The name callback JAAS Callbacks

that this module stored. It may throw a LoginException if it encounters an error.

To write a login module, you must have an available class that implements the Principal interface. There are several in the JAAS API, although they tend to be login module-specific. We mentioned the Solaris and NT principal classes earlier; the only other available class is the X500Principal class (com.sun.security.auth.X500Principal). This is an appropriate choice if your login module will be providing X500 names, but in most cases you'll need to write your own principal class. Here's a simple implementation:

    package javasec.samples.ch15;

    import java.security.*;
    import java.io.*;

    public class SimplePrincipal implements Principal, Serializable {
        private String name;

        public SimplePrincipal(String s) {
            name = s;
        }

        public String getName() {
            return name;
        }

        // Simple Principal objects are equal if they contain the same name.
        public boolean equals(Object o) {
            if (!(o instanceof SimplePrincipal))
                return false;
            return ((SimplePrincipal) o).name.equals(name);
        }

        // Keep hashCode consistent with equals so that principals behave
        // correctly in hash-based collections.
        public int hashCode() {
            return name.hashCode();
        }
    }

Note that the principal is serializable. We'll say more about that at the end of the chapter.

Here's the simple login module code:

    package javasec.samples.ch15;

    import java.util.*;
    import java.io.IOException;
    import javax.security.auth.*;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.spi.*;

    public class SimpleLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler callbackHandler;
        private SimplePrincipal principal;
        private boolean debug;

        // State information for the currently authenticated user.
        private String userName = null;
        private boolean succeeded = false;
        private boolean commitSucceeded = false;

        public void initialize(Subject s, CallbackHandler cb,
                               Map sharedMap, Map options) {
            subject = s;
            callbackHandler = cb;

            // Initialize any configured options.
            debug = "true".equalsIgnoreCase((String) options.get("debug"));

            // We don't use the shared map to cache results between
            // attempts, but if we did we'd need to save it here.
        }

        public boolean login() throws LoginException {
            if (debug)
                System.err.println("SimpleLoginModule: Login");

            // This is where we'd normally do authentication. If necessary,
            // we could instantiate callback objects and put them in an
            // array and call the callback handler. We could also retrieve
            // information from the sharedMap if we cached a previous
            // login attempt.

            // Normally, we'd set this from the getName() method of the
            // name callback, or from the user environment.
            userName = "defaultUser";

            // We'd set this based on a password match. If we get
            // credentials from the user environment, it will always be true.
            succeeded = true;
            return true;
        }

        public boolean commit() throws LoginException {
            if (debug)
                System.err.println("SimpleLoginModule: Commit");

            if (!succeeded) {
                // We didn't authenticate the user, but someone else did.
                // Clean up our state, but don't add our principal to
                // the subject.
                userName = null;
                return false;
            }

            principal = new SimplePrincipal(userName);

            // defaultUser might already be in the subject if another
            // module authenticated him.
            if (!subject.getPrincipals().contains(principal)) {
                subject.getPrincipals().add(principal);
            }

            // Clean up our internal state.
            userName = null;
            commitSucceeded = true;
            return true;
        }

        public boolean abort() throws LoginException {
            if (debug)
                System.err.println("SimpleLoginModule: Abort");

            if (succeeded == false)