48 import com.sun.jmx.remote.util.ClassLogger;
49 import com.sun.jmx.remote.util.EnvHelp;
50 import sun.management.jmxremote.ConnectorBootstrap;
51
52 /**
53 * This {@link LoginModule} performs file-based authentication.
54 *
55 * <p> A supplied username and password is verified against the
56 * corresponding user credentials stored in a designated password file.
57 * If successful then a new {@link JMXPrincipal} is created with the
58 * user's name and it is associated with the current {@link Subject}.
59 * Such principals may be identified and granted management privileges in
60 * the access control file for JMX remote management or in a Java security
61 * policy.
62 *
63 * <p> The password file comprises a list of key-value pairs as specified in
64 * {@link Properties}. The key represents a user's name and the value is its
65 * associated cleartext password. By default, the following password file is
66 * used:
67 * <pre>
68 * ${java.home}/lib/management/jmxremote.password
69 * </pre>
70 * A different password file can be specified via the <code>passwordFile</code>
71 * configuration option.
72 *
73 * <p> This module recognizes the following <code>Configuration</code> options:
74 * <dl>
75 * <dt> <code>passwordFile</code> </dt>
76 * <dd> the path to an alternative password file. It is used instead of
77 * the default password file.</dd>
78 *
79 * <dt> <code>useFirstPass</code> </dt>
80 * <dd> if <code>true</code>, this module retrieves the username and password
81 * from the module's shared state, using "javax.security.auth.login.name"
82 * and "javax.security.auth.login.password" as the respective keys. The
83 * retrieved values are used for authentication. If authentication fails,
84 * no attempt for a retry is made, and the failure is reported back to
85 * the calling application.</dd>
86 *
87 * <dt> <code>tryFirstPass</code> </dt>
88 * <dd> if <code>true</code>, this module retrieves the username and password
96 *
97 * <dt> <code>storePass</code> </dt>
98 * <dd> if <code>true</code>, this module stores the username and password
99 * obtained from the CallbackHandler in the module's shared state, using
100 * "javax.security.auth.login.name" and
101 * "javax.security.auth.login.password" as the respective keys. This is
102 * not performed if existing values already exist for the username and
103 * password in the shared state, or if authentication fails.</dd>
104 *
105 * <dt> <code>clearPass</code> </dt>
106 * <dd> if <code>true</code>, this module clears the username and password
107 * stored in the module's shared state after both phases of authentication
108 * (login and commit) have completed.</dd>
109 * </dl>
110 */
111 public class FileLoginModule implements LoginModule {
112
113 // Location of the default password file
114 private static final String DEFAULT_PASSWORD_FILE_NAME =
115 AccessController.doPrivileged(new GetPropertyAction("java.home")) +
116 File.separatorChar + "lib" +
117 File.separatorChar + "management" + File.separatorChar +
118 ConnectorBootstrap.DefaultValues.PASSWORD_FILE_NAME;
119
120 // Key to retrieve the stored username
121 private static final String USERNAME_KEY =
122 "javax.security.auth.login.name";
123
124 // Key to retrieve the stored password
125 private static final String PASSWORD_KEY =
126 "javax.security.auth.login.password";
127
128 // Log messages
129 private static final ClassLogger logger =
130 new ClassLogger("javax.management.remote.misc", "FileLoginModule");
131
132 // Configurable options
133 private boolean useFirstPass = false;
134 private boolean tryFirstPass = false;
135 private boolean storePass = false;
136 private boolean clearPass = false;
|
48 import com.sun.jmx.remote.util.ClassLogger;
49 import com.sun.jmx.remote.util.EnvHelp;
50 import sun.management.jmxremote.ConnectorBootstrap;
51
52 /**
53 * This {@link LoginModule} performs file-based authentication.
54 *
55 * <p> A supplied username and password is verified against the
56 * corresponding user credentials stored in a designated password file.
57 * If successful then a new {@link JMXPrincipal} is created with the
58 * user's name and it is associated with the current {@link Subject}.
59 * Such principals may be identified and granted management privileges in
60 * the access control file for JMX remote management or in a Java security
61 * policy.
62 *
63 * <p> The password file comprises a list of key-value pairs as specified in
64 * {@link Properties}. The key represents a user's name and the value is its
65 * associated cleartext password. By default, the following password file is
66 * used:
67 * <pre>
68 * ${java.home}/conf/management/jmxremote.password
69 * </pre>
70 * A different password file can be specified via the <code>passwordFile</code>
71 * configuration option.
72 *
73 * <p> This module recognizes the following <code>Configuration</code> options:
74 * <dl>
75 * <dt> <code>passwordFile</code> </dt>
76 * <dd> the path to an alternative password file. It is used instead of
77 * the default password file.</dd>
78 *
79 * <dt> <code>useFirstPass</code> </dt>
80 * <dd> if <code>true</code>, this module retrieves the username and password
81 * from the module's shared state, using "javax.security.auth.login.name"
82 * and "javax.security.auth.login.password" as the respective keys. The
83 * retrieved values are used for authentication. If authentication fails,
84 * no attempt for a retry is made, and the failure is reported back to
85 * the calling application.</dd>
86 *
87 * <dt> <code>tryFirstPass</code> </dt>
88 * <dd> if <code>true</code>, this module retrieves the username and password
96 *
97 * <dt> <code>storePass</code> </dt>
98 * <dd> if <code>true</code>, this module stores the username and password
99 * obtained from the CallbackHandler in the module's shared state, using
100 * "javax.security.auth.login.name" and
101 * "javax.security.auth.login.password" as the respective keys. This is
102 * not performed if existing values already exist for the username and
103 * password in the shared state, or if authentication fails.</dd>
104 *
105 * <dt> <code>clearPass</code> </dt>
106 * <dd> if <code>true</code>, this module clears the username and password
107 * stored in the module's shared state after both phases of authentication
108 * (login and commit) have completed.</dd>
109 * </dl>
110 */
111 public class FileLoginModule implements LoginModule {
112
113 // Location of the default password file
114 private static final String DEFAULT_PASSWORD_FILE_NAME =
115 AccessController.doPrivileged(new GetPropertyAction("java.home")) +
116 File.separatorChar + "conf" +
117 File.separatorChar + "management" + File.separatorChar +
118 ConnectorBootstrap.DefaultValues.PASSWORD_FILE_NAME;
119
120 // Key to retrieve the stored username
121 private static final String USERNAME_KEY =
122 "javax.security.auth.login.name";
123
124 // Key to retrieve the stored password
125 private static final String PASSWORD_KEY =
126 "javax.security.auth.login.password";
127
128 // Log messages
129 private static final ClassLogger logger =
130 new ClassLogger("javax.management.remote.misc", "FileLoginModule");
131
132 // Configurable options
133 private boolean useFirstPass = false;
134 private boolean tryFirstPass = false;
135 private boolean storePass = false;
136 private boolean clearPass = false;
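Review bot: Nothing in this hunk falls back to, or warns about, the earlier `lib/management` location once `DEFAULT_PASSWORD_FILE_NAME` resolves under `conf/management` (second pane, which I take to be the new side), so a `jmxremote.password` that an installation still keeps in the old directory would presumably no longer be picked up by default. Because the class Javadoc states that the file stores cleartext passwords, the comment on the constant is worth extending, for example `// Default password file (${java.home}/conf/management); holds cleartext passwords, keep it readable by the owner only`. Whether the file's permissions are checked when it is loaded is not visible here, since the class body continues outside the hunk.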
|