5.12.2 Points to remember when implementing custom login modules

(1) Points to remember when implementing the LoginModule interface

• login method

  To support single sign-on, first determine if the user ID and password are not specified in sharedState. The name used to obtain the user ID and password from sharedState can be specified in the configuration file of the integrated user management framework.

• commit method

  Set the Principal object to Subject. When there are multiple Principal objects, WebSSOLoginModule and DelegationLoginModule use the first found Principal object to register the user ID in the integrated user management session. For single sign-on, it is used to recognize the first logged-in user ID.

• logout method

  The logout method deletes the Principal object and Credentials (such as user attributes) that are associated with the Subject by using the commit method. It also releases the resources secured by login.

  When the logout method is used, the following phenomena may occur.

  • No Credentials are assigned to the Subject when the logout method is invoked.

  • At the time of logout, the member attribute values that are set by the commit or login method of the custom login modules cannot be referenced.

  The phenomenon that no Credentials are assigned may be caused by the fact that no Credentials are contained in the serializable Subject object.

  On the other hand, the phenomenon such that the member attribute values cannot be referenced at the time of logout may be caused by the fact that the JAAS LoginContext (including LoginModule) is not a serialized object. As LoginContext stores the Subject object in HttpSession and generates a new login module instance from the Subject object to log out, the member attribute values set by the commit or login method cannot be referenced.

To Page Top

(2) Points to remember when implementing the Principal object

Implement the Principal object by inheriting the java.security.Principal and java.io.Serializable interfaces.

To Page Top