Package net.shibboleth.idp.authn.impl
Class KerberosCredentialValidator
- java.lang.Object
  - net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    - net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
      - net.shibboleth.idp.authn.AbstractCredentialValidator
        - net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator
          - net.shibboleth.idp.authn.impl.KerberosCredentialValidator

All Implemented Interfaces:
CredentialValidator, PrincipalSupportingComponent, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

@ThreadSafeAfterInit public class KerberosCredentialValidator extends AbstractUsernamePasswordCredentialValidator

A password validator that authenticates against Kerberos natively, with optional service ticket verification.

Since:
4.0.0

Nested Class Summary

| Modifier and Type | Class | Description |
| --- | --- | --- |
| private class | KerberosCredentialValidator.SimpleCallbackHandler | A callback handler that provides static name and password data to a JAAS login process. |

Nested classes/interfaces inherited from interface net.shibboleth.idp.authn.CredentialValidator
CredentialValidator.ErrorHandler, CredentialValidator.WarningHandler

Field Summary

| Modifier and Type | Field | Description |
| --- | --- | --- |
| private Map<String,String> | clientOptions | JAAS options for client login. |
| private String | keytabPath | Path to keytab for service principal. |
| private org.slf4j.Logger | log | Class logger. |
| private String | loginModuleClassName | Class name of JAAS LoginModule to acquire Kerberos credentials. |
| private boolean | preserveTicket | Save the TGT in the resulting Subject? |
| private boolean | refreshKrb5Config | Refresh the Kerberos config before running? |
| private Map<String,String> | serverOptions | JAAS options for server login. |
| private String | servicePrincipal | Service principal to acquire a ticket for to verify KDC. |

Constructor Summary

| Constructor | Description |
| --- | --- |
| KerberosCredentialValidator() | Constructor. |

Method Summary

| Modifier and Type | Method | Description |
| --- | --- | --- |
| protected void | doInitialize() | |
| protected Subject | doValidate(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext, UsernamePasswordContext usernamePasswordContext, CredentialValidator.WarningHandler warningHandler, CredentialValidator.ErrorHandler errorHandler) | |
| protected Subject | populateSubject(Subject subject, UsernamePasswordContext usernamePasswordContext) | |
| void | setKeytabPath(String path) | Provides a keytab for the service principal to use to verify the KDC. |
| void | setLoginModuleClassName(String name) | Set the name of the JAAS LoginModule to use to acquire Kerberos credentials. |
| void | setPreserveTicket(boolean flag) | Set whether to save the TGT in the Subject. |
| void | setRefreshKrb5Config(boolean flag) | Set whether to refresh the Kerberos configuration before running. |
| void | setServicePrincipal(String name) | Set the name of a service principal to use to verify the KDC. |
| private void | verifyKDC(Subject subject) | Use credentials to acquire and verify a service ticket. |

Methods inherited from class net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator
applyTransforms, doValidate, removeContextAfterValidation, savePasswordToCredentialSet, setLowercase, setMatchExpression, setRemoveContextAfterValidation, setSavePasswordToCredentialSet, setTransforms, setTrim, setUppercase, setUsernamePasswordContextLookupStrategy

Methods inherited from class net.shibboleth.idp.authn.AbstractCredentialValidator
getLogPrefix, getSupportedPrincipals, isAcceptable, populateSubject, setActivationCondition, setId, setSupportedPrincipals, validate

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent
getId

Field Detail

log
@Nonnull private final org.slf4j.Logger log
Class logger.

loginModuleClassName
@NonnullAfterInit @NotEmpty private String loginModuleClassName
Class name of JAAS LoginModule to acquire Kerberos credentials.

refreshKrb5Config
private boolean refreshKrb5Config
Refresh the Kerberos config before running?

preserveTicket
private boolean preserveTicket
Save the TGT in the resulting Subject?

servicePrincipal
private String servicePrincipal
Service principal to acquire a ticket for to verify KDC.

keytabPath
private String keytabPath
Path to keytab for service principal.

clientOptions
@NonnullAfterInit private Map<String,String> clientOptions
JAAS options for client login.

serverOptions
@NonnullAfterInit private Map<String,String> serverOptions
JAAS options for server login.

Method Detail

setLoginModuleClassName
public void setLoginModuleClassName(@Nonnull String name)
Set the name of the JAAS LoginModule to use to acquire Kerberos credentials.
Parameters:
name - name of login module class

setRefreshKrb5Config
public void setRefreshKrb5Config(boolean flag)
Set whether to refresh the Kerberos configuration before running.
Parameters:
flag - flag to set

setPreserveTicket
public void setPreserveTicket(boolean flag)
Set whether to save the TGT in the Subject.
Parameters:
flag - flag to set

setServicePrincipal
public void setServicePrincipal(@Nullable String name)
Set the name of a service principal to use to verify the KDC.
If non-null, a keytab resource must also be set.
Parameters:
name - name of service principal

setKeytabPath
public void setKeytabPath(@Nullable String path)
Provides a keytab for the service principal to use to verify the KDC.
Parameters:
path - path to file containing a keytab

doInitialize
protected void doInitialize() throws ComponentInitializationException
Overrides:
doInitialize in class AbstractIdentifiedInitializableComponent
Throws:
ComponentInitializationException

doValidate
protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull UsernamePasswordContext usernamePasswordContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception
Specified by:
doValidate in class AbstractUsernamePasswordCredentialValidator
Throws:
Exception

populateSubject
@Nonnull protected Subject populateSubject(@Nonnull Subject subject, @Nonnull UsernamePasswordContext usernamePasswordContext)
Overrides:
populateSubject in class AbstractUsernamePasswordCredentialValidator
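
The KDC verification that the service principal and keytab settings exist for, shown as an added example that is not Shibboleth's code: a JAAS password login, followed by a GSS-API exchange in which the user's TGT must yield a service ticket that the keytab key can accept. The class `KdcVerifyExample`, its method names, and the choice of the JDK's `com.sun.security.auth.module.Krb5LoginModule` with these options are assumptions of the example.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

// Added illustration; class and method names are hypothetical, not Shibboleth code.
public class KdcVerifyExample {
    static final String MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    /** Run one JAAS login with a programmatic, single-module configuration. */
    static Subject login(Map<String, String> opts, CallbackHandler handler) throws LoginException {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext ctx = new LoginContext("kdc-verify", null, handler, cfg);
        ctx.login();
        return ctx.getSubject();
    }
    /** True only if the user's TGT yields a ticket that the keytab key can decrypt. */
    static boolean verify(String user, char[] pw, String service, String keytab) throws Exception {
        Subject client = login(Map.of("refreshKrb5Config", "true"), callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        Subject server = login(Map.of("useKeyTab", "true", "keyTab", keytab, "storeKey", "true",
                "principal", service, "isInitiator", "false"), null);
        GSSManager gss = GSSManager.getInstance();
        Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");
        Oid krb5Name = new Oid("1.2.840.113554.1.2.2.1");
        // Client side: use the TGT from the password login to request a service ticket.
        byte[] token = Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSContext c = gss.createContext(gss.createName(service, krb5Name),
                    krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
            return c.initSecContext(new byte[0], 0, 0);
        });
        // Server side: a ticket not encrypted under the keytab's key throws GSSException here.
        return Subject.doAs(server, (PrivilegedExceptionAction<Boolean>) () -> {
            GSSContext c = gss.createContext((GSSCredential) null);
            c.acceptSecContext(token, 0, token.length);
            return c.isEstablished();
        });
    }
}
```

A password login that succeeds while `verify` throws means the responding KDC could issue a TGT but does not share the service key held in the keytab, which is the condition the service principal and keytab settings are there to detect.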