org.picketlink.trust.jbossws.jaas

Class SAMLRoleLoginModule

java.lang.Object

org.jboss.security.auth.spi.AbstractServerLoginModule

org.picketlink.trust.jbossws.jaas.SAMLRoleLoginModule

All Implemented Interfaces:

LoginModule

public class SAMLRoleLoginModule
extends AbstractServerLoginModule

A login module that extracts the roles from the SAML assertion that has been set in the Subject. This module is always a follow up to other modules such as JBWSTokenIssuingLoginModule

This login module checks the Subject for a SamlCredential in the public credentials section. From the credential, we extract the assertion. The assertion should contain the roles.

Since:

Jun 6, 2011

Author:

Anil.Saldhana@redhat.com

Field Summary

Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

callbackHandler, jbossModuleName, log, loginOk, options, principalClassModuleName, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass

Constructor Summary

Constructors

Constructor and Description
SAMLRoleLoginModule()

Method Summary

Modifier and Type	Method and Description
boolean	commit() Method to commit the authentication process (phase 2).
protected Principal	getIdentity() We first check the shared state for the principal.
protected Group[]	getRoleSets() Overriden by subclasses to return the Groups that correspond to the to the role sets assigned to the user.

Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

abort, addValidOptions, checkOptions, createGroup, createIdentity, getCallerPrincipalGroup, getUnauthenticatedIdentity, getUseFirstPass, initialize, login, logout

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAMLRoleLoginModule

public SAMLRoleLoginModule()

Method Detail

commit

public boolean commit()
               throws LoginException

Description copied from class: AbstractServerLoginModule

Method to commit the authentication process (phase 2). If the login method completed successfully as indicated by loginOk == true, this method adds the getIdentity() value to the subject getPrincipals() Set. It also adds the members of each Group returned by getRoleSets() to the subject getPrincipals() Set.

Specified by:

commit in interface LoginModule

Overrides:

commit in class AbstractServerLoginModule

Returns:

true always.

Throws:

LoginException

See Also:

Subject;, Group;

getIdentity

protected Principal getIdentity()

We first check the shared state for the principal. If not, we look inside the subject for a non-Group Principal

Specified by:

getIdentity in class AbstractServerLoginModule

getRoleSets

protected Group[] getRoleSets()
                       throws LoginException

Description copied from class: AbstractServerLoginModule

Overriden by subclasses to return the Groups that correspond to the to the role sets assigned to the user. Subclasses should create at least a Group named "Roles" that contains the roles assigned to the user. A second common group is "CallerPrincipal" that provides the application identity of the user rather than the security domain identity.

Specified by:

getRoleSets in class AbstractServerLoginModule

Returns:

Group[] containing the sets of roles

Throws:

LoginException