Creating a Principal Authentication Module
This section provides guidelines for creating a JAAS-based PAM.
TDV uses JAAS (Java Authentication and Authorization Service) authentication modules, which must have zero-argument constructors.
Note: It is recommended that user-supplied LoginModule implementations avoid storing state in class variables.
To create the necessary JAR file
1. Create a manifest.mf file with the following name-value pairs:
Manifest-Version: 1.0
cisext-name: <name>
cisext-annotation: <description>
cisext-version: <integer_version_number>
cisext-introspectAll: true
cisext-dependencies: <dependencyName>:<version_number>
name: <fullpath_and_class_file_name>
cisext-introspect: true
2. Make sure the last line of the manifest file is empty.
3. Save the manifest file.
4. Create your JAAS login module class files using the following recommendations. The Value column names the standard javax.security.auth.spi.LoginModule method, or initialize() parameter, that each recommendation applies to.

Value | Recommendation
initialize | Initialization method. Whenever a user signs in to TDV, each registered LoginModule class is instantiated and its initialize method is called.
CallbackHandler (initialize parameter) | An instance of javax.security.auth.callback.CallbackHandler that can be used to retrieve the user's name and password through the NameCallback and PasswordCallback classes. Passing any other Callback instance to the handler results in an UnsupportedCallbackException.
Shared state Map (initialize parameter) | All operating LoginModules are passed a copy of a Map<String,?> that has been initialized with all of the channel properties for that connection (HTTP headers and others). If you want an authentication module to validate a particular channel type, inspect the extra Transport-Type channel property, which is populated with one of these constants: http, jms, or db (for JDBC/ODBC/ADO.NET).
Options Map (initialize parameter) | Each LoginModule instance is passed a Map<String,?> containing its configuration parameters.
login | The method in which the module decides the login status. The three possible outcomes are:
commit | If no exceptions occur, the sign-on is considered successful, and each module can add whatever security credentials it wants to the Subject instance identified in the initialize method.
abort | If any LoginModule fails, that module's abort method is called to allow the module to release any resources it might be holding.
logout | The method called when the user signs out.
5. Save the class files and the manifest.mf file in a single JAR file.
6. Use server_util.sh to deploy the package that contains your PAM. For instructions, see Deploying Pluggable Authentication Modules.
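As an added illustration (not code from the TDV documentation or product), the following LoginModule puts the recommendations above together: a zero-argument constructor, state kept only in instance fields, credentials obtained through NameCallback and PasswordCallback, a Transport-Type check against the shared channel properties, and release of state in abort and logout. The class name and the verifyCredentials hook are assumptions, and standard JAAS semantics are assumed for the boolean return values.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ExampleLoginModule implements LoginModule {
    // Instance fields only: TDV creates a fresh module per sign-in, so static (class) state would leak between users.
    private Subject subject; private CallbackHandler handler; private Map<String, ?> sharedState;
    private String user; private boolean succeeded;
    public ExampleLoginModule() { }  // zero-argument constructor, as TDV requires
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        this.sharedState = sharedState;  // channel properties such as Transport-Type; 'options' carries the module's own configuration
    }
    public boolean login() throws LoginException {
        // Validate HTTP channels only; returning false tells JAAS to ignore this module for jms/db connections.
        if (!"http".equals(sharedState.get("Transport-Type"))) return false;
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });  // any other Callback type raises UnsupportedCallbackException
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pc.getPassword(); pc.clearPassword();
        boolean ok = pw != null && verifyCredentials(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');  // scrub the secret as soon as it has been checked
        if (!ok) throw new FailedLoginException("invalid user name or password");
        user = nc.getName(); succeeded = true;
        return true;
    }
    public boolean commit() {  // overall sign-on succeeded: hand the identity to TDV through the Subject
        if (!succeeded) return false;
        final String name = user; subject.getPrincipals().add(() -> name);
        return true;
    }
    public boolean abort() { clearState(); return true; }  // some module failed: release anything held
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> user != null && user.equals(p.getName()));
        clearState(); return true;
    }
    private void clearState() { user = null; succeeded = false; }
    // Hypothetical hook, not a TDV API: wire this to the identity store you actually use.
    private boolean verifyCredentials(String name, char[] password) { return false; }  // constructed placeholder: rejects all
}
```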