Oracle


September 18, 2005

public interface LoginModule

LoginModule describes the interface implemented by authentication technology providers. LoginModules are plugged in under applications to provide a particular type of authentication.

While applications write to the LoginContext API, authentication technology providers implement the LoginModule interface. A Configuration specifies the LoginModule(s) to be used with a particular login application. Therefore different LoginModules can be plugged in under the application without requiring any modifications to the application itself.

The LoginContext is responsible for reading the Configuration and instantiating the appropriate LoginModules. Each LoginModule is initialized with a Subject, a CallbackHandler, shared LoginModule state, and LoginModule-specific options. The Subject represents the Subject currently being authenticated and is updated with relevant Credentials if authentication succeeds. LoginModules use the CallbackHandler to communicate with users. The CallbackHandler may be used to prompt for usernames and passwords, for example. Note that the CallbackHandler may be null. LoginModules which absolutely require a CallbackHandler to authenticate the Subject may throw a LoginException. LoginModules optionally use the shared state to share information or data among themselves.

NameCallback:
PasswordCallback:

The LoginModule-specific options represent the options configured for this LoginModule by an administrator or user in the login Configuration. The options are defined by the LoginModule itself and control the behavior within it. For example, a LoginModule may define options to support debugging/testing capabilities. Options are defined using a key-value syntax, such as debug=true. The LoginModule stores the options as a Map so that the values may be retrieved using the key. Note that there is no limit to the number of options a LoginModule chooses to define.

The calling application sees the authentication process as a single operation. However, the authentication process within the LoginModule proceeds in two distinct phases. In the first phase, the LoginModule's login method gets invoked by the LoginContext's login method. The login method for the LoginModule then performs the actual authentication (prompt for and verify a password for example) and saves its authentication status as private state information. Once finished, the LoginModule's login method either returns true (if it succeeded) or false (if it should be ignored), or throws a LoginException to specify a failure. In the failure case, the LoginModule must not retry the authentication or introduce delays. The responsibility of such tasks belongs to the application. If the application attempts to retry the authentication, the LoginModule's login method will be called again.

In the second phase, if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded), then the commit method for the LoginModule gets invoked. The commit method for a LoginModule checks its privately saved state to see if its own authentication succeeded. If the overall LoginContext authentication succeeded and the LoginModule's own authentication succeeded, then the commit method associates the relevant Principals (authenticated identities) and Credentials (authentication data such as cryptographic keys) with the Subject located within the LoginModule.

If the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed), then the abort method for each LoginModule gets invoked. In this case, the LoginModule removes/destroys any authentication state originally saved.

Logging out a Subject involves only one phase. The LoginContext invokes the LoginModule's logout method. The logout method for the LoginModule then performs the logout procedures, such as removing Principals or Credentials from the Subject or logging session information.

A LoginModule implementation must have a constructor with no arguments. This allows classes which load the LoginModule to instantiate it.
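A compact module that follows the two-phase protocol described above, as an added example (it is not the JavaDoc's code nor any vendor's module). ExampleLoginModule, its in-memory USERS table and the "alice" entry are constructed for the illustration; the module reads the debug option from the Configuration, prompts through the CallbackHandler with NameCallback and PasswordCallback, keeps the phase-1 outcome in private state, attaches a Principal only in commit, and tears everything down in abort and logout. Shared state is left unused to keep the example short.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule showing the two-phase protocol; the user store and all names are constructed. */
public class ExampleLoginModule implements LoginModule {

    // Constructed sample store (hypothetical): user name -> password. A real store would hold salted hashes.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private boolean debug;

    // Private state carried from phase 1 (login) to phase 2 (commit or abort).
    private boolean loginSucceeded;
    private String userName;
    private Principal principal;

    public ExampleLoginModule() {}   // no-arg constructor: the LoginContext instantiates the module by class name

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Options come from the login Configuration as key=value pairs, e.g. debug=true.
        this.debug = "true".equalsIgnoreCase(String.valueOf(options.get("debug")));
    }

    // Phase 1: prompt through the CallbackHandler, verify, and remember the outcome privately.
    @Override public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("this module needs a CallbackHandler to prompt for credentials");
        NameCallback nameCb = new NameCallback("user name: ");
        PasswordCallback pwdCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwdCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        userName = nameCb.getName();
        char[] pwd = pwdCb.getPassword();
        pwdCb.clearPassword();
        try {
            char[] expected = USERS.get(userName);
            byte[] a = expected == null ? new byte[0] : new String(expected).getBytes();
            byte[] b = pwd == null ? new byte[0] : new String(pwd).getBytes();
            // Constant-time comparison and one generic message for unknown user and wrong password alike.
            if (expected == null || !MessageDigest.isEqual(a, b)) {
                throw new FailedLoginException("invalid user name or password");
            }
        } finally {
            if (pwd != null) Arrays.fill(pwd, '\0');   // never leave the secret lying in memory
        }
        loginSucceeded = true;
        if (debug) System.err.println("[debug] login phase succeeded for " + userName);
        return true;
    }

    // Phase 2, success path: attach a Principal only if this module's own login succeeded.
    @Override public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;   // overall login passed, but this module is to be ignored
        final String name = userName;
        principal = () -> name;              // minimal Principal: getName() is its only abstract method
        subject.getPrincipals().add(principal);
        return true;
    }

    // Phase 2, failure path: discard everything saved in phase 1.
    @Override public boolean abort() throws LoginException {
        if (!loginSucceeded) return false;
        return logout();
    }

    // Single phase: remove what commit added and forget the authenticated state.
    @Override public boolean logout() throws LoginException {
        if (principal != null) subject.getPrincipals().remove(principal);
        loginSucceeded = false;
        userName = null;
        principal = null;
        return true;
    }
}
```

The module never retries or sleeps on failure: it throws FailedLoginException and leaves retry policy to the application, as the text requires. The principal is added only in commit, so a SUFFICIENT or OPTIONAL module that passed phase 1 while the stack as a whole failed leaves no trace on the Subject.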

posted @ 2005-09-18 21:44 java世界畅谈 Read (141) | Comments (0)

The security package should be an important part of the identity module. It mainly contains the following classes:
I. AuthenticatedUser (authenticated-user class): very simple, just getter and setter methods that set and get authenticatedUser.
   The authenticatedUser field is a ThreadLocal.
II. IdentityLoginModule (identity login-module class):
  Implements the LoginModule interface. This class is very tightly coupled to the javax.security.auth.* packages.
III. IdentityPolicy (identity policy class): extends Policy.
IV. IdentityService (identity service interface): verifies a user and obtains a User.
V. Password and Username JavaBeans
------------------------------------------------------------

Supplementary notes:
1. ThreadLocal
This class provides thread-local variables. These variables differ from their normal counterparts in that each thread that accesses one (via its get or set method) has its own, independently initialized copy of the variable. ThreadLocal instances are typically private static fields in classes that wish to associate state with a thread (e.g., a user ID or Transaction ID).
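A ThreadLocal holder modelled on the AuthenticatedUser class described above, as an added example (not jBPM's class): the name AuthenticatedUser is taken from the post, runAs and the main method are constructed here. The point the example adds is the clean-up: on a pooled thread a ThreadLocal that is set and never removed carries the previous request's identity into the next request that runs on that thread, so the slot is restored in a finally block.

```java
import java.util.concurrent.Callable;

/** Hypothetical per-thread holder of the current user, modelled on the page's AuthenticatedUser. */
public final class AuthenticatedUser {
    private static final ThreadLocal<String> authenticatedUser = new ThreadLocal<>();

    private AuthenticatedUser() {}

    public static String getAuthenticatedUser() { return authenticatedUser.get(); }

    public static void setAuthenticatedUser(String user) { authenticatedUser.set(user); }

    /** Runs the action as the given user and restores the previous value afterwards, even on exceptions. */
    public static <T> T runAs(String user, Callable<T> action) throws Exception {
        String previous = authenticatedUser.get();
        authenticatedUser.set(user);
        try {
            return action.call();
        } finally {
            // remove() when nothing was set before, so a pooled thread never keeps a stale identity
            if (previous == null) authenticatedUser.remove(); else authenticatedUser.set(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        // Thread B reads the slot while thread A is inside runAs: each thread has its own copy.
        Thread b = new Thread(() -> System.out.println("thread B sees: " + getAuthenticatedUser()));
        runAs("alice", () -> {
            System.out.println("thread A sees: " + getAuthenticatedUser());
            b.start();
            b.join();
            return null;
        });
        System.out.println("thread A after runAs sees: " + getAuthenticatedUser());
    }
}
```

Thread B prints null while thread A prints "alice", and thread A prints null again once runAs has returned; that last line is the behaviour to check in any code that stores a user in a ThreadLocal.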

posted @ 2005-09-18 21:26 java世界畅谈 Read (353) | Comments (0)

jBPM assignment package:
I. ExpressionAssignmentException: expression-assignment exception class; extends RuntimeException.
II. ExpressionAssignmentHandler: expression-assignment handler class; implements the AssignmentHandler interface.
  Main fields:
   1. String expression
   2. ExecutionContext executionContext
   3. TermTokenizer tokenizer
   4. Entity entity
  Syntax: first-term --> next-term --> next-term --> ... --> next-term
   first-term ::= previous |
                  swimlane(swimlane-name) |
                  variable(variable-name) |
                  user(user-name) |
                  group(group-name)

   next-term ::= group(group-type) |
                 member(role-name)

III. ExpressionSession interface
IV. TermTokenizer class: splits terms on "-->"
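A parser for the expression grammar quoted above, as an added example; it is not jBPM's ExpressionAssignmentHandler or TermTokenizer, and the class and method names here (AssignmentExpressionParser, Term, tokenize, parse) are constructed. It splits on "-->" as the tokenizer does, then enforces that the first term comes from the first-term alternatives and every later term from the next-term alternatives, rejecting malformed or misplaced terms instead of silently assigning to nobody.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical parser for the assignment-expression grammar (not jBPM's own code). */
public final class AssignmentExpressionParser {

    /** One parsed term, e.g. function "swimlane" with argument "initiator"; "previous" carries no argument. */
    public record Term(String function, String argument) {}

    private static final Set<String> FIRST_TERMS = Set.of("previous", "swimlane", "variable", "user", "group");
    private static final Set<String> NEXT_TERMS = Set.of("group", "member");
    private static final Pattern CALL = Pattern.compile("^([a-z]+)\\(([^()]*)\\)$");

    /** Splits on the "-->" separator, mirroring what TermTokenizer does. */
    public static List<String> tokenize(String expression) {
        List<String> tokens = new ArrayList<>();
        for (String t : expression.split("-->")) tokens.add(t.trim());
        return tokens;
    }

    /** Parses and validates the whole expression; throws IllegalArgumentException on any grammar violation. */
    public static List<Term> parse(String expression) {
        List<String> tokens = tokenize(expression);
        List<Term> terms = new ArrayList<>();
        for (int i = 0; i < tokens.size(); i++) {
            Term term = parseTerm(tokens.get(i));
            Set<String> allowed = (i == 0) ? FIRST_TERMS : NEXT_TERMS;
            if (!allowed.contains(term.function())) {
                throw new IllegalArgumentException("term '" + tokens.get(i) + "' is not allowed at position " + i);
            }
            terms.add(term);
        }
        return terms;
    }

    private static Term parseTerm(String token) {
        if (token.equals("previous")) return new Term("previous", null);
        Matcher m = CALL.matcher(token);
        if (!m.matches() || m.group(2).trim().isEmpty()) {
            throw new IllegalArgumentException("malformed term: '" + token + "'");
        }
        return new Term(m.group(1), m.group(2).trim());
    }

    public static void main(String[] args) {
        System.out.println(parse("swimlane(initiator) --> group(hierarchy) --> member(boss)"));
        try {
            parse("member(boss) --> previous");   // "member" may not open, "previous" may not follow
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because "group" appears in both alternatives (group(group-name) first, group(group-type) later) the grammar alone cannot tell the two meanings apart; the position in the chain does, which is why the check is on the index rather than on the function name alone.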

posted @ 2005-09-18 14:08 java世界畅谈 Read (423) | Comments (0)

PermissionUserType is a Hibernate composite user-defined type:
It implements the CompositeUserType interface.
It is stored as a String[] data type, binding the Java Permission object to that representation.

In the hbm.xml mapping file:
    <set name="permissions" cascade="all" table="JBPM_ID_PERMISSIONS">
      <key column="ENTITY_" foreign-key="none" />
      <element type="org.jbpm.identity.hibernate.PermissionUserType">
        <column name="CLASS_"/>
        <column name="NAME_"/>
        <column name="ACTION_"/>
      </element>
    </set>
For some special combinations, Hibernate's composite user-defined types are quite convenient to use. In current development this seems to be used rather rarely, but in particular situations it may be used a lot.
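How a Permission is taken apart into the three columns of the mapping above and rebuilt from them, as an added example (not jBPM's PermissionUserType). The class name PermissionColumns and its two methods are constructed; in a real CompositeUserType, nullSafeSet and nullSafeGet would delegate to them. The check worth keeping is in fromColumns: CLASS_ comes out of a database column, so the name is loaded without running its static initializer and is accepted only if it actually is a Permission subclass before anything is instantiated.

```java
import java.lang.reflect.Constructor;
import java.security.Permission;
import java.util.PropertyPermission;

/** Hypothetical conversion between a Permission and the CLASS_/NAME_/ACTION_ columns. */
public final class PermissionColumns {

    /** Disassembles a Permission into the three column values, in mapping order. */
    public static String[] toColumns(Permission p) {
        return new String[] { p.getClass().getName(), p.getName(), p.getActions() };
    }

    /** Rebuilds the Permission; rejects class names that are not Permission subclasses. */
    public static Permission fromColumns(String className, String name, String actions)
            throws ReflectiveOperationException {
        // initialize=false: no static initializer runs before the type check below
        Class<?> clazz = Class.forName(className, false, PermissionColumns.class.getClassLoader());
        if (!Permission.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("CLASS_ does not name a Permission subclass: " + className);
        }
        Class<? extends Permission> permClass = clazz.asSubclass(Permission.class);
        if (actions == null || actions.isEmpty()) {
            try {
                return permClass.getConstructor(String.class).newInstance(name);
            } catch (NoSuchMethodException e) {
                // no (name) constructor: fall through to the (name, actions) form
            }
        }
        Constructor<? extends Permission> c = permClass.getConstructor(String.class, String.class);
        return c.newInstance(name, actions);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Permission original = new PropertyPermission("java.home", "read");   // constructed sample
        String[] cols = toColumns(original);
        Permission restored = fromColumns(cols[0], cols[1], cols[2]);
        System.out.println(restored.equals(original) ? "round trip ok" : "round trip mismatch");
    }
}
```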
posted @ 2005-09-18 13:45 java世界畅谈 Read (297) | Comments (1)

IdentitySessionFactory is basically similar to Hibernate's SessionFactory; jBPM in many places adopts a mechanism similar to SessionFactory. It has several methods for obtaining an IdentitySession. There is also an evictCachedIdentities() method whose use I don't know; it is probably an operation that clears the data in the cache.
posted @ 2005-09-18 12:16 java世界畅谈 Read (201) | Comments (0)

I. This class implements the IdentityService and ExpressionSession interfaces:
1. IdentityService interface:
Verify a user: Object verify(String userName, String pwd);
Get a User by id: User getUserById(Object userId);
2. ExpressionSession interface:
Group getGroupByName(String groupName);
User getUserByName(String userName);
II. Fields:
  Session session
  Transaction transaction
III. Methods:
1. verify(String userName, String pwd) obtains a list of Users by passing in the user name and password; if the list is null or its size() is 0 an exception is thrown, otherwise get(0) yields the User object.
2. A User is fetched with Session's get method.
3. Implements the transaction begin, commit and rollback methods.
4. Implements save and load methods for users, groups and entities.
5. Plus a whole set of methods that return Lists:
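The verify, getUserById and transaction methods described above, as an added example written against the Hibernate 3 API (not jBPM's IdentitySession; the class name IdentitySessionExample and the entity name User in the HQL are assumptions). The user name and password are bound as named parameters so they never become part of the query text, the empty-result and null cases both fail with the same message, and the transaction field is cleared in a finally block so a failed commit cannot be committed twice.

```java
import java.io.Serializable;
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.Transaction;

/** Hypothetical identity session built on a Hibernate Session, following the methods listed above. */
public class IdentitySessionExample {
    private final Session session;
    private Transaction transaction;

    public IdentitySessionExample(Session session) {
        this.session = session;
    }

    /** Looks up a user by name and password; throws if no such user exists. */
    public Object verify(String userName, String pwd) {
        // Named parameters: the caller's values are bound, never concatenated into the HQL string.
        Query query = session.createQuery("from User u where u.name = :name and u.password = :pwd");
        query.setString("name", userName);
        query.setString("pwd", pwd);
        List<?> users = query.list();
        if (users == null || users.isEmpty()) {
            // one message for "no such user" and "wrong password" alike
            throw new SecurityException("authentication failed");
        }
        return users.get(0);
    }

    /** Loads a User by primary key with Session.get (returns null when the id is unknown). */
    public Object getUserById(Object userId) {
        return session.get("User", (Serializable) userId);
    }

    public void beginTransaction() {
        if (transaction != null) throw new IllegalStateException("transaction already active");
        transaction = session.beginTransaction();
    }

    public void commitTransaction() {
        if (transaction == null) throw new IllegalStateException("no active transaction");
        try {
            transaction.commit();
        } finally {
            transaction = null;
        }
    }

    public void rollbackTransaction() {
        if (transaction == null) return;   // nothing to undo
        try {
            transaction.rollback();
        } finally {
            transaction = null;
        }
    }
}
```

Matching the password inside the query, as the description above does, only works when the stored value is the password itself; with hashed storage the lookup would be by user name alone and the hash comparison would happen in Java after the row is loaded.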
posted @ 2005-09-18 12:05 java世界畅谈 Read (287) | Comments (0)

  The IdentitySchema class is mainly used to generate SQL scripts (drop, create, clean) that build the data tables, and for other related database-table operations:
  delimiter: statement separator
Fields:
  private static final String IDENTITY_TABLE_PREFIX = "JBPM_ID_";
  Configuration configuration = null;
  Properties properties = null;
  Dialect dialect = null;
  Mapping mapping = null;
  String[] createSql = null; // SQL script that creates the tables
  String[] dropSql = null;   // SQL script that drops the tables
  String[] cleanSql = null;  // SQL script that clears the tables

  Through this class the database table structure can be created: Hibernate's configuration.generateSchemaCreationScript(dialect) generates the SQL script for the table schema, and jBPM's own execute method (JDBC) runs the supplied SQL statements with executeUpdate to perform the table-structure operation.
  To carry this out, the hibernate.cfg.xml configuration file must be modified first.
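The generate-then-execute procedure described above, as an added example written against the Hibernate 3 Configuration and Dialect API and plain JDBC (not jBPM's IdentitySchema; the class name SchemaScriptExample is constructed). The dialect is derived from the properties loaded from hibernate.cfg.xml, each DDL statement is run with executeUpdate, and a failure is rethrown together with the statement that caused it so a half-applied schema can be diagnosed.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import org.hibernate.cfg.Configuration;
import org.hibernate.dialect.Dialect;

/** Hypothetical schema helper: generates create/drop scripts from the mapping and runs them over JDBC. */
public class SchemaScriptExample {
    private final Configuration configuration;
    private final Dialect dialect;

    /** The Configuration is expected to have been built from hibernate.cfg.xml (configuration.configure()). */
    public SchemaScriptExample(Configuration configuration) {
        this.configuration = configuration;
        Properties properties = configuration.getProperties();
        this.dialect = Dialect.getDialect(properties);   // picks the dialect named in the configuration
    }

    public String[] getCreateSql() {
        return configuration.generateSchemaCreationScript(dialect);
    }

    public String[] getDropSql() {
        return configuration.generateDropSchemaScript(dialect);
    }

    /** Executes each DDL statement in order; stops at the first failure and names the failing statement. */
    public void execute(Connection connection, String[] sql) throws SQLException {
        try (Statement statement = connection.createStatement()) {
            for (String ddl : sql) {
                try {
                    statement.executeUpdate(ddl);
                } catch (SQLException e) {
                    throw new SQLException("schema statement failed: " + ddl, e);
                }
            }
        }
    }

    public void create(Connection connection) throws SQLException {
        execute(connection, getCreateSql());
    }

    public void drop(Connection connection) throws SQLException {
        execute(connection, getDropSql());
    }
}
```

The connection handed to execute should be one that is allowed to issue DDL; the application's normal runtime connection does not need that privilege, and keeping the two apart is the simplest way to make sure a compromised application account cannot reshape the identity tables.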
posted @ 2005-09-18 11:42 java世界畅谈 Read (281) | Comments (0)