001: /*
002: * Copyright 1999-2003 Sun Microsystems, Inc. All Rights Reserved.
003: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
004: *
005: * This code is free software; you can redistribute it and/or modify it
006: * under the terms of the GNU General Public License version 2 only, as
007: * published by the Free Software Foundation. Sun designates this
008: * particular file as subject to the "Classpath" exception as provided
009: * by Sun in the LICENSE file that accompanied this code.
010: *
011: * This code is distributed in the hope that it will be useful, but WITHOUT
012: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
013: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
014: * version 2 for more details (a copy is included in the LICENSE file that
015: * accompanied this code).
016: *
017: * You should have received a copy of the GNU General Public License version
018: * 2 along with this work; if not, write to the Free Software Foundation,
019: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
020: *
021: * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
022: * CA 95054 USA or visit www.sun.com if you need additional information or
023: * have any questions.
024: */
025:
026: package com.sun.jndi.ldap.sasl;
027:
028: import java.io.*;
029: import java.util.Vector;
030: import java.util.Hashtable;
031: import java.util.StringTokenizer;
032:
033: import javax.naming.AuthenticationException;
034: import javax.naming.AuthenticationNotSupportedException;
035: import javax.naming.NamingException;
036:
037: import javax.naming.ldap.Control;
038:
039: import javax.security.auth.callback.CallbackHandler;
040: import javax.security.sasl.*;
041: import com.sun.jndi.ldap.Connection;
042: import com.sun.jndi.ldap.LdapClient;
043: import com.sun.jndi.ldap.LdapResult;
044:
045: /**
046: * Handles SASL support.
047: *
048: * @author Vincent Ryan
049: * @author Rosanna Lee
050: */
051:
052: final public class LdapSasl {
053: // SASL stuff
054: private static final String SASL_CALLBACK = "java.naming.security.sasl.callback";
055: private static final String SASL_AUTHZ_ID = "java.naming.security.sasl.authorizationId";
056: private static final String SASL_REALM = "java.naming.security.sasl.realm";
057:
058: private static final int LDAP_SUCCESS = 0;
059: private static final int LDAP_SASL_BIND_IN_PROGRESS = 14; // LDAPv3
060:
061: private LdapSasl() {
062: }
063:
064: /**
065: * Performs SASL bind.
066: * Creates a SaslClient by using a default CallbackHandler
067: * that uses the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS
068: * properties to satisfy the callbacks, and by using the
069: * SASL_AUTHZ_ID property as the authorization id. If the SASL_AUTHZ_ID
070: * property has not been set, Context.SECURITY_PRINCIPAL is used.
071: * If SASL_CALLBACK has been set, use that instead of the default
072: * CallbackHandler.
073: *<p>
074: * If bind is successful and the selected SASL mechanism has a security
075: * layer, set inStream and outStream to be filter streams that use
076: * the security layer. These will be used for subsequent communication
077: * with the server.
078: *<p>
079: * @param conn The non-null connection to use for sending an LDAP BIND
080: * @param server Non-null string name of host to connect to
081: * @param dn Non-null DN to bind as; also used as authentication ID
082: * @param pw Possibly null password; can be byte[], char[] or String
083: * @param authMech A non-null space-separated list of SASL authentication
084: * mechanisms.
085: * @param env The possibly null environment of the context, possibly containing
086: * properties for used by SASL mechanisms
087: * @param bindCtls The possibly null controls to accompany the bind
088: * @return LdapResult containing status of the bind
089: */
090: public static LdapResult saslBind(LdapClient clnt, Connection conn,
091: String server, String dn, Object pw, String authMech,
092: Hashtable env, Control[] bindCtls) throws IOException,
093: NamingException {
094:
095: SaslClient saslClnt = null;
096: boolean cleanupHandler = false;
097:
098: // Use supplied callback handler or create default
099: CallbackHandler cbh = (env != null) ? (CallbackHandler) env
100: .get(SASL_CALLBACK) : null;
101: if (cbh == null) {
102: cbh = new DefaultCallbackHandler(dn, pw, (String) env
103: .get(SASL_REALM));
104: cleanupHandler = true;
105: }
106:
107: // Prepare parameters for creating SASL client
108: String authzId = (env != null) ? (String) env
109: .get(SASL_AUTHZ_ID) : null;
110: String[] mechs = getSaslMechanismNames(authMech);
111:
112: try {
113: // Create SASL client to use using SASL package
114: saslClnt = Sasl.createSaslClient(mechs, authzId, "ldap",
115: server, env, cbh);
116:
117: if (saslClnt == null) {
118: throw new AuthenticationNotSupportedException(authMech);
119: }
120:
121: LdapResult res;
122: String mechName = saslClnt.getMechanismName();
123: byte[] response = saslClnt.hasInitialResponse() ? saslClnt
124: .evaluateChallenge(NO_BYTES) : null;
125:
126: res = clnt.ldapBind(null, response, bindCtls, mechName,
127: true);
128:
129: while (!saslClnt.isComplete()
130: && (res.status == LDAP_SASL_BIND_IN_PROGRESS || res.status == LDAP_SUCCESS)) {
131:
132: response = saslClnt
133: .evaluateChallenge(res.serverCreds != null ? res.serverCreds
134: : NO_BYTES);
135: if (res.status == LDAP_SUCCESS) {
136: if (response != null) {
137: throw new AuthenticationException(
138: "SASL client generated response after success");
139: }
140: break;
141: }
142: res = clnt.ldapBind(null, response, bindCtls, mechName,
143: true);
144: }
145:
146: if (res.status == LDAP_SUCCESS) {
147: if (!saslClnt.isComplete()) {
148: throw new AuthenticationException(
149: "SASL authentication not complete despite server claims");
150: }
151:
152: String qop = (String) saslClnt
153: .getNegotiatedProperty(Sasl.QOP);
154:
155: // If negotiated integrity or privacy,
156: if (qop != null
157: && (qop.equalsIgnoreCase("auth-int") || qop
158: .equalsIgnoreCase("auth-conf"))) {
159:
160: InputStream newIn = new SaslInputStream(saslClnt,
161: conn.inStream);
162: OutputStream newOut = new SaslOutputStream(
163: saslClnt, conn.outStream);
164:
165: conn.replaceStreams(newIn, newOut);
166: } else {
167: saslClnt.dispose();
168: }
169: }
170: return res;
171: } catch (SaslException e) {
172: NamingException ne = new AuthenticationException(authMech);
173: ne.setRootCause(e);
174: throw ne;
175: } finally {
176: if (cleanupHandler) {
177: ((DefaultCallbackHandler) cbh).clearPassword();
178: }
179: }
180: }
181:
182: /**
183: * Returns an array of SASL mechanisms given a string of space
184: * separated SASL mechanism names.
185: * @param The non-null string containing the mechanism names
186: * @return A non-null array of String; each element of the array
187: * contains a single mechanism name.
188: */
189: private static String[] getSaslMechanismNames(String str) {
190: StringTokenizer parser = new StringTokenizer(str);
191: Vector mechs = new Vector(10);
192: while (parser.hasMoreTokens()) {
193: mechs.addElement(parser.nextToken());
194: }
195: String[] mechNames = new String[mechs.size()];
196: for (int i = 0; i < mechs.size(); i++) {
197: mechNames[i] = (String) mechs.elementAt(i);
198: }
199: return mechNames;
200: }
201:
202: private static final byte[] NO_BYTES = new byte[0];
203: }
|