1. Home
  2. yubico-java-client
  3. jaas

    jaas

    These are JAAS-plugins for authentication using one time password tokens (YubiKeys primarily). For information about JAAS configuration, see http://download.oracle.com/javase/1.5.0/docs/api/javax/security/auth/login/Configuration.html

    YubikeyLoginModule :

    This JAAS plugin authenticates OTPs against the online Yubico validation servers. Client id and API key can be fetched from https://upgrade.yubico.com/getapikey/

    Parameters :
    clientId             Your Client API id for the validation service.
clientKey            Your Client API key for the validaiton service.
id2name_textfile     Filename with "public_id<SP>username" info about which
                     user owns what key.
verify_yubikey_owner default: "true". Only set to "false" in pre-production
                     environments, otherwise ANY Yubikey will be accepted
                     for ANY user!
auto_provision_owner default: "false". If set to "true", we will
                     automatically record any new Yubikeys used as belonging
                     to the user that first logged in with them.
id_realm             Something to append to the Yubikey public id when we
                     construct principals (e.g.
                     "@my-validation-service.example.org").
soft_fail_on_no_otps default: false. Should the JAAS login module return
                     failure or asked to be ignored in case no OTPs are
                     provided for validation?
wsapi_urls           default: the YubiCloud validation URL. A "|" delimeted
                     list of ykval wsapi 2.0 URLs to use for OTP validation.
sync_policy          default: none, let the server decide. a value between 0
                     and 100 indicating the percentage of synchronization
                     required by the client.
jacc                 default: false, if true module picks up the otp from j_otp
                     FORM authentication too
    Example configuration :
    YourApplicationAuth {
    com.yubico.jaas.YubikeyLoginModule required
        clientId="4711";
};

    HttpOathOtpLoginModule :

    This JAAS plugin validates OATH OTPs using HTTP. The username and password
entered in your application will be used to attempt a HTTP Basic Auth login
to an URL you specify, and if that succeeds and the resulting response contains
an expected string, authentication is granted.
    One tested backend solution for validation of the HOTPs is the Apache mod_authn_otp :
    http://code.google.com/p/mod-authn-otp/
    Parameters :
    protectedUrl     (required) The URL you have protected with OATH-HOTP HTTP
                 Basic Auth.
expectedOutput   Default is "Authenticated OK".
minLength        Default is 6.
maxLength        Default is 12 (6-8 bytes HOTP and 4 bytes PIN).
requireAllDigits Default is "true".
id_realm         Something to append to the username when we construct
                 principals (e.g. "@my-validation-service.example.org").
    Example configuration :
    YourApplicationAuth {
    com.yubico.jaas.HTTPOathHotpLoginModule sufficient
        protectedUrl = "http://auth.example.com/oath-protected/"
        expectedOutput = "User authenticated OK";
};