {
                    proxies[i] = new ClientLoginModuleProxy(config[i].getFlag(), subject, source);
                }