Generated by JDiff
This file contains all the changes in documentation in the package javax.security.auth.login as colored differences. Deletions are shown like this, and additions are shown like this.
If no deletions or additions are shown in an entry, the HTML tags will be what has changed. The new HTML tags are shown in the differences. If no documentation existed, and then some was added in a later version, this change is noted in the appropriate class pages of differences, but the change is not shown on this page. Only changes in existing text are shown here. Similarly, documentation which was inherited from another class or interface is not shown here.
Note that an HTML error in the new documentation may cause the display of other documentation changes to be presented incorrectly. For instance, failure to close a <code> tag will cause all subsequent paragraphs to be displayed differently.
This class represents a single LoginModule entry configured for the application specified in the getAppConfigurationEntry(String appName) method in the Configuration class. Each respective AppConfigurationEntry contains a LoginModule name, a control flag (specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL), and LoginModule-specific options. Please refer to the Configuration class for more information on the different control flags and their semantics.

@version 1.30 1231 02/0321/0102
@see javax.security.auth.login.Configuration
The LoginContext class describes the basic methods used to authenticate Subjects and provides a way to develop an application independent of the underlying authentication technology. A Configuration specifies the authentication technology, or LoginModule, to be used with a particular application. Therefore, different LoginModules can be plugged in under an application without requiring any modifications to the application itself.

In addition to supporting pluggable authentication, this class also supports the notion of stacked authentication. In other words, an application may be configured to use more than one LoginModule. For example, one could configure both a Kerberos LoginModule and a smart card LoginModule under an application.

A typical caller instantiates this class and passes in a name and a CallbackHandler. LoginContext uses the name as the index into the Configuration to determine which LoginModules should be used, and which ones must succeed in order for the overall authentication to succeed. The CallbackHandler is passed to the underlying LoginModules so they may communicate and interact with users (prompting for a username and password via a graphical user interface, for example).

Once the caller has instantiated a LoginContext, it invokes the login method to authenticate a Subject. This login method invokes the login method from each of the LoginModules configured for the name specified by the caller. Each LoginModule then performs its respective type of authentication (username/password, smart card pin verification, etc.). Note that the LoginModules will not attempt authentication retries or introduce delays if the authentication fails. Such tasks belong to the caller.

Regardless of whether or not the overall authentication succeeded, this login method completes a 2-phase authentication process by then calling either the commit method or the abort method for each of the configured LoginModules. The commit method for each LoginModule gets invoked if the overall authentication succeeded, whereas the abort method for each LoginModule gets invoked if the overall authentication failed. Each successful LoginModule's commit method associates the relevant Principals (authenticated identities) and Credentials (authentication data such as cryptographic keys) with the Subject. Each LoginModule's abort method cleans up or removes/destroys any previously stored authentication state.

If the login method returns without throwing an exception, then the overall authentication succeeded. The caller can then retrieve the newly authenticated Subject by invoking the getSubject method. Principals and Credentials associated with the Subject may be retrieved by invoking the Subject's respective getPrincipals, getPublicCredentials, and getPrivateCredentials methods.

To logout the Subject, the caller simply needs to invoke the logout method. As with the login method, this logout method invokes the logout method for each LoginModule configured for this LoginContext. Each LoginModule's logout method cleans up state and removes/destroys Principals and Credentials from the Subject as appropriate.

Each of the configured LoginModules invoked by the LoginContext is initialized with a Subject to be authenticated, a CallbackHandler used to communicate with users, shared LoginModule state, and LoginModule-specific options. If the LoginContext was not provided a Subject, then it instantiates one itself.

Each LoginModule which successfully authenticates a user updates the Subject with the relevant user information (Principals and Credentials). This Subject can then be returned via the getSubject method from the LoginContext class if the overall authentication succeeds. Note that LoginModules are always invoked from within an AccessController.doPrivileged call. Therefore, although LoginModules that perform security-sensitive tasks (such as connecting to remote hosts) need to be granted the relevant Permissions in the security Policy, the callers of the LoginModules do not require those Permissions.

A LoginContext supports authentication retries by the calling application. For example, a LoginContext's login method may be invoked multiple times if the user incorrectly types in a password. However, a LoginContext should not be used to authenticate more than one Subject. A separate LoginContext should be used to authenticate each different Subject.

Multiple calls into the same LoginContext do not affect the LoginModule state, or the LoginModule-specific options.

@version 1.92 1293 02/0321/0102
@see javax.security.auth.Subject
@see javax.security.auth.callback.CallbackHandler
@see javax.security.auth.login.Configuration
@see javax.security.auth.spi.LoginModule