net.sourceforge.jradiusclient.jaas: public class: RadiusLoginModule

net.sourceforge.jradiusclient.jaas
public class: RadiusLoginModule [javadoc | source]

java.lang.Object
   net.sourceforge.jradiusclient.jaas.RadiusLoginModule

All Implemented Interfaces:
LoginModule

This is an implementation of javax.security.auth.spi.LoginModule specific to using a RADIUS Server for authentication.

author:

 -  href="mailto:bloihl@users.sourceforge.net">Robert J. Loihl

version: $ - Revision: 1.2 $










    







    
Field Summary
public static final   int  MAX_CHALLENGE_ATTEMPTS     











    









    
Method from net.sourceforge.jradiusclient.jaas.RadiusLoginModule Summary:

abort,   commit,   initialize,   login,   logout
Methods from java.lang.Object:

clone,   equals,   finalize,   getClass,   hashCode,   notify,   notifyAll,   toString,   wait,   wait,   wait
Method from net.sourceforge.jradiusclient.jaas.RadiusLoginModule Detail:
 public boolean abort() throws LoginException {
        if(!this.authenticationSucceeded){
            return false;
        }else if(this.authenticationSucceeded && !this.authenticationCommitted){
            //Radius authentication succeeded but overall authentication failed
            this.authenticationSucceeded = false;
            this.userName = null;
            this.radiusClient = null;
            this.userPrincipal = null;
            this.challengedAttempts = 0;
        }else{
            //overall authentication succeeded and our commit succeeded,
            //but someone else's commit failed
            this.logout();
        }
        return true;
}
Method to abort the authentication process (phase 2). This method gets
called if the LoginContext's overall authentication process failed
(i.e. one of the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL
LoginModules did not succeed). It also cleans up any
internal state saved by the login method.
 public boolean commit() throws LoginException {
        if(!this.authenticationSucceeded){
            return false;
        } else {
            //add a principal to the subject
            this.userPrincipal = new RadiusPrincipal(this.userName);
            if(!this.radiusSubject.getPrincipals().contains(this.userPrincipal)){
                this.radiusSubject.getPrincipals().add(this.userPrincipal);
            }
            //now clean out state
            this.userName = null;//???
            this.radiusClient = null;//????
            this.challengedAttempts = 0;
            this.authenticationCommitted = true;
        }
        return true;
}
Method to commit the authentication process (phase 2). This method gets
called if the LoginContext's overall authentication process succeeded
(i.e. all of the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL
LoginModules succeeded).
If this LoginModule's own authentication attempt succeeded (checked by
retrieving the private state saved by the login method), then this
method associates relevant Principals and Credentials with the Subject
located in the LoginModule. If this LoginModule's own authentication
attempt failed, then this method cleans up any internal state saved by
the login method. (TODO perform
a RADIUS accounting request to notify RADIUS server of login time.)
 public  void initialize(Subject subject,
    CallbackHandler callbackHandler,
    Map sharedState,
    Map options) {
        this.radiusSubject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.moduleOptions = options;
}
Initialize this LoginModule.
This method is called by the LoginContext after this LoginModule has
been instantiated. The purpose of this method is to initialize this
LoginModule with the relevant information. If this LoginModule does not
understand any of the data stored in sharedState or options parameters,
they can be ignored. There MUST be the following parameters specified in
the options:


hostname - the fully qualified name or IP address of the RADIUS Server
shared secret - the secret shared between us and the RADIUS Server

The following parameters MAY be specified, but they must be supplied together:


Authenication Port - The port the RADIUS Server is listening on for
authentication
Accounting Port - The port the RADIUS Server is listening on for
accounting requests
 public boolean login() throws LoginException {
        //perform callbacks
        if (this.callbackHandler == null) {
            throw new LoginException("Error: No callback handler installed to gather username and password.");
        }
        // create callbacks
        NameCallback nameCallback = new NameCallback("User Name: ");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ",true);//turn on password echo(?)
        RadiusCallback radiusCallback = new RadiusCallback();
        Callback[] callbacks = new Callback[3];
        callbacks[0] = nameCallback;
        callbacks[1] = passwordCallback;
        callbacks[2] = radiusCallback;
        try {
            // send callbacks to callback handler
            this.callbackHandler.handle(callbacks);
        } catch(IOException ioex) {
            throw new LoginException(ioex.getMessage());
        } catch(UnsupportedCallbackException uscbex) {
            StringBuffer sb = new StringBuffer("Error: callback ");
            sb.append(uscbex.getCallback().toString());
            sb.append(" not supported.");
            throw new LoginException(sb.toString());
        }
        this.userName = nameCallback.getName();
        char[] userPassword = passwordCallback.getPassword();
        if(userPassword == null){
            //treat a null password as a zero length password
            userPassword = new char[0];
        }
        //finally clear the password
        passwordCallback.clearPassword();
        //now authenticate
        try{
            this.radiusClient = new RadiusClient(radiusCallback.getHostName(),
                                                 radiusCallback.getAuthPort(),
                                                 radiusCallback.getAcctPort(),
                                                 radiusCallback.getSharedSecret(),
                                                 this.userName,
                                                 radiusCallback.getTimeout());
            this.authenticate(userPassword, radiusCallback.getCallingStationID(), radiusCallback.getNumRetries() );
        }catch(InvalidParameterException ivpex){
            StringBuffer sb1 = new StringBuffer("Configuration of the RADIUS client is incorrect. ");
            sb1.append(ivpex.getMessage());
            throw new LoginException(sb1.toString());
        }catch(SocketException sex){
            StringBuffer sb2 = new StringBuffer("Configuration of the RADIUS client is incorrect. ");
            sb2.append(sex.getMessage());
            throw new LoginException(sb2.toString());
        }catch(NoSuchAlgorithmException nsaex){
            StringBuffer sb3 = new StringBuffer("Configuration of the RADIUS client is incorrect. ");
            sb3.append(nsaex.getMessage());
            throw new LoginException(sb3.toString());
        }
        //finally clear the password in memory
        for(int i = 0; i <  userPassword.length;i++){
            userPassword[i] = ' ';
        }
        userPassword = null;
        this.authenticationSucceeded = true;
        //everything went well, return true
        return true;
}
Authenticates this Subject against a RADIUS Server (phase 1). It uses
the callbacks to request a UserName and a Password, and possibly requests
a response to a challenge recieved from the RADIUS server.
 public boolean logout() throws LoginException {
        this.radiusSubject.getPrincipals().remove(this.userPrincipal);
        this.authenticationCommitted = false;
        this.authenticationSucceeded = false;
        this.userName = null;
        this.radiusClient = null;
        this.userPrincipal = null;
        this.challengedAttempts = 0;
        return true;
}
This method logs out a Subject (TODO perform
a RADIUS accounting request to notify RADIUS server of logout time.)