Examples of javax.security.auth.login.Configuration

• javax.security.auth.login.Configuration
  A Configuration object is responsible for specifying which LoginModules should be used for a particular application, and in what order the LoginModules should be invoked.

  A login configuration contains the following information. Note that this example only represents the default syntax for the {@code Configuration}. Subclass implementations of this class may implement alternative syntaxes and may retrieve the {@code Configuration} from any source such as files, databases,or servers.

   Name { ModuleClass  Flag    ModuleOptions; ModuleClass  Flag    ModuleOptions; ModuleClass  Flag    ModuleOptions; }; Name { ModuleClass  Flag    ModuleOptions; ModuleClass  Flag    ModuleOptions; }; other { ModuleClass  Flag    ModuleOptions; ModuleClass  Flag    ModuleOptions; }; 

  Each entry in the {@code Configuration} is indexed via anapplication name, Name, and contains a list of LoginModules configured for that application. Each {@code LoginModule}is specified via its fully qualified class name. Authentication proceeds down the module list in the exact order specified. If an application does not have a specific entry, it defaults to the specific entry for "other".

  The Flag value controls the overall behavior as authentication proceeds down the stack. The following represents a description of the valid values for Flag and their respective semantics:

   1) Required     - The  {@code LoginModule} is required to succeed.If it succeeds or fails, authentication still continues to proceed down the  {@code LoginModule} list.2) Requisite    - The  {@code LoginModule} is required to succeed.If it succeeds, authentication continues down the {@code LoginModule} list.  If it fails,control immediately returns to the application (authentication does not proceed down the {@code LoginModule} list).3) Sufficient   - The  {@code LoginModule} is not required tosucceed.  If it does succeed, control immediately returns to the application (authentication does not proceed down the  {@code LoginModule} list).If it fails, authentication continues down the {@code LoginModule} list.4) Optional     - The  {@code LoginModule} is not required tosucceed.  If it succeeds or fails, authentication still continues to proceed down the {@code LoginModule} list.

  The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient {@code LoginModule} is configured and succeeds,then only the Required and Requisite LoginModules prior to that Sufficient {@code LoginModule} need to have succeeded forthe overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional {@code LoginModule} must succeed.

  ModuleOptions is a space separated list of {@code LoginModule}-specific values which are passed directly to the underlying LoginModules. Options are defined by the {@code LoginModule} itself, and control the behavior within it.For example, a {@code LoginModule} may define options to supportdebugging/testing capabilities. The correct way to specify options in the {@code Configuration} is by using the following key-value pairing:debug="true". The key and value should be separated by an 'equals' symbol, and the value should be surrounded by double quotes. If a String in the form, ${system.property}, occurs in the value, it will be expanded to the value of the system property. Note that there is no limit to the number of options a {@code LoginModule} may define.

  The following represents an example {@code Configuration} entrybased on the syntax above:

   Login { com.sun.security.auth.module.UnixLoginModule required; com.sun.security.auth.module.Krb5LoginModule optional useTicketCache="true" ticketCache="${user.home}${/}tickets"; }; 

  This {@code Configuration} specifies that an application named,"Login", requires users to first authenticate to the com.sun.security.auth.module.UnixLoginModule, which is required to succeed. Even if the UnixLoginModule authentication fails, the com.sun.security.auth.module.Krb5LoginModule still gets invoked. This helps hide the source of failure. Since the Krb5LoginModule is Optional, the overall authentication succeeds only if the UnixLoginModule (Required) succeeds.

  Also note that the LoginModule-specific options, useTicketCache="true" and ticketCache=${user.home}${/}tickets", are passed to the Krb5LoginModule. These options instruct the Krb5LoginModule to use the ticket cache at the specified location. The system properties, user.home and / (file.separator), are expanded to their respective values.

  There is only one Configuration object installed in the runtime at any given time. A Configuration object can be installed by calling the {@code setConfiguration} method. The installed Configuration objectcan be obtained by calling the {@code getConfiguration} method.

  If no Configuration object has been installed in the runtime, a call to {@code getConfiguration} installs an instance of the defaultConfiguration implementation (a default subclass implementation of this abstract class). The default Configuration implementation can be changed by setting the value of the {@code login.configuration.provider} security property to the fullyqualified name of the desired Configuration subclass implementation.

  Application code can directly subclass Configuration to provide a custom implementation. In addition, an instance of a Configuration object can be constructed by invoking one of the {@code getInstance} factory methodswith a standard type. The default policy type is "JavaLoginConfig". See the Configuration section in the Java Cryptography Architecture Standard Algorithm Name Documentation for a list of standard Configuration types. @see javax.security.auth.login.LoginContext @see java.security.Security security properties

      private Object target;
      private LoginContext loginContext;

      public JaasSecurityHandler(Object target, final String username, final String password) {
          this.target = target;
          Configuration jaasConfig = new JBossConfiguration();
          try {
              this.loginContext = new LoginContext(JBossConfiguration.JBOSS_ENTRY_NAME, null, new CallbackHandler() {

          @Override
          public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

      throws MBeanException, ReflectionException
   {
      Object value = null;
      if( method.equals("getConfiguration") )
      {
         Configuration currentConfig = (Configuration) args[0];
         value = this.getConfiguration(currentConfig);
      }
      return value;
   }

    *
    * @param loginConfig a reference to the {@code XMLLoginConfig} instance.
    */
   public synchronized void pushLoginConfig(XMLLoginConfig loginConfig)
   {
      Configuration prevConfig = null;
      if (!this.loginConfigStack.empty())
         prevConfig = this.loginConfigStack.peek();
      Configuration configuration = loginConfig.getConfiguration(prevConfig);
      Configuration.setConfiguration(configuration);
      this.loginConfigStack.push(configuration);
      log.debug("Installed JAAS configuration: " + configuration);
   }

         params={@ManagementParameter(name="objectName", description="The identifier of the MBean that contains the Configuration")},
         impact = Impact.WriteOnly)
   public synchronized void pushLoginConfig(String objectName) throws JMException, MalformedObjectNameException
   {
      ObjectName name = new ObjectName(objectName);
      Configuration prevConfig = null;
      if (!this.loginConfigStack.empty())
         prevConfig = this.loginConfigStack.peek();

      this.loginConfigStack.push(installConfig(name, prevConfig));
   }

            super.log.debug("Unable to pop configuration: configuration stack is empty");
         return;
      }

      // remove the current configuration from the stack.
      Configuration currentConfig = this.loginConfigStack.pop();
      if (!this.loginConfigStack.empty())
      {
         // if there is a previous configuration, install it as the current instance.
         Configuration previousConfig = this.loginConfigStack.peek();
         if (super.log.isDebugEnabled())
            super.log.debug("Installing previous configuration " + previousConfig.getClass().getName());
         Configuration.setConfiguration(previousConfig);
      }
      else
      {
         if(super.log.isDebugEnabled())

    */
   private Configuration installConfig(ObjectName name, Configuration prevConfig) throws JMException
   {
      Object[] args = {prevConfig};
      String[] signature = {"javax.security.auth.login.Configuration"};
      Configuration config = (Configuration) this.getMbeanServer().invoke(name, "getConfiguration", args, signature);
      Configuration.setConfiguration(config);
      log.debug("Installed JAAS Configuration service=" + name + ", config=" + config);
      return config;
   }

      Configuration.setConfiguration(config);
   }

   public void testSecurityDomainLoginModuleOption() throws Exception
   {
      Configuration config = Configuration.getConfiguration();
      String validSecurityDomain = "testUsersRoles";
      String invalidSecurityDomain = "doesNotExist";

      getLog().info("testSecurityDomainLoginModuleOption");

      //get the app configuration for a valid security domain...
      AppConfigurationEntry[] entries = config.getAppConfigurationEntry(validSecurityDomain);
      assertTrue("Entries not null",entries != null);

      //for each login module configured in domain, check that the option is set as expected.
      for (int i=0;i<entries.length;i++)
      {
   String loginModuleClass = entries[i].getLoginModuleName();
         String flag = entries[i].getControlFlag().toString();
   Map options = entries[i].getOptions();

   getLog().info(loginModuleClass + " is " + flag + "\nWith options...\n" + options);

   String option = (String)options.get(SecurityConstants.SECURITY_DOMAIN_OPTION);
   assertTrue("Security domain option has value \"" + option +
        "\", it should be \"" + validSecurityDomain + "\"",
        option.equals(validSecurityDomain));
      }

      //now get the app configuration for a domain that does not exist.
      entries = config.getAppConfigurationEntry(invalidSecurityDomain);
      assertTrue("Entries not null", entries != null);

      //for each login module config'ed in domain, check that the option is set as "other"
      for (int i=0;i<entries.length;i++)
      {

            username = principal.toString();
         }

         UsernamePasswordHandler handler = new UsernamePasswordHandler(username,
            credentials);
         Configuration conf = getConfiguration();
         // Do the JAAS login
         LoginContext lc = new LoginContext(protocol, null, handler, conf);
         lc.login();
      }
      catch(LoginException e)

    * Either call Configuration.getConfiguration() like LoginContext does, or if that fails due to no
    * auth.conf or whatever config file, then return DummyConfiguration which does what we expect for
    * UsernamePasswordHandler.
    */
   private Configuration getConfiguration() {
      Configuration conf = null;
      try {
        conf = Configuration.getConfiguration();
      } catch (Exception e) {
        if(e.getCause() instanceof IOException) { //no auth.conf or whatever so we make our own dummy
            conf = new DummyConfiguration();

 */
public class SecurityTest extends AbstractSeamTest
{
   private Configuration createMockJAASConfiguration()
   {
      return new Configuration()
      {
         private AppConfigurationEntry[] aces = { new AppConfigurationEntry(
               MockLoginModule.class.getName(),
               LoginModuleControlFlag.REQUIRED,
               new HashMap<String,String>()