org.apache.shiro.authc.pam
Class ModularRealmAuthenticator

java.lang.Object
  extended by org.apache.shiro.authc.AbstractAuthenticator
      extended by org.apache.shiro.authc.pam.ModularRealmAuthenticator
All Implemented Interfaces:
Authenticator, LogoutAware

public class ModularRealmAuthenticator
extends AbstractAuthenticator

A ModularRealmAuthenticator delgates account lookups to a pluggable (modular) collection of Realms. This enables PAM (Pluggable Authentication Module) behavior in Shiro. In addition to authorization duties, a Shiro Realm can also be thought of a PAM 'module'.

Using this Authenticator allows you to "plug-in" your own Realms as you see fit. Common realms are those based on accessing LDAP, relational databases, file systems, etc.

If only one realm is configured (this is often the case for most applications), authentication success is naturally only dependent upon invoking this one Realm's Realm.getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method.

But if two or more realms are configured, PAM behavior is implemented by iterating over the collection of realms and interacting with each over the course of the authentication attempt. As this is more complicated, this authenticator allows customized behavior for interpreting what happens when interacting with multiple realms - for example, you might require all realms to be successful during the attempt, or perhaps only at least one must be successful, or some other interpretation. This customized behavior can be performed via the use of a AuthenticationStrategy, which you can inject as a property of this class.

The strategy object provides callback methods that allow you to determine what constitutes a success or failure in a multi-realm (PAM) scenario. And because this only makes sense in a mult-realm scenario, the strategy object is only utilized when more than one Realm is configured.

As most multi-realm applications require at least one Realm authenticates successfully, the default implementation is the AtLeastOneSuccessfulStrategy.

Since:
0.1
See Also:
setRealms(java.util.Collection), AtLeastOneSuccessfulStrategy, AllSuccessfulStrategy, FirstSuccessfulStrategy

Constructor Summary
ModularRealmAuthenticator()
          Default no-argument constructor which enables an AtLeastOneSuccessfulStrategy by default.
 
Method Summary
protected  void assertRealmsConfigured()
           
protected  AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)
          Attempts to authenticate the given token by iterating over the internal collection of Realms.
protected  AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token)
          Performs the multi-realm authentication attempt by calling back to a AuthenticationStrategy object as each realm is consulted for AuthenticationInfo for the specified token.
protected  AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token)
          Performs the authentication attempt by interacting with the single configured realm, which is significantly simpler than performing multi-realm logic.
 AuthenticationStrategy getAuthenticationStrategy()
          Returns the AuthenticationStrategy utilized by this modular authenticator during a multi-realm log-in attempt.
protected  Collection<Realm> getRealms()
          Returns the realm(s) used by this Authenticator during an authentication attempt.
 void onLogout(PrincipalCollection principals)
          First calls super.onLogout(principals) to ensure a logout notification is issued, and for each wrapped Realm that implements the LogoutAware interface, calls ((LogoutAware)realm).onLogout(principals) to allow each realm the opportunity to perform logout/cleanup operations during an user-logout.
 void setAuthenticationStrategy(AuthenticationStrategy authenticationStrategy)
          Allows overriding the default AuthenticationStrategy utilized during multi-realm log-in attempts.
 void setRealms(Collection<Realm> realms)
          Sets all realms used by this Authenticator, providing PAM (Pluggable Authentication Module) configuration.
 
Methods inherited from class org.apache.shiro.authc.AbstractAuthenticator
authenticate, getAuthenticationListeners, notifyFailure, notifyLogout, notifySuccess, setAuthenticationListeners
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ModularRealmAuthenticator

public ModularRealmAuthenticator()
Default no-argument constructor which enables an AtLeastOneSuccessfulStrategy by default.

Method Detail

setRealms

public void setRealms(Collection<Realm> realms)
Sets all realms used by this Authenticator, providing PAM (Pluggable Authentication Module) configuration.

Parameters:
realms - the realms to consult during authentication attempts.

getRealms

protected Collection<Realm> getRealms()
Returns the realm(s) used by this Authenticator during an authentication attempt.

Returns:
the realm(s) used by this Authenticator during an authentication attempt.

getAuthenticationStrategy

public AuthenticationStrategy getAuthenticationStrategy()
Returns the AuthenticationStrategy utilized by this modular authenticator during a multi-realm log-in attempt. This object is only used when two or more Realms are configured.

Unless overridden by the setAuthenticationStrategy(AuthenticationStrategy) method, the default implementation is the AtLeastOneSuccessfulStrategy.

Returns:
the AuthenticationStrategy utilized by this modular authenticator during a log-in attempt.
Since:
0.2

setAuthenticationStrategy

public void setAuthenticationStrategy(AuthenticationStrategy authenticationStrategy)
Allows overriding the default AuthenticationStrategy utilized during multi-realm log-in attempts. This object is only used when two or more Realms are configured.

Parameters:
authenticationStrategy - the strategy implementation to use during log-in attempts.
Since:
0.2

assertRealmsConfigured

protected void assertRealmsConfigured()
                               throws IllegalStateException
Throws:
IllegalStateException

doSingleRealmAuthentication

protected AuthenticationInfo doSingleRealmAuthentication(Realm realm,
                                                         AuthenticationToken token)
Performs the authentication attempt by interacting with the single configured realm, which is significantly simpler than performing multi-realm logic.

Parameters:
realm - the realm to consult for AuthenticationInfo.
token - the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.
Returns:
the AuthenticationInfo associated with the user account corresponding to the specified token

doMultiRealmAuthentication

protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms,
                                                        AuthenticationToken token)
Performs the multi-realm authentication attempt by calling back to a AuthenticationStrategy object as each realm is consulted for AuthenticationInfo for the specified token.

Parameters:
realms - the multiple realms configured on this Authenticator instance.
token - the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.
Returns:
an aggregated AuthenticationInfo instance representing account data across all the successfully consulted realms.

doAuthenticate

protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)
                                     throws AuthenticationException
Attempts to authenticate the given token by iterating over the internal collection of Realms. For each realm, first the Realm.supports(org.apache.shiro.authc.AuthenticationToken) method will be called to determine if the realm supports the authenticationToken method argument.

If a realm does support the token, its Realm.getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method will be called. If the realm returns a non-null account, the token will be considered authenticated for that realm and the account data recorded. If the realm returns null, the next realm will be consulted. If no realms support the token or all supporting realms return null, an AuthenticationException will be thrown to indicate that the user could not be authenticated.

After all realms have been consulted, the information from each realm is aggregated into a single AuthenticationInfo object and returned.

Specified by:
doAuthenticate in class AbstractAuthenticator
Parameters:
authenticationToken - the token containing the authentication principal and credentials for the user being authenticated.
Returns:
account information attributed to the authenticated user.
Throws:
IllegalStateException - if no realms have been configured at the time this method is invoked
AuthenticationException - if the user could not be authenticated or the user is denied authentication for the given principal and credentials.

onLogout

public void onLogout(PrincipalCollection principals)
First calls super.onLogout(principals) to ensure a logout notification is issued, and for each wrapped Realm that implements the LogoutAware interface, calls ((LogoutAware)realm).onLogout(principals) to allow each realm the opportunity to perform logout/cleanup operations during an user-logout.

Shiro's Realm implementations all implement the LogoutAware interface by default and can be overridden for realm-specific logout logic.

Specified by:
onLogout in interface LogoutAware
Overrides:
onLogout in class AbstractAuthenticator
Parameters:
principals - the application-specific Subject/user identifier.


Copyright © 2004-2014 The Apache Software Foundation. All Rights Reserved.