Package org.eclipse.jetty.jaas.spi

Class LdapLoginModule

  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule
    public class LdapLoginModule
extends AbstractLoginModule
    A LdapLoginModule for use with JAAS setups

    The jvm should be started with the following parameter: 

     -Djava.security.auth.login.config=etc/ldap-loginModule.conf
    and an example of the ldap-loginModule.conf would be: 
     ldaploginmodule {
    org.eclipse.jetty.server.server.plus.jaas.spi.LdapLoginModule required
    debug="true"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="ldap.example.com"
    port="389"
    bindDn="cn=Directory Manager"
    bindPassword="directory"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="ou=people,dc=alcatel"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    roleObjectClass="groupOfUniqueNames";
    };

    • Field Summary

      Fields 
      Modifier and Type Field Description
      private java.lang.String _authenticationMethod
      Context.SECURITY_AUTHENTICATION
      private java.lang.String _bindDn
      root DN used to connect to
      private java.lang.String _bindPassword
      password used to connect to the root ldap context
      private java.lang.String _contextFactory
      Context.INITIAL_CONTEXT_FACTORY
      private boolean _debug  
      private boolean _forceBindingLogin
      if the getUserInfo can pull a password off of the user then password comparison is an option for authn, to force binding login checks, set this to true
      private java.lang.String _hostname
      hostname of the ldap server
      private int _port
      port of the ldap server
      private java.lang.String _roleBaseDn
      base DN where role membership is to be searched from
      private java.lang.String _roleMemberAttribute
      name of the attribute that a username would be under a role class
      private java.lang.String _roleNameAttribute
      the name of the attribute that a role would be stored under
      private java.lang.String _roleObjectClass
      object class of roles
      private javax.naming.directory.DirContext _rootContext  
      private boolean _useLdaps
      When true changes the protocol to ldaps
      private java.lang.String _userBaseDn
      base DN where users are to be searched from
      private java.lang.String _userIdAttribute
      attribute that the principal is located
      private java.lang.String _userObjectClass
      object class of a user
      private java.lang.String _userPasswordAttribute
      name of the attribute that a users password is stored under
      private java.lang.String _userRdnAttribute
      attribute that the principal is located
      private static Logger LOG  

    • Constructor Summary

      Constructors 
      Constructor Description
      LdapLoginModule()  

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      boolean abort()  
      private static java.lang.String base64ToHex​(java.lang.String src)  
      boolean bindingLogin​(java.lang.String username, java.lang.Object password)
      binding authentication check This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allow the access to any user or at least for the user that logs in.
      boolean commit()  
      static java.lang.String convertCredentialLdapToJetty​(java.lang.String encryptedPassword)  
      protected boolean credentialLogin​(java.lang.Object webCredential)
      password supplied authentication check
      protected java.lang.String doRFC2254Encoding​(java.lang.String inputString)  
      private javax.naming.directory.SearchResult findUser​(java.lang.String username)  
      private javax.naming.directory.SearchResult findUser​(javax.naming.directory.DirContext dirContext, java.lang.String filter, java.lang.Object[] filterArguments)  
      java.util.Hashtable<java.lang.Object,​java.lang.Object> getEnvironment()
      get the context for connection
      private java.lang.String getOption​(java.util.Map<java.lang.String,​?> options, java.lang.String key, java.lang.String defaultValue)  
      private javax.naming.directory.Attributes getUserAttributes​(java.lang.String username)
      attempts to get the users LDAP attributes from the users context
      private java.lang.String getUserCredentials​(javax.naming.directory.Attributes attributes)  
      UserInfo getUserInfo​(java.lang.String username)
      get the available information about the user
      private java.util.List<java.lang.String> getUserRoles​(javax.naming.directory.DirContext dirContext, java.lang.String username, javax.naming.directory.Attributes attributes)
      attempts to get the users roles from the root context
      private java.util.List<java.lang.String> getUserRolesByDn​(javax.naming.directory.DirContext dirContext, java.lang.String userDn)  
      private static java.lang.String hexToBase64​(java.lang.String src)  
      void initialize​(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map<java.lang.String,​?> sharedState, java.util.Map<java.lang.String,​?> options)
      Init LoginModule.
      boolean login()
      since ldap uses a context bind for valid authentication checking, we override login()

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • LOG

        private static final Logger LOG

      • _hostname

        private java.lang.String _hostname
        hostname of the ldap server

      • _port

        private int _port
        port of the ldap server

      • _authenticationMethod

        private java.lang.String _authenticationMethod
        Context.SECURITY_AUTHENTICATION

      • _contextFactory

        private java.lang.String _contextFactory
        Context.INITIAL_CONTEXT_FACTORY

      • _bindDn

        private java.lang.String _bindDn
        root DN used to connect to

      • _bindPassword

        private java.lang.String _bindPassword
        password used to connect to the root ldap context

      • _userObjectClass

        private java.lang.String _userObjectClass
        object class of a user

      • _userRdnAttribute

        private java.lang.String _userRdnAttribute
        attribute that the principal is located

      • _userIdAttribute

        private java.lang.String _userIdAttribute
        attribute that the principal is located

      • _userPasswordAttribute

        private java.lang.String _userPasswordAttribute
        name of the attribute that a users password is stored under

        NOTE: not always accessible, see force binding login

      • _userBaseDn

        private java.lang.String _userBaseDn
        base DN where users are to be searched from

      • _roleBaseDn

        private java.lang.String _roleBaseDn
        base DN where role membership is to be searched from

      • _roleObjectClass

        private java.lang.String _roleObjectClass
        object class of roles

      • _roleMemberAttribute

        private java.lang.String _roleMemberAttribute
        name of the attribute that a username would be under a role class

      • _roleNameAttribute

        private java.lang.String _roleNameAttribute
        the name of the attribute that a role would be stored under

      • _debug

        private boolean _debug

      • _forceBindingLogin

        private boolean _forceBindingLogin
        if the getUserInfo can pull a password off of the user then password comparison is an option for authn, to force binding login checks, set this to true

      • _useLdaps

        private boolean _useLdaps
        When true changes the protocol to ldaps

      • _rootContext

        private javax.naming.directory.DirContext _rootContext

    • Constructor Detail

      • LdapLoginModule

        public LdapLoginModule()

    • Method Detail

      • getUserInfo

        public UserInfo getUserInfo​(java.lang.String username)
                     throws java.lang.Exception
        get the available information about the user

        for this LoginModule, the credential can be null which will result in a binding ldap authentication scenario

        roles are also an optional concept if required

        Specified by:
        getUserInfo in class AbstractLoginModule
        Parameters:
        username - the user name
        Returns:
        the userinfo for the username
        Throws:
        java.lang.Exception - if unable to get the user info

      • doRFC2254Encoding

        protected java.lang.String doRFC2254Encoding​(java.lang.String inputString)

      • getUserAttributes

        private javax.naming.directory.Attributes getUserAttributes​(java.lang.String username)
                                                     throws javax.security.auth.login.LoginException
        attempts to get the users LDAP attributes from the users context

        NOTE: this is not an user authenticated operation

        Returns:
        the Attributes from the user
        Throws:
        javax.security.auth.login.LoginException

      • getUserCredentials

        private java.lang.String getUserCredentials​(javax.naming.directory.Attributes attributes)
                                     throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException

      • getUserRoles

        private java.util.List<java.lang.String> getUserRoles​(javax.naming.directory.DirContext dirContext,
                                                      java.lang.String username,
                                                      javax.naming.directory.Attributes attributes)
                                               throws javax.security.auth.login.LoginException,
                                                      javax.naming.NamingException
        attempts to get the users roles from the root context

        NOTE: this is not an user authenticated operation

        Throws:
        javax.security.auth.login.LoginException
        javax.naming.NamingException

      • getUserRolesByDn

        private java.util.List<java.lang.String> getUserRolesByDn​(javax.naming.directory.DirContext dirContext,
                                                          java.lang.String userDn)
                                                   throws javax.naming.NamingException
        Throws:
        javax.naming.NamingException

      • login

        public boolean login()
              throws javax.security.auth.login.LoginException
        since ldap uses a context bind for valid authentication checking, we override login()

        if credentials are not available from the users context or if we are forcing the binding check then we try a binding authentication check, otherwise if we have the users encoded password then we can try authentication via that mechanic

        Specified by:
        login in interface javax.security.auth.spi.LoginModule
        Overrides:
        login in class AbstractLoginModule
        Returns:
        true if authenticated, false otherwise
        Throws:
        javax.security.auth.login.LoginException - if unable to login
        See Also:
        LoginModule.login()

      • credentialLogin

        protected boolean credentialLogin​(java.lang.Object webCredential)
                           throws javax.security.auth.login.LoginException
        password supplied authentication check
        Parameters:
        webCredential - the web credential
        Returns:
        true if authenticated
        Throws:
        javax.security.auth.login.LoginException - if unable to login

      • bindingLogin

        public boolean bindingLogin​(java.lang.String username,
                            java.lang.Object password)
                     throws javax.security.auth.login.LoginException
        binding authentication check This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allow the access to any user or at least for the user that logs in.
        Parameters:
        username - the user name
        password - the password
        Returns:
        true always
        Throws:
        javax.security.auth.login.LoginException - if unable to bind the login

      • findUser

        private javax.naming.directory.SearchResult findUser​(java.lang.String username)
                                              throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException

      • findUser

        private javax.naming.directory.SearchResult findUser​(javax.naming.directory.DirContext dirContext,
                                                     java.lang.String filter,
                                                     java.lang.Object[] filterArguments)
                                              throws javax.security.auth.login.LoginException
        Throws:
        javax.security.auth.login.LoginException

      • initialize

        public void initialize​(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map<java.lang.String,​?> sharedState,
                       java.util.Map<java.lang.String,​?> options)
        Init LoginModule.

        Called once by JAAS after new instance is created.

        Specified by:
        initialize in interface javax.security.auth.spi.LoginModule
        Overrides:
        initialize in class AbstractLoginModule
        Parameters:
        subject - the subect
        callbackHandler - the callback handler
        sharedState - the shared state map
        options - the option map
        See Also:
        LoginModule.initialize(javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)

      • commit

        public boolean commit()
               throws javax.security.auth.login.LoginException
        Specified by:
        commit in interface javax.security.auth.spi.LoginModule
        Overrides:
        commit in class AbstractLoginModule
        Returns:
        true if committed, false if not (likely not authenticated)
        Throws:
        javax.security.auth.login.LoginException - if unable to commit
        See Also:
        LoginModule.commit()

      • abort

        public boolean abort()
              throws javax.security.auth.login.LoginException
        Specified by:
        abort in interface javax.security.auth.spi.LoginModule
        Overrides:
        abort in class AbstractLoginModule
        Throws:
        javax.security.auth.login.LoginException - if unable to abort
        See Also:
        LoginModule.abort()

      • getOption

        private java.lang.String getOption​(java.util.Map<java.lang.String,​?> options,
                                   java.lang.String key,
                                   java.lang.String defaultValue)

      • getEnvironment

        public java.util.Hashtable<java.lang.Object,​java.lang.Object> getEnvironment()
        get the context for connection
        Returns:
        the environment details for the context

      • convertCredentialLdapToJetty

        public static java.lang.String convertCredentialLdapToJetty​(java.lang.String encryptedPassword)

      • base64ToHex

        private static java.lang.String base64ToHex​(java.lang.String src)

      • hexToBase64

        private static java.lang.String hexToBase64​(java.lang.String src)