Module ibm.security.auth

Package com.ibm.security.auth.module

Class JAASLoginModule

java.lang.Object

com.ibm.security.auth.module.JAASLoginModule

All Implemented Interfaces:

LoginModule

public class JAASLoginModule
extends Object
implements LoginModule

This JAASLoginModule class provides a login module to authenticate OS/390 users with RACF using OS/390 principals and credentials. As a result of a successful login, a Principal, com.ibm.security.auth.UsernamePrincipal will be assigned to the Subject.

One use of this capability might be to log in as a a particlur user and then perform a ThreadSubject.doAs((LoginContext)lc.getSubject(), PrivilegedAction there>. This would run the PrivilegedAction as that user, from the perspective of both JAVA and OS/390.

This LoginModule may actually be used in either of two ways. If no CallbackHandlers were specified on the creation of the code>LoginContext that is constructing this LoginModule then this queries the underlying OS for the current identity. If, however, CallbackHandlers were specified, then this LoginModule drives a NameCallback and a PasswordCallback to get enough information to perform an OS-level login.

This LoginModule recognizes the debug option. If set to true in the login module Configuration, debug messages will be output to the output stream, System.out.

This LoginModule does not share state information.

See Also:

• LoginModule

Constructor Summary

Constructors

Constructor	Description
JAASLoginModule()	Constructs a JAASLoginModule object.

Method Summary

Modifier and Type	Method	Description
boolean	abort()	Abort the authentication process (phase 2).
boolean	commit()	Commit the authentication process (phase 2).
void	initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)	Initialize this LoginModule.
boolean	login()	Authenticate a Subject (phase 1).
boolean	logout()	Logout the user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

JAASLoginModule

public JAASLoginModule()

Constructs a JAASLoginModule object.

Method Details

initialize

public void initialize(Subject subject,
 CallbackHandler callbackHandler,
 Map<String,?> sharedState,
 Map<String,?> options)

Initialize this LoginModule.

Specified by:

initialize in interface LoginModule

Parameters:

subject - The Subject to be authenticated.

callbackHandler - A CallbackHandler for communicating with the end user (i.e. prompting for usernames and passwords).

sharedState - State shared with other configured LoginModules (ignored)

options - Options specified in the login Configuration for for this particular LoginModule.

login

public boolean login()
              throws LoginException

Authenticate a Subject (phase 1).

If no CallbackHandlers were specified on the creation of the code>LoginContext that is constructing this LoginModule then this queries the underlying OS for the current identity and creates a UsernamePrincipal.

If CallbackHandlers were specified on the creation of the code>LoginContext that is constructing this LoginModule then this method authenticates a Subject by obtaining a user id a password via the CallBackHandler, verifies the information with RACF, and creates a UsernamePrincipal if successful.

This method saves the result of the authentication process as private state.

Specified by:

login in interface LoginModule

Returns:

true if authentication is successful; false if it is not.

Throws:

FailedLoginException - If the authentication fails.

LoginException - If this LoginModule is unable to perform the authentication.

commit

public boolean commit()
               throws LoginException

Commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates a UsernamePrincipal with the Subject located in the LoginModuleContext. If this LoginModule's own authentication attempted failed, then this method removes any state that was originally saved.

Specified by:

commit in interface LoginModule

Returns:

true if this LoginModule's own login and commit attempts succeeded, or false otherwise.

Throws:

LoginException - If the commit fails.

abort

public boolean abort()
              throws LoginException

Abort the authentication process (phase 2).

This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login and commit methods), then this method cleans up any state that was originally saved.

Specified by:

abort in interface LoginModule

Returns:

false if this LoginModule's own login and/or commit attempts failed, and true otherwise.

Throws:

LoginException - If the abort fails.

logout

public boolean logout()
               throws LoginException

Logout the user.

This method removes the UsernamePrincipal that may have been added by the commit method.

Specified by:

logout in interface LoginModule

Returns:

true in all cases.

Throws:

LoginException - If the logout fails.