Package com.hazelcast.security.loginimpl
Class X509CertificateLoginModule
java.lang.Object
  com.hazelcast.security.ClusterLoginModule
    com.hazelcast.security.loginimpl.X509CertificateLoginModule
All Implemented Interfaces:
- LoginModule
Hazelcast LoginModule implementation for use together with mutual TLS authentication. This login module leaves the authentication step to the TLS implementation and only verifies that an X.509 certificate is present for the connection. The main usage of the login module is client authorization (assigning roles). The role names are parsed from an attribute in the X.500 certificate Subject name. The full Subject DN is used as the name in the ClusterIdentityPrincipal.

Samples:

Client comes with a certificate with Subject DN "CN=server,O=Hazelcast,C=US" and no option is specified for this login module. Assigned principals:
- ClusterIdentityPrincipal: "CN=server,O=Hazelcast,C=US"
- ClusterRolePrincipal: "server"
- ClusterEndpointPrincipal: [IP address of the client]

If option roleAttribute=O is used in the same scenario, then identity and endpoint remain unchanged and the role changes:
- ClusterRolePrincipal: "Hazelcast"

If option roleAttribute=SN is used in the same scenario, then no role is assigned, i.e. there is no ClusterRolePrincipal in the Subject.

If multiple values are present for the role attribute, then all values are assigned as role names. E.g. "cn=X, cn=Y, cn=Z, ou=Engineering, o=ACME, c=CZ" with the default role attribute value ("cn") results in the following role principals:
- ClusterRolePrincipal: "X", "Y", "Z"
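The role extraction described above, as an added example that is not Hazelcast's own code: it collects every value of the chosen attribute from a Subject DN string, in DN order and with the attribute type matched case-insensitively, and goes beyond the samples by honouring RFC 4514 backslash escapes, quoted values and '+'-joined multi-valued RDNs. The function names and the DN strings used in the tests are constructed for this example.

```python
# Added example, not Hazelcast's own code: roles from an X.500 Subject DN.
from typing import List


def _split(s: str, sep: str) -> List[str]:
    """Split on sep, honouring RFC 4514 backslash escapes and quoted values."""
    parts, buf, escaped, quoted = [], [], False, False
    for ch in s:
        if escaped:  # literal character following a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Drop surrounding quotes and backslash escapes (\\XX hex not decoded)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, escaped = [], False
    for ch in value:
        if escaped or ch != "\\":  # keep everything except an escaping backslash
            out.append(ch)
        escaped = ch == "\\" and not escaped
    return "".join(out)


def roles_from_subject(dn: str, role_attribute: str = "cn") -> List[str]:
    """All values of role_attribute in DN order (empty: no ClusterRolePrincipal).
    Attribute types are matched case-insensitively, so CN and cn are equal."""
    roles = []
    for rdn in _split(dn, ","):
        for ava in _split(rdn, "+"):  # '+' joins values of a multi-valued RDN
            attr, sep, value = ava.partition("=")
            if sep and attr.strip().lower() == role_attribute.lower():
                roles.append(_unescape(value))
    return roles
```

Because the module only checks that a certificate is present, the trust decision belongs entirely to the TLS layer: client certificates must be required and validated against a trusted CA there, otherwise whatever certificate the client presents becomes the identity and role source.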
Field Summary
Fields:
- static final String DEFAULT_ROLE_ATTRIBUTE: Default value for the "roleAttribute" option.
- static final String OPTION_ROLE_ATTRIBUTE: Login module option name under which the role name attribute is stored.
Fields inherited from class com.hazelcast.security.ClusterLoginModule:
callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject

Constructor Summary
Constructors:
- X509CertificateLoginModule()

Method Summary
Methods:
- onLogin: specified by ClusterLoginModule; throws LoginException.
- getName: specified by ClusterLoginModule.
Methods inherited from class com.hazelcast.security.ClusterLoginModule:
abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onInitialize, onLogout
Field Details
- OPTION_ROLE_ATTRIBUTE: Login module option name under which the role name attribute is stored (the option appears as roleAttribute in the samples above).
- DEFAULT_ROLE_ATTRIBUTE: Default value for the "roleAttribute" option ("cn" in the samples above).

Constructor Details
- X509CertificateLoginModule: public X509CertificateLoginModule()

Method Details
- onLogin
  Specified by: onLogin in class ClusterLoginModule
  Throws: LoginException
- getName
  Specified by: getName in class ClusterLoginModule