public abstract class AbstractJaasAuthenticationProvider extends java.lang.Object implements AuthenticationProvider, org.springframework.context.ApplicationEventPublisherAware, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationListener<SessionDestroyedEvent>
AuthenticationProvider
implementation that retrieves user details from a
JAAS login configuration.
This AuthenticationProvider
is capable of validating
UsernamePasswordAuthenticationToken
requests contain the correct username and password.
This implementation is backed by a
JAAS configuration that is provided by a subclass's implementation of
createLoginContext(CallbackHandler)
.
When using JAAS login modules as the authentication source, sometimes the LoginContext will require CallbackHandlers. The
AbstractJaasAuthenticationProvider uses an internal CallbackHandler to wrap the JaasAuthenticationCallbackHandler
s configured
in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
control is passed to each JaasAuthenticationCallbackHandler
for each Callback
passed.
JaasAuthenticationCallbackHandler
s are passed to the
AbstractJaasAuthenticationProvider through the
callbackHandlers
property.
<property name="callbackHandlers"> <list> <bean class="org.springframework.security.authentication.jaas.TestCallbackHandler"/> <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler
"/> <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler
"/> </list> </property>
After calling LoginContext.login(), the AbstractJaasAuthenticationProvider will
retrieve the returned Principals from the Subject
(LoginContext.getSubject().getPrincipals). Each returned principal is then passed to
the configured AuthorityGranter
s. An AuthorityGranter is a mapping between a
returned Principal, and a role name. If an AuthorityGranter wishes to grant an
Authorization a role, it returns that role name from it's
AuthorityGranter.grant(java.security.Principal)
method. The returned role will
be applied to the Authorization object as a GrantedAuthority
.
AuthorityGranters are configured in spring xml as follows...
<property name="authorityGranters"> <list> <bean class="org.springframework.security.authentication.jaas.TestAuthorityGranter"/> </list> </property>
Modifier and Type | Field and Description |
---|---|
protected org.apache.commons.logging.Log |
log |
Constructor and Description |
---|
AbstractJaasAuthenticationProvider() |
Modifier and Type | Method and Description |
---|---|
void |
afterPropertiesSet()
Validates the required properties are set.
|
Authentication |
authenticate(Authentication auth)
Attempts to login the user given the Authentication objects principal and
credential
|
protected abstract javax.security.auth.login.LoginContext |
createLoginContext(javax.security.auth.callback.CallbackHandler handler)
Creates the LoginContext to be used for authentication.
|
protected org.springframework.context.ApplicationEventPublisher |
getApplicationEventPublisher() |
protected void |
handleLogout(SessionDestroyedEvent event)
Handles the logout by getting the security contexts for the destroyed session and
invoking
LoginContext.logout() for any which contain a
JaasAuthenticationToken . |
void |
onApplicationEvent(SessionDestroyedEvent event) |
protected void |
publishFailureEvent(UsernamePasswordAuthenticationToken token,
AuthenticationException ase)
Publishes the
JaasAuthenticationFailedEvent . |
protected void |
publishSuccessEvent(UsernamePasswordAuthenticationToken token)
Publishes the
JaasAuthenticationSuccessEvent . |
void |
setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher) |
void |
setAuthorityGranters(AuthorityGranter[] authorityGranters)
Set the AuthorityGranters that should be consulted for role names to be granted to
the Authentication.
|
void |
setCallbackHandlers(JaasAuthenticationCallbackHandler[] callbackHandlers)
Set the JAASAuthentcationCallbackHandler array to handle callback objects generated
by the LoginContext.login method.
|
void |
setLoginContextName(java.lang.String loginContextName)
Set the loginContextName, this name is used as the index to the configuration
specified in the loginConfig property.
|
void |
setLoginExceptionResolver(LoginExceptionResolver loginExceptionResolver) |
boolean |
supports(java.lang.Class<?> aClass)
Returns
true if this AuthenticationProvider supports the
indicated Authentication object. |
public void afterPropertiesSet() throws java.lang.Exception
setCallbackHandlers(JaasAuthenticationCallbackHandler[])
has not been
called with valid handlers, initializes to use JaasNameCallbackHandler
and
JaasPasswordCallbackHandler
.afterPropertiesSet
in interface org.springframework.beans.factory.InitializingBean
java.lang.Exception
public Authentication authenticate(Authentication auth) throws AuthenticationException
authenticate
in interface AuthenticationProvider
auth
- The Authentication object to be authenticated.AuthenticationException
- This implementation does not handle 'locked' or
'disabled' accounts. This method only throws a AuthenticationServiceException, with
the message of the LoginException that will be thrown, should the
loginContext.login() method fail.protected abstract javax.security.auth.login.LoginContext createLoginContext(javax.security.auth.callback.CallbackHandler handler) throws javax.security.auth.login.LoginException
handler
- The CallbackHandler that should be used for the LoginContext (never
null
).javax.security.auth.login.LoginException
protected void handleLogout(SessionDestroyedEvent event)
LoginContext.logout()
for any which contain a
JaasAuthenticationToken
.event
- the session event which contains the current sessionpublic void onApplicationEvent(SessionDestroyedEvent event)
onApplicationEvent
in interface org.springframework.context.ApplicationListener<SessionDestroyedEvent>
protected void publishFailureEvent(UsernamePasswordAuthenticationToken token, AuthenticationException ase)
JaasAuthenticationFailedEvent
. Can be overridden by
subclasses for different functionalitytoken
- The authentication token being processedase
- The exception that caused the authentication failureprotected void publishSuccessEvent(UsernamePasswordAuthenticationToken token)
JaasAuthenticationSuccessEvent
. Can be overridden by
subclasses for different functionality.token
- The token being processedpublic void setAuthorityGranters(AuthorityGranter[] authorityGranters)
authorityGranters
- AuthorityGranter arrayJaasAuthenticationProvider
public void setCallbackHandlers(JaasAuthenticationCallbackHandler[] callbackHandlers)
callbackHandlers
- Array of JAASAuthenticationCallbackHandlerspublic void setLoginContextName(java.lang.String loginContextName)
loginContextName
- public void setLoginExceptionResolver(LoginExceptionResolver loginExceptionResolver)
public boolean supports(java.lang.Class<?> aClass)
AuthenticationProvider
true
if this AuthenticationProvider
supports the
indicated Authentication
object.
Returning true
does not guarantee an
AuthenticationProvider
will be able to authenticate the presented
instance of the Authentication
class. It simply indicates it can
support closer evaluation of it. An AuthenticationProvider
can still
return null
from the AuthenticationProvider.authenticate(Authentication)
method to
indicate another AuthenticationProvider
should be tried.
Selection of an AuthenticationProvider
capable of performing
authentication is conducted at runtime the ProviderManager
.
supports
in interface AuthenticationProvider
true
if the implementation can more closely evaluate the
Authentication
class presentedpublic void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
setApplicationEventPublisher
in interface org.springframework.context.ApplicationEventPublisherAware
protected org.springframework.context.ApplicationEventPublisher getApplicationEventPublisher()