|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--javax.security.auth.login.Configuration
This is an abstract class for representing the configuration of
LoginModules under an application. The Configuration
specifies
which LoginModules should be used for a particular application, and in what
order the LoginModules should be invoked.
This abstract class needs to be subclassed to provide an implementation
which reads and loads the actual Configuration
.
When the LoginContext
needs to read the Configuration
to determine which LoginModules are configured for a particular
application, appName, it makes the following calls:
config = Configuration.getConfiguration(); entries = config.getAppConfigurationEntry(appName);
A login configuration contains the following information.
Note that this example only represents the default syntax for the
Configuration
. Subclass implementations of this class
may implement alternative syntaxes and may retrieve the
Configuration
from any source such as files, databases,
or servers.
Application { Module Flag ModuleOptions; Module Flag ModuleOptions; Module Flag ModuleOptions; }; Application { Module Flag ModuleOptions; Module Flag ModuleOptions; }; other { Module Flag ModuleOptions; Module Flag ModuleOptions; };
Each entry in the Configuration
is indexed via an
application name, Application, and contains a list of
LoginModules configured for that application. Authentication proceeds
down the list in the exact order specified. If an application
does not have specific entry, it defaults to the specific entry
for "other".
The Flag value controls the overall behavior as authentication proceeds down the stack. The following represents a description of the valid values for Flag and their respective semantics:
1) Required - TheLoginModule
is required to succeed. If it succeeds or fails, authentication still continues to proceed down theLoginModule
list. 2) Requisite - TheLoginModule
is required to succeed. If it succeeds, authentication continues down theLoginModule
list. If it fails, control immediately returns to the application (authentication does not proceed down theLoginModule
list). 3) Sufficient - TheLoginModule
is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down theLoginModule
list). If it fails, authentication continues down theLoginModule
list. 4) Optional - TheLoginModule
is not required to succeed. If it succeeds or fails, authentication still continues to proceed down theLoginModule
list.
The overall authentication succeeds only if all Required and
Requisite LoginModules succeed. If a Sufficient
LoginModule
is configured and succeeds,
then only the Required and Requisite LoginModules prior to
that Sufficient LoginModule
need to have succeeded for
the overall authentication to succeed. If no Required or
Requisite LoginModules are configured for an application,
then at least one Sufficient or Optional
LoginModule
must succeed.
ModuleOptions is a space separated list of
LoginModule
-specific values which are passed directly to
the underlying LoginModules. Options are defined by the
LoginModule
itself, and control the behavior within it.
For example, a LoginModule
may define options to support
debugging/testing capabilities. The correct way to specify options in the
Configuration
is by using the following key-value pairing:
debug=true. The key and value should be separated by an
'equals' symbol. Note that there is no limit to the number of
options a LoginModule
may define.
The following represents an example Configuration
entry
based on the syntax above:
Login { ibm.modules.SmartCard required; ibm.modules.Kerberos optional debug=true; };
This Configuration
specifies that an application named,
"Login", requires users to first authenticate to the
ibm.modules.SmartCard LoginModule
, which is
required to succeed. Even if the ibm.modules.SmartCard
authentication fails (an incorrect pin was entered), the
ibm.modules.Kerberos LoginModule
still gets invoked.
This helps hide the source of failure. Since the ibm.modules.Kerberos
LoginModule
is Optional, the overall
authentication succeeds only if the ibm.modules.SmartCard
LoginModule
(Required) succeeds.
Also note that the LoginModule-specific option, debug=true, is passed to the ibm.modules.Kerberos LoginModule. This turns on a debugging flag, which outputs helpful debugging information to a file.
The default Configuration implementation can be changed by setting the value of the "login.configuration.provider" security property (in the Java security properties file) to the fully qualified name of the desired Configuration implementation class. The Java security properties file is located in the file named <JAVA_HOME>/lib/security/java.security, where <JAVA_HOME> refers to the directory where the JDK was installed.
LoginContext
Constructor Summary | |
protected |
Configuration()
Sole constructor. |
Method Summary | |
abstract AppConfigurationEntry[] |
java.lang.String)">getAppConfigurationEntry(java.lang.String applicationName)
Retrieve an array of AppConfigurationEntries which corresponds to the configuration of LoginModules for this application. |
static Configuration |
getConfiguration()
Get the current Login Configuration. |
abstract void |
refresh()
Refresh and reload the Configuration. |
static void |
setConfiguration(Configuration configuration)
Set the current Login Configuration
|
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
protected Configuration()
Method Detail |
public static Configuration getConfiguration()
java.lang.SecurityException
- if the caller does not have permission
to retrieve the Configuration.public static void setConfiguration(Configuration configuration)
Configuration
configuration
- the new Configuration
java.lang.SecurityException
- if the current thread does not have
Permission to set the Configuration
.public abstract AppConfigurationEntry[] getAppConfigurationEntry(java.lang.String applicationName)
applicationName
- the name used to index the Configuration.public abstract void refresh()
This method causes this object to refresh/reload its current
Configuration. This is implementation-dependent.
For example, if the Configuration object is stored
a file, calling refresh
will cause the file to be re-read.
java.lang.SecurityException
- if the caller does not have permission
to refresh the Configuration.
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |