com.ibm.security.auth.module
Class Krb5LoginModule
java.lang.Object
|
+--com.ibm.security.auth.module.Krb5LoginModule
All Implemented Interfaces:
javax.security.auth.spi.LoginModule

public class Krb5LoginModule
extends java.lang.Object
implements javax.security.auth.spi.LoginModule

A JAAS LoginModule for acquiring Kerberos credentials.
Supported options (specified in a JAAS configuration file):
1) Kerberos options
principal=principalName
credsType=initiator|acceptor|both (default=initiator)
forwardable=true|false (default=false)
proxiable=true|false (default=false)
useCcache=URL
useKeytab=URL
useDefaultCcache=true|false (default=false)
useDefaultKeytab=true|false (default=false)
noAddress=true|false (default=false)
2) JAAS-suggested options:
debug=true|false (default=unset, JGSS debug options used)
tryFirstPass=true|false (default=false)
useFirstPass=true|false (default=false)
moduleBanner=true|false (default=false)
NOTES:
1) Default realm (which is obtained from the Kerberos config file) is
used if the principal specified does not include a realm component.
2) debug option: true is equivalent to com.ibm.jgss.debug=all;
false is equivalent to com.ibm.jgss.debug=off.
The debug option affects debug from the Login module only;
other subcomponents of JGSS are not affected.
3) Boolean options can be set to "true" or "yes", "false" or "no"
4) The keytab and ccache options take precedence over tryFirstPass.
If a keytab or ccache option is set in addition to tryFirstPass,
the keytab or ccache is used and the principal saved in the shared state
if login is successful. There will be no prompting for password if
the login fails.
5) The keytab and ccache options are incompatible with the
useFirstPass option; specifying useFirstPass in conjunction with
either a keytab or ccache option will cause an exception to be thrown.
6) From the Java 1.4 JAAS guide:
try_first_pass - If true, the first LoginModule in the stack
saves the password entered, and subsequent LoginModules also
try to use it. If authentication fails, the LoginModules prompt
for a new password and retry the authentication.
use_first_pass - If true, the first LoginModule in the stack
saves the password entered, and subsequent LoginModules also
try to use it. LoginModules do not prompt for a new password
if authentication fails (authentication simply fails).
moduleBanner - If true, then when invoking the CallbackHandler,
the LoginModule provides a TextOutputCallback as the first Callback,
which describes the LoginModule performing the authentication.
debug - If true, instructs a LoginModule to output debugging information.
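
Notes 3 to 5 above can be checked before a configuration is deployed. The following is an added example, not IBM's code and not part of the original documentation; the class Krb5OptionCheck, its methods, and the sample principal and keytab URL are hypothetical. It assumes Boolean values match case-insensitively and that a keytab or ccache option counts as set when a URL is given or the matching useDefault* option is true.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: pre-flight check of Krb5LoginModule options (notes 3-5).
public class Krb5OptionCheck {

    // Note 3: Boolean options accept "true"/"yes" and "false"/"no".
    // Assumption: matching is case-insensitive; an absent option is false.
    static boolean bool(Map<String, String> o, String key) {
        String v = o.get(key);
        if (v == null || v.equalsIgnoreCase("false") || v.equalsIgnoreCase("no")) return false;
        if (v.equalsIgnoreCase("true") || v.equalsIgnoreCase("yes")) return true;
        throw new IllegalArgumentException(key + "=" + v + " is not a Boolean value");
    }

    // Assumption: a keytab or ccache option counts as "set" when a URL is
    // given or the corresponding useDefault* option is true.
    static boolean usesStoredCreds(Map<String, String> o) {
        return o.containsKey("useKeytab") || o.containsKey("useCcache")
            || bool(o, "useDefaultKeytab") || bool(o, "useDefaultCcache");
    }

    static List<String> check(Map<String, String> o) {
        List<String> findings = new ArrayList<>();
        boolean stored = usesStoredCreds(o);
        // Note 5: useFirstPass together with a keytab/ccache option makes the module throw.
        if (stored && bool(o, "useFirstPass"))
            findings.add("ERROR: useFirstPass is incompatible with keytab/ccache options");
        // Note 4: keytab/ccache takes precedence over tryFirstPass; no prompt on failure.
        if (stored && bool(o, "tryFirstPass"))
            findings.add("WARN: tryFirstPass is overridden; a failed login will not prompt");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample options, not taken from a real deployment.
        Map<String, String> o = new LinkedHashMap<>();
        o.put("principal", "svc/host.example.com");   // no realm: default realm applies (note 1)
        o.put("credsType", "acceptor");
        o.put("useKeytab", "file:///etc/krb5/svc.keytab");
        o.put("useFirstPass", "yes");
        check(o).forEach(System.out::println);
    }
}
```

Running the check in a build or deployment step surfaces the note 5 conflict before the module throws at login time.
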
- Author:
- Thomas Owusu
Method Summary
boolean abort()
boolean commit()
void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options)
boolean login()
boolean logout()
    Logout the user.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Krb5LoginModule
public Krb5LoginModule()
initialize
public void initialize(javax.security.auth.Subject subject,
javax.security.auth.callback.CallbackHandler callbackHandler,
java.util.Map sharedState,
java.util.Map options)
- Specified by:
initialize
in interface javax.security.auth.spi.LoginModule
login
public boolean login()
throws javax.security.auth.login.LoginException
- Specified by:
login
in interface javax.security.auth.spi.LoginModule
commit
public boolean commit()
throws javax.security.auth.login.LoginException
- Specified by:
commit
in interface javax.security.auth.spi.LoginModule
abort
public boolean abort()
throws javax.security.auth.login.LoginException
- Specified by:
abort
in interface javax.security.auth.spi.LoginModule
logout
public boolean logout()
throws javax.security.auth.login.LoginException
- Logout the user.
This method removes the NTPrincipal that was added by the commit method.
- Specified by:
logout
in interface javax.security.auth.spi.LoginModule
- Returns:
true in all cases since this LoginModule should not be ignored.
- Throws:
javax.security.auth.login.LoginException - if the logout fails.