LoginModulePlugin interface defines the API to be
* implemented by a pluggable login module. Instances of this interface are
* returned by the {@link LoginModulePluginFactory#create(Credentials)} method.
*
* @see DefaultLoginModulePlugin
* @see LoginModulePluginFactory
*/
public interface LoginModulePlugin {
/**
* Returned by the {@link #impersonate(Principal, Credentials)} method if
* impersonation should be handled by the DefaultLoginModule.
*/
static final int IMPERSONATION_DEFAULT = 0;
/**
* Returned by the {@link #impersonate(Principal, Credentials)} method if
* impersonation was handled by the login plugin and succeeded.
*/
static final int IMPERSONATION_SUCCESS = 1;
/**
* Returned by the {@link #impersonate(Principal, Credentials)} method if
* impersonation was handled by the login plugin and failed. The
* DefaultLoginModule is not asked for impersonation in this
* case.
*/
static final int IMPERSONATION_FAILED = 2;
/**
* Sets up the sate of this login module. If the instance throws any
* Exception during setup it will be ignored for the login
* processing.
*/
void init(CallbackHandler callbackHandler, Session session,
Map options) throws LoginException;
/**
* Informs the plugin that the overall login process has succeeded and
* should now be finalized. This allows the implementation to cleanup any
* state which has been created during the login process.
*
* Regardless of the outcome of this method, the commit method
* of the DefaultLoginModule is always called. The result of
* the overall commit process is the worst result of both methods.
*/
boolean commit() throws LoginException;
/**
* Informs the plugin that the overall login process has failed and should
* not be finalized. This allows the implementation to cleanup any state
* which has been created during the login process.
*
* Regardless of the outcome of this method, the abort method
* of the DefaultLoginModule is always called. The result of
* the overall abort process is the worst result of both methods.
*/
boolean abort() throws LoginException;
/**
* Returns the user ID encoded in the given credentials or null
* if this plugin does not support these Credentials.
*
* This method is generally called by the DefaultLoginModule if
* the {@link #getPrincipal(Credentials)} method returns null.
*
* If null is returned the user ID is expected to be provided
* by the AbstractLoginModule.getUserId(Credentials) method.
*/
String getUserId(Credentials credentials);
/**
* Return a Principal object or null.
*
* If null is returned the Principal will be provided by the
* DefaultLoginModule.getPrincipal method.
*
* Generally this method should return null unless the login
* module has a way of providing a Principal which may be used as the basis
* for authentication decisions in the repository.
*
* @return an instance of the Principal associated with these Credentials or
* null
*/
Principal getPrincipal(Credentials credentials);
/**
* Allows for adding additional {@link Principal} objects, such as groups or
* roles, to the {@link Subject}.
*
* @param principals original collection of principals
*/
void addPrincipals(Settrue.
* If the credentials don't identify the principal the method returns
* false in which case the the authenticate method
* of the DefaultLoginModule is called.
*
* @return true if the credentials identify the principal.
* Otherwise false to indicate the plugin cannot
* identify the principal from the credentials.
*/
boolean authenticate(User user, Principal principal, Credentials credentials);
/**
* Returns a code indicating either the status of the impersonation attempt,
* or {@link #IMPERSONATION_DEFAULT} if the impersonation should be handled
* by the DefaultLoginModule.impersonate method.
*
* @return one of {@link #IMPERSONATION_DEFAULT},
* {@link #IMPERSONATION_SUCCESS} or {@link #IMPERSONATION_FAILED}
*/
int impersonate(Principal principal, Credentials credentials)
throws RepositoryException, FailedLoginException;
}