org.apereo.cas.authentication.handler.support

Class JaasAuthenticationHandler

java.lang.Object

org.apereo.cas.authentication.AbstractAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

public class JaasAuthenticationHandler
extends AbstractUsernamePasswordAuthenticationHandler

JAAS Authentication Handler for CAAS. This is a simple bridge from CAS' authentication to JAAS.

Using the JAAS Authentication Handler requires you to configure the appropriate JAAS modules. You can specify the location of a jass.conf file using the following VM parameter:

 -Djava.security.auth.login.config=$PATH_TO_JAAS_CONF/jaas.conf
 

This example jaas.conf would try Kerberos based authentication, then try LDAP authentication:

 CAS {
   com.sun.security.auth.module.Krb5LoginModule sufficient
     client=TRUE
     debug=FALSE
     useTicketCache=FALSE;
   edu.uconn.netid.jaas.LDAPLoginModule sufficient
     java.naming.provider.url="ldap://ldapserver.my.edu:389/dc=my,dc=edu"
     java.naming.security.principal="uid=jaasauth,dc=my,dc=edu"
     java.naming.security.credentials="password"
     Attribute="uid"
     startTLS="true";
 };
 

Since:

3.0.0

See Also:

CallbackHandler, PasswordCallback, NameCallback

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	JaasAuthenticationHandler.UsernamePasswordCallbackHandler A simple JAAS CallbackHandler which accepts a Name String and Password String in the constructor.

Field Summary

Fields inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

logger, principalFactory, servicesManager

Fields inherited from interface org.apereo.cas.authentication.AuthenticationHandler

SUCCESSFUL_AUTHENTICATION_HANDLERS

Constructor Summary

Constructors

Constructor and Description
JaasAuthenticationHandler() Instantiates a new Jaas authentication handler, and attempts to load/verify the configuration.

Method Summary

Modifier and Type	Method and Description
protected HandlerResult	authenticateUsernamePasswordInternal(UsernamePasswordCredential credential) Authenticates a username/password credential by an arbitrary strategy.
void	setKerberosKdcSystemProperty(java.lang.String kerberosKdcSystemProperty) Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file.
void	setKerberosRealmSystemProperty(java.lang.String kerberosRealmSystemProperty) Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file.
void	setRealm(java.lang.String realm)

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

doAuthentication, getPasswordPolicyConfiguration, setCredentialSelectionPredicate, setPasswordEncoder, setPasswordPolicyConfiguration, setPrincipalNameTransformer, supports

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult, postAuthenticate, preAuthenticate

Methods inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

getName, setName, setPrincipalFactory, setServicesManager

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JaasAuthenticationHandler

public JaasAuthenticationHandler()

Instantiates a new Jaas authentication handler, and attempts to load/verify the configuration.

Method Detail

authenticateUsernamePasswordInternal

protected HandlerResult authenticateUsernamePasswordInternal(UsernamePasswordCredential credential)
                                                      throws java.security.GeneralSecurityException,
                                                             PreventedException

Description copied from class: AbstractUsernamePasswordAuthenticationHandler

Authenticates a username/password credential by an arbitrary strategy.

Specified by:

authenticateUsernamePasswordInternal in class AbstractUsernamePasswordAuthenticationHandler

Parameters:

credential - the credential object bearing the transformed username and password.

Returns:

HandlerResult resolved from credential on authentication success or null if no principal could be resolved from the credential.

Throws:

java.security.GeneralSecurityException - On authentication failure.

PreventedException - On the indeterminate case when authentication is prevented.

setRealm

public void setRealm(java.lang.String realm)

setKerberosRealmSystemProperty

public void setKerberosRealmSystemProperty(java.lang.String kerberosRealmSystemProperty)

Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. However, if you like, you can instead specify the realm value by setting this following system property value.

If you set the realm property, you SHOULD also configure the setKerberosKdcSystemProperty(String).

Also note that if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided from which the additional information required for cross-realm authentication may be obtained.

If you set values for these properties, then they override the default realm and KDC values specified in krb5.conf (if such a file is found). The krb5.conf file is still consulted if values for items other than the default realm and KDC are needed. If no krb5.conf file is found, then the default values used for these items are implementation-specific.

Parameters:

kerberosRealmSystemProperty - system property to indicate realm.

Since:

4.1.0

See Also:

Oracle documentation

setKerberosKdcSystemProperty

public void setKerberosKdcSystemProperty(java.lang.String kerberosKdcSystemProperty)

Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. However, if you like, you can instead specify the kdc value by setting this system property value.

If you set the realm property, you SHOULD also configure the setKerberosRealmSystemProperty(String).

Also note that if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided from which the additional information required for cross-realm authentication may be obtained.

If you set values for these properties, then they override the default realm and KDC values specified in krb5.conf (if such a file is found). The krb5.conf file is still consulted if values for items other than the default realm and KDC are needed. If no krb5.conf file is found, then the default values used for these items are implementation-specific.

Parameters:

kerberosKdcSystemProperty - system property to indicate kdc

Since:

4.1.0

See Also:

Oracle documentation