Creating a Principal Authentication Module
This section provides guidelines for creating a JAAS-based PAM.
TDV uses JAAS (Java Authentication and Authorization Service) authentication modules, which contain zero-argument constructors.
Note: It is recommended that user-supplied LoginModule implementations avoid storing state in class variables.
To create the necessary JAR file
1. Create a manifest.mf file with the following name-value pairs:
Manifest-Version: 1.0
cisext-name: <name>
cisext-annotation: <description>
cisext-version: <integer_version_number>
cisext-introspectAll: true
cisext-dependencies: <dependencyName>:<version_number>
name: <fullpath_and_class_file_name>
cisext-introspect: true
 
2. Make sure the last line of the manifest file is empty.
3. Save the manifest file.
4. Create your JAAS login module class files using the following recommendations.
Value: Recommendation
Initialization: Initialization method. Whenever a user signs in to TDV, each registered LoginModule class is instantiated and its initialization method is called.
subject
callbackHandler
sharedState: All operating LoginModules are passed a copy of a Map<String,?> that has been initialized with all of the channel properties for that connection (HTML headers and others). If you want an authentication module to validate a particular channel type, populate the extra Transport-Type channel property with one of these constants: http, jms or db (for JDBC/ODBC/ADO.NET).
options: Each LoginModule instance is passed a Map<String,?> containing its configuration parameters.
Login: The method where the module decides login status. The three possible outcomes are:
   Pass: The login method returns TRUE.
   Fail: The method throws a LoginException.
   Neither: The login module returns FALSE to disqualify itself from the sign-on process. For example, a LoginModule designed to validate JDBC connections where the user is authenticating through a Web service might then return FALSE.
Commit: If no exceptions occur, the sign-on is considered successful, and each module can add whatever security credentials it wants to the Subject instance identified in the initialize method.
Abort: If any LoginModule fails, that module's abort method is called to allow the module to release any resources it might be holding.
Logout: The method to call when the user signs out.
5. Save the class files and the manifest.mf file in a single JAR file.
6. Use server_util.sh to deploy the package that contains your PAM authentication. For instructions, see Deploying Pluggable Authentication Modules.
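The following LoginModule is an added example, not code from TDV or from this guide. It shows the lifecycle from step 4 with the three login outcomes. It assumes that the Transport-Type channel property is readable from sharedState, that the callback handler supplied by the server answers NameCallback and PasswordCallback, and that a hypothetical option named tokenSha256B64 holds the Base64-encoded SHA-256 digest of a high-entropy service token. The class name is also hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example: per-login state lives in instance fields only, never in static (class) variables.
public class TokenLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> shared, options;
    private Principal authenticated, committed;

    public TokenLoginModule() { }  // zero-argument constructor

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
        subject = s; handler = h; shared = sharedState; options = opts;
    }
    public boolean login() throws LoginException {
        // Neither: this module only validates "db" (JDBC/ODBC/ADO.NET) channels.
        if (!"db".equals(shared.get("Transport-Type"))) return false;
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("token", false);
        byte[] got, want;
        try {
            handler.handle(new Callback[] { name, pass });
            char[] token = pass.getPassword();
            pass.clearPassword();
            got = MessageDigest.getInstance("SHA-256").digest(new String(token).getBytes(StandardCharsets.UTF_8));
            want = Base64.getDecoder().decode((String) options.get("tokenSha256B64")); // hypothetical option
        } catch (Exception e) {  // no credentials supplied, or the module is misconfigured
            throw new LoginException("cannot evaluate credentials");
        }
        // Fail: constant-time digest comparison and a generic message for every rejection.
        if (name.getName() == null || !MessageDigest.isEqual(got, want))
            throw new FailedLoginException("login failed");
        String user = name.getName();
        authenticated = () -> user;  // minimal Principal that carries only the user name
        return true;                 // Pass
    }
    public boolean commit() {
        if (authenticated == null) return false;  // this module disqualified itself in login()
        subject.getPrincipals().add(committed = authenticated);
        return true;
    }
    public boolean abort() { boolean took_part = authenticated != null; logout(); return took_part; }
    public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        authenticated = committed = null;
        return true;
    }
}
```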