com.sun.jmx.remote.security: public class: FileLoginModule

com.sun.jmx.remote.security
public class: FileLoginModule [javadoc | source]

java.lang.Object
   com.sun.jmx.remote.security.FileLoginModule

All Implemented Interfaces:
LoginModule

This LoginModule performs file-based authentication.

A supplied username and password is verified against the corresponding user credentials stored in a designated password file. If successful then a new JMXPrincipal is created with the user's name and it is associated with the current Subject . Such principals may be identified and granted management privileges in the access control file for JMX remote management or in a Java security policy.

The password file comprises a list of key-value pairs as specified in Properties . The key represents a user's name and the value is its associated cleartext password. By default, the following password file is used:

    ${java.home}/lib/management/jmxremote.password

A different password file can be specified via the passwordFile configuration option.

This module recognizes the following Configuration options:

passwordFile: the path to an alternative password file. It is used instead of the default password file.
useFirstPass: if true, this module retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, no attempt for a retry is made, and the failure is reported back to the calling application.
tryFirstPass: if true, this module retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the CallbackHandler to retrieve a new username and password, and another attempt to authenticate is made. If the authentication fails, the failure is reported back to the calling application.
storePass: if true, this module stores the username and password obtained from the CallbackHandler in the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. This is not performed if existing values already exist for the username and password in the shared state, or if authentication fails.
clearPass: if true, this module clears the username and password stored in the module's shared state after both phases of authentication (login and commit) have completed.

Method from com.sun.jmx.remote.security.FileLoginModule Summary:
abort, commit, initialize, login, logout

Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from com.sun.jmx.remote.security.FileLoginModule Detail:
public boolean abort() throws LoginException { if (logger.debugOn()) { logger.debug("abort", "Authentication has not completed successfully"); } if (succeeded == false) { return false; } else if (succeeded == true && commitSucceeded == false) { // Clean out state succeeded = false; cleanState(); user = null; } else { // overall authentication succeeded and commit succeeded, // but someone else's commit failed logout(); } return true; } Abort user authentication (Authentication Phase 2). This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed). If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the `login` and `commit` methods), then this method cleans up any state that was originally saved.
public boolean commit() throws LoginException { if (succeeded == false) { return false; } else { if (subject.isReadOnly()) { cleanState(); throw new LoginException("Subject is read-only"); } // add Principals to the Subject if (!subject.getPrincipals().contains(user)) { subject.getPrincipals().add(user); } if (logger.debugOn()) { logger.debug("commit", "Authentication has completed successfully"); } } // in any case, clean out state cleanState(); commitSucceeded = true; return true; } Complete user authentication (Authentication Phase 2). This method is called if the LoginContext's overall authentication has succeeded (all the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules have succeeded). If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the `login` method), then this method associates a `JMXPrincipal` with the `Subject` located in the `LoginModule`. If this LoginModule's own authentication attempted failed, then this method removes any state that was originally saved.
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) { this.subject = subject; this.callbackHandler = callbackHandler; this.sharedState = Util.cast(sharedState); this.options = options; // initialize any configured options tryFirstPass = "true".equalsIgnoreCase((String)options.get("tryFirstPass")); useFirstPass = "true".equalsIgnoreCase((String)options.get("useFirstPass")); storePass = "true".equalsIgnoreCase((String)options.get("storePass")); clearPass = "true".equalsIgnoreCase((String)options.get("clearPass")); passwordFile = (String)options.get("passwordFile"); passwordFileDisplayName = passwordFile; userSuppliedPasswordFile = true; // set the location of the password file if (passwordFile == null) { passwordFile = DEFAULT_PASSWORD_FILE_NAME; userSuppliedPasswordFile = false; try { System.getProperty("java.home"); hasJavaHomePermission = true; passwordFileDisplayName = passwordFile; } catch (SecurityException e) { hasJavaHomePermission = false; passwordFileDisplayName = ConnectorBootstrap.DefaultValues.PASSWORD_FILE_NAME; } } } Initialize this `LoginModule`.
public boolean login() throws LoginException { try { loadPasswordFile(); } catch (IOException ioe) { LoginException le = new LoginException( "Error: unable to load the password file: " + passwordFileDisplayName); throw EnvHelp.initCause(le, ioe); } if (userCredentials == null) { throw new LoginException ("Error: unable to locate the users' credentials."); } if (logger.debugOn()) { logger.debug("login", "Using password file: " + passwordFileDisplayName); } // attempt the authentication if (tryFirstPass) { try { // attempt the authentication by getting the // username and password from shared state attemptAuthentication(true); // authentication succeeded succeeded = true; if (logger.debugOn()) { logger.debug("login", "Authentication using cached password has succeeded"); } return true; } catch (LoginException le) { // authentication failed -- try again below by prompting cleanState(); logger.debug("login", "Authentication using cached password has failed"); } } else if (useFirstPass) { try { // attempt the authentication by getting the // username and password from shared state attemptAuthentication(true); // authentication succeeded succeeded = true; if (logger.debugOn()) { logger.debug("login", "Authentication using cached password has succeeded"); } return true; } catch (LoginException le) { // authentication failed cleanState(); logger.debug("login", "Authentication using cached password has failed"); throw le; } } if (logger.debugOn()) { logger.debug("login", "Acquiring password"); } // attempt the authentication using the supplied username and password try { attemptAuthentication(false); // authentication succeeded succeeded = true; if (logger.debugOn()) { logger.debug("login", "Authentication has succeeded"); } return true; } catch (LoginException le) { cleanState(); logger.debug("login", "Authentication has failed"); throw le; } } Begin user authentication (Authentication Phase 1). Acquire the user's name and password and verify them against the corresponding credentials from the password file.
public boolean logout() throws LoginException { if (subject.isReadOnly()) { cleanState(); throw new LoginException ("Subject is read-only"); } subject.getPrincipals().remove(user); // clean out state cleanState(); succeeded = false; commitSucceeded = false; user = null; if (logger.debugOn()) { logger.debug("logout", "Subject is being logged out"); } return true; } Logout a user. This method removes the Principals that were added by the `commit` method.

Method from com.sun.jmx.remote.security.FileLoginModule Detail:

 public boolean abort() throws LoginException {
        if (logger.debugOn()) {
            logger.debug("abort",
                "Authentication has not completed successfully");
        }
        if (succeeded == false) {
            return false;
        } else if (succeeded == true && commitSucceeded == false) {
            // Clean out state
            succeeded = false;
            cleanState();
            user = null;
        } else {
            // overall authentication succeeded and commit succeeded,
            // but someone else's commit failed
            logout();
        }
        return true;
}

This method is called if the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login and commit methods), then this method cleans up any state that was originally saved.

 public boolean commit() throws LoginException {
        if (succeeded == false) {
            return false;
        } else {
            if (subject.isReadOnly()) {
                cleanState();
                throw new LoginException("Subject is read-only");
            }
            // add Principals to the Subject
            if (!subject.getPrincipals().contains(user)) {
                subject.getPrincipals().add(user);
            }
            if (logger.debugOn()) {
                logger.debug("commit",
                    "Authentication has completed successfully");
            }
        }
        // in any case, clean out state
        cleanState();
        commitSucceeded = true;
        return true;
}

This method is called if the LoginContext's overall authentication has succeeded (all the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules have succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates a JMXPrincipal with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes any state that was originally saved.

 public  void initialize(Subject subject,
    CallbackHandler callbackHandler,
    Map<String, ?> sharedState,
    Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = Util.cast(sharedState);
        this.options = options;
        // initialize any configured options
        tryFirstPass =
                "true".equalsIgnoreCase((String)options.get("tryFirstPass"));
        useFirstPass =
                "true".equalsIgnoreCase((String)options.get("useFirstPass"));
        storePass =
                "true".equalsIgnoreCase((String)options.get("storePass"));
        clearPass =
                "true".equalsIgnoreCase((String)options.get("clearPass"));
        passwordFile = (String)options.get("passwordFile");
        passwordFileDisplayName = passwordFile;
        userSuppliedPasswordFile = true;
        // set the location of the password file
        if (passwordFile == null) {
            passwordFile = DEFAULT_PASSWORD_FILE_NAME;
            userSuppliedPasswordFile = false;
            try {
                System.getProperty("java.home");
                hasJavaHomePermission = true;
                passwordFileDisplayName = passwordFile;
            } catch (SecurityException e) {
                hasJavaHomePermission = false;
                passwordFileDisplayName =
                        ConnectorBootstrap.DefaultValues.PASSWORD_FILE_NAME;
            }
        }
}

LoginModule

 public boolean login() throws LoginException {
        try {
            loadPasswordFile();
        } catch (IOException ioe) {
            LoginException le = new LoginException(
                    "Error: unable to load the password file: " +
                    passwordFileDisplayName);
            throw EnvHelp.initCause(le, ioe);
        }
        if (userCredentials == null) {
            throw new LoginException
                ("Error: unable to locate the users' credentials.");
        }
        if (logger.debugOn()) {
            logger.debug("login",
                    "Using password file: " + passwordFileDisplayName);
        }
        // attempt the authentication
        if (tryFirstPass) {
            try {
                // attempt the authentication by getting the
                // username and password from shared state
                attemptAuthentication(true);
                // authentication succeeded
                succeeded = true;
                if (logger.debugOn()) {
                    logger.debug("login",
                        "Authentication using cached password has succeeded");
                }
                return true;
            } catch (LoginException le) {
                // authentication failed -- try again below by prompting
                cleanState();
                logger.debug("login",
                    "Authentication using cached password has failed");
            }
        } else if (useFirstPass) {
            try {
                // attempt the authentication by getting the
                // username and password from shared state
                attemptAuthentication(true);
                // authentication succeeded
                succeeded = true;
                if (logger.debugOn()) {
                    logger.debug("login",
                        "Authentication using cached password has succeeded");
                }
                return true;
            } catch (LoginException le) {
                // authentication failed
                cleanState();
                logger.debug("login",
                    "Authentication using cached password has failed");
                throw le;
            }
        }
        if (logger.debugOn()) {
            logger.debug("login", "Acquiring password");
        }
        // attempt the authentication using the supplied username and password
        try {
            attemptAuthentication(false);
            // authentication succeeded
            succeeded = true;
            if (logger.debugOn()) {
                logger.debug("login", "Authentication has succeeded");
            }
            return true;
        } catch (LoginException le) {
            cleanState();
            logger.debug("login", "Authentication has failed");
            throw le;
        }
}

Acquire the user's name and password and verify them against the corresponding credentials from the password file.

 public boolean logout() throws LoginException {
        if (subject.isReadOnly()) {
            cleanState();
            throw new LoginException ("Subject is read-only");
        }
        subject.getPrincipals().remove(user);
        // clean out state
        cleanState();
        succeeded = false;
        commitSucceeded = false;
        user = null;
        if (logger.debugOn()) {
            logger.debug("logout", "Subject is being logged out");
        }
        return true;
}

This method removes the Principals that were added by the commit method.