com.ibm.security.auth.module

Class Krb5LoginModule

  • java.lang.Object
    • com.ibm.security.auth.module.Krb5LoginModule
  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule


    public class Krb5LoginModule
    extends java.lang.Object
    implements javax.security.auth.spi.LoginModule

    A JAAS LoginModule for acquiring Kerberos credentials.

    Supported options (specified in a JAAS configuration file):

     1) Kerberos options
           principal=principalName
           credsType=initiator|acceptor|both (default=initiator)
           forwardable=true|false (default=false)
           proxiable=true|false (default=false)
           renewable=true|false (default=false)
           useCcache=URL
           useKeytab=URL
           useDefaultCcache=true|false (default=false)
           useDefaultKeytab=true|false (default=false)
          
     2) JAAS-suggested options:
           debug=true|false (default=unset, JGSS debug options used)
           tryFirstPass=true|false (default=false)
           useFirstPass=true|false (default=false)
           moduleBanner=true|false (default=false)

     NOTES:
     1) Default realm (which is obtained from the Kerberos config file) is
        used if the principal specified does not include a realm component.
     2) debug option: true is equivalent to com.ibm.jgss.debug=all
                      false is equivalent to com.ibm.jgss.debug=off
        The debug option affects debug from the Login module only;
        other subcomponents of JGSS are not affected.
     3) Boolean options can be set to "true" or "yes", "false" or "no"
     4) The keytab and ccache options take precedence over tryFirstPass.
        If a keytab or ccache option is set in addition to tryFirstPass,
        the keytab or ccache is used, and the principal is saved in the
        shared state if login is successful. There will be no prompting
        for a password if the login fails.
     5) The keytab and ccache options are incompatible with the
        useFirstPass option; specifying useFirstPass in conjunction with
        either a keytab or ccache option will cause an exception to be thrown.
     6) From the Java 1.4 JAAS guide:
        try_first_pass - If true, the first LoginModule in the stack
           saves the password entered, and subsequent LoginModules also
           try to use it. If authentication fails, the LoginModules prompt
           for a new password and retry the authentication.
        use_first_pass - If true, the first LoginModule in the stack
           saves the password entered, and subsequent LoginModules also
           try to use it. LoginModules do not prompt for a new password
           if authentication fails (authentication simply fails).
        moduleBanner - If true, then when invoking the CallbackHandler,
           the LoginModule provides a TextOutputCallback as the first Callback,
           which describes the LoginModule performing the authentication.
        debug - If true, instructs a LoginModule to output debugging information.
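
The option rules in notes 3, 4 and 5 can be checked before a configuration is deployed. The following is an added example, not IBM's code and not part of this API: a hypothetical `Krb5OptionCheck` class that applies those notes to an options map of the kind passed to `initialize`. The principal name and keytab URL are constructed sample values.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (hypothetical helper, not part of the IBM API): checks a
// Krb5LoginModule options map against notes 3, 4 and 5 above.
public class Krb5OptionCheck {

    // Note 3: boolean options are "true" or "yes", "false" or "no".
    // An absent option is treated as false (the documented default).
    static boolean isSet(Map<String, String> o, String key) {
        String v = o.get(key);
        if (v == null) return false;
        switch (v.trim()) {
            case "true": case "yes": return true;
            case "false": case "no": return false;
            default: throw new IllegalArgumentException(key + "=" + v + " is not a boolean value");
        }
    }

    static List<String> check(Map<String, String> o) {
        List<String> findings = new ArrayList<>();
        boolean keytab = o.containsKey("useKeytab") || isSet(o, "useDefaultKeytab");
        boolean ccache = o.containsKey("useCcache") || isSet(o, "useDefaultCcache");
        String creds = o.getOrDefault("credsType", "initiator");
        if (!creds.equals("initiator") && !creds.equals("acceptor") && !creds.equals("both"))
            findings.add("ERROR: credsType=" + creds + " is not initiator|acceptor|both");
        // Note 5: useFirstPass with a keytab or ccache option makes the module throw.
        if (isSet(o, "useFirstPass") && (keytab || ccache))
            findings.add("ERROR: useFirstPass is incompatible with keytab/ccache options");
        // Note 4: keytab/ccache wins over tryFirstPass; no password prompt on failure.
        if (isSet(o, "tryFirstPass") && (keytab || ccache))
            findings.add("WARN: tryFirstPass is overridden by keytab/ccache; no password fallback");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample options, as they would appear in a JAAS entry.
        Map<String, String> o = new LinkedHashMap<>();
        o.put("principal", "svc/host.example.com");         // constructed name
        o.put("credsType", "acceptor");
        o.put("useKeytab", "file:///etc/krb5/svc.keytab");  // constructed URL
        o.put("useFirstPass", "yes");
        o.put("tryFirstPass", "true");
        check(o).forEach(System.out::println);              // one ERROR, one WARN
    }
}
```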
     

    • Constructor Summary

      Constructors 
      Constructor and Description
      Krb5LoginModule() 
    • Method Summary

      Modifier and Type Method and Description
      boolean abort()
      Abort the login.
      boolean commit()
      Commit the login for the user.
      void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options)
      boolean login()
      Perform the login.
      boolean logout()
      Log out the user.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • Krb5LoginModule

        public Krb5LoginModule()
    • Method Detail

      • initialize

        public void initialize(javax.security.auth.Subject subject,
                               javax.security.auth.callback.CallbackHandler callbackHandler,
                               java.util.Map sharedState,
                               java.util.Map options)
        Specified by:
        initialize in interface javax.security.auth.spi.LoginModule
        Parameters:
        subject -
        callbackHandler -
        sharedState -
        options -
      • login

        public boolean login()
                      throws javax.security.auth.login.LoginException
        Perform the login.
        Specified by:
        login in interface javax.security.auth.spi.LoginModule
        Returns:
        true if login is successful
        Throws:
        javax.security.auth.login.LoginException
      • commit

        public boolean commit()
                       throws javax.security.auth.login.LoginException
        Commit the login for the user.
        Specified by:
        commit in interface javax.security.auth.spi.LoginModule
        Returns:
        true if commit is successful
        Throws:
        javax.security.auth.login.LoginException
      • abort

        public boolean abort()
                      throws javax.security.auth.login.LoginException
        Abort the login.
        Specified by:
        abort in interface javax.security.auth.spi.LoginModule
        Returns:
        true if abort is successful
        Throws:
        javax.security.auth.login.LoginException
      • logout

        public boolean logout()
                       throws javax.security.auth.login.LoginException
        Log out the user.

        This method removes the Principal that was added by the commit method.

        Specified by:
        logout in interface javax.security.auth.spi.LoginModule
        Returns:
        true in all cases since this LoginModule should not be ignored.
        Throws:
        javax.security.auth.login.LoginException - if the logout fails.

© Portions Copyright 2003, 2015 IBM Corporation. All rights reserved.
© Portions Copyright 2003, 2015, Oracle and/or its affiliates. All rights reserved.