Example
Login Module 
You can use the AbstractLoginModule class to create a login module. The AbstractLoginModule class is common to all the UMSPI login modules and implements the JAAS LoginModule interface. The class is located in the com.sap.engine.interfaces.security.auth package.
import com.sap.engine.interfaces.security.auth.AbstractLoginModule; import javax.security.auth.callback.*; import javax.security.auth.Subject; import javax.security.auth.login.LoginException; import java.util.Map;
/**
 * This is an example login module that uses the
 * AbstractLoginModule class.
 *
 * <p>The listing is a skeleton, not compilable code: the {@code ...} markers
 * stand for elided statements and the {@code < name >} entries stand for
 * values the implementer has to supply. The fields used below
 * ({@code successful}, {@code nameSet}, {@code name}, {@code user},
 * {@code userContext}, {@code sharedState}) are not declared in the visible
 * part of the example.
 *
 * <p>NOTE(review): {@code LoginExceptionDetails} is referenced in
 * {@link #login()} but does not appear in the import line shown with this
 * example; add the matching import when adapting the code.
 */
public class ExampleLoginModule extends AbstractLoginModule {

  /**
   * Initialize the login module with the relevant authentication
   * and state information.
   *
   * <p>The visible code only forwards all four arguments to
   * {@code super.initialize}; anything module-specific is in the elided part.
   *
   * @param subject the subject to be authenticated
   * @param callbackHandler handler used to obtain the credentials from the caller
   * @param sharedState state shared with the other login modules in the stack
   * @param options options configured for this login module
   */
  public void initialize(
      Subject subject,
      CallbackHandler callbackHandler,
      Map sharedState,
      Map options) {
    super.initialize(subject, callbackHandler, sharedState, options);
    ...
  }

  /**
   * Set the user credentials. Authenticate a subject as the first
   * part of the authentication process.
   *
   * <p>In this example the account checks (expiry, lock status, pending
   * password change) all run before the user name is written to the shared
   * state and before {@code successful} is set, so a module adapted from it
   * should keep them ahead of those two steps.
   *
   * @return {@code true} when the visible code path completes
   * @throws javax.security.auth.login.LoginException declared by the method;
   *     the helpers called below are presumably what raise it - confirm
   *     against the AbstractLoginModule documentation
   */
  public boolean login() throws javax.security.auth.login.LoginException {
    ...
    < handle user credentials >
    ...
    // After you have received the user name, refresh the user data
    // in the user store cache. If you do not do this, you may
    // receive outdated information about the user from the user
    // store (for example, a lock or expiry state that has changed since
    // the entry was cached).
    refreshUserInfo(name);

    try {
      // do some user check
    } catch (Exception e) {
      // Any failure of the user check is handed to throwUserLoginException,
      // so the catch block itself never continues the login silently.
      // NOTE(review): the helper is not shown here; confirm that it always
      // throws, otherwise execution would fall through to the checks below.
      throwUserLoginException(e);
    }

    if (isUserAccountExpired(user, userContext)) {
      // NOTE(review): this message contains the user name and states that the
      // account exists but is outside its validity period. Confirm where the
      // text ends up (server log vs. response to the caller) so that it does
      // not let an unauthenticated caller tell valid account names apart.
      throwNewLoginException(
          "The user account " + name + " is either expired, or not valid yet.",
          LoginExceptionDetails.USER_IS_CURRENTLY_NOT_VALID);
    }

    // Lock-status check; presumably rejects the login for a locked account -
    // the helper's behavior is not visible in this example.
    checkUserLockStatus(< userContext >, < userInfo >);

    // Password-change step; receives the callback handler, presumably to
    // prompt the user when a change is required - confirm against the helper.
    changePasswordIfNeeded(
        < userContext >, < userInfo >, < callbackHandler >);

    // Exactly one login module in the stack must put the user name in the
    // shared state. This user name is considered to represent the
    // authenticated user. For example, if the login is successful, method
    // getRemoteUser() of the HTTP request will retrieve exactly this name.
    // The null check keeps this module from overwriting a name that an
    // earlier module already set; nameSet records that this module was the
    // one that set it, which commit() uses to decide whether to publish the
    // principal.
    if (sharedState.get(AbstractLoginModule.NAME) == null) {
      sharedState.put(AbstractLoginModule.NAME, < userName >);
      nameSet = true;
    }

    // Set only after every check above has passed; commit() reads this flag.
    successful = true;
    return true;
  }

  /**
   * Commit the login. This is the second part of the authentication
   * process. If it is successful, the statistics for the user
   * are logged in a specified way, in order to manage
   * the login module implementations on the
   * SAP J2EE Engine.
   *
   * <p>The return statement and the handling of the unsuccessful case are in
   * the elided parts of the example.
   *
   * @throws javax.security.auth.login.LoginException declared by the method
   */
  public boolean commit() throws javax.security.auth.login.LoginException {
    ...
    // Credentials and the principal are attached only when login() succeeded.
    if (successful) {
      // add credentials to subject
      ...
      // Record the successful logon (first argument true).
      writeLogonStatistics(
          true, < userName >, < currentTime >, < sharedState >);
      ...
      // If the login is successful, then the principal corresponding to the
      // <userName> (the same user name that has been added to shared state)
      // must be added in the shared state too. This principal is considered
      // to be the main principal representing the user. For example, this
      // principal will be retrieved from method getUserPrincipal() of the
      // HTTP request.
      // Guarded by nameSet so that only the module that supplied the name
      // also supplies the principal, keeping the two entries consistent.
      if (nameSet) {
        sharedState.put(
            AbstractLoginModule.PRINCIPAL, < userPrincipal >);
      }
    }
    ...
  }

  /**
   * Abort the authentication process.
   *
   * <p>The visible code records the attempt as a failed logon (first
   * argument {@code false}); any cleanup of module state and the return
   * statement are in the elided parts.
   *
   * @throws LoginException declared by the method
   */
  public boolean abort() throws LoginException {
    ...
    writeLogonStatistics(
        false, < userName >, < currentTime >, < sharedState >);
    ...
  }

  /**
   * Log out the user. Also removes the principals and destroys or
   * removes the credentials that were associated with the user
   * during the commit phase.
   *
   * <p>NOTE(review): the example body contains only a placeholder comment;
   * an implementation has to actually remove what commit() added so that no
   * credentials remain on the subject after logout.
   *
   * @throws LoginException declared by the method
   */
  public boolean logout() throws LoginException {
    ...
    // Remove credentials from subject
  }
}
See also:
