org.jboss.soa.esb.services.security.auth.login
Class CertificateLoginModule

java.lang.Object
  extended by org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule
All Implemented Interfaces:
javax.security.auth.spi.LoginModule

public class CertificateLoginModule
extends java.lang.Object
implements javax.security.auth.spi.LoginModule

A JAAS login module that performs authentication by checking that the certificate passed to the ESB by the calling client can be verified against a certificate in a local keystore.

Usage:

 CertLogin {
  org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule required keyStoreURL="file://keystore" keyStorePassword="jbossesb" rolesPropertiesFile="file://roles.properties";
 };
 
Option description:
  • keyStoreURL - URL or simply a path to a file on the local file system or on the classpath
  • keyStorePassword - password for the above keystore
  • rolesPropertiesFile - URL or simply a path to a file on the local file system or on the classpath that contains user to role mappings: user=role1,role2

Author:
    Daniel Bevenius

    Field Summary
    static java.lang.String KEYSTORE_PASSWORD
    static java.lang.String KEYSTORE_TYPE
    static java.lang.String KEYSTORE_URL
    static java.lang.String ROLE_PROPERTIES

    Constructor Summary
    CertificateLoginModule()

    Method Summary
     boolean abort()
    protected  void addRoles(javax.security.auth.Subject subject, java.security.Principal principal, java.security.cert.X509Certificate cert, java.util.Map<java.lang.String,?> options)
              The addRoles method adds roles to the authenticated subject.
     boolean commit()
              If the login was successful this method adds principals and roles to the subject.
     void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map<java.lang.String,?> sharedState, java.util.Map<java.lang.String,?> options)
              Initializes this login module.
     boolean login()
              Login performs the verification of the caller's certificate against the alias that is provided by the callback handler.
     boolean logout()

    Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Field Detail

    KEYSTORE_URL

    public static final java.lang.String KEYSTORE_URL
    See Also:
    Constant Field Values

    KEYSTORE_PASSWORD

    public static final java.lang.String KEYSTORE_PASSWORD
    See Also:
    Constant Field Values

    KEYSTORE_TYPE

    public static final java.lang.String KEYSTORE_TYPE
    See Also:
    Constant Field Values

    ROLE_PROPERTIES

    public static final java.lang.String ROLE_PROPERTIES
    See Also:
    Constant Field Values
    Constructor Detail

    CertificateLoginModule

    public CertificateLoginModule()

    Method Detail

    initialize

    public void initialize(javax.security.auth.Subject subject,
                           javax.security.auth.callback.CallbackHandler callbackHandler,
                           java.util.Map<java.lang.String,?> sharedState,
                           java.util.Map<java.lang.String,?> options)
    Initializes this login module. Simply stores the passed-in fields and validates the options.

    Specified by:
    initialize in interface javax.security.auth.spi.LoginModule
    Parameters:
    subject - The subject to authenticate/populate.
    callbackHandler - The callback handler that will gather the information required by this login module.
    sharedState - State that is shared with other login modules. Used when modules are chained/stacked.
    options - The options that were specified for this login module. See the "Usage" section of this type's javadoc.

    login

    public boolean login()
                  throws javax.security.auth.login.LoginException
    Login performs the verification of the caller's certificate against the alias that is provided by the callback handler.

    Specified by:
    login in interface javax.security.auth.spi.LoginModule
    Returns:
    true if the login was successful, otherwise false.
    Throws:
    javax.security.auth.login.LoginException - If an error occurs while trying to perform the authentication.

    commit

    public boolean commit()
                   throws javax.security.auth.login.LoginException
    If the login was successful this method adds principals and roles to the subject. When adding a Principal we simply use the Common Name (CN) from the Distinguished Name (DN).

    Specified by:
    commit in interface javax.security.auth.spi.LoginModule
    Throws:
    javax.security.auth.login.LoginException

    abort

    public boolean abort()
                  throws javax.security.auth.login.LoginException
    Specified by:
    abort in interface javax.security.auth.spi.LoginModule
    Throws:
    javax.security.auth.login.LoginException

    logout

    public boolean logout()
                   throws javax.security.auth.login.LoginException
    Specified by:
    logout in interface javax.security.auth.spi.LoginModule
    Throws:
    javax.security.auth.login.LoginException

    addRoles

    protected void addRoles(javax.security.auth.Subject subject,
                            java.security.Principal principal,
                            java.security.cert.X509Certificate cert,
                            java.util.Map<java.lang.String,?> options)
                     throws javax.security.auth.login.LoginException
    The addRoles method adds roles to the authenticated subject. This method is protected to let users easily override only this method if they need a different behaviour.

    Parameters:
    subject - The subject
    principal - The authenticated principal
    cert - The certificate of the authenticated principal
    options - The options that were specified to this login module.
    Throws:
    javax.security.auth.login.LoginException
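The steps this module's javadoc describes (the keystore check from the class description and "Usage" section, the CN-as-principal rule from commit, and the user=role1,role2 role lookup that addRoles performs) as one added stand-alone example; this is not the ESB module's or the project's code. The class name, command-line arguments and the byte-for-byte certificate comparison are assumptions, and Java 16+ is assumed for the pattern-matching instanceof.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.FailedLoginException;
// Illustrative stand-alone check, not the ESB module's own code (class name is an assumption).
public final class CertificateCheckExample {
    /** Accept the presented certificate only if it is byte-for-byte the entry stored under alias. */
    static String verify(KeyStore ks, String alias, X509Certificate presented) throws Exception {
        if (!(ks.getCertificate(alias) instanceof X509Certificate trusted))
            throw new FailedLoginException("no X.509 certificate for alias " + alias);
        if (!Arrays.equals(trusted.getEncoded(), presented.getEncoded()))
            throw new FailedLoginException("certificate mismatch for alias " + alias);
        presented.checkValidity();      // also reject expired or not-yet-valid certificates
        return commonName(presented);   // the CN becomes the principal name
    }

    /** Extract CN from the subject DN, e.g. "CN=alice,O=Example" -> "alice". */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        throw new FailedLoginException("subject DN has no CN: " + dn);
    }

    /** roles.properties line "alice=role1,role2" -> [role1, role2]; an unknown user gets no roles. */
    static List<String> rolesFor(Properties roles, String user) {
        String v = roles.getProperty(user, "").trim();
        return v.isEmpty() ? List.of() : Arrays.asList(v.split("\\s*,\\s*"));
    }

    /** Usage: java CertificateCheckExample keystore.jks password alias client.pem roles.properties */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        X509Certificate presented;
        try (InputStream in = new FileInputStream(args[3])) {
            presented = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Properties roles = new Properties();
        try (InputStream in = new FileInputStream(args[4])) { roles.load(in); }
        String user = verify(ks, args[2], presented);
        System.out.println("authenticated " + user + " with roles " + rolesFor(roles, user));
    }
}
```

Because the comparison is on the encoded certificate rather than the key alone, a client whose certificate has been re-issued is rejected until the keystore entry is updated, which is the safe failure mode for a pinned-certificate scheme like this one.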