org.picketlink.identity.federation.bindings.jboss.auth

Class SAML2LoginModule

java.lang.Object

org.jboss.security.auth.spi.AbstractServerLoginModule

org.jboss.security.auth.spi.UsernamePasswordLoginModule

org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule

All Implemented Interfaces:

LoginModule

public class SAML2LoginModule
extends UsernamePasswordLoginModule

Login Module that is capable of dealing with SAML2 cases

The password sent to this module should be ServiceProviderSAMLContext.EMPTY_PASSWORD

The username is available from ServiceProviderSAMLContext.getUserName() and roles is available from ServiceProviderSAMLContext.getRoles(). If the roles is null, then plugged in login modules in the stack have to provide the roles.

Since:

Feb 13, 2009

Author:

Anil.Saldhana@redhat.com

Field Summary

Fields

Modifier and Type	Field and Description
protected String	groupName

Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

callbackHandler, jbossModuleName, log, loginOk, options, principalClassModuleName, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass

Constructor Summary

Constructors

Constructor and Description
SAML2LoginModule()

Method Summary

Modifier and Type	Method and Description
protected Group[]	getRoleSets() Overriden by subclasses to return the Groups that correspond to the to the role sets assigned to the user.
protected String	getUsersPassword() Get the expected password for the current username available via the getUsername() method.
void	initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options) Override the superclass method to look for the following options after first invoking the super version.

Methods inherited from class org.jboss.security.auth.spi.UsernamePasswordLoginModule

createPasswordHash, getCredentials, getIdentity, getUnauthenticatedIdentity, getUsername, getUsernameAndPassword, getValidateError, login, safeClose, setValidateError, validatePassword

Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

abort, addValidOptions, checkOptions, commit, createGroup, createIdentity, getCallerPrincipalGroup, getUseFirstPass, logout

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

groupName

protected String groupName

Constructor Detail

SAML2LoginModule

public SAML2LoginModule()

Method Detail

initialize

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map<String,?> sharedState,
                       Map<String,?> options)

Description copied from class: UsernamePasswordLoginModule

Override the superclass method to look for the following options after first invoking the super version.

Specified by:

initialize in interface LoginModule

Overrides:

initialize in class UsernamePasswordLoginModule

Parameters:

subject - the Subject to update after a successful login.

callbackHandler - the CallbackHandler that will be used to obtain the the user identity and credentials.

sharedState - a Map shared between all configured login module instances

options - : option: hashAlgorithm - the message digest algorithm used to hash passwords. If null then plain passwords will be used. option: hashCharset - the name of the charset/encoding to use when converting the password String to a byte array. Default is the platform's default encoding. option: hashEncoding - the string encoding format to use. Defaults to base64. option: ignorePasswordCase: A flag indicating if the password comparison should ignore case. option: digestCallback - The class name of the DigestCallback DigestCallback implementation that includes pre/post digest content like salts for hashing the input password. Only used if hashAlgorithm has been specified. option: hashStorePassword - A flag indicating if the store password returned from #getUsersPassword() should be hashed . option: hashUserPassword - A flag indicating if the user entered password should be hashed. option: storeDigestCallback - The class name of the DigestCallback DigestCallback implementation that includes pre/post digest content like salts for hashing the store/expected password. Only used if hashStorePassword or hashUserPassword is true and hashAlgorithm has been specified.

getRoleSets

protected Group[] getRoleSets()
                       throws LoginException

Description copied from class: AbstractServerLoginModule

Overriden by subclasses to return the Groups that correspond to the to the role sets assigned to the user. Subclasses should create at least a Group named "Roles" that contains the roles assigned to the user. A second common group is "CallerPrincipal" that provides the application identity of the user rather than the security domain identity.

Specified by:

getRoleSets in class AbstractServerLoginModule

Returns:

Group[] containing the sets of roles

Throws:

LoginException

getUsersPassword

protected String getUsersPassword()
                           throws LoginException

Description copied from class: UsernamePasswordLoginModule

Get the expected password for the current username available via the getUsername() method. This is called from within the login() method after the CallbackHandler has returned the username and candidate password.

Specified by:

getUsersPassword in class UsernamePasswordLoginModule

Returns:

the valid password String

Throws:

LoginException