|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object SK.gnome.dwarf.auth.login.GenericLoginModule SK.gnome.dwarf.auth.login.UnixLoginModule
The login module based on the standard Unix password files.
This module reads the user information from the traditional Unix password files, typically "/etc/password" and "/etc/shadow".
Location of the particular file is specified via the passwd, shadow and group option keys. The default values are "/etc/passwd", "/etc/shadow" and "/etc/group". The login module will automatically use the shadow password file if neccessary.
Passwords may be encrypted either using the DES algorithm, as provided by the legacy
Unix crypt function, or using the more secure MD5-based algorithm, as provided by
the md5-crypt function found on some *BSD systems. See the CryptPasswordEncoder
and MD5CryptPasswordEncoder
for more information. If the password encoder class is not
set via the encoder option key, the login module will choose automatically one of the
mentioned two encoders.
This login module returns an array of principals representing the user identities.
This array always contains one UserPrincipal
with the name of the user. Optionally,
it may contain several RolePrincipal
objects according to the user's roles.
This module also supports the identification feature as described in the
GenericLoginModule
, and it supports also the case-insensitive logins.
The account and password expiration feature is not yet supported.
Examples of configuration:
// sample setup for a Linux system: Test1 { SK.gnome.dwarf.auth.login.UnixLoginModule required; }; // sample setup for a FreeBSD system, which uses only MD5-based hash: Test2 { SK.gnome.dwarf.auth.login.UnixLoginModule required encoder="SK.gnome.dwarf.auth.login.MD5CryptPasswordEncoder" shadow="/etc/master.passwd"; };
Field Summary |
Fields inherited from class SK.gnome.dwarf.auth.login.GenericLoginModule |
encoder |
Constructor Summary | |
UnixLoginModule()
|
Method Summary | |
protected boolean |
checkPassword(java.lang.String encoded,
char[] plain)
Checks the given password. |
void |
initialize(javax.security.auth.Subject subject,
javax.security.auth.callback.CallbackHandler cbHandler,
java.util.Map sharedState,
java.util.Map options)
Initializes this login module. |
protected java.security.Principal[] |
validate(java.lang.String username,
char[] password)
Validates the given user. |
Methods inherited from class SK.gnome.dwarf.auth.login.GenericLoginModule |
abort, commit, debug, getBooleanOption, getIntOption, getStringOption, isDebugOn, isIdentOn, isIgnoreCaseOn, login, logout |
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
public UnixLoginModule()
Method Detail |
public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler cbHandler, java.util.Map sharedState, java.util.Map options)
GenericLoginModule
initialize
in interface javax.security.auth.spi.LoginModule
initialize
in class GenericLoginModule
subject
- the subject to be authenticatedcbHandler
- the callbackHandler for getting the username and passwordsharedState
- shared login module stateoptions
- options specified in the login configuration for this particular
login moduleprotected boolean checkPassword(java.lang.String encoded, char[] plain) throws javax.security.auth.login.LoginException
GenericLoginModule
Checks whether or not the encoded password equals to the plain (non-encoded) password.
This method allows the login module to check passwords encoded by various different
algorithms by using a custom password encoder. The password encoder must be a class
implementing the PasswordEncoder
interface. The default encoder used is the
MD5PasswordEncoder
, and a custom encoder may be specified via the encoder
option key by providing its full class name.
This method calls the PasswordEncoder.compare(String, char[])
method of the
current PasswordEncoder
with the corresponding arguments.
checkPassword
in class GenericLoginModule
encoded
- the encoded passwordplain
- the plain (non-encoded) password
javax.security.auth.login.LoginException
- if an error ocurredprotected java.security.Principal[] validate(java.lang.String username, char[] password) throws javax.security.auth.login.LoginException
GenericLoginModule
This method must validate a user according to the given username and password, and should return an array of principal objects representing the various user's identities. If no principals are found, an empty array must be returned. If the user could not be validated, a LoginException is thrown to indicate the failed login. Exception is then propagated to the calling LoginContext object.
It is recommended for the implementations to use the GenericLoginModule.checkPassword(String, char[])
method to validate the password using the current PasswordEncoder
instance.
This method may be implemented in a way that if the password argument is null, it will bypass the password check and will test the user existence only. However, the subject procesed by this type of authentication must not be used to represent an authenticated user. The implementations must consult the ident option key prior to enabling this feature.
The ignorecase option key may be consulted by the implementing modules, too, for enabling the case-insensitive logins.
validate
in class GenericLoginModule
username
- the name of the userpassword
- the user password
javax.security.auth.login.LoginException
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |