SK.gnome.dwarf.auth.login
Class JDBCLoginModule

java.lang.Object
  extended by SK.gnome.dwarf.auth.login.GenericLoginModule
      extended by SK.gnome.dwarf.auth.login.JDBCLoginModule
All Implemented Interfaces:
javax.security.auth.spi.LoginModule

public class JDBCLoginModule
extends GenericLoginModule

This login module reads user data from a SQL database.

The JDBC-related parameters may be specified via the following option keys:

 option         type       default          description
 -----------------------------------------------------------------------------------------
 driver         required   -                JDBC driver class
 url            required   -                JDBC connection URL
 username       optional   -                JDBC connection username
 password       optional   -                JDBC connection password
 

At least three tables must be available to the login module: one holding the user data, one holding the role definitions, and one mapping users to their roles.

The following sample SQL commands can be used to create the required database structure:

 CREATE TABLE Users (
   name VARCHAR(128) PRIMARY KEY,     -- login name
   password VARCHAR(128) NOT NULL,    -- stored in the form the configured PasswordEncoder expects
   fullname VARCHAR(128),
   accexpire DATETIME,                -- NULL: the account never expires
   pwdexpire DATETIME                 -- NULL: the password never expires
 );

 CREATE TABLE Roles (
   name VARCHAR(20) PRIMARY KEY,
   description VARCHAR(255)
 );

 CREATE TABLE RoleMap (
   user VARCHAR(128) NOT NULL,        -- Users.name
   role VARCHAR(20) NOT NULL          -- Roles.name
 );
 
The Users table contains information about the users, and the Roles table contains information about the user roles. The RoleMap table specifies the relationship between users and their roles.

The following additional option keys may be used to change the default SQL table and column names:

 option         type       default          description
 -----------------------------------------------------------------------------------------
 users          optional   Users            user table
 roles          optional   RoleMap          role table (user-to-role mapping)
 nameCol        optional   name             user name column
 paswordCol     optional   password         password column
 fullNameCol    optional   fullname         full user name column
 accExpireCol   optional   accexpire        account expiration column
 pwdExpireCol   optional   pwdexpire        password expiration column
 roleUserCol    optional   user             user column in the role table
 roleNameCol    optional   role             role column in the role table
 

This module checks the account and password expiration times whenever the corresponding column values are not NULL. An AccountExpiredException or a CredentialExpiredException is thrown if the account or the password, respectively, has expired at the time the user tries to log in.

This module also supports the identification feature described in GenericLoginModule, but it does not support case-insensitive logins.
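The following is an added example, not code from Dwarf or from this class: a Python model of the lookup-and-check sequence this page documents (configurable table and column names, the NOT NULL expiry checks, the identification mode with a null password, and role collection from the mapping table), run against an in-memory SQLite database so it works offline. The option keys and defaults are the ones listed above, spelled as printed; the PBKDF2 password format, the `validate()` signature and return value, and the sample users are assumptions of the example and stand in for the deployment's PasswordEncoder and for the Java `Principal[]` result.

```python
import hashlib, hmac, os, re, sqlite3
from datetime import datetime, timedelta

class LoginError(Exception): pass           # stands in for LoginException
class AccountExpired(LoginError): pass      # stands in for AccountExpiredException
class CredentialExpired(LoginError): pass   # stands in for CredentialExpiredException

DEFAULT_OPTIONS = {  # defaults from the option table on this page (key spelling as printed)
    "users": "Users", "roles": "RoleMap", "nameCol": "name",
    "paswordCol": "password", "fullNameCol": "fullname",
    "accExpireCol": "accexpire", "pwdExpireCol": "pwdexpire",
    "roleUserCol": "user", "roleNameCol": "role"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def quoted(opts, key):
    """Configured names are spliced into SQL text, so this example restricts them
    to plain identifiers and double-quotes them; values are always bound parameters."""
    name = opts.get(key, DEFAULT_OPTIONS[key])
    if not IDENT.match(name):
        raise ValueError(f"bad SQL identifier for option {key!r}: {name!r}")
    return f'"{name}"'

def encode_password(plain, iterations=200_000):
    """Assumed encoder format (not the module's): pbkdf2$iterations$salthex$hashhex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def check_password(stored, plain):
    _, iters, salt, digest = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(dk.hex(), digest)

def validate(conn, username, password, options=None, ident=False, now=None):
    """Returns (authenticated, principals). password=None is the identification
    mode described for validate(): the user is looked up without a credential
    check, authenticated is False, and the subject must not be treated as logged
    in. Expiry columns are only checked when they are not NULL."""
    o = dict(DEFAULT_OPTIONS, **(options or {}))
    now = now or datetime.now()
    if password is None and not ident:
        raise LoginError("identification mode not enabled (ident option)")
    sql = (f"SELECT {quoted(o, 'paswordCol')}, {quoted(o, 'accExpireCol')}, "
           f"{quoted(o, 'pwdExpireCol')} FROM {quoted(o, 'users')} "
           f"WHERE {quoted(o, 'nameCol')} = ?")
    row = conn.execute(sql, (username,)).fetchone()
    # One generic failure for unknown user and wrong password: no user enumeration.
    if row is None or (password is not None and not check_password(row[0], password)):
        raise LoginError("login failed")
    if row[1] is not None and datetime.fromisoformat(row[1]) <= now:
        raise AccountExpired(username)
    if row[2] is not None and datetime.fromisoformat(row[2]) <= now:
        raise CredentialExpired(username)
    roles = conn.execute(f"SELECT {quoted(o, 'roleNameCol')} FROM {quoted(o, 'roles')} "
                         f"WHERE {quoted(o, 'roleUserCol')} = ? ORDER BY 1", (username,))
    return password is not None, [("user", username)] + [("role", r) for (r,) in roles]

SCHEMA = """
CREATE TABLE Users (name VARCHAR(128) PRIMARY KEY, password VARCHAR(128) NOT NULL,
                    fullname VARCHAR(128), accexpire DATETIME, pwdexpire DATETIME);
CREATE TABLE Roles (name VARCHAR(20) PRIMARY KEY, description VARCHAR(255));
CREATE TABLE RoleMap (user VARCHAR(128) NOT NULL, role VARCHAR(20) NOT NULL);
"""

def build_demo_db(now):
    """Constructed sample data: alice is current, bob's account expired a day ago,
    carol's password expired an hour ago, dave has NULL expiries (never expires)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    day, hour = timedelta(days=1), timedelta(hours=1)
    users = [("alice", "correct horse", now + day, now + day),
             ("bob", "bob-pass", now - day, None),
             ("carol", "carol-pass", None, now - hour),
             ("dave", "dave-pass", None, None)]
    for name, pw, acc, pwd in users:
        conn.execute("INSERT INTO Users VALUES (?,?,?,?,?)",
                     (name, encode_password(pw, 1000), name.title(),
                      acc and acc.isoformat(), pwd and pwd.isoformat()))
    conn.executemany("INSERT INTO Roles VALUES (?,?)",
                     [("admin", "Administrators"), ("user", "Everyone")])
    conn.executemany("INSERT INTO RoleMap VALUES (?,?)",
                     [("alice", "admin"), ("alice", "user"), ("dave", "user")])
    return conn

def demo(now=datetime(2025, 1, 1, 12, 0, 0)):
    """Runs the documented cases and returns the outcome of each."""
    conn = build_demo_db(now)
    out = {"alice": validate(conn, "alice", "correct horse", now=now),
           "dave": validate(conn, "dave", "dave-pass", now=now),
           "alice-ident": validate(conn, "alice", None, ident=True, now=now)}
    for label, name, pw in [("wrong-pw", "alice", "nope"), ("unknown", "mallory", "x"),
                            ("acc-expired", "bob", "bob-pass"),
                            ("pwd-expired", "carol", "carol-pass"),
                            ("ident-off", "alice", None)]:
        try:
            validate(conn, name, pw, now=now)
            out[label] = "accepted"
        except LoginError as e:
            out[label] = type(e).__name__
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Two design choices in the example are worth stating: the expiry checks run only after the password has been verified, so an unauthenticated caller cannot probe whether an account or credential has expired, and unknown-user and wrong-password failures produce the same generic error. Note also that `user` is a reserved word in some databases (PostgreSQL, for instance), so the default RoleMap column may need quoting or renaming via the roleUserCol option on those systems.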


Field Summary
 
Fields inherited from class SK.gnome.dwarf.auth.login.GenericLoginModule
encoder
 
Constructor Summary
JDBCLoginModule()
           
 
Method Summary
 void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler cbHandler, java.util.Map sharedState, java.util.Map options)
          Initializes this login module.
protected  java.security.Principal[] validate(java.lang.String username, char[] password)
          Validates the given user.
 
Methods inherited from class SK.gnome.dwarf.auth.login.GenericLoginModule
abort, commit, debug, getBooleanOption, getIntOption, getStringOption, checkPassword, isDebugOn, isIdentOn, isIgnoreCaseOn, login, logout
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

JDBCLoginModule

public JDBCLoginModule()
Method Detail

initialize

public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler cbHandler,
                       java.util.Map sharedState,
                       java.util.Map options)
Description copied from class: GenericLoginModule
Initializes this login module.

Specified by:
initialize in interface javax.security.auth.spi.LoginModule
Overrides:
initialize in class GenericLoginModule
Parameters:
subject - the subject to be authenticated
cbHandler - the callbackHandler for getting the username and password
sharedState - shared login module state
options - options specified in the login configuration for this particular login module

validate

protected java.security.Principal[] validate(java.lang.String username,
                                             char[] password)
                                      throws javax.security.auth.login.LoginException
Description copied from class: GenericLoginModule
Validates the given user.

This method must validate a user according to the given username and password, and should return an array of principal objects representing the user's various identities. If no principals are found, an empty array must be returned. If the user could not be validated, a LoginException is thrown to indicate the failed login. The exception is then propagated to the calling LoginContext object.

It is recommended for the implementations to use the GenericLoginModule.checkPassword(String, char[]) method to validate the password using the current PasswordEncoder instance.

This method may be implemented in a way that if the password argument is null, it bypasses the password check and tests only the user's existence. However, the subject processed by this type of authentication must not be used to represent an authenticated user. The implementations must consult the ident option key prior to enabling this feature.

The ignorecase option key may also be consulted by the implementing modules, for enabling case-insensitive logins.

Specified by:
validate in class GenericLoginModule
Parameters:
username - the name of the user
password - the user password
Returns:
the array of principals representing the various user identities
Throws:
javax.security.auth.login.LoginException


Copyright (c) 1999-2005, Gnome Ltd. All rights reserved.