- All Implemented Interfaces:
LoginModule
X500Principal for the subject distinguished name of the
first certificate in the alias's credentials in the subject's principals,
the alias's certificate path in the subject's public credentials, and a
X500PrivateCredential whose certificate is the first
certificate in the alias's certificate path and whose private key is the
alias's private key in the subject's private credentials. Recognizes the following options in the configuration file:
-
keyStoreURL - A URL that specifies the location of the key store. Defaults to
a URL pointing to the .keystore file in the directory specified by the
user.homesystem property. The input stream from this URL is passed to theKeyStore.loadmethod. "NONE" may be specified if anullstream must be passed to theKeyStore.loadmethod. "NONE" should be specified if the KeyStore resides on a hardware token device, for example. -
keyStoreType - The key store type. If not specified, defaults to the result of
calling
KeyStore.getDefaultType(). If the type is "PKCS11", then keyStoreURL must be "NONE" and privateKeyPasswordURL must not be specified. -
keyStoreProvider - The key store provider. If not specified, uses the standard search order to find the provider.
-
keyStoreAlias - The alias in the key store to login as. Required when no callback handler is provided. No default value.
-
keyStorePasswordURL - A URL that specifies the location of the key store password. Required
when no callback handler is provided and
protectedis false. No default value. -
privateKeyPasswordURL - A URL that specifies the location of the specific private key password needed to access the private key for this alias. The keystore password is used if this value is needed and not specified.
-
protected - This value should be set to "true" if the KeyStore has a separate, protected authentication path (for example, a dedicated PIN-pad attached to a smart card). Defaults to "false". If "true" keyStorePasswordURL and privateKeyPasswordURL must not be specified.
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionbooleanabort()This method is called if the LoginContext's overall authentication failed.booleancommit()Abstract method to commit the authentication process (phase 2).voidinitialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) Initialize thisLoginModule.booleanlogin()Authenticate the user.booleanlogout()Logout a user.
-
Constructor Details
-
KeyStoreLoginModule
public KeyStoreLoginModule()Creates aKeyStoreLoginModule.
-
-
Method Details
-
initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) Initialize thisLoginModule.- Specified by:
initializein interfaceLoginModule- Parameters:
subject- theSubjectto be authenticated.callbackHandler- aCallbackHandlerfor communicating with the end user (prompting for usernames and passwords, for example), which may benull.sharedState- sharedLoginModulestate.options- options specified in the loginConfigurationfor this particularLoginModule.
-
login
Authenticate the user.Get the Keystore alias and relevant passwords. Retrieve the alias's principal and credentials from the Keystore.
- Specified by:
loginin interfaceLoginModule- Returns:
- true in all cases (this
LoginModuleshould not be ignored). - Throws:
FailedLoginException- if the authentication fails.LoginException- if the authentication fails
-
commit
Abstract method to commit the authentication process (phase 2).This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).
If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the
loginmethod), then this method associates aX500Principalfor the subject distinguished name of the first certificate in the alias's credentials in the subject's principals,the alias's certificate path in the subject's public credentials, and aX500PrivateCredentialwhose certificate is the first certificate in the alias's certificate path and whose private key is the alias's private key in the subject's private credentials. If this LoginModule's own authentication attempted failed, then this method removes any state that was originally saved.- Specified by:
commitin interfaceLoginModule- Returns:
- true if this LoginModule's own login and commit attempts succeeded, or false otherwise.
- Throws:
LoginException- if the commit fails
-
abort
This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the
loginandcommitmethods), then this method cleans up any state that was originally saved.If the loaded KeyStore's provider extends
java.security.AuthProvider, then the provider'slogoutmethod is invoked.- Specified by:
abortin interfaceLoginModule- Returns:
- false if this LoginModule's own login and/or commit attempts failed, and true otherwise.
- Throws:
LoginException- if the abort fails.
-
logout
Logout a user.This method removes the Principals, public credentials and the private credentials that were added by the
commitmethod.If the loaded KeyStore's provider extends
java.security.AuthProvider, then the provider'slogoutmethod is invoked.- Specified by:
logoutin interfaceLoginModule- Returns:
- true in all cases since this
LoginModuleshould not be ignored. - Throws:
LoginException- if the logout fails.
-