Package com.hazelcast.security.loginimpl
Class GssApiLoginModule
java.lang.Object
com.hazelcast.security.ClusterLoginModule
com.hazelcast.security.loginimpl.GssApiLoginModule
- All Implemented Interfaces:
LoginModule
Hazelcast GSS-API LoginModule implementation.

Field Summary
Fields (Modifier and Type, Field: Description)
static final String OPTION_KEYTAB_FILE: Option name which allows (together with the OPTION_PRINCIPAL) simplification of security realm configurations.
static final String OPTION_PRINCIPAL: Option name which allows (together with the OPTION_KEYTAB_FILE) simplification of security realm configurations.
static final String OPTION_RELAX_FLAGS_CHECK: Name of the option which allows disabling some of the checks on incoming token.
static final String OPTION_SECURITY_REALM: Option name for referencing Security realm name in Hazelcast configuration.
static final String OPTION_USE_NAME_WITHOUT_REALM: Option name which allows cutting off the Kerberos realm part from authenticated name.
Fields inherited from class com.hazelcast.security.ClusterLoginModule
callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject

Constructor Summary
Constructors
GssApiLoginModule()

Method Summary
Methods (Modifier and Type, Method)
protected String getAuthenticatedName(GSSContext gssContext)
protected String getName()
protected void onInitialize()
boolean onLogin()
Methods inherited from class com.hazelcast.security.ClusterLoginModule
abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout

Field Details

OPTION_RELAX_FLAGS_CHECK
Name of the option which allows disabling some of the checks on the incoming token (e.g. authentication passes even if mutual authentication is required by the token).

OPTION_SECURITY_REALM
Option name for referencing a Security realm name in the Hazelcast configuration. The realm's authentication configuration (when defined) will be used to fill the Subject with Kerberos credentials (e.g. a KeyTab entry).

OPTION_USE_NAME_WITHOUT_REALM
Option name which allows cutting off the Kerberos realm part from the authenticated name. When the property value is set to true, the '@REALM' part is removed from the name (e.g. jduke@ACME.COM becomes jduke).

OPTION_KEYTAB_FILE
Option name which allows (together with the OPTION_PRINCIPAL) simplification of security realm configurations. For basic scenarios you don't need to specify the OPTION_SECURITY_REALM; instead you can directly define the Kerberos principal name and the keytab file path with credentials for the given principal.
This property is only used when the OPTION_SECURITY_REALM is not configured.

OPTION_PRINCIPAL
Option name which allows (together with the OPTION_KEYTAB_FILE) simplification of security realm configurations. For basic scenarios you don't need to specify the OPTION_SECURITY_REALM; instead you can directly define the Kerberos principal name and the keytab file path with credentials for the given principal.
This property is only used when the OPTION_SECURITY_REALM is not configured.

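A small audit of a GssApiLoginModule configuration against the option semantics described in the field details above. This is an added example, not Hazelcast's own code: the class name GssApiOptionsAudit, the helper names, the sample realm, principal and keytab values, and the treatment of "true" as the enabled value are assumptions, and it assumes the options are carried in a Hazelcast LoginModuleConfig.

```java
import static com.hazelcast.security.loginimpl.GssApiLoginModule.*;

import com.hazelcast.config.LoginModuleConfig;
import com.hazelcast.config.LoginModuleConfig.LoginModuleUsage;
import com.hazelcast.security.loginimpl.GssApiLoginModule;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example (hypothetical class name), not Hazelcast code.
public class GssApiOptionsAudit {

    // Assumption: a boolean option counts as enabled only when its value is "true".
    static boolean on(Properties p, String option) {
        return Boolean.parseBoolean(p.getProperty(option));
    }

    // Returns one finding per setting that weakens or silently changes authentication.
    static List<String> audit(LoginModuleConfig cfg) {
        Properties p = cfg.getProperties();
        List<String> findings = new ArrayList<>();
        boolean realm = p.getProperty(OPTION_SECURITY_REALM) != null;
        boolean principal = p.getProperty(OPTION_PRINCIPAL) != null;
        boolean keytab = p.getProperty(OPTION_KEYTAB_FILE) != null;
        if (on(p, OPTION_RELAX_FLAGS_CHECK)) {
            findings.add(OPTION_RELAX_FLAGS_CHECK + ": some checks on incoming tokens are disabled");
        }
        if (on(p, OPTION_USE_NAME_WITHOUT_REALM)) {
            findings.add(OPTION_USE_NAME_WITHOUT_REALM + ": names that differ only in '@REALM' become one identity");
        }
        if (realm && (principal || keytab)) {
            findings.add(OPTION_PRINCIPAL + "/" + OPTION_KEYTAB_FILE + ": ignored, " + OPTION_SECURITY_REALM + " is configured");
        }
        if (!realm && principal != keytab) {
            findings.add(OPTION_PRINCIPAL + " and " + OPTION_KEYTAB_FILE + " are meant to be set together");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample values; the realm name, principal and path are placeholders.
        LoginModuleConfig cfg = new LoginModuleConfig(GssApiLoginModule.class.getName(), LoginModuleUsage.REQUIRED);
        Properties p = cfg.getProperties();
        p.setProperty(OPTION_SECURITY_REALM, "krb5Acceptor");
        p.setProperty(OPTION_PRINCIPAL, "hz/member1.example.test@EXAMPLE.TEST");
        p.setProperty(OPTION_KEYTAB_FILE, "/path/to/member1.keytab");
        p.setProperty(OPTION_RELAX_FLAGS_CHECK, "true");
        audit(cfg).forEach(System.out::println);
    }
}
```

With the constructed input, the audit reports the relaxed flags check and the principal/keytab pair that is ignored because a security realm is also referenced.
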
Constructor Details

GssApiLoginModule
public GssApiLoginModule()

Method Details

onInitialize
protected void onInitialize()
Overrides: onInitialize in class ClusterLoginModule

onLogin
Specified by: onLogin in class ClusterLoginModule
Throws: LoginException

getAuthenticatedName
Throws: GSSException

getName
Specified by: getName in class ClusterLoginModule