public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvider
AuthenticationProvider
implementation that retrieves user details from a
JAAS login configuration.
This AuthenticationProvider
is capable of validating
UsernamePasswordAuthenticationToken
requests contain the correct username and password.
This implementation is backed by a
JAAS configuration. The loginConfig property must be set to a given JAAS
configuration file. This setter accepts a Spring
Resource
instance. It should point to a JAAS
configuration file containing an index matching the
loginContextName
property.
For example: If this JaasAuthenticationProvider were configured in a Spring WebApplicationContext the xml to set the loginConfiguration could be as follows...
<property name="loginConfig"> <value>/WEB-INF/login.conf</value> </property>
The loginContextName should coincide with a given index in the loginConfig specifed. The loginConfig file used in the JUnit tests appears as the following...
JAASTest { org.springframework.security.authentication.jaas.TestLoginModule required; };Using the example login configuration above, the loginContextName property would be set as JAASTest...
<property name="loginContextName"> <value>JAASTest</value> </property>
When using JAAS login modules as the authentication source, sometimes the
LoginContext will require CallbackHandlers. The JaasAuthenticationProvider
uses an internal CallbackHandler to wrap the JaasAuthenticationCallbackHandler
s configured
in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
control is passed to each JaasAuthenticationCallbackHandler
for each Callback
passed.
JaasAuthenticationCallbackHandler
s are passed to the JaasAuthenticationProvider
through the
callbackHandlers
property.
<property name="callbackHandlers"> <list> <bean class="org.springframework.security.authentication.jaas.TestCallbackHandler"/> <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler
"/> <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler
"/> </list> </property>
After calling LoginContext.login(), the JaasAuthenticationProvider will retrieve the
returned Principals from the Subject (LoginContext.getSubject().getPrincipals). Each
returned principal is then passed to the configured AuthorityGranter
s. An
AuthorityGranter is a mapping between a returned Principal, and a role name. If an
AuthorityGranter wishes to grant an Authorization a role, it returns that role name
from it's AuthorityGranter.grant(java.security.Principal)
method. The returned
role will be applied to the Authorization object as a GrantedAuthority
.
AuthorityGranters are configured in spring xml as follows...
<property name="authorityGranters"> <list> <bean class="org.springframework.security.authentication.jaas.TestAuthorityGranter"/> </list> </property>A configuration note: The JaasAuthenticationProvider uses the security properties "login.config.url.X" to configure jaas. If you would like to customize the way Jaas gets configured, create a subclass of this and override the
configureJaas(Resource)
method.Modifier and Type | Field and Description |
---|---|
protected static org.apache.commons.logging.Log |
log |
Constructor and Description |
---|
JaasAuthenticationProvider() |
Modifier and Type | Method and Description |
---|---|
void |
afterPropertiesSet()
Validates the required properties are set.
|
protected void |
configureJaas(Resource loginConfig)
Hook method for configuring Jaas.
|
protected LoginContext |
createLoginContext(CallbackHandler handler)
Creates the LoginContext to be used for authentication.
|
Resource |
getLoginConfig() |
protected void |
publishFailureEvent(UsernamePasswordAuthenticationToken token,
AuthenticationException ase)
Publishes the
JaasAuthenticationFailedEvent . |
void |
setLoginConfig(Resource loginConfig)
Set the JAAS login configuration file.
|
void |
setRefreshConfigurationOnStartup(boolean refresh)
If set, a call to
Configuration#refresh() will be made by
#configureJaas(Resource) method. |
authenticate, getApplicationEventPublisher, handleLogout, onApplicationEvent, publishSuccessEvent, setApplicationEventPublisher, setAuthorityGranters, setCallbackHandlers, setLoginContextName, setLoginExceptionResolver, supports
public void afterPropertiesSet() throws Exception
AbstractJaasAuthenticationProvider
AbstractJaasAuthenticationProvider.setCallbackHandlers(JaasAuthenticationCallbackHandler[])
has not been
called with valid handlers, initializes to use JaasNameCallbackHandler
and
JaasPasswordCallbackHandler
.afterPropertiesSet
in interface InitializingBean
afterPropertiesSet
in class AbstractJaasAuthenticationProvider
Exception
protected LoginContext createLoginContext(CallbackHandler handler) throws LoginException
AbstractJaasAuthenticationProvider
createLoginContext
in class AbstractJaasAuthenticationProvider
handler
- The CallbackHandler that should be used for the LoginContext (never
null
).LoginException
protected void configureJaas(Resource loginConfig) throws IOException
loginConfig
- URL to Jaas login configurationIOException
- if there is a problem reading the config resource.protected void publishFailureEvent(UsernamePasswordAuthenticationToken token, AuthenticationException ase)
JaasAuthenticationFailedEvent
. Can be overridden by
subclasses for different functionalitypublishFailureEvent
in class AbstractJaasAuthenticationProvider
token
- The authentication token being processedase
- The excetion that caused the authentication failurepublic Resource getLoginConfig()
public void setLoginConfig(Resource loginConfig)
loginConfig
- public void setRefreshConfigurationOnStartup(boolean refresh)
Configuration#refresh()
will be made by
#configureJaas(Resource)
method. Defaults to true
.refresh
- set to false
to disable reloading of the configuration. May
be useful in some environments.