com.ibm.security.auth.module
Class Krb5LoginModule

java.lang.Object
  extended by com.ibm.security.auth.module.Krb5LoginModule
All Implemented Interfaces:
javax.security.auth.spi.LoginModule

public class Krb5LoginModule
extends java.lang.Object
implements javax.security.auth.spi.LoginModule

A JAAS LoginModule for acquiring Kerberos credentials.

Supported options (specified in a JAAS configuration file):

  1) Kerberos options:
       principal=principalName
       credsType=initiator|acceptor|both (default=initiator)
       forwardable=true|false (default=false)
       proxiable=true|false (default=false)
       renewable=true|false (default=false)
       useCcache=URL
       useKeytab=URL
       useDefaultCcache=true|false (default=false)
       useDefaultKeytab=true|false (default=false)
       noAddress=true|false (default=false)
  2) JAAS-suggested options:
       debug=true|false (default=unset, JGSS debug options used)
       tryFirstPass=true|false (default=false)
       useFirstPass=true|false (default=false)
       moduleBanner=true|false (default=false)

NOTES:
  1) Default realm (which is obtained from the Kerberos config file) is
     used if the principal specified does not include a realm component.
  2) debug option: true is equivalent to com.ibm.jgss.debug=all
                   false is equivalent to com.ibm.jgss.debug=off
     The debug option affects debug from the Login module only;
     other subcomponents of JGSS are not affected.
  3) Boolean options can be set to "true" or "yes", "false" or "no".
  4) The keytab and ccache options take precedence over tryFirstPass.
     If a keytab or ccache option is set in addition to tryFirstPass,
     the keytab or ccache is used and the principal saved in the shared state
     if login is successful. There will be no prompting for password if
     the login fails.
  5) The keytab and ccache options are incompatible with the
     useFirstPass option; specifying useFirstPass in conjunction with
     either a keytab or ccache option will cause an exception to be thrown.
  6) From the Java 1.4 JAAS guide:
       try_first_pass - If true, the first LoginModule in the stack
         saves the password entered, and subsequent LoginModules also
         try to use it. If authentication fails, the LoginModules prompt
         for a new password and retry the authentication.
       use_first_pass - If true, the first LoginModule in the stack
         saves the password entered, and subsequent LoginModules also
         try to use it. LoginModules do not prompt for a new password
         if authentication fails (authentication simply fails).
       moduleBanner - If true, then when invoking the CallbackHandler,
         the LoginModule provides a TextOutputCallback as the first Callback,
         which describes the LoginModule performing the authentication.
       debug - If true, instructs a LoginModule to output debugging information.
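
The option rules in notes 3 to 5 can be checked before a configuration is handed to JAAS. The following is an added example, not IBM's code and not part of the original documentation: it lints an option map and only builds the AppConfigurationEntry when no error is found. The class name Krb5OptionCheck, the sample principal and the keytab URL are assumptions, as is exact-case matching of boolean values.

```java
import java.util.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

public class Krb5OptionCheck {
    static final String MODULE = "com.ibm.security.auth.module.Krb5LoginModule";

    // Note 3: booleans are "true"/"yes" or "false"/"no". Exact-case matching is an assumption.
    static boolean flag(Map<String, String> opts, String key, List<String> out) {
        String v = opts.get(key);
        if (v == null) return false;            // the four options read here default to false
        if (v.equals("true") || v.equals("yes")) return true;
        if (!v.equals("false") && !v.equals("no")) out.add("ERROR " + key + "=" + v + ": not a boolean");
        return false;
    }

    static List<String> check(Map<String, String> opts) {
        List<String> out = new ArrayList<>();
        boolean defKeytab = flag(opts, "useDefaultKeytab", out);
        boolean defCcache = flag(opts, "useDefaultCcache", out);
        boolean stored = defKeytab || defCcache
                || opts.containsKey("useKeytab") || opts.containsKey("useCcache");
        boolean useFirst = flag(opts, "useFirstPass", out);
        boolean tryFirst = flag(opts, "tryFirstPass", out);
        if (stored && useFirst)   // note 5: incompatible combination
            out.add("ERROR useFirstPass with a keytab/ccache option: the module throws an exception");
        if (stored && tryFirst)   // note 4: keytab/ccache takes precedence
            out.add("WARN tryFirstPass is overridden by the keytab/ccache; no password prompt on failure");
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample options; principal and keytab URL are placeholders.
        Map<String, String> good = new LinkedHashMap<>();
        good.put("principal", "service/host.example.com");
        good.put("credsType", "acceptor");
        good.put("useKeytab", "file:/etc/krb5/service.keytab");

        Map<String, String> bad = new LinkedHashMap<>(good);
        bad.put("useFirstPass", "yes");   // trips note 5
        bad.put("tryFirstPass", "on");    // not an accepted boolean spelling (note 3)

        for (Map<String, String> opts : List.of(good, bad)) {
            List<String> findings = check(opts);
            System.out.println(opts + " -> " + findings);
            if (findings.stream().noneMatch(f -> f.startsWith("ERROR"))) {
                AppConfigurationEntry e = new AppConfigurationEntry(MODULE, LoginModuleControlFlag.REQUIRED, opts);
                System.out.println("  entry ready for " + e.getLoginModuleName());
            }
        }
    }
}
```

The check needs only the standard JDK classes; the IBM module is referenced by name and is not loaded until a LoginContext uses the entry.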
 

Author:
Thomas Owusu

Constructor Summary
Krb5LoginModule()
           
 
Method Summary
 boolean abort()
          DOCUMENT ME!
 boolean commit()
          DOCUMENT ME!
 void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options)
          DOCUMENT ME!
 boolean login()
          DOCUMENT ME!
 boolean logout()
          Logout the user.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

Krb5LoginModule

public Krb5LoginModule()

Method Detail

initialize

public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map sharedState,
                       java.util.Map options)
DOCUMENT ME!

Specified by:
initialize in interface javax.security.auth.spi.LoginModule
Parameters:
subject - DOCUMENT ME!
callbackHandler - DOCUMENT ME!
sharedState - DOCUMENT ME!
options - DOCUMENT ME!

login

public boolean login()
              throws javax.security.auth.login.LoginException
DOCUMENT ME!

Specified by:
login in interface javax.security.auth.spi.LoginModule
Returns:
DOCUMENT ME!
Throws:
javax.security.auth.login.LoginException - DOCUMENT ME!

commit

public boolean commit()
               throws javax.security.auth.login.LoginException
DOCUMENT ME!

Specified by:
commit in interface javax.security.auth.spi.LoginModule
Returns:
DOCUMENT ME!
Throws:
javax.security.auth.login.LoginException - DOCUMENT ME!

abort

public boolean abort()
              throws javax.security.auth.login.LoginException
DOCUMENT ME!

Specified by:
abort in interface javax.security.auth.spi.LoginModule
Returns:
DOCUMENT ME!
Throws:
javax.security.auth.login.LoginException - DOCUMENT ME!

logout

public boolean logout()
               throws javax.security.auth.login.LoginException
Logout the user.

This method removes the NTPrincipal that was added by the commit method.

Specified by:
logout in interface javax.security.auth.spi.LoginModule
Returns:
true in all cases since this LoginModule should not be ignored.
Throws:
javax.security.auth.login.LoginException - if the logout fails.