ValidateUsernamePasswordAgainstKerberos (Shibboleth IdP :: Authentication Implementation 3.4.1 API)

java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>
  - - org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>
    - - net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>
      - net.shibboleth.idp.authn.AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>
        
        net.shibboleth.idp.authn.AbstractValidationAction
        
        net.shibboleth.idp.authn.AbstractUsernamePasswordValidationAction
        
        net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstKerberos

All Implemented Interfaces:

PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action
```
public class ValidateUsernamePasswordAgainstKerberos
extends AbstractUsernamePasswordValidationAction
```
An action that checks for a UsernamePasswordContext and directly produces an AuthenticationResult based on that identity by acquiring a TGT and optional service ticket from Kerberos.
Event:

EventIds.PROCEED_EVENT_ID, AuthnEventIds.AUTHN_EXCEPTION, AuthnEventIds.INVALID_CREDENTIALS

Precondition:
```
ProfileRequestContext.getSubcontext(AuthenticationContext.class, false).getAttemptedFlow() != null
```
Postcondition:

If AuthenticationContext.getSubcontext(UsernamePasswordContext.class, false) != null, then an AuthenticationResult is saved to the AuthenticationContext on a successful login. On a failed login, the AbstractValidationAction.handleError( ProfileRequestContext, AuthenticationContext, Exception, String) method is called.

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`private class`	`ValidateUsernamePasswordAgainstKerberos.SimpleCallbackHandler` A callback handler that provides static name and password data to a JAAS login process.

Field Summary

Fields
Modifier and Type	Field and Description
`private Map<String,String>`	`clientOptions` JAAS options for client login.
`private static String`	`DEFAULT_METRIC_NAME` Default prefix for metrics.
`private String`	`keytabPath` Path to keytab for service principal.
`private org.slf4j.Logger`	`log` Class logger.
`private String`	`loginModuleClassName` Class name of JAAS LoginModule to acquire Kerberos credentials.
`private boolean`	`preserveTicket` Save the TGT in the resulting Subject?
`private boolean`	`refreshKrb5Config` Refresh the Kerberos config before running?
`private Map<String,String>`	`serverOptions` JAAS options for server login.
`private String`	`servicePrincipal` Service principal to acquire a ticket for to verify KDC.

Constructor Summary

Constructors
Constructor and Description

ValidateUsernamePasswordAgainstKerberos()
Constructor.

Constructors
Constructor and Description
`ValidateUsernamePasswordAgainstKerberos()` Constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`protected void`	`doInitialize()`
`protected Subject`	`populateSubject(Subject subject)`
`void`	`setKeytabPath(String path)` Provides a keytab for the service principal to use to verify the KDC.
`void`	`setLoginModuleClassName(String name)` Set the name of the JAAS LoginModule to use to acquire Kerberos credentials.
`void`	`setPreserveTicket(boolean flag)` Set whether to save the TGT in the Subject.
`void`	`setRefreshKrb5Config(boolean flag)` Set whether to refresh the Kerberos configuration before running.
`void`	`setServicePrincipal(String name)` Set the name of a service principal to use to verify the KDC.
`private void`	`verifyKDC()` Use credentials to acquire and verify a service ticket.

Methods inherited from class net.shibboleth.idp.authn.AbstractUsernamePasswordValidationAction
doPreExecute, getLockoutManager, getUsernamePasswordContext, recordFailure, recordSuccess, removeContextAfterValidation, savePasswordToCredentialSet, setLockoutManager, setMatchExpression, setRemoveContextAfterValidation, setSavePasswordToCredentialSet

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

- Field Detail
  - DEFAULT_METRIC_NAME
```
@Nonnull
@NotEmpty
private static final String DEFAULT_METRIC_NAME
```
    Default prefix for metrics.
    
    See Also:
    Constant Field Values
  - log
```
@Nonnull
private final org.slf4j.Logger log
```
    Class logger.
  - loginModuleClassName
```
@NonnullAfterInit
@NotEmpty
private String loginModuleClassName
```
    Class name of JAAS LoginModule to acquire Kerberos credentials.
  - refreshKrb5Config
```
private boolean refreshKrb5Config
```
    Refresh the Kerberos config before running?
  - preserveTicket
```
private boolean preserveTicket
```
    Save the TGT in the resulting Subject?
  - servicePrincipal
```
private String servicePrincipal
```
    Service principal to acquire a ticket for to verify KDC.
  - keytabPath
```
private String keytabPath
```
    Path to keytab for service principal.
  - clientOptions
```
@NonnullAfterInit
private Map<String,String> clientOptions
```
    JAAS options for client login.
  - serverOptions
```
@NonnullAfterInit
private Map<String,String> serverOptions
```
    JAAS options for server login.
- Constructor Detail
  - ValidateUsernamePasswordAgainstKerberos
```
public ValidateUsernamePasswordAgainstKerberos()
```
    Constructor.
- Method Detail
  - setLoginModuleClassName
```
public void setLoginModuleClassName(@Nonnull
                           String name)
```
    Set the name of the JAAS LoginModule to use to acquire Kerberos credentials.
    
    Parameters:
    name - name of login module class
  - setRefreshKrb5Config
```
public void setRefreshKrb5Config(boolean flag)
```
    Set whether to refresh the Kerberos configuration before running.
    
    Parameters:
    flag - flag to set
  - setPreserveTicket
```
public void setPreserveTicket(boolean flag)
```
    Set whether to save the TGT in the Subject.
    
    Parameters:
    flag - flag to set
  - setServicePrincipal
```
public void setServicePrincipal(@Nullable
                       String name)
```
    Set the name of a service principal to use to verify the KDC.
    If non-null, a keytab resource must also be set.
    
    Parameters:
    name - name of service principal
  - setKeytabPath
```
public void setKeytabPath(@Nullable
                 String path)
```
    Provides a keytab for the service principal to use to verify the KDC.
    
    Parameters:
    path - path to file containing a keytab
  - doInitialize
```
protected void doInitialize()
                     throws ComponentInitializationException
```
    Overrides:
    
    doInitialize in class AbstractInitializableComponent
    
    Throws:
    
    ComponentInitializationException
  - doExecute
```
protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext,
             @Nonnull
             AuthenticationContext authenticationContext)
```
    Overrides:
    
    doExecute in class AbstractAuthenticationAction
  - populateSubject
```
@Nonnull
protected Subject populateSubject(@Nonnull
                              Subject subject)
```
    Overrides:
    
    populateSubject in class AbstractUsernamePasswordValidationAction
  - verifyKDC
```
private void verifyKDC()
                throws Exception
```
    Use credentials to acquire and verify a service ticket.
    
    Throws:
    
    Exception - if an error occurs

Class ValidateUsernamePasswordAgainstKerberos

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractUsernamePasswordValidationAction

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Detail

DEFAULT_METRIC_NAME

log

loginModuleClassName

refreshKrb5Config

preserveTicket

servicePrincipal

keytabPath

clientOptions

serverOptions

Constructor Detail

ValidateUsernamePasswordAgainstKerberos

Method Detail

setLoginModuleClassName

setRefreshKrb5Config

setPreserveTicket

setServicePrincipal

setKeytabPath

doInitialize

doExecute

populateSubject

verifyKDC