Package com.hazelcast.security.loginimpl

Class X509CertificateLoginModule

java.lang.Object

com.hazelcast.security.ClusterLoginModule

com.hazelcast.security.loginimpl.X509CertificateLoginModule

All Implemented Interfaces:

LoginModule

public class X509CertificateLoginModule
extends ClusterLoginModule

Hazelcast LoginModule implementation for use together with mutual TLS authentication. This login module leaves the authentication step on the TLS implementation and just verifies a X.509 certificate is present for the connection. The main usage of the login module is for the client authorization (assigning roles). The role names are parsed from a attribute in the X.500 certificate Subject name. Full Subject DN is used as a name in the ClusterIdentityPrincipal.

Samples:

 Client comes with a Certificate with Subject DN "CN=server,O=Hazelcast,C=US" and no option is specified for this login module.
 Assigned principals:
 - ClusterIdentityPrincipal: "CN=server,O=Hazelcast,C=US"
 - ClusterRolePrinpical: "server"
 - ClusterEndpointPrincipal: [IP address of the client]

 If option roleAttribute=O is used in the same scenario, then identity and endpoint will remain unchanged and role will change:
 - ClusterRolePrinpical: "Hazelcast"

 If option roleAttribute=SN is used in the same scenario, then no role will be assigned - i.e. no ClusterRolePrincipal
 in the Subject.

 If multiple values are present for the role attribute, then all values are assigned as a role name.
 E.g. "cn=X, cn=Y, cn=Z, ou=Engineering, o=ACME, c=CZ" with default role attribute value ("cn") will result in following
 role principals:
 - ClusterRolePrinpical: "X", "Y", "Z"
 

Field Summary

Fields

Modifier and Type	Field	Description
static final String	DEFAULT_ROLE_ATTRIBUTE	Default value for "roleAttribute" attribute.
static final String	OPTION_ROLE_ATTRIBUTE	Login module option name under which role name attribute is stored.

Fields inherited from class com.hazelcast.security.ClusterLoginModule

callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject

Constructor Summary

Constructors

Constructor	Description
X509CertificateLoginModule()

Method Summary

Modifier and Type	Method	Description
protected String	getName()
boolean	onLogin()

Methods inherited from class com.hazelcast.security.ClusterLoginModule

abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onInitialize, onLogout

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

OPTION_ROLE_ATTRIBUTE

public static final String OPTION_ROLE_ATTRIBUTE

Login module option name under which role name attribute is stored.

See Also:

• Constant Field Values

DEFAULT_ROLE_ATTRIBUTE

public static final String DEFAULT_ROLE_ATTRIBUTE

Default value for "roleAttribute" attribute.

See Also:

• Constant Field Values

Constructor Details

X509CertificateLoginModule

public X509CertificateLoginModule()

Method Details

onLogin

public boolean onLogin()
                throws LoginException

Specified by:

onLogin in class ClusterLoginModule

Throws:

LoginException

getName

protected String getName()

Specified by:

getName in class ClusterLoginModule