Class KerberosIdentityAssertionPlugin
java.lang.Object
org.forgerock.openig.assertion.plugin.kerberos.KerberosIdentityAssertionPlugin
All Implemented Interfaces: IdentityAssertionPlugin
public final class KerberosIdentityAssertionPlugin
extends Object
implements IdentityAssertionPlugin
Validates a user's Kerberos token and acts as an IdentityAssertionPlugin for the
IdentityAssertionHandler. Loosely based on the AM Kerberos Node code
found in openam-auth-trees/auth-nodes/src/main/java/org/forgerock/openam/auth/nodes/KerberosNode.java.
NTLM (NT LAN Manager) tokens are not supported by this plugin.
For more context around the APIs used in this class:
- MIT Kerberos Reference
- Windows Kerberos Authentication
- Java Kerberos Requirements
- Java Kerberos Client Token Validation
- Java Troubleshooting
- Enabling debug logging
 
 {
     "type": "KerberosIdentityAssertionPlugin",
     "config": {
         "serviceLogin"  : ref to ServiceLogin  [REQUIRED - The ServiceLogin implementation to use.]
         "trustedRealms" : expression           [OPTIONAL - Specifies a list of trusted realms for the
                                                            user Kerberos tickets. If a list of trusted
                                                            realms is configured, then Kerberos tokens
                                                            are only accepted if the realm part of the
                                                            user principal, from the user's Kerberos
                                                            token, matches a trusted realm from the
                                                            list. Defaults to an empty list and all
                                                            realms being trusted.]
     }
 }
 
 
 Example usage:
 
 {
     "type": "KerberosIdentityAssertionPlugin",
     "config": {
         "serviceLogin": "MyKeytabServiceLogin",
         "trustedRealms": ["EXAMPLE.COM"]
     }
 }
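
The two acceptance rules stated above (NTLM tokens are not supported; a non-empty trustedRealms list restricts the realm part of the user principal) written out as a stand-alone Java illustration. This is an added example, not the plugin's own code: the class and method names are hypothetical, and the exact-match comparison, the fail-closed handling of a missing realm, and applying the realm check to the principal of an already validated ticket are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
// Added illustration: class and method names are hypothetical, not OpenIG APIs.
public final class NegotiateChecks {
    // Every NTLM message starts with the ASCII signature "NTLMSSP" followed by a NUL byte.
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final String SCHEME = "Negotiate ";

    /** Decoded token, or null when the header is absent, malformed or carries NTLM. */
    static byte[] kerberosCandidate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return null;
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorization.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        boolean ntlm = token.length >= NTLMSSP.length
                && Arrays.equals(token, 0, NTLMSSP.length, NTLMSSP, 0, NTLMSSP.length);
        return (token.length == 0 || ntlm) ? null : token;
    }

    /** Documented rule: an empty list trusts every realm, otherwise the realm must match. */
    static boolean realmTrusted(String principal, List<String> trustedRealms) {
        if (trustedRealms.isEmpty()) return true; // documented default: all realms trusted
        int at = principal.lastIndexOf('@');
        int slashes = 0;
        for (int i = at - 1; i >= 0 && principal.charAt(i) == '\\'; i--) slashes++;
        // Fail closed when the realm is missing, empty, or the '@' is backslash-escaped.
        if (at < 0 || at == principal.length() - 1 || slashes % 2 == 1) {
            return false;
        }
        return trustedRealms.contains(principal.substring(at + 1)); // realms are case-sensitive
    }

    public static void main(String[] args) {
        List<String> trusted = List.of("EXAMPLE.COM"); // sample values below are constructed
        String ntlm = SCHEME + Base64.getEncoder().encodeToString(NTLMSSP);
        System.out.println("NTLM token rejected: " + (kerberosCandidate(ntlm) == null));
        System.out.println("alice@EXAMPLE.COM trusted: " + realmTrusted("alice@EXAMPLE.COM", trusted));
        System.out.println("bob@OTHER.TEST trusted: " + realmTrusted("bob@OTHER.TEST", trusted));
    }
}
```

With the list left at its default, `realmTrusted` returns true for every realm, so set trustedRealms explicitly wherever only specific realms should be accepted.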
 
Nested Class Summary
Nested Classes
- static class: Creates and initializes a KerberosIdentityAssertionPlugin in a heap environment.

Method Summary
- preProcessingFilter: Return a Filter to deal with any pre-processing requirements such as challenging the user for credentials by returning a WWW-Authenticate header.
- process: Perform some processing and return a set of claims to be returned in the Identity Assertion JWT.

Method Details

preProcessingFilter
Description copied from interface: IdentityAssertionPlugin
Return a Filter to deal with any pre-processing requirements such as challenging the user for credentials by returning a WWW-Authenticate header. The default implementation simply calls the next Handler without doing any processing. This filter is only triggered after the Identity Request JWT has been validated.
Specified by: preProcessingFilter in interface IdentityAssertionPlugin
Returns: a Filter to deal with any pre-processing requirements.

process
public Promise<IdentityAssertionClaims,IdentityAssertionPluginException> process(Context context, Request request)
Description copied from interface: IdentityAssertionPlugin
Perform some processing and return a set of claims to be returned in the Identity Assertion JWT. The processing may include some form of local authentication and/or authorization.
Specified by: process in interface IdentityAssertionPlugin
Parameters:
context - The context.
request - The request.
Returns: An IdentityAssertionClaims promise that represents claims to be returned in the Assertion JWT.