Class JaasAuthenticationProvider

java.lang.Object
org.springframework.security.authentication.jaas.AbstractJaasAuthenticationProvider
org.springframework.security.authentication.jaas.JaasAuthenticationProvider
All Implemented Interfaces:
EventListener, org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.ApplicationListener<SessionDestroyedEvent>, AuthenticationProvider

public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvider
An AuthenticationProvider implementation that retrieves user details from a JAAS login configuration.

This AuthenticationProvider is capable of validating UsernamePasswordAuthenticationToken requests contain the correct username and password.

This implementation is backed by a JAAS configuration. The loginConfig property must be set to a given JAAS configuration file. This setter accepts a Spring Resource instance. It should point to a JAAS configuration file containing an index matching the loginContextName property.

For example: If this JaasAuthenticationProvider were configured in a Spring WebApplicationContext the xml to set the loginConfiguration could be as follows...

 <property name="loginConfig">
   <value>/WEB-INF/login.conf</value>
 </property>
 

The loginContextName should coincide with a given index in the loginConfig specified. The loginConfig file used in the JUnit tests appears as the following...

 JAASTest {
   org.springframework.security.authentication.jaas.TestLoginModule required;
 };
 
Using the example login configuration above, the loginContextName property would be set as JAASTest...
  <property name="loginContextName"> <value>JAASTest</value> </property>
 

When using JAAS login modules as the authentication source, sometimes the LoginContext will require CallbackHandlers. The JaasAuthenticationProvider uses an internal CallbackHandler to wrap the JaasAuthenticationCallbackHandlers configured in the ApplicationContext. When the LoginContext calls the internal CallbackHandler, control is passed to each JaasAuthenticationCallbackHandler for each Callback passed.

JaasAuthenticationCallbackHandlers are passed to the JaasAuthenticationProvider through the callbackHandlers property.

 <property name="callbackHandlers">
   <list>
     <bean class="org.springframework.security.authentication.jaas.TestCallbackHandler"/>
     <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler"/>
     <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler"/>
  </list>
 </property>
 

After calling LoginContext.login(), the JaasAuthenticationProvider will retrieve the returned Principals from the Subject (LoginContext.getSubject().getPrincipals). Each returned principal is then passed to the configured AuthorityGranters. An AuthorityGranter is a mapping between a returned Principal, and a role name. If an AuthorityGranter wishes to grant an Authorization a role, it returns that role name from it's AuthorityGranter.grant(java.security.Principal) method. The returned role will be applied to the Authorization object as a GrantedAuthority.

AuthorityGranters are configured in spring xml as follows...

 <property name="authorityGranters">
   <list>
     <bean class="org.springframework.security.authentication.jaas.TestAuthorityGranter"/>
   </list>
  </property>
 
A configuration note: The JaasAuthenticationProvider uses the security properties "login.config.url.X" to configure jaas. If you would like to customize the way Jaas gets configured, create a subclass of this and override the configureJaas(Resource) method.