Package com.hazelcast.security.loginimpl
Class GssApiLoginModule
java.lang.Object
com.hazelcast.security.ClusterLoginModule
com.hazelcast.security.loginimpl.GssApiLoginModule
- All Implemented Interfaces:
LoginModule
Hazelcast GSS-API LoginModule implementation.
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
Option name which allows (together with theOPTION_PRINCIPAL
) simplification of security realm configurations.static final String
Option name which allows (together with theOPTION_KEYTAB_FILE
) simplification of security realm configurations.static final String
Name of the option which allows disabling some of the checks on incoming token (e.g. passes authentication even if the mutual authentication is required by the token).static final String
Option name for referencing Security realm name in Hazelcast configuration.static final String
Option name which allows cutting off the Kerberos realm part from authenticated name.Fields inherited from class com.hazelcast.security.ClusterLoginModule
callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected String
getAuthenticatedName
(GSSContext gssContext) protected String
getName()
protected void
boolean
onLogin()
Methods inherited from class com.hazelcast.security.ClusterLoginModule
abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout
-
Field Details
-
OPTION_RELAX_FLAGS_CHECK
Name of the option which allows disabling some of the checks on incoming token (e.g. passes authentication even if the mutual authentication is required by the token).- See Also:
-
OPTION_SECURITY_REALM
Option name for referencing Security realm name in Hazelcast configuration. The realm's authentication configuration (when defined) will be used to fill theSubject
with Kerberos credentials (e.g. KeyTab entry).- See Also:
-
OPTION_USE_NAME_WITHOUT_REALM
Option name which allows cutting off the Kerberos realm part from authenticated name. When the property value is set totrue
, the'@REALM'
part is removed from the name (e.g.jduke@ACME.COM
becomesjduke
).- See Also:
-
OPTION_KEYTAB_FILE
Option name which allows (together with theOPTION_PRINCIPAL
) simplification of security realm configurations. For basic scenarios you don't need to specify theOPTION_SECURITY_REALM
, but you can instead define directly kerberos principal name and keytab file path with credentials for given principal.This property is only used when the
OPTION_SECURITY_REALM
is not configured.- See Also:
-
OPTION_PRINCIPAL
Option name which allows (together with theOPTION_KEYTAB_FILE
) simplification of security realm configurations. For basic scenarios you don't need to specify theOPTION_SECURITY_REALM
, but you can instead define directly kerberos principal name and keytab file path with credentials for given principal.This property is only used when the
OPTION_SECURITY_REALM
is not configured.- See Also:
-
-
Constructor Details
-
GssApiLoginModule
public GssApiLoginModule()
-
-
Method Details
-
onInitialize
protected void onInitialize()- Overrides:
onInitialize
in classClusterLoginModule
-
onLogin
- Specified by:
onLogin
in classClusterLoginModule
- Throws:
LoginException
-
getAuthenticatedName
- Throws:
GSSException
-
getName
- Specified by:
getName
in classClusterLoginModule
-