- java.lang.Object
-
- com.sun.security.auth.module.Krb5LoginModule
-
- 实现的所有接口
-
LoginModule
public class Krb5LoginModule extends Object implements LoginModule
此LoginModule
使用Kerberos协议对用户进行身份验证。Krb5LoginModule
的配置条目有几个选项可用于控制身份验证过程以及对Subject
的专用凭据集的添加。 无论这些选项如何,Subject
的主要集和私有凭证集仅在commit
时更新。 当commit
,KerberosPrincipal
被添加到Subject
的主体集中(除非将principal
指定为“*”)。 如果isInitiator
为true,则将KerberosTicket
添加到Subject
的专用凭证中。如果
KerberosLoginModule
的配置条目将选项storeKey
设置为true,则KerberosKey
或KeyTab
添加到主题的专用凭证中。KerberosKey
,主体的密钥将从用户的密码派生,KeyTab
是useKeyTab
设置为true时使用的密钥表。 除非主值为“*”,否则KeyTab
对象仅限于由指定的主体使用。LoginModule
识别doNotPrompt
选项。 如果设置为true,则不会提示用户输入密码。用户可以使用配置条目中的选项
ticketCache
指定票证缓存的位置。用户可以使用配置条目中的选项
keyTab
指定密钥表位置。可以使用选项
principal
在配置条目中指定主体名称。 主体名称可以是简单的用户名,服务名称,如host/mission.eng.sun.com
,或“*”。 也可以使用系统属性sun.security.krb5.principal
设置sun.security.krb5.principal
。 登录期间会检查此属性。 如果未设置此属性,则使用配置中的主体名称。 如果未设置principal属性且主条目也不存在,则会提示用户输入名称。 如果设置了此属性,并且useTicketCache
设置为true,则仅使用属于此主体的TGT。以下是
Krb5LoginModule
支持的配置选项列表:-
refreshKrb5Config
: -
Set this to true, if you want the configuration to be refreshed before the
login
method is called. -
useTicketCache
: -
Set this to true, if you want the TGT to be obtained from the ticket cache. Set this option to false if you do not want this module to use the ticket cache. (Default is False). This module will search for the ticket cache in the following locations: On Solaris and Linux it will look for the ticket cache in /tmp/krb5cc_
uid
where the uid is numeric user identifier. If the ticket cache is not available in the above location, or if we are on a Windows platform, it will look for the cache as {user.home}{file.separator}krb5cc_{user.name}. You can override the ticket cache location by usingticketCache
. For Windows, if a ticket cannot be retrieved from the file ticket cache, it will use Local Security Authority (LSA) API to get the TGT. -
ticketCache
: -
Set this to the name of the ticket cache that contains user's TGT. If this is set,
useTicketCache
must also be set to true; Otherwise a configuration error will be returned. -
renewTGT
: -
Set this to true, if you want to renew the TGT when it's more than half-way expired (the time until expiration is less than the time since start time). If this is set,
useTicketCache
must also be set to true; otherwise a configuration error will be returned. -
doNotPrompt
: - Set this to true if you do not want to be prompted for the password if credentials can not be obtained from the cache, the keytab, or through shared state.(Default is false) If set to true, credential must be obtained through cache, keytab, or shared state. Otherwise, authentication will fail.
-
useKeyTab
: -
Set this to true if you want the module to get the principal's key from the the keytab.(default value is False) If
keytab
is not set then the module will locate the keytab from the Kerberos configuration file. If it is not specified in the Kerberos configuration file then it will look for the file{user.home}{file.separator}
krb5.keytab. -
keyTab
: - Set this to the file name of the keytab to get principal's secret key.
-
storeKey
: -
Set this to true to if you want the keytab or the principal's key to be stored in the Subject's private credentials. For
isInitiator
being false, ifprincipal
is "*", theKeyTab
stored can be used by anyone, otherwise, it's restricted to be used by the specified principal only. -
principal
: -
The name of the principal that should be used. The principal can be a simple username such as "
testuser
" or a service name such as "host/testhost.eng.sun.com
". You can use theprincipal
option to set the principal when there are credentials for multiple principals in thekeyTab
or when you want a specific ticket cache only. The principal can also be set using the system propertysun.security.krb5.principal
. In addition, if this system property is defined, then it will be used. If this property is not set, then the principal name from the configuration will be used. The principal name can be set to "*" whenisInitiator
is false. In this case, the acceptor is not bound to a single principal. It can act as any principal an initiator requests if keys for that principal can be found. WhenisInitiator
is true, the principal name cannot be set to "*". -
isInitiator
: - Set this to true, if initiator. Set this to false, if acceptor only. (Default is true). Note: Do not set this value to false for initiators.
此
LoginModule
还识别以下附加的Configuration
选项,使您可以跨不同的身份验证模块共享用户名和密码:-
useFirstPass
: - if, true, this LoginModule retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, no attempt for a retry is made, and the failure is reported back to the calling application.
-
tryFirstPass
: - if, true, this LoginModule retrieves the the username and password from the module's shared state using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the CallbackHandler to retrieve a new username and password, and another attempt to authenticate is made. If the authentication fails, the failure is reported back to the calling application
-
storePass
: - if, true, this LoginModule stores the username and password obtained from the CallbackHandler in the modules shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. This is not performed if existing values already exist for the username and password in the shared state, or if authentication fails.
-
clearPass
: - if, true, this LoginModule clears the username and password stored in the module's shared state after both phases of authentication (login and commit) have completed.
如果已提供主体系属性或键,则忽略共享状态中“javax.security.auth.login.name”的值。
当提供多种检索票证或密钥的机制时,首选项顺序为:
- 票证缓存
- 密钥表
- 共享国家
- 用户提示
请注意,如果任何步骤失败,它将回退到下一步。 只有一个例外,如果共享状态步骤失败并且
useFirstPass = true
,则不会发出用户提示。JAAS配置文件中Krb5LoginModule的一些配置值示例,结果如下:
This is an illegal combination since none ofdoNotPrompt = true
useTicketCache, useKeyTab, useFirstPass
andtryFirstPass
is set and the user can not be prompted for the password.
This is an illegal combination sinceticketCache = <filename>
useTicketCache
is not set to true and the ticketCache is set. A configuration error will occur.
This is an illegal combination sincerenewTGT = true
useTicketCache
is not set to true and renewTGT is set. A configuration error will occur.
This is an illegal combination sincestoreKey = true useTicketCache = true doNotPrompt = true
storeKey
is set to true but the key can not be obtained either by prompting the user or from the keytab, or from the shared state. A configuration error will occur.
This is an illegal combination since useKeyTab is not set to true and the keyTab is set. A configuration error will occur.keyTab = <filename> doNotPrompt = true
Prompt the user for the principal name and the password. Use the authentication exchange to get TGT from the KDC and populate thedebug = true
Subject
with the principal and TGT. Output debug messages.
Check the default cache for TGT and populate theuseTicketCache = true doNotPrompt = true
Subject
with the principal and TGT. If the TGT is not available, do not prompt the user, instead fail the authentication.
Get the TGT from the default cache for the principal and populate the Subject's principal and private creds set. If ticket cache is not available or does not contain the principal's TGT authentication will fail.principal = <name> useTicketCache = true doNotPrompt = true
Search the cache for the principal's TGT. If it is not available use the key in the keytab to perform authentication exchange with the KDC and acquire the TGT. The Subject will be populated with the principal and the TGT. If the key is not available or valid then authentication will fail.useTicketCache = true ticketCache = <file name> useKeyTab = true keyTab = <keytab filename> principal = <principal name> doNotPrompt = true
The TGT will be obtained from the cache specified. The Kerberos principal name used will be the principal name in the Ticket cache. If the TGT is not available in the ticket cache the user will be prompted for the principal name and the password. The TGT will be obtained using the authentication exchange with the KDC. The Subject will be populated with the TGT.useTicketCache = true ticketCache = <filename>
The key for the principal will be retrieved from the keytab. If the key is not available in the keytab the user will be prompted for the principal's password. The Subject will be populated with the principal's key either from the keytab or derived from the password entered.useKeyTab = true keyTab=<keytab filename> principal = <principal name> storeKey = true
The user will be prompted for the service principal name. If the principal's longterm key is available in the keytab , it will be added to the Subject's private credentials. An authentication exchange will be attempted with the principal name and the key from the Keytab. If successful the TGT will be added to the Subject's private credentials set. Otherwise the authentication will fail.useKeyTab = true keyTab = <keytabname> storeKey = true doNotPrompt = false
The acceptor will be an unbound acceptor and it can act as any principal as long that principal has keys in the keytab.isInitiator = false useKeyTab = true keyTab = <keytabname> storeKey = true principal = *
The client's TGT will be retrieved from the ticket cache and added to theuseTicketCache = true ticketCache = <file name> useKeyTab = true keyTab = <file name> storeKey = true principal = <principal name>
Subject
's private credentials. If the TGT is not available in the ticket cache, or the TGT's client name does not match the principal name, Java will use a secret key to obtain the TGT using the authentication exchange and added to the Subject's private credentials. This secret key will be first retrieved from the keytab. If the key is not available, the user will be prompted for the password. In either case, the key derived from the password will be added to the Subject's private credentials set.
Configured to act as acceptor only, credentials are not acquired via AS exchange. For acceptors only, set this value to false. For initiators, do not set this value to false.isInitiator = false
Configured to act as initiator, credentials are acquired via AS exchange. For initiators, set this value to true, or leave this option unset, in which case default value (true) will be used.isInitiator = true
-
-
构造方法摘要
构造方法 构造器 描述 Krb5LoginModule()
-
方法摘要
所有方法 实例方法 具体的方法 变量和类型 方法 描述 boolean
abort()
如果LoginContext的整体身份验证失败,则调用此方法。boolean
commit()
如果LoginContext的整体身份验证成功(相关的REQUIRED,REQUISITE,SUFFICIENT和OPTIONAL LoginModules成功),则调用此方法。void
initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
初始化此LoginModule
。boolean
login()
验证用户boolean
logout()
注销用户。
-
-
-
方法详细信息
-
initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
初始化此LoginModule
。- Specified by:
-
initialize
在界面LoginModule
- 参数
-
subject
- 要验证的Subject
。 -
callbackHandler
- 用于与最终用户通信的CallbackHandler
(例如,提示输入用户名和密码)。 -
sharedState
- 共享LoginModule
状态。 -
options
- 此特定LoginModule
的登录名Configuration
指定的选项。
-
login
public boolean login() throws LoginException
验证用户- Specified by:
-
login
在界面LoginModule
- 结果
-
在所有情况下
LoginModule
true,因为不应忽略此LoginModule
。 - 异常
-
FailedLoginException
- 如果身份验证失败。 -
LoginException
- 如果此LoginModule
无法执行身份验证。
-
commit
public boolean commit() throws LoginException
如果LoginContext的整体身份验证成功(相关的REQUIRED,REQUISITE,SUFFICIENT和OPTIONAL LoginModules成功),则调用此方法。如果此LoginModule自己的身份验证尝试成功(通过检索
login
方法保存的私有状态进行检查),则此方法将Krb5Principal
与位于Subject
中的LoginModule
相关联。 它将Kerberos凭据添加到Subject的私有凭证集。 如果此LoginModule自己的身份验证尝试失败,则此方法将删除最初保存的任何状态。- Specified by:
-
commit
在界面LoginModule
- 结果
- 如果此LoginModule自己的登录和提交尝试成功,则返回true,否则返回false。
- 异常
-
LoginException
- 如果提交失败。
-
abort
public boolean abort() throws LoginException
如果LoginContext的整体身份验证失败,则调用此方法。 (相关的必需,要求,充足和可选的LoginModule没有成功)。如果此LoginModule自己的身份验证尝试成功(通过检索
login
和commit
方法保存的私有状态进行检查),则此方法将清除最初保存的任何状态。- Specified by:
-
abort
在界面LoginModule
- 结果
- 如果此LoginModule自己的登录和/或提交尝试失败,则返回false,否则返回true。
- 异常
-
LoginException
- 如果中止失败。
-
logout
public boolean logout() throws LoginException
注销用户。这种方法消除了
Krb5Principal
,是由加入的commit
方法。- Specified by:
-
logout
,界面LoginModule
- 结果
-
在所有情况下
LoginModule
true,因为不应忽略此LoginModule
。 - 异常
-
LoginException
- 如果注销失败。
-
-