<setAuthenticator>
Authenticator which determines user name and password through its configuration, or prompts the user interactively for user name and password through a Swing JOptionPane.
An "authenticator" is used by all JRE URLConnections when a host asks for authentication, e.g. HTTP "401: Unauthorized" and "407: Proxy Authentication Required". The <ftp2> task also uses the authenticator for server authentication and proxy authentication.
The exact strategy of this authenticator is as follows:
requestingHost="...", requestingSite="...", requestingPort="...", requestingProtocol="...", requestingPrompt="...", requestingScheme="...", requestingUrl="..." and requestorType="..." of all <credentials> subelements, in the given order. This process stops at the first match.
<credentials> subelement has both userName="..." and password="..." configured, then that user name-password pair is returned.
JOptionPane dialog for a user name and a password. (Iff the matching <credentials> subelement configured a userName="...", then that user name is pre-filled in.)
Iff cache="..." is set to a value different from NONE, then the entered user name and/or password are remembered and pre-filled in the next time the authentication dialog pops up. The "remembered" data is not persisted and is lost when the JVM terminates.
Iff store="..." is set to a value different from NONE, then the entered user name and/or password are stored in a persistent "authentication store". That store is a properties file in the user's home directory, and the passwords stored therein are encrypted with a secret key, which is generated ad hoc and stored in another file in the user's home directory (the "key store"). The secret key is protected by a password (called the "master password"), so that an attacker cannot compromise the passwords in the authentication store, even if he steals the key store file.
When the secret key is created, the user is prompted to choose the master password:
When a different JVM instance requires the secret key, it prompts the user to enter the master password:
Name | Description |
---|---|
cache="..." | Whether user names, user names and passwords, or neither are remembered while the JVM is running. |
dialogLabel="..." | The text of the label in the authentication dialog, in MessageFormat format. |
store="..." | Whether user names, user names and passwords, or neither are persistently stored. |
Name | Description |
---|---|
<credentials> | Every time a server requests user name/password authentication, the <credentials> subelements are checked, and the first that matches the request determines the user name and password. |
Default values are underlined.
dialogLabel="value"
The text of the label in the authentication dialog, in MessageFormat format.
The following arguments are replaced within the message:
/requesting-protocol/requesting-host/requesting-port/requesting-scheme
Example value: "PROXY/http/proxy.company.com/8080/Negotiate"
requestingHost="..."
requestingSite="..."
requestingPort="..."
requestingProtocol="..."
requestingPrompt="..."
requestingScheme="..."
requestingUrl="..."
requestorType="..."
* Where the above list presents two placeholders, they expand as follows:
null or "" or -1, the two placeholders expand to "0" and "".
"1" and the value.
The default value is
<html> <table> {1, choice, 0#|1#'<tr><td>Host: </td><td>'{2}'</td></tr>'} {3, choice, 0#|1#'<tr><td>Site: </td><td>'{4}'</td></tr>'} {5, choice, 0#|1#'<tr><td>Port: </td><td>'{6}'</td></tr>'} {7, choice, 0#|1#'<tr><td>Protocol:</td><td>'{8}'</td></tr>'} {9, choice, 0#|1#'<tr><td>Prompt: </td><td>'{10}'</td></tr>'} {11, choice, 0#|1#'<tr><td>Scheme: </td><td>'{12}'</td></tr>'} {13, choice, 0#|1#'<tr><td>URL: </td><td>'{14}'</td></tr>'} {15, choice, 0#|1#'<tr><td>Type: </td><td>'{16}'</td></tr>'} </table> </html>
cache="NONE|USER_NAMES|USER_NAMES_AND_PASSWORDS"
<credentials>
Every time a server requests user name/password authentication, the <credentials> subelements are checked, and the first that matches the request determines the user name and password. A <credentials> subelement matches iff the requesting host, site, port, protocol, URL, scheme and requestor type all match the respective attributes.
If no userName="..." and/or no password="..." are configured, then the user is prompted for the missing user name and/or password.
When this task is executed multiple times, the configured <credentials> add up, i.e. previously configured credentials are never erased and always take precedence over newly configured ones.
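A build-file sketch of the first-match strategy described above, added here as an example and not taken from the task's own documentation. It assumes that the <setAuthenticator> task is already defined in the build and that omitted requesting* attributes match anything (as stated below for requestingSite and requestorType); the host name repo.company.com, the property names and the secrets file are constructed. The deny attribute is documented further down.

```xml
<project name="authenticator-example" default="fetch">

  <!-- Assumption: <setAuthenticator> has already been made available to this
       build (task definition not shown). Host names and property names below
       are constructed for illustration. -->

  <!-- Keep secrets out of build.xml: the properties are expected to come from
       the command line or from a file outside version control. -->
  <property file="${user.home}/.build-secrets.properties"/>

  <target name="configure-auth">
    <setAuthenticator cache="NONE" store="NONE">

      <!-- 1. Proxy: these credentials are offered only when the requestor is
              the proxy, never to an origin server. Dots are escaped so that
              "." does not act as a regex wildcard. -->
      <credentials
          requestorType="PROXY"
          requestingHost="proxy\.company\.com"
          requestingPort="8080"
          userName="${proxy.user}"
          password="${proxy.password}"/>

      <!-- 2. Artifact server: user name configured, password left out, so the
              dialog asks for the password with the user name pre-filled. -->
      <credentials
          requestorType="SERVER"
          requestingProtocol="https"
          requestingHost="repo\.company\.com"
          userName="${repo.user}"/>

      <!-- 3. Catch-all: no requesting* attributes, so it matches every other
              request; deny="true" refuses authentication instead of
              prompting. Must come last, because the first match wins. -->
      <credentials deny="true"/>

    </setAuthenticator>
  </target>

  <target name="fetch" depends="configure-auth">
    <get src="https://repo.company.com/artifacts/tool.zip" dest="tool.zip"/>
  </target>
</project>
```

Because configured credentials add up across executions and earlier ones take precedence, a catch-all deny entry shadows any credentials that a later execution of the task adds, so the complete list is best configured in one place.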
requestingHost="regex"
requestingSite="regex"
InetAddress pattern of the site. The default is "any site".
requestingPort="regex"
requestingProtocol="regex"
requestingPrompt="regex"
requestingScheme="regex"
requestingUrl="regex"
requestorType="regex"
PROXY
SERVER
The default is "any requestor type".
deny="true|false"
true, then userName="..." and password="..." are ignored, and authentication is denied for this spec. The default is "false".
userName="user-name"
<credentials> element matches. Value "-" is equivalent to not configuring a user name.
password="password"
<credentials> element matches. Value "-" is equivalent to not configuring a password.
Copyright © 2019. All rights reserved.