java.lang.Object
- com.sun.security.auth.module.JndiLoginModule

All Implemented Interfaces:
- LoginModule
public class JndiLoginModule extends Object implements LoginModule

The module prompts for a username and password and then verifies the password against the password stored in a directory service configured under JNDI.

This LoginModule interoperates with any conformant JNDI service provider. To direct this LoginModule to use a specific JNDI service provider, two options must be specified in the login Configuration for this LoginModule:

    user.provider.url=name_service_url
    group.provider.url=name_service_url

name_service_url specifies the directory service and path where this LoginModule can access the relevant user and group information. Because this LoginModule only performs one-level searches to find the relevant user information, the URL must point to a directory one level above where the user and group information is stored in the directory service.

For example, to instruct this LoginModule to contact a NIS server, the following URLs must be specified:

    user.provider.url="nis://NISServerHostName/NISDomain/user"
    group.provider.url="nis://NISServerHostName/NISDomain/system/group"

NISServerHostName specifies the server host name of the NIS server (for example, nis.sun.com), and NISDomain specifies the domain for that NIS server (for example, jaas.sun.com).

To contact an LDAP server, the following URLs must be specified:

    user.provider.url="ldap://LDAPServerHostName/LDAPName"
    group.provider.url="ldap://LDAPServerHostName/LDAPName"

LDAPServerHostName specifies the server host name of the LDAP server, which may include a port number (for example, ldap.sun.com:389), and LDAPName specifies the entry name in the LDAP directory (for example, ou=People,o=Sun,c=US and ou=Groups,o=Sun,c=US for user and group information, respectively).

The format in which the user's information must be stored in the directory service is specified in RFC 2307. Specifically, this LoginModule will search for the user's entry in the directory service using the user's uid attribute, where uid=username. If the search succeeds, this LoginModule will then obtain the user's encrypted password from the retrieved entry using the userPassword attribute. This LoginModule assumes that the password is stored as a byte array which, when converted to a String, has the following format:

    "{crypt}encrypted_password"

The LDAP directory server must be configured to permit read access to the userPassword attribute.

If the user entered a valid username and password, this LoginModule associates a UnixPrincipal, a UnixNumericUserPrincipal, and the relevant UnixNumericGroupPrincipals with the Subject.

This LoginModule also recognizes the following Configuration options:

- debug: if true, debug messages are output to System.out.
- useFirstPass: if true, this LoginModule retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, no attempt for a retry is made, and the failure is reported back to the calling application.
- tryFirstPass: if true, this LoginModule retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the CallbackHandler to retrieve a new username and password, and another attempt to authenticate is made. If that authentication also fails, the failure is reported back to the calling application.
- storePass: if true, this LoginModule stores the username and password obtained from the CallbackHandler in the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. This is not performed if values already exist for the username and password in the shared state, or if authentication fails.
- clearPass: if true, this LoginModule clears the username and password stored in the module's shared state after both phases of authentication (login and commit) have completed.
Field Summary

Fields:
- String USER_PROVIDER: JNDI Provider
- String GROUP_PROVIDER

Constructor Summary

Constructors:
- JndiLoginModule()

Method Summary

All Methods, Instance Methods, Concrete Methods:
- boolean abort(): This method is called if the LoginContext's overall authentication failed.
- boolean commit(): Abstract method to commit the authentication process (phase 2).
- void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options): Initialize this LoginModule.
- boolean login(): Prompt for username and password.
- boolean logout(): Logout a user.
Field Detail

USER_PROVIDER

    public final String USER_PROVIDER

JNDI Provider
- See Also: Constant Field Values

GROUP_PROVIDER

    public final String GROUP_PROVIDER

- See Also: Constant Field Values
Method Detail

initialize

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)

Initialize this LoginModule.
- Specified by: initialize in interface LoginModule
- Parameters:
  - subject - the Subject to be authenticated.
  - callbackHandler - a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).
  - sharedState - shared LoginModule state.
  - options - options specified in the login Configuration for this particular LoginModule.
login

    public boolean login() throws LoginException

Prompt for username and password. Verify the password against the relevant name service.
- Specified by: login in interface LoginModule
- Returns: true always, since this LoginModule should not be ignored.
- Throws:
  - FailedLoginException - if the authentication fails.
  - LoginException - if this LoginModule is unable to perform the authentication.
commit

    public boolean commit() throws LoginException

Abstract method to commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded). If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates a UnixPrincipal with the Subject located in the LoginModule. If this LoginModule's own authentication attempt failed, then this method removes any state that was originally saved.
- Specified by: commit in interface LoginModule
- Returns: true if this LoginModule's own login and commit attempts succeeded, or false otherwise.
- Throws:
  - LoginException - if the commit fails.
abort

    public boolean abort() throws LoginException

This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login and commit methods), then this method cleans up any state that was originally saved.
- Specified by: abort in interface LoginModule
- Returns: false if this LoginModule's own login and/or commit attempts failed, and true otherwise.
- Throws:
  - LoginException - if the abort fails.
logout

    public boolean logout() throws LoginException

Logout a user.

This method removes the Principals that were added by the commit method.
- Specified by: logout in interface LoginModule
- Returns: true in all cases, since this LoginModule should not be ignored.
- Throws:
  - LoginException - if the logout fails.
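The following Java program is an added example and is not part of the JDK's Javadoc or source. It ties together the class description (the two mandatory provider URLs and the tryFirstPass/debug options supplied through a login Configuration) and the Method Detail lifecycle (LoginContext.login() drives login() and then commit() or abort(); LoginContext.logout() drives logout(), which removes the Principals commit() added). The LDAP host, the base DNs, the entry name "JndiExample" and the user name "alice" are assumed values; the RFC 2307 entry shown in the comment is constructed for illustration.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JndiLoginDemo {

    // Assumed directory layout (constructed for this example). The URLs point one level
    // ABOVE the entries, because the module only performs one-level searches.
    // A matching RFC 2307 user entry would look like:
    //   dn: uid=alice,ou=People,dc=example,dc=test
    //   objectClass: posixAccount
    //   uid: alice
    //   uidNumber: 1001
    //   gidNumber: 1001
    //   userPassword: {crypt}<crypt-hash, omitted here>
    static final String USER_URL  = "ldap://ldap.example.test:389/ou=People,dc=example,dc=test";
    static final String GROUP_URL = "ldap://ldap.example.test:389/ou=Groups,dc=example,dc=test";

    /** Programmatic equivalent of a login.config entry named "JndiExample" (assumed name). */
    static Configuration jndiConfiguration() {
        Map<String, String> options = new HashMap<>();
        options.put("user.provider.url", USER_URL);   // the two mandatory options
        options.put("group.provider.url", GROUP_URL);
        options.put("debug", "false");                // "true" writes diagnostics to System.out
        options.put("tryFirstPass", "true");          // use shared-state credentials, prompt on failure
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.JndiLoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "JndiExample".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Non-interactive handler answering the NameCallback/PasswordCallback the module issues. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb); // anything else is unexpected
                    }
                }
            }
        };
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "alice";            // assumed user name
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", user)
                : new char[0];
        Subject subject = new Subject();
        try {
            LoginContext lc = new LoginContext("JndiExample", subject,
                    handlerFor(user, password), jndiConfiguration());
            // Phase 1 + 2: login() on the module, then commit() if every REQUIRED/REQUISITE
            // module succeeded, otherwise abort(). On success commit() attaches the
            // UnixPrincipal, UnixNumericUserPrincipal and UnixNumericGroupPrincipals.
            lc.login();
            for (Principal p : subject.getPrincipals()) {
                System.out.println(p.getClass().getSimpleName() + " = " + p.getName());
            }
            // logout() removes exactly the Principals that commit() added.
            lc.logout();
            System.out.println("principals after logout: " + subject.getPrincipals().size());
        } catch (FailedLoginException e) {
            System.err.println("authentication failed for " + user); // wrong username/password
        } catch (LoginException e) {
            System.err.println("login module could not run: " + e.getMessage()); // e.g. directory unreachable
        } finally {
            Arrays.fill(password, '\0'); // do not keep the cleartext secret around after use
        }
    }
}
```

FailedLoginException is a subclass of LoginException, so it must be caught first to distinguish a bad credential from an infrastructure problem such as an unreachable directory. With tryFirstPass set and an empty shared state (this module is the only one in the stack), the module falls back to the CallbackHandler, which is why the handler answers NameCallback and PasswordCallback and rejects any other callback.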