org.eclipse.jetty.security

Class ConfigurableSpnegoLoginService

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.component.ContainerLifeCycle

org.eclipse.jetty.security.ConfigurableSpnegoLoginService

All Implemented Interfaces:

LoginService, Container, Destroyable, Dumpable, LifeCycle

public class ConfigurableSpnegoLoginService
extends ContainerLifeCycle
implements LoginService

A configurable (as opposed to using system properties) SPNEGO LoginService.

At startup, this LoginService will login via JAAS the service principal, composed of the service name and the host name, for example HTTP/wonder.com, using a keyTab file as the service principal credentials.

Upon receiving an HTTP request, the server tries to authenticate the client calling login(String, Object, ServletRequest) where the GSS APIs are used to verify client tokens and (perhaps after a few round-trips) a GSSContext is established.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private static class	ConfigurableSpnegoLoginService.GSSContextHolder
private class	ConfigurableSpnegoLoginService.SpnegoConfiguration
private static class	ConfigurableSpnegoLoginService.SpnegoContext

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container

Container.InheritedListener, Container.Listener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

LifeCycle.Listener

Field Summary

Fields

Modifier and Type	Field and Description
private AuthorizationService	_authorizationService
private ConfigurableSpnegoLoginService.SpnegoContext	_context
private org.ietf.jgss.GSSManager	_gssManager
private java.lang.String	_hostName
private IdentityService	_identityService
private java.nio.file.Path	_keyTabPath
private java.lang.String	_realm
private java.lang.String	_serviceName
private static Logger	LOG

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

KEY

Constructor Summary

Constructors

Constructor and Description
ConfigurableSpnegoLoginService(java.lang.String realm, AuthorizationService authorizationService)

Method Summary

Modifier and Type	Method and Description
private java.security.PrivilegedAction<byte[]>	acceptGSSContext(org.ietf.jgss.GSSContext gssContext, byte[] token)
protected void	doStart() Starts the managed lifecycle beans in the order they were added.
java.lang.String	getHostName()
IdentityService	getIdentityService() Get the IdentityService associated with this Login Service.
java.nio.file.Path	getKeyTabPath()
java.lang.String	getName()
java.lang.String	getServiceName()
UserIdentity	login(java.lang.String username, java.lang.Object credentials, javax.servlet.ServletRequest req) Login a user.
void	logout(UserIdentity user)
private java.security.PrivilegedAction<org.ietf.jgss.GSSContext>	newGSSContext()
private java.security.PrivilegedAction<ConfigurableSpnegoLoginService.SpnegoContext>	newSpnegoContext(javax.security.auth.Subject subject)
void	setHostName(java.lang.String hostName)
void	setIdentityService(IdentityService identityService) Set the IdentityService associated with this Login Service.
void	setKeyTabPath(java.nio.file.Path keyTabFile)
void	setServiceName(java.lang.String serviceName)
private java.lang.String	toUserName(org.ietf.jgss.GSSContext gssContext)
boolean	validate(UserIdentity user) Validate a user identity.

Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle

addBean, addBean, addEventListener, addManaged, contains, destroy, doStop, dump, dump, dump, dump, dump, dumpBeans, dumpObject, dumpObjects, dumpStdErr, dumpThis, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, setStopTimeout, start, stop, unmanage, updateBean, updateBean, updateBeans

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable

dumpContainer, dumpIterable, dumpMapEntries, dumpObjects, dumpSelf, named

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

start, stop

Field Detail

LOG

private static final Logger LOG

_gssManager

private final org.ietf.jgss.GSSManager _gssManager

_realm

private final java.lang.String _realm

_authorizationService

private final AuthorizationService _authorizationService

_identityService

private IdentityService _identityService

_serviceName

private java.lang.String _serviceName

_keyTabPath

private java.nio.file.Path _keyTabPath

_hostName

private java.lang.String _hostName

_context

private ConfigurableSpnegoLoginService.SpnegoContext _context

Constructor Detail

ConfigurableSpnegoLoginService

public ConfigurableSpnegoLoginService(java.lang.String realm,
                                      AuthorizationService authorizationService)

Method Detail

getName

public java.lang.String getName()

Specified by:

getName in interface LoginService

Returns:

the realm name

getKeyTabPath

public java.nio.file.Path getKeyTabPath()

Returns:

the path of the keyTab file containing service credentials

setKeyTabPath

public void setKeyTabPath(java.nio.file.Path keyTabFile)

Parameters:

keyTabFile - the path of the keyTab file containing service credentials

getServiceName

public java.lang.String getServiceName()

Returns:

the service name, typically "HTTP"

See Also:

getHostName()

setServiceName

public void setServiceName(java.lang.String serviceName)

Parameters:

serviceName - the service name

See Also:

setHostName(String)

getHostName

public java.lang.String getHostName()

Returns:

the host name of the service

See Also:

setServiceName(String)

setHostName

public void setHostName(java.lang.String hostName)

Parameters:

hostName - the host name of the service

doStart

protected void doStart()
                throws java.lang.Exception

Description copied from class: ContainerLifeCycle

Starts the managed lifecycle beans in the order they were added.

Overrides:

doStart in class ContainerLifeCycle

Throws:

java.lang.Exception

newSpnegoContext

private java.security.PrivilegedAction<ConfigurableSpnegoLoginService.SpnegoContext> newSpnegoContext(javax.security.auth.Subject subject)

login

public UserIdentity login(java.lang.String username,
                          java.lang.Object credentials,
                          javax.servlet.ServletRequest req)

Description copied from interface: LoginService

Login a user.

Specified by:

login in interface LoginService

Parameters:

username - The user name

credentials - The users credentials

req - TODO

Returns:

A UserIdentity if the credentials matched, otherwise null

newGSSContext

private java.security.PrivilegedAction<org.ietf.jgss.GSSContext> newGSSContext()

acceptGSSContext

private java.security.PrivilegedAction<byte[]> acceptGSSContext(org.ietf.jgss.GSSContext gssContext,
                                                                byte[] token)

toUserName

private java.lang.String toUserName(org.ietf.jgss.GSSContext gssContext)

validate

public boolean validate(UserIdentity user)

Description copied from interface: LoginService

Validate a user identity. Validate that a UserIdentity previously created by a call to LoginService.login(String, Object, ServletRequest) is still valid.

Specified by:

validate in interface LoginService

Parameters:

user - The user to validate

Returns:

true if authentication has not been revoked for the user.

getIdentityService

public IdentityService getIdentityService()

Description copied from interface: LoginService

Get the IdentityService associated with this Login Service.

Specified by:

getIdentityService in interface LoginService

Returns:

the IdentityService associated with this Login Service.

setIdentityService

public void setIdentityService(IdentityService identityService)

Description copied from interface: LoginService

Set the IdentityService associated with this Login Service.

Specified by:

setIdentityService in interface LoginService

Parameters:

identityService - the IdentityService associated with this Login Service.

logout

public void logout(UserIdentity user)

Specified by:

logout in interface LoginService