<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<head>
<title>Apache Felix - Apache Felix JAAS Support</title>
<link rel="icon" href="/res/favicon.ico">
<link rel="stylesheet" href="/res/site.css" type="text/css" media="all">
<link rel="stylesheet" href="/res/codehilite.css" type="text/css" media="all">
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</head>
<body>
<div class="title">
<div class="logo">
<a href="https://felix.apache.org/">
<img border="0" alt="Apache Felix" src="/res/logo.png">
</a>
</div>
<div class="header">
<a href="https://www.apache.org/">
<img border="0" alt="Apache" src="/res/apache.png">
</a>
</div>
</div>
<div class="menu">
<style type="text/css">
/* The following code is added by mdx_elementid.py
It was originally lifted from http://subversion.apache.org/style/site.css */
/*
* Hide class="elementid-permalink", except when an enclosing heading
* has the :hover property.
*/
.headerlink, .elementid-permalink {
visibility: hidden;
}
h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
</div>
<div class="main">
<h1>Apache Felix JAAS Support</h1>
<style type="text/css">
img {
width:auto;
}
</style>
<div class="toc">
<ul>
<li><a href="#the-problem">The Problem</a></li>
<li><a href="#usage">Usage</a><ul>
<li><a href="#loginmodule-registration">LoginModule registration</a><ul>
<li><a href="#a-osgi-configuration">A - OSGi Configuration</a><ul>
<li><a href="#manifest-header-entry">Manifest Header Entry</a></li>
<li><a href="#configuration">Configuration</a></li>
</ul>
</li>
<li><a href="#b-loginmodulefactory">B - LoginModuleFactory</a></li>
</ul>
</li>
<li><a href="#logincontext-creation-patterns">LoginContext creation patterns</a><ul>
<li><a href="#logincontextfactory-mode">LoginContextFactory Mode</a></li>
<li><a href="#configuration-spi-with-default-policy-mode">Configuration SPI with Default Policy Mode</a></li>
<li><a href="#replace-global-configuration-mode">Replace Global Configuration Mode</a></li>
<li><a href="#modified-boot-classpath-mode">Modified Boot Classpath Mode</a></li>
</ul>
</li>
<li><a href="#jaas-configuration-spi-settings">JAAS Configuration SPI Settings</a></li>
</ul>
</li>
<li><a href="#webconsole-plugin">WebConsole Plugin</a></li>
<li><a href="#resources">Resources</a></li>
</ul>
</div>
<p>Apache Felix JAAS support aims to simplify usage of JAAS in OSGi.</p>
<p>It supports the following features:</p>
<ol>
<li>It works in both standalone and application server deployments, i.e. in environments where the global JAAS configuration
might be used by other applications and our usage of JAAS should not affect them.</li>
<li>It enables use of OSGi Configuration support to configure the login modules dynamically.</li>
<li>It allows LoginModule instances to be created via factories registered in the OSGi Service Registry.</li>
<li>It does not require the client to depend on any OSGi API.</li>
<li>It works well with the dynamic nature of the OSGi environment.</li>
<li>The implementation depends only on the Core OSGi API and ConfigAdmin (RFC 104).</li>
</ol>
<h2 id="the-problem">The Problem<a class="headerlink" href="#the-problem" title="Permanent link">&para;</a></h2>
<p>The basic problem when using JAAS in OSGi is that JAAS creates the LoginModule instance using reflection. This poses
a problem in an OSGi environment because the client bundle does not have visibility of all the required LoginModule classes.</p>
<p>A typical JAAS login looks like this:</p>
<div class="codehilite"><pre><span class="c1">// let the LoginContext instantiate a new Subject</span>
<span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">&quot;myApp&quot;</span><span class="o">);</span>
<span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span>
</pre></div>
<p>In this mode the <code>LoginContext</code> accesses the global JAAS <code>Configuration</code> internally via <code>Configuration.getConfiguration()</code>.
It then instantiates the LoginModule based on the configuration value, using the Thread Context ClassLoader (TCCL)
to create the instance. This approach fails in OSGi for the following reasons:</p>
<ol>
<li>The Thread Context ClassLoader is not defined in general in an OSGi context. It can and has to be set by the caller,
and OSGi cannot generally enforce that.</li>
<li>Instantiating a LoginModule generally requires access to internal implementation classes. By exporting these classes
an implementing bundle would break its encapsulation.</li>
<li>Even if an implementation class were exported, importing this class in a consumer bundle would bind it to the specific
implementation package provided, which violates the principle of loose coupling.</li>
</ol>
<h2 id="usage">Usage<a class="headerlink" href="#usage" title="Permanent link">&para;</a></h2>
<p>The JAAS support involves the following parts:</p>
<ol>
<li>LoginModule Registration - The mechanism by which a LoginModule is registered with a given <code>realm</code>.</li>
<li>LoginContext Creation - The client code which constructs the LoginContext and then performs the login operation.</li>
</ol>
<p>The sections below first describe the ways in which a <code>LoginModule</code> can be configured so that
it can participate in the JAAS flow, and then the ways in which client code can invoke the JAAS logic.</p>
<h3 id="loginmodule-registration">LoginModule registration<a class="headerlink" href="#loginmodule-registration" title="Permanent link">&para;</a></h3>
<p>Login modules can be registered via two mechanisms:</p>
<ul>
<li>OSGi Configuration - LoginModules are registered via OSGi configuration</li>
<li>LoginModuleFactory - LoginModules are registered with the OSGi ServiceRegistry via <code>LoginModuleFactory</code></li>
</ul>
<h4 id="a-osgi-configuration">A - OSGi Configuration<a class="headerlink" href="#a-osgi-configuration" title="Permanent link">&para;</a></h4>
<p>LoginModules can be configured via OSGi configuration, which is somewhat similar to the file based configuration. It consists of two parts:</p>
<ul>
<li>Information about which bundle provides a specific LoginModule</li>
<li>Configuration to be passed to that LoginModule</li>
</ul>
<h5 id="manifest-header-entry">Manifest Header Entry<a class="headerlink" href="#manifest-header-entry" title="Permanent link">&para;</a></h5>
<p>Any bundle which provides a LoginModule class needs to provide this information via the <em>Jaas-ModuleClass</em> manifest header.</p>
<div class="codehilite"><pre><span class="nt">&lt;Jaas-ModuleClass&gt;</span>org.apache.felix.example.jaas.config.internal.SampleConfigLoginModule<span class="nt">&lt;/Jaas-ModuleClass&gt;</span>
</pre></div>
<h5 id="configuration">Configuration<a class="headerlink" href="#configuration" title="Permanent link">&para;</a></h5>
<p>The JAAS module depends on OSGi Configuration for managing the LoginModule configuration. The configuration factory PID is
<code>org.apache.felix.jaas.Configuration.factory</code>. It provides the required metatype descriptor, thus enabling configuration
via the "Configuration" tab of the Felix WebConsole.</p>
<p><img src="jaas-config.png" /></p>
<p>Configuration properties</p>
<ul>
<li><code>jaas.classname</code> - Fully qualified name of the LoginModule class</li>
<li><code>jaas.controlFlag</code> - LoginControlFlag to use, such as required, optional, requisite or sufficient. The default is required</li>
<li><code>jaas.realmName</code> - JAAS realm name. If specified, the LoginModule is registered against the given realm; otherwise it
is bound to the 'other' realm</li>
<li><code>jaas.ranking</code> - Ranking for the LoginModule, used to order the various login modules. The entries are sorted
in descending order (i.e. higher ranked configurations come first)</li>
</ul>
<p>For an example refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/launcher/src/main/config/org.apache.felix.jaas.Configuration.factory-simple.cfg">Sample Configuration</a>. It configures a SampleConfigLoginModule for the <code>sample</code> realm.</p>
<h4 id="b-loginmodulefactory">B - LoginModuleFactory<a class="headerlink" href="#b-loginmodulefactory" title="Permanent link">&para;</a></h4>
<p>Any bundle which wants to provide a LoginModule implementation needs to provide a factory service which implements the
<a href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> interface. The factory needs to be registered with the following optional properties:</p>
<ul>
<li><code>jaas.controlFlag</code> - LoginControlFlag to use, such as required, optional, requisite or sufficient. The default is required</li>
<li><code>jaas.realmName</code> - JAAS realm name. If specified, the LoginModule is registered against the given realm; otherwise it
is bound to the 'other' realm.</li>
<li><code>service.ranking</code> - Ranking for the LoginModule, used to order the various login modules.</li>
</ul>
<p>Interface</p>
<div class="codehilite"><pre><span class="cm">/**</span>
<span class="cm"> * A factory for creating {@link LoginModule} instances.</span>
<span class="cm"> */</span>
<span class="kd">public</span> <span class="kd">interface</span> <span class="nc">LoginModuleFactory</span>
<span class="o">{</span>
<span class="cm">/**</span>
<span class="cm"> * Property name specifying whether or not a &lt;code&gt;LoginModule&lt;/code&gt; is</span>
<span class="cm"> * REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL. Refer to {@link javax.security.auth.login.Configuration}</span>
<span class="cm"> * for more details around the meaning of these flags</span>
<span class="cm"> *</span>
<span class="cm"> * By default the value is set to REQUIRED</span>
<span class="cm"> */</span>
<span class="n">String</span> <span class="n">JAAS_CONTROL_FLAG</span> <span class="o">=</span> <span class="s">&quot;jaas.controlFlag&quot;</span><span class="o">;</span>
<span class="cm">/**</span>
<span class="cm"> * Property name specifying the Realm name (or application name) against which the</span>
<span class="cm"> * LoginModule would be registered.</span>
<span class="cm"> *</span>
<span class="cm"> * &lt;p&gt;If no realm name is provided then LoginModule would be registered with a default realm</span>
<span class="cm"> * as configured</span>
<span class="cm"> */</span>
<span class="n">String</span> <span class="n">JAAS_REALM_NAME</span> <span class="o">=</span> <span class="s">&quot;jaas.realmName&quot;</span><span class="o">;</span>
<span class="cm">/**</span>
<span class="cm"> * Creates the LoginModule instance</span>
<span class="cm"> * @return loginModule instance</span>
<span class="cm"> */</span>
<span class="n">LoginModule</span> <span class="nf">createLoginModule</span><span class="o">();</span>
<span class="o">}</span>
</pre></div>
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/lm-jdbc/src/main/java/org/apache/felix/example/jaas/jdbc/JdbcLoginModuleFactory.java">JdbcLoginModuleFactory</a> for one example of its usage. It constructs a JdbcLoginModule based on the
configuration and passes on the datasource.</p>
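<p>The interaction between <code>jaas.controlFlag</code> and the ranking order described above, as an added example that is not part of the Felix code base: it uses only the JDK's JAAS classes and models the descending ranking order with a sort. The classes <code>Strict</code>, <code>Lenient</code> and <code>Reg</code>, the rankings and the module stack for the <code>sample</code> realm are constructed for illustration.</p>

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Added example (not Felix code): ranking order plus control flag decide a realm's outcome. */
public class ControlFlagOrderDemo {

    /** Names of the modules whose login() ran, in call order. */
    static final StringBuilder TRACE = new StringBuilder();

    /** Shared plumbing. Raw Map parameters keep this listing free of generics syntax. */
    public abstract static class Base implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map shared, Map options) { }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Constructed stand-in for a module that rejects the presented credentials. */
    public static class Strict extends Base {
        public boolean login() throws LoginException {
            TRACE.append("Strict ");
            throw new FailedLoginException("credentials rejected");
        }
    }

    /** Constructed stand-in for a module that accepts the presented credentials. */
    public static class Lenient extends Base {
        public boolean login() {
            TRACE.append("Lenient ");
            return true;
        }
    }

    /** One registration: module class name, control flag and ranking (all constructed). */
    static final class Reg {
        final String className;
        final LoginModuleControlFlag flag;
        final int ranking;
        Reg(String className, LoginModuleControlFlag flag, int ranking) {
            this.className = className; this.flag = flag; this.ranking = ranking;
        }
    }

    /** Builds a Configuration for realm "sample" with entries in descending ranking order. */
    static Configuration stack(Reg... regs) {
        Reg[] sorted = regs.clone();
        Arrays.sort(sorted, (a, b) -> Integer.compare(b.ranking, a.ranking));
        final AppConfigurationEntry[] entries = new AppConfigurationEntry[sorted.length];
        int i = 0;
        for (Reg r : sorted) {
            entries[i++] = new AppConfigurationEntry(r.className, r.flag, Collections.emptyMap());
        }
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                return "sample".equals(realm) ? entries : null;
            }
        };
    }

    /** Runs one login against the stack; reports the result and the modules consulted. */
    static String attempt(Reg... regs) {
        TRACE.setLength(0);
        try {
            new LoginContext("sample", new Subject(), callbacks -> { }, stack(regs)).login();
            return "ACCEPTED after: " + TRACE.toString().trim();
        } catch (LoginException e) {
            return "REJECTED after: " + TRACE.toString().trim();
        }
    }

    public static void main(String[] args) {
        String strict = Strict.class.getName(), lenient = Lenient.class.getName();
        // Lenient outranks Strict: its success ends the login, Strict is never consulted.
        System.out.println(attempt(new Reg(lenient, LoginModuleControlFlag.SUFFICIENT, 200),
                                   new Reg(strict, LoginModuleControlFlag.REQUIRED, 100)));
        // Strict outranks Lenient: the required failure is recorded and the login fails.
        System.out.println(attempt(new Reg(strict, LoginModuleControlFlag.REQUIRED, 200),
                                   new Reg(lenient, LoginModuleControlFlag.SUFFICIENT, 100)));
    }
}
```

<p>A <code>sufficient</code> module that sorts ahead of a <code>required</code> one ends the login on success before the required module runs, so the flag and ranking of every module bound to a realm should be reviewed together.</p>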
<h3 id="logincontext-creation-patterns">LoginContext creation patterns<a class="headerlink" href="#logincontext-creation-patterns" title="Permanent link">&para;</a></h3>
<p>There are various ways through which a JAAS Client can invoke the JAAS login.</p>
<h4 id="logincontextfactory-mode">LoginContextFactory Mode<a class="headerlink" href="#logincontextfactory-mode" title="Permanent link">&para;</a></h4>
<p>In this mode the client logic obtains a reference to the <code>org.apache.felix.jaas.LoginContextFactory</code> service
and then creates a <code>LoginContext</code> instance:</p>
<div class="codehilite"><pre><span class="n">LoginContextFactory</span> <span class="n">loginContextFactory</span> <span class="p">=</span> <span class="p">...;</span>
<span class="n">CallbackHandler</span> <span class="n">handler</span> <span class="p">=</span> <span class="p">...;</span>
<span class="n">Subject</span> <span class="n">subject</span> <span class="p">=</span> <span class="n">new</span> <span class="n">Subject</span><span class="p">();</span>
<span class="k">try</span>
<span class="p">{</span>
<span class="n">LoginContext</span> <span class="n">lc</span> <span class="p">=</span> <span class="n">loginContextFactory</span><span class="p">.</span><span class="n">createLoginContext</span><span class="p">(</span>&quot;<span class="n">sample</span>&quot;<span class="p">,</span><span class="n">subject</span><span class="p">,</span><span class="n">handler</span><span class="p">);</span>
<span class="n">lc</span><span class="p">.</span><span class="n">login</span><span class="p">();</span>
<span class="p">...</span>
<span class="p">}</span>
<span class="k">catch</span> <span class="p">(</span><span class="n">LoginException</span> <span class="n">e</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">handleAuthenticationFailure</span><span class="p">(</span><span class="n">e</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/FactoryDemoServlet.java">FactoryDemoServlet</a> for an example. Note the following points for this usage pattern:</p>
<ul>
<li>Client code needs to depend on Apache Felix JAAS Support API</li>
<li>No need to manage Thread Context Classloader while invoking <code>LoginContext</code></li>
<li>No need to import LoginModule related packages</li>
</ul>
<h4 id="configuration-spi-with-default-policy-mode">Configuration SPI with Default Policy Mode<a class="headerlink" href="#configuration-spi-with-default-policy-mode" title="Permanent link">&para;</a></h4>
<p>In this mode the client logic explicitly fetches the JAAS Configuration and then passes it on to the LoginContext. In this
mode the <a href="#configuration-spi">JAAS Configuration Policy</a> is set to <code>Default</code>.</p>
<div class="codehilite"><pre><span class="n">CallbackHandler</span> <span class="n">handler</span> <span class="o">=</span> <span class="o">...;</span>
<span class="n">Subject</span> <span class="n">subject</span> <span class="o">=</span> <span class="k">new</span> <span class="n">Subject</span><span class="o">();</span>
<span class="kd">final</span> <span class="n">ClassLoader</span> <span class="n">cl</span> <span class="o">=</span> <span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">getContextClassLoader</span><span class="o">();</span>
<span class="k">try</span>
<span class="o">{</span>
<span class="n">Configuration</span> <span class="n">config</span> <span class="o">=</span> <span class="n">Configuration</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span>
<span class="s">&quot;JavaLoginConfig&quot;</span><span class="o">,</span> <span class="c1">//Algorithm name</span>
<span class="kc">null</span><span class="o">,</span> <span class="c1">//Extra params to be passed. For this impl it is null</span>
<span class="s">&quot;FelixJaasProvider&quot;</span> <span class="c1">//Name of the config provider</span>
<span class="o">);</span>
<span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">getClass</span><span class="o">().</span><span class="na">getClassLoader</span><span class="o">());</span>
<span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">&quot;sample&quot;</span><span class="o">,</span> <span class="n">subject</span><span class="o">,</span> <span class="n">handler</span><span class="o">,</span> <span class="n">config</span><span class="o">);</span>
<span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span>
<span class="o">...</span>
<span class="o">}</span>
<span class="k">finally</span>
<span class="o">{</span>
<span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">cl</span><span class="o">);</span>
<span class="o">}</span>
</pre></div>
<p>In above flow the <code>Configuration</code> instance is explicitly fetched and passed on to the</p>
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/TCCLDemoServlet.java">TCCLDemoServlet</a> for an example. Note the following points for this usage pattern:</p>
<ul>
<li>Client code needs to be aware of the name of the config provider.</li>
<li>Client bundle would need to have an import for package <code>org.apache.felix.jaas.boot</code>.
Refer to <a href="#boot-classpath">Boot classpath</a> section for more details</li>
<li>Global configuration is not modified so other users of JAAS are not affected</li>
</ul>
<h4 id="replace-global-configuration-mode">Replace Global Configuration Mode<a class="headerlink" href="#replace-global-configuration-mode" title="Permanent link">&para;</a></h4>
<p>In this mode the JAAS bundle replaces the global configuration through a <code>Configuration.setConfiguration</code> call. The
client code uses the normal LoginContext creation and the <a href="#configuration-spi">JAAS Configuration Policy</a>
is set to <code>Replace Global Configuration</code>.</p>
<div class="codehilite"><pre><span class="kd">final</span> <span class="n">ClassLoader</span> <span class="n">cl</span> <span class="o">=</span> <span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">getContextClassLoader</span><span class="o">();</span>
<span class="k">try</span>
<span class="o">{</span>
<span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">getClass</span><span class="o">().</span><span class="na">getClassLoader</span><span class="o">());</span>
<span class="c1">// let the LoginContext instantiate a new Subject</span>
<span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">&quot;appName&quot;</span><span class="o">);</span>
<span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span>
<span class="o">}</span>
<span class="k">finally</span>
<span class="o">{</span>
<span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">cl</span><span class="o">);</span>
<span class="o">}</span>
</pre></div>
<p>The following points need to be considered in this mode:</p>
<ul>
<li>Client code is not aware of the provider name</li>
<li>Client bundle would need to have an import for package <code>org.apache.felix.jaas.boot</code>.
Refer to <a href="#boot-classpath">Boot classpath</a> section for more details</li>
<li>Global configuration is modified, so it might cause issues when running in co-deployed scenarios such as an application server.</li>
</ul>
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/GlobalConfigDemoServlet.java">GlobalConfigDemoServlet</a> for an example</p>
<h4 id="modified-boot-classpath-mode"><a name="boot-classpath"></a>Modified Boot Classpath Mode<a class="headerlink" href="#modified-boot-classpath-mode" title="Permanent link">&para;</a></h4>
<p>In the previous modes (except the LoginContextFactory mode) the client code needs to switch the Thread Context Classloader (TCCL).
This is due to the way JAAS logic instantiates the <code>LoginModule</code>. The Felix JAAS Support provides a <code>ProxyLoginModule</code> which
takes care of routing the LoginModule calls properly. However, for this class to be visible to the JAAS logic, one of the
following two approaches can be used:</p>
<p><strong>Manage TCCL Explicitly</strong></p>
<p>The client bundle would need to</p>
<ol>
<li>Have an explicit import for <code>org.apache.felix.jaas.boot</code> package and</li>
<li>Manage the TCCL explicitly while making JAAS related calls.<div class="codehilite"><pre><span class="kd">final</span> <span class="n">Thread</span> <span class="n">current</span> <span class="o">=</span> <span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">();</span>
<span class="kd">final</span> <span class="n">ClassLoader</span> <span class="n">orig</span> <span class="o">=</span> <span class="n">current</span><span class="o">.</span><span class="na">getContextClassLoader</span><span class="o">();</span>
<span class="k">try</span> <span class="o">{</span>
<span class="n">current</span><span class="o">.</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">getClass</span><span class="o">().</span><span class="na">getClassLoader</span><span class="o">());</span>
<span class="n">loginContext</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="n">appName</span><span class="o">,</span> <span class="n">subject</span><span class="o">,</span> <span class="n">callbackHandler</span><span class="o">,</span> <span class="n">config</span><span class="o">);</span>
<span class="o">}</span> <span class="k">finally</span> <span class="o">{</span>
<span class="n">current</span><span class="o">.</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">orig</span><span class="o">);</span>
<span class="o">}</span>
</pre></div>
</li>
</ol>
<p>Note that in the above flow the TCCL is managed explicitly.</p>
<p><strong>Modify Boot Classpath</strong></p>
<p>Another way would involve modifying the boot classpath.</p>
<ol>
<li>Place the <code>org.apache.felix.jaas-xxx-boot.jar</code> in the boot classpath via the <code>-Xbootclasspath:bootclasspath</code> option</li>
<li>Make the <code>org.apache.felix.jaas.boot</code> package part of the boot delegation list</li>
</ol>
<div class="codehilite"><pre><span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">&quot;sample&quot;</span><span class="o">,</span> <span class="n">subject</span><span class="o">,</span> <span class="n">handler</span><span class="o">);</span>
<span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span>
</pre></div>
<p>Note that in the above code we neither have to manage the TCCL nor add an import for the <code>org.apache.felix.jaas.boot</code> package.</p>
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/BootClasspathDemoServlet.java">BootClasspathDemoServlet</a> for code sample</p>
<h3 id="jaas-configuration-spi-settings"><a name="configuration-spi"></a>JAAS Configuration SPI Settings<a class="headerlink" href="#jaas-configuration-spi-settings" title="Permanent link">&para;</a></h3>
<p>There are various ways in which a LoginContext can be created, depending on the usage mode. The JAAS support exposes
the following properties:</p>
<p><img src="jaas-spi-config.png" align="center" /></p>
<ul>
<li><code>Default JAAS Realm</code> - Name of the realm to use in case a LoginModule does not provide an explicit realmName.
This is useful for single application mode where all LoginModules in an OSGi container are to be used. Realms
help with global settings because the same config file is used to capture settings for all applications running on the same JVM</li>
<li><code>JAAS Config Provider name</code> - Name against which the Configuration SPI provider should register</li>
<li><code>Configuration Policy</code> - One of the following:<ul>
<li><code>Default</code> - Global configuration is not touched. Client code is expected to use the Configuration SPI mode</li>
<li><code>Replace Global Configuration</code> - The global configuration is replaced with the OSGi configuration. Client code
need not perform any special configuration handling. At most it needs to switch the Thread Context Classloader</li>
<li><code>Proxy Global Configuration</code> - Similar to the previous one, but it saves the default configuration and falls back
to it as well. This should minimize any disruption in shared mode</li>
</ul>
</li>
</ul>
<h2 id="webconsole-plugin">WebConsole Plugin<a class="headerlink" href="#webconsole-plugin" title="Permanent link">&para;</a></h2>
<p>The runtime JAAS realm is exposed via a WebConsole Plugin.</p>
<p><img src="jaas-plugin.png" align="center"/></p>
<h2 id="resources">Resources<a class="headerlink" href="#resources" title="Permanent link">&para;</a></h2>
<ol>
<li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">Java JAAS Reference Guide</a></li>
<li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html">JAAS Login Configuration File</a></li>
</ol>
<div class="timestamp" style="margin-top: 30px; font-size: 80%; text-align: right;">
Rev. 1599411 by chetanm on Tue, 3 Jun 2014 05:34:14 +0000
</div>
<div class="trademarkFooter">
Apache Felix, Felix, Apache, the Apache feather logo, and the Apache Felix project
logo are trademarks of The Apache Software Foundation. All other marks mentioned
may be trademarks or registered trademarks of their respective owners.
</div>
</div>
</body>
</html>