Login Module Overview

For authentication purpose, Jetspeed 2 provide a default login module implementation. Login modules provide a standard way to expose authentication services for java application. More information about login modules can be found in the JDK LoginModule interface documentation.

Login Module Configuration

Configuration is central to JAAS authentication. By default, Jetspeed 2 is configured to use its DefaultLoginModule implementation. The configuration file (login.conf) for the login module ship with the jetspeed2-security-{version}.jar component and provide the following configuration:

Jetspeed {
   org.apache.jetspeed.security.impl.DefaultLoginModule required;

In order to override this configuration, you can place your own login.conf file in your web application class path under WEB-INF/classes. The location of the login.conf file is configured in the security-providers.xml as described below. For more information on how to configure the security providers, see the configuration section.

<!-- Security: Default Authentication Provider -->
<bean id="org.apache.jetspeed.security.AuthenticationProvider" 
    <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>
  	<constructor-arg index="1"><value>The default authenticator</value></constructor-arg>
  	<constructor-arg index="2"><value>login.conf</value></constructor-arg>
  	<constructor-arg index="3">
  	    <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>
  	<constructor-arg index="4">
  	    <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>

The AuthenticationProvider configures the LoginModule to be used by the application by setting the System property java.security.auth.login.config to the login.conf specified in the component configuration.

Login Module Implementation

The DefaultLoginModule implementation is illustrated by the class diagram below:

The roles of the classes used to implement the DefaultLoginModule are:

Class Description
org.apache.jetspeed.security.impl.DefaultLoginModule The javax.security.auth.spi.LoginModule implementation. The DefaultLoginModule authentication decision is encapsulated behind the UserManager interface which leverages the SPI implementation to decide which authenticator should be used in order to authenticate a user against a specific system of record. For more information on how to implement your own authenticator, see the authentication SPI documentation.
org.apache.jetspeed.security.LoginModuleProxy A utility component used to expose the UserManager to the DefaultLoginModule.
org.apache.jetspeed.security.User The User is an interface that holds the javax.security.auth.Subject and his/her java.util.prefs.Preferences. The UserManager upon user authentication populates the user subject with all user java.security.Principal. Jetspeed 2 implements 3 types of principals:
  • UserPrincipal: The principal holding the user unique identifier for the application.
  • RolePrincipal: The principal representing a role for the system.
  • GroupPrincipal: The principal representing a group for the system.
org.apache.jetspeed.security.UserManager The interface exposing all user operations. This interfaces fronts the aggregates various SPI to provide developers with the ability to map users to their specific system of record.