com.ibm.security.auth.module
Class KeyStoreLoginModule
- java.lang.Object
com.ibm.security.auth.module.KeyStoreLoginModule
- public class KeyStoreLoginModule
- extends java.lang.Object
- implements LoginModule
X500Principal
for the subject distinguished name of the
first certificate in the alias's credentials in the subject's principals,
the alias's certificate path in the subject's public credentials, and a
X500PrivateCredential
whose certificate is the first
certificate in the alias's certificate path and whose private key is the
alias's private key in the subject's private credentials. Recognizes the following options in the configuration file:
-
keyStoreURL
- A URL that specifies the location of the key store. Defaults to
a URL pointing to the .keystore file in the directory specified by the
user.home
system property. The input stream from this URL is passed to theKeyStore.load
method. "NONE" may be specified if anull
stream must be passed to theKeyStore.load
method. "NONE" should be specified if the KeyStore resides on a hardware token device, for example. -
keyStoreType
- The key store type. If not specified, defaults to the result of
calling
KeyStore.getDefaultType()
. If the type is "PKCS11", then keyStoreURL must be "NONE" and privateKeyPasswordURL must not be specified. -
keyStoreProvider
- The key store provider. If not specified, uses the standard search order to find the provider.
-
keyStoreAlias
- The alias in the key store to login as. Required when no callback handler is provided. No default value.
-
keyStorePasswordURL
- A URL that specifies the location of the key store password. Required
when no callback handler is provided and
protected
is false. No default value. -
privateKeyPasswordURL
- A URL that specifies the location of the specific private key password needed to access the private key for this alias. The keystore password is used if this value is needed and not specified.
-
protected
- This value should be set to "true" if the KeyStore has a separate, protected authentication path (for example, a dedicated PIN-pad attached to a smart card). Defaults to "false". If "true" keyStorePasswordURL and privateKeyPasswordURL must not be specified.
Constructor Summary
Constructor and Description |
---|
KeyStoreLoginModule()
|
Method Summary
Modifier and Type | Method and Description |
---|---|
|
abort()
This method is called if the LoginContext's
overall authentication failed.
|
|
commit()
Abstract method to commit the authentication process (phase 2).
|
|
initialize(Subject subject,CallbackHandler callbackHandler,java.util.Map<java.lang.String,?> sharedState,java.util.Map<java.lang.String,?> options)
Initialize this
LoginModule .
|
|
login()
Authenticate the user.
|
|
logout()
Logout a user.
|
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail
KeyStoreLoginModule
- public KeyStoreLoginModule()
Method Detail
initialize
- public void initialize(Subject subject,
- CallbackHandler callbackHandler,
- java.util.Map<java.lang.String,?> sharedState,
- java.util.Map<java.lang.String,?> options)
initialize
in interface LoginModule
subject
- the Subject
to be authenticated.
callbackHandler
- a CallbackHandler
for communicating
with the end user (prompting for usernames and
passwords, for example),
which may be null
.
sharedState
- shared LoginModule
state.
options
- options specified in the login
Configuration
for this particular
LoginModule
. login
- public boolean login()
- throws LoginException
Get the Keystore alias and relevant passwords. Retrieve the alias's principal and credentials from the Keystore.
login
in interface LoginModule
LoginModule
should not be ignored). FailedLoginException
- if the authentication fails.
LoginException
- if the authentication fails commit
- public boolean commit()
- throws LoginException
This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).
If this LoginModule's own authentication attempt
succeeded (checked by retrieving the private state saved by the
login
method), then this method associates a
X500Principal
for the subject distinguished name of the
first certificate in the alias's credentials in the subject's
principals,the alias's certificate path in the subject's public
credentials, and aX500PrivateCredential
whose certificate
is the first certificate in the alias's certificate path and whose
private key is the alias's private key in the subject's private
credentials. If this LoginModule's own
authentication attempted failed, then this method removes
any state that was originally saved.
commit
in interface LoginModule
LoginException
- if the commit fails abort
- public boolean abort()
- throws LoginException
This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).
If this LoginModule's own authentication attempt
succeeded (checked by retrieving the private state saved by the
login
and commit
methods),
then this method cleans up any state that was originally saved.
If the loaded KeyStore's provider extends
java.security.AuthProvider
,
then the provider's logout
method is invoked.
abort
in interface LoginModule
LoginException
- if the abort fails. logout
- public boolean logout()
- throws LoginException
This method removes the Principals, public credentials and the
private credentials that were added by the commit
method.
If the loaded KeyStore's provider extends
java.security.AuthProvider
,
then the provider's logout
method is invoked.
logout
in interface LoginModule
LoginModule
should not be ignored. LoginException
- if the logout fails.
LoginModule
.