DigipassJdbcLoginModule (Cams API Documentation)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.cafesoft.cams.auth.login.module
Class DigipassJdbcLoginModule

java.lang.Object
  com.cafesoft.cams.auth.login.module.DigipassJdbcLoginModule

All Implemented Interfaces:: LoggerClient, ServiceClient, LoginModule

public class DigipassJdbcLoginModule
extends Object
implements LoginModule, ServiceClient, LoggerClient
extends Object
implements LoginModule, ServiceClient, LoggerClient

Implements the LoginModule interface found in JAAS to authenticate users with VASCO Digipass tokens against relational database using JDBC. The following process flow is used:

Always query the Digipass record values for the user, including:
- Serial number
- Authentication mode
- Digipass data blob
Determine if the authentication mode is response only (RO) or challenge/response (CR)
If RO, use the password to try to authenticate the user
If CR, and there is NO challenge, generate a challenge and return it to the user
If CR, and there is a challenge, use it and the password to try to authenticate the user
Always save the final Digipass data blob to the database to preserve state

See the VACMAN controller Java AAL2Wrap and KernelParms API javadoc, included with the VACMAN controller distribution. NOTE: You must deploy the aal2wrap.jar and operating system specific dlls/libraries into CAMS_HOME/lib. For Windows, use aal2sdk.dll and aal2sdk.lib. For Linux/UNIX, use libaal2sdk-3.5.0.so and libaal2sdk.so. All configuration parameters are listed below:

jdbcDriver - the JDBC Driver
jdbcUrl - the database JDBC URL
jdbcUsername - the database username
jdbcPassword - the user's password on the database server
getDigipassPreparedStatement - the prepared statement to get a user's DIGIPASS
saveDigipassPreparedStatement - the prepared statement to update a user's DIGIPASS
serialNumberColumn - the database column name for the DIGIPASS serial number
authenticationModeColumn - the database column name for the authentication mode for the digipass: RO - Response Only CR - Challenge Response (stubbed out, not fully implemented)
digipassDataColumn - the database column name for the DIGIPASS data blob.
accountExpiredPreparedStatement - (optional) the prepared statement to determine if the account has expired. Prepared statement must return a count of "1" if the account has expired, "0" if it has not. This prepared statement is executed conditionally after the password has been validated.
defaultRoles - (Optional) A list of one or more default roles separated by a comma to be added to the user session.
rolePreparedStatement - the prepared statement to execute to obtain the user's roles
roleColumn - the database column name for the role field
kernelParameters - the comma-delimited Vacman controller kernel parameters to use as integers or hex values, for example: "100,24,0,0,1,0,0,0,0,6,0,100,0,0,0x7FFFFF,0,0,0,0"
responseLength - the expected total length of the response after a challenge (4 for pre-pended challenge plus the length dynamic response)

Since:: 01/23/06
See Also:: Subject, CallbackHandler, LoginModule

Constructor Summary
`DigipassJdbcLoginModule()` Default LoginModule Constructor.

Method Summary
`boolean`	`abort()` Method to abort the authentication process (phase 2).
`boolean`	`commit()` Method to commit the authentication process (phase 2).
`void`	`initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)` Initialize this LoginModule.
`boolean`	`login()` Method to authenticate a `Subject` (phase 1).
`boolean`	`logout()` Method which logs out a `Subject`.
`void`	`setLogger(Logger logger)` Sets the logger.
`void`	`setServiceFinder(ServiceFinder finder)` Set the ServiceFinder.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

DigipassJdbcLoginModule

public DigipassJdbcLoginModule()

Default LoginModule Constructor.

Method Detail

setServiceFinder

public void setServiceFinder(ServiceFinder finder)

Set the ServiceFinder.

Specified by:: setServiceFinder in interface ServiceClient

Parameters:: finder - the class used by find Services by the ServiceClient.

setLogger

public void setLogger(Logger logger)

Sets the logger.

Specified by:: setLogger in interface LoggerClient

Parameters:: logger - logs messages

initialize

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map sharedState,
                       Map options)

Initialize this LoginModule.

This method is called by the LoginContext after this LoginModule has been instantiated. The purpose of this method is to initialize this LoginModule with the relevant information. If this LoginModule does not understand any of the data stored in sharedState or options parameters, they can be ignored.

Specified by:: initialize in interface LoginModule

Parameters:: subject - the Subject to be authenticated.; callbackHandler - a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).; sharedState - state shared with other configured LoginModules.; options - options specified in the login Configuration for this particular LoginModule.

login

public boolean login()
              throws LoginException

Method to authenticate a Subject (phase 1).

The implementation of this method authenticates a Subject. For example, it may prompt for Subject information such as a username and password and then attempt to verify the password. This method saves the result of the authentication attempt as private state within the LoginModule.

Specified by:: login in interface LoginModule

Returns:: true if the authentication succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the authentication fails

commit

public boolean commit()
               throws LoginException

Method to commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes/destroys any state that was originally saved.

Specified by:: commit in interface LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the commit fails

abort

public boolean abort()
              throws LoginException

Method to abort the authentication process (phase 2).

This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method cleans up any state that was originally saved.

Specified by:: abort in interface LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the abort fails

logout

public boolean logout()
               throws LoginException

Method which logs out a Subject.

An implementation of this method might remove/destroy a Subject's Principals and Credentials.

Specified by:: logout in interface LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the logout fails