2362N/A * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * A Configuration object is responsible for specifying which LoginModules 0N/A * should be used for a particular application, and in what order the 0N/A * LoginModules should be invoked. 0N/A * <p> A login configuration contains the following information. 0N/A * Note that this example only represents the default syntax for the 0N/A * <code>Configuration</code>. Subclass implementations of this class 0N/A * may implement alternative syntaxes and may retrieve the 0N/A * <code>Configuration</code> from any source such as files, databases, 0N/A * ModuleClass Flag ModuleOptions; 0N/A * ModuleClass Flag ModuleOptions; 0N/A * ModuleClass Flag ModuleOptions; 0N/A * ModuleClass Flag ModuleOptions; 0N/A * ModuleClass Flag ModuleOptions; 0N/A * ModuleClass Flag ModuleOptions; 0N/A * ModuleClass Flag ModuleOptions; 0N/A * <p> Each entry in the <code>Configuration</code> is indexed via an 0N/A * application name, <i>Name</i>, and contains a list of 0N/A * LoginModules configured for that application. Each <code>LoginModule</code> 0N/A * is specified via its fully qualified class name. 0N/A * Authentication proceeds down the module list in the exact order specified. 0N/A * If an application does not have specific entry, 0N/A * it defaults to the specific entry for "<i>other</i>". 0N/A * <p> The <i>Flag</i> value controls the overall behavior as authentication 0N/A * proceeds down the stack. The following represents a description of the 0N/A * valid values for <i>Flag</i> and their respective semantics: 0N/A * 1) Required - The <code>LoginModule</code> is required to succeed. 0N/A * If it succeeds or fails, authentication still continues 0N/A * to proceed down the <code>LoginModule</code> list. 0N/A * 2) Requisite - The <code>LoginModule</code> is required to succeed. 0N/A * If it succeeds, authentication continues down the 0N/A * <code>LoginModule</code> list. If it fails, 0N/A * control immediately returns to the application 0N/A * (authentication does not proceed down the 0N/A * <code>LoginModule</code> list). 0N/A * 3) Sufficient - The <code>LoginModule</code> is not required to 0N/A * succeed. If it does succeed, control immediately 0N/A * returns to the application (authentication does not 0N/A * proceed down the <code>LoginModule</code> list). 0N/A * If it fails, authentication continues down the 0N/A * <code>LoginModule</code> list. 0N/A * 4) Optional - The <code>LoginModule</code> is not required to 0N/A * succeed. If it succeeds or fails, 0N/A * authentication still continues to proceed down the 0N/A * <code>LoginModule</code> list. 0N/A * <p> The overall authentication succeeds only if all <i>Required</i> and 0N/A * <i>Requisite</i> LoginModules succeed. If a <i>Sufficient</i> 0N/A * <code>LoginModule</code> is configured and succeeds, 0N/A * then only the <i>Required</i> and <i>Requisite</i> LoginModules prior to 0N/A * that <i>Sufficient</i> <code>LoginModule</code> need to have succeeded for 0N/A * the overall authentication to succeed. If no <i>Required</i> or 0N/A * <i>Requisite</i> LoginModules are configured for an application, 0N/A * then at least one <i>Sufficient</i> or <i>Optional</i> 0N/A * <code>LoginModule</code> must succeed. 0N/A * <p> <i>ModuleOptions</i> is a space separated list of 0N/A * <code>LoginModule</code>-specific values which are passed directly to 0N/A * the underlying LoginModules. Options are defined by the 0N/A * <code>LoginModule</code> itself, and control the behavior within it. 0N/A * For example, a <code>LoginModule</code> may define options to support 0N/A * <code>Configuration</code> is by using the following key-value pairing: 0N/A * <i>debug="true"</i>. The key and value should be separated by an 0N/A * 'equals' symbol, and the value should be surrounded by double quotes. 0N/A * If a String in the form, ${system.property}, occurs in the value, 0N/A * it will be expanded to the value of the system property. 0N/A * Note that there is no limit to the number of 0N/A * options a <code>LoginModule</code> may define. 0N/A * <p> The following represents an example <code>Configuration</code> entry 0N/A * based on the syntax above: 0N/A * com.sun.security.auth.module.UnixLoginModule required; 0N/A * com.sun.security.auth.module.Krb5LoginModule optional 0N/A * useTicketCache="true" 0N/A * ticketCache="${user.home}${/}tickets"; 0N/A * <p> This <code>Configuration</code> specifies that an application named, 0N/A * "Login", requires users to first authenticate to the 0N/A * <i>com.sun.security.auth.module.UnixLoginModule</i>, which is 0N/A * required to succeed. Even if the <i>UnixLoginModule</i> 0N/A * authentication fails, the 0N/A * <i>com.sun.security.auth.module.Krb5LoginModule</i> 0N/A * still gets invoked. This helps hide the source of failure. 0N/A * Since the <i>Krb5LoginModule</i> is <i>Optional</i>, the overall 0N/A * authentication succeeds only if the <i>UnixLoginModule</i> 0N/A * (<i>Required</i>) succeeds. 0N/A * <p> Also note that the LoginModule-specific options, 0N/A * <i>useTicketCache="true"</i> and 0N/A * <i>ticketCache=${user.home}${/}tickets"</i>, 0N/A * are passed to the <i>Krb5LoginModule</i>. 0N/A * These options instruct the <i>Krb5LoginModule</i> to 0N/A * use the ticket cache at the specified location. 0N/A * The system properties, <i>user.home</i> and <i>/</i> 0N/A * (file.separator), are expanded to their respective values. 0N/A * <p> There is only one Configuration object installed in the runtime at any 0N/A * given time. A Configuration object can be installed by calling the 0N/A * <code>setConfiguration</code> method. The installed Configuration object 0N/A * can be obtained by calling the <code>getConfiguration</code> method. 0N/A * <p> If no Configuration object has been installed in the runtime, a call to 0N/A * <code>getConfiguration</code> installs an instance of the default 0N/A * Configuration implementation (a default subclass implementation of this 0N/A * The default Configuration implementation can be changed by setting the value 0N/A * of the "login.configuration.provider" security property (in the Java 0N/A * security properties file) to the fully qualified name of the desired 0N/A * Configuration subclass implementation. The Java security properties file 0N/A * <JAVA_HOME> refers to the value of the java.home system property, 0N/A * and specifies the directory where the JRE is installed. 0N/A * <p> Application code can directly subclass Configuration to provide a custom 0N/A * implementation. In addition, an instance of a Configuration object can be 0N/A * constructed by invoking one of the <code>getInstance</code> factory methods 0N/A * with a standard type. The default policy type is "JavaLoginConfig". 0N/A * See the Configuration section in the <a href= 0N/A * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 0N/A * for a list of standard Configuration types. 0N/A * @see javax.security.auth.login.LoginContext 0N/A (
"createLoginConfiguration." +
type));
0N/A * Sole constructor. (For invocation by subclass constructors, typically 0N/A * Get the installed login Configuration. * @return the login Configuration. If a Configuration object was set * via the <code>Configuration.setConfiguration</code> method, * then that object is returned. Otherwise, a default * Configuration object is returned. * @exception SecurityException if the caller does not have permission * to retrieve the Configuration. (
"Configuration error:" +
(
"Configuration error: " +
* Set the login <code>Configuration</code>. * @param configuration the new <code>Configuration</code> * @exception SecurityException if the current thread does not have * Permission to set the <code>Configuration</code>. * Returns a Configuration object of the specified type. * <p> This method traverses the list of registered security providers, * starting with the most preferred Provider. * A new Configuration object encapsulating the * ConfigurationSpi implementation from the first * Provider that supports the specified type is returned. * <p> Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * @param type the specified Configuration type. See the Configuration * section in the <a href= * Java Cryptography Architecture Standard Algorithm Name * Documentation</a> for a list of standard Configuration types. * @param params parameters for the Configuration, which may be null. * @return the new Configuration object. * @exception SecurityException if the caller does not have permission * to get a Configuration instance for the specified type. * @exception NullPointerException if the specified type is null. * @exception IllegalArgumentException if the specified parameters * are not understood by the ConfigurationSpi implementation * from the selected Provider. * @exception NoSuchAlgorithmException if no Provider supports a * ConfigurationSpi implementation for the specified type. * Returns a Configuration object of the specified type. * <p> A new Configuration object encapsulating the * ConfigurationSpi implementation from the specified provider * is returned. The specified provider must be registered * <p> Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * @param type the specified Configuration type. See the Configuration * section in the <a href= * Java Cryptography Architecture Standard Algorithm Name * Documentation</a> for a list of standard Configuration types. * @param params parameters for the Configuration, which may be null. * @param provider the provider. * @return the new Configuration object. * @exception SecurityException if the caller does not have permission * to get a Configuration instance for the specified type. * @exception NullPointerException if the specified type is null. * @exception IllegalArgumentException if the specified provider * or if the specified parameters are not understood by * the ConfigurationSpi implementation from the specified provider. * @exception NoSuchProviderException if the specified provider is not * registered in the security provider list. * @exception NoSuchAlgorithmException if the specified provider does not * support a ConfigurationSpi implementation for the specified * Returns a Configuration object of the specified type. * <p> A new Configuration object encapsulating the * ConfigurationSpi implementation from the specified Provider * object is returned. Note that the specified Provider object * does not have to be registered in the provider list. * @param type the specified Configuration type. See the Configuration * section in the <a href= * Java Cryptography Architecture Standard Algorithm Name * Documentation</a> for a list of standard Configuration types. * @param params parameters for the Configuration, which may be null. * @param provider the Provider. * @return the new Configuration object. * @exception SecurityException if the caller does not have permission * to get a Configuration instance for the specified type. * @exception NullPointerException if the specified type is null. * @exception IllegalArgumentException if the specified Provider is null, * or if the specified parameters are not understood by * the ConfigurationSpi implementation from the specified Provider. * @exception NoSuchAlgorithmException if the specified Provider does not * support a ConfigurationSpi implementation for the specified * Return the Provider of this Configuration. * <p> This Configuration instance will only have a Provider if it * was obtained via a call to <code>Configuration.getInstance</code>. * Otherwise this method returns null. * @return the Provider of this Configuration, or null. * Return the type of this Configuration. * <p> This Configuration instance will only have a type if it * was obtained via a call to <code>Configuration.getInstance</code>. * Otherwise this method returns null. * @return the type of this Configuration, or null. * Return Configuration parameters. * <p> This Configuration instance will only have parameters if it * was obtained via a call to <code>Configuration.getInstance</code>. * Otherwise this method returns null. * @return Configuration parameters, or null. * Retrieve the AppConfigurationEntries for the specified <i>name</i> * from this Configuration. * @param name the name used to index the Configuration. * @return an array of AppConfigurationEntries for the specified <i>name</i> * from this Configuration, or null if there are no entries * for the specified <i>name</i> * Refresh and reload the Configuration. * <p> This method causes this Configuration object to refresh/reload its * contents in an implementation-dependent manner. * For example, if this Configuration object stores its entries in a file, * calling <code>refresh</code> may cause the file to be re-read. * <p> The default implementation of this method does nothing. * This method should be overridden if a refresh operation is supported * @exception SecurityException if the caller does not have permission * to refresh its Configuration. * This subclass is returned by the getInstance calls. All Configuration * calls are delegated to the underlying ConfigurationSpi. * This represents a marker interface for Configuration parameters.