Class WebAndEjbToJaasBridge


  • public final class WebAndEjbToJaasBridge
    extends Object
    This class contains a collection of methods that are used by the Web and EJB containers to interact with the JAAS-based LoginModules and to set the current (per-thread) security context. The WebContainer uses these for the native Servlet authentication, which is distinct from the newer JASPIC Servlet Container Profile authentication.

    Note that the JAAS system determines which LoginModule is ultimately being called, for instance the FileLoginModule. Actual LoginModules in Payara are each paired with a Payara Realm, for instance the FileLoginModule is paired with the FileRealm. The LoginModule typically does very little else than directly delegating to its peer Realm.

    Also note that, with few exceptions, neither the LoginModule nor the Realm sets the current security context; they only validate credentials and, if valid, return zero or more roles. The methods in this class set the security context if the JAAS credential validation succeeds.

    All LoginModules used by Payara follow the convention that credentials are passed in via a Subject instance (instead of the usual CallbackHandler). The validation outcome is a boolean, but it is communicated via an exception: no exception means success, while an exception means failure. If the LoginModule/Realm returned any roles, they are put into the same Subject instance that was used to pass the credentials in.

    Author:
    Harpreet Singh ([email protected]), Jyri Virkki, Arjan Tijms (refactoring)
    • Method Detail

      • login

        public static void login​(String username,
                                 char[] password,
                                 String realmName)
        This method is just a convenience wrapper for the login(Subject, Class) method. It constructs a PasswordCredential from the arguments, places it in a new Subject and delegates to that method.
        Parameters:
        username -
        password -
        realmName - the name of the realm to login into, if realmName is null, we login into the default realm
      • login

        public static void login​(Subject subject,
                                 Class<?> credentialClass)
        This method performs the login on the server side.

        This method is the main login method for Payara. It is called with a Subject and the type (class) of credential which should be checked. The Subject must contain a credential of the specified type or login will fail.

        While the implementation has been cleaned up, the login process still consists of a number of special cases which are treated separately at the realm level. In the future tighter JAAS integration could clean some of this up.

        The following credential types are recognized at this time:

        • PasswordCredential - This is the general case for all login methods which rely on the client providing a name and password. It can be used with any realms/JAAS login modules which expect such data (e.g. file realm, LDAP realm, UNIX realm)
        • X509CertificateCredential - Special case for SSL client auth. Here authentication has already been done by the SSL subsystem so this login only creates a security context based on the certificate data.
        • AnonCredential - Unauthenticated session, set anonymous security context.
        • GSSUPName - Retrieve user and realm and set security context.
        • X500Name - Retrieve user and realm and set security context.
        Parameters:
        subject - the subject of the client
        credentialClass - the class of the credential packaged in the subject.
        Throws:
        LoginException - when login fails
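        The following is an added example, not code from Payara itself, showing how a caller would use the Subject-based credential convention described above: the PasswordCredential is placed in the Subject's private credential set, success or failure is learned only from whether LoginException is thrown, and any roles the LoginModule/Realm resolved are read back from the same Subject afterwards. The package names of WebAndEjbToJaasBridge and PasswordCredential are not shown on this page and are assumed here, as is the PasswordCredential(String, char[], String) constructor.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

// Assumed package locations (not shown on the documentation page).
import com.sun.enterprise.security.auth.WebAndEjbToJaasBridge;
import com.sun.enterprise.security.auth.login.common.PasswordCredential;

public final class SubjectLoginExample {

    private SubjectLoginExample() {
    }

    /**
     * Authenticates username/password against realmName (null selects the default
     * realm, as documented for login(String, char[], String)).
     *
     * Returns the Principals (the user plus any roles) that the LoginModule/Realm
     * placed into the same Subject, or an empty set when authentication failed.
     * On success the per-thread security context has been set as a side effect,
     * so the caller is responsible for a matching logout() later.
     */
    public static Set<Principal> authenticate(String username, char[] password, String realmName) {
        Subject subject = new Subject();

        // Convention: the credential travels inside the Subject. The password is
        // sensitive, so it goes into the private, not the public, credential set.
        subject.getPrivateCredentials().add(new PasswordCredential(username, password, realmName));

        try {
            // Outcome is signalled by exception only: no exception means success.
            WebAndEjbToJaasBridge.login(subject, PasswordCredential.class);
        } catch (LoginException e) {
            // Report a uniform failure to the caller; keep the detailed reason
            // (unknown user, wrong password, realm error) in server-side logs only.
            return Collections.emptySet();
        } finally {
            // The password array has served its purpose; zero the caller's copy.
            Arrays.fill(password, '\0');
        }

        // Roles resolved by the LoginModule/Realm are added to the Subject that
        // carried the credential in, so they can be read back from it.
        return subject.getPrincipals();
    }
}
```

        Because the security context is per thread, a successful call must always be paired with WebAndEjbToJaasBridge.logout() once the request completes; otherwise the context can survive on a pooled container thread and be observed by unrelated work.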
      • doX500Login

        public static void doX500Login​(Subject subject,
                                       String appModuleID)
      • doX500Login

        public static void doX500Login​(Subject subject,
                                       String realmName,
                                       String appModuleID)
        A special case login for X500Name credentials. This is invoked for certificate login because the containers extract the X.500 name from the X.509 certificate before calling into this class.
        Parameters:
        subject -
        realmName -
        appModuleID -
        Throws:
        LoginException - when login fails
      • loginPrincipal

        public static void loginPrincipal​(String username,
                                          String realmName)
        This method is used for logging in a run-as principal. It creates a JAAS Subject whose credential is of type GSSUPName. This is used primarily for run-as.
        Throws:
        LoginException - if login fails
      • logout

        public static void logout()
        This method logs out the user by clearing the security context.
        Throws:
        LoginException - if logout fails
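        The following is an added example, not Payara's own code, showing the intended pairing of loginPrincipal and logout for run-as work: the run-as context is established for the current thread, the work runs, and the context is cleared in a finally block so that it cannot leak to the next task scheduled on the same pooled thread even if the work throws. The package name of WebAndEjbToJaasBridge is not shown on this page and is assumed.

```java
import java.util.concurrent.Callable;

import javax.security.auth.login.LoginException;

// Assumed package location (not shown on the documentation page).
import com.sun.enterprise.security.auth.WebAndEjbToJaasBridge;

public final class RunAsExample {

    private RunAsExample() {
    }

    /**
     * Runs work under the security context of a run-as principal in realmName
     * (null selects the default realm) and guarantees the context is cleared
     * afterwards.
     *
     * The run-as identity should come from deployment configuration, never from
     * request data, since this call sets the caller's roles without a password.
     */
    public static <T> T runAs(String username, String realmName, Callable<T> work) throws Exception {
        // Sets the per-thread security context for the run-as principal; throws
        // LoginException if the principal cannot be logged in.
        WebAndEjbToJaasBridge.loginPrincipal(username, realmName);
        try {
            return work.call();
        } finally {
            // Always clear the context. The context is per thread and container
            // threads are pooled, so a missed logout would carry the elevated
            // identity into unrelated work on the same thread.
            try {
                WebAndEjbToJaasBridge.logout();
            } catch (LoginException e) {
                // A failed logout leaves the thread in an unknown state; surface it
                // rather than swallowing it silently.
                throw new IllegalStateException("logout failed after run-as work", e);
            }
        }
    }
}
```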