com.nabhinc.portal.spi.impl.ldap.AuthenticationServiceLDAPImpl
Class hierarchy: com.nabhinc.portal.spi.BaseUserServiceImpl -> com.nabhinc.portal.spi.impl.ldap.AuthenticationServiceLDAPImpl

AuthenticationServiceLDAPImpl | public class AuthenticationServiceLDAPImpl extends BaseUserServiceImpl implements AuthenticationService

Authentication service that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs. The following constraints are imposed on the data structure in the underlying directory server:
- Each user that can be authenticated is represented by an individual element in the top level DirContext that is accessed via the connectionURL property.
- If a socket connection can not be made to the connectionURL, an attempt will be made to use the alternateURL if it exists.
- Each user element has a distinguished name that can be formed by substituting the presented username into a pattern configured by the userPattern property.
- Alternatively, if the userPattern property is not specified, a unique element can be located by searching the directory context. In this case:
  - The userSearch pattern specifies the search filter after substitution of the username.
  - The userBase property can be set to the element that is the base of the subtree containing users. If not specified, the search base is the top-level context.
  - The userSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
- The user may be authenticated by binding to the directory with the username and password presented. This method is used when the userPassword property is not specified.
- The user may be authenticated by retrieving the value of an attribute from the directory and comparing it explicitly with the value presented by the user. This method is used when the userPassword property is specified, in which case:
  - The element for this user must contain an attribute named by the userPassword property.
  - The value of the user password attribute is either a cleartext String, or the result of passing a cleartext String through the RealmBase.digest() method (using the standard digest support included in RealmBase).
  - The user is considered to be authenticated if the presented credentials (after being passed through RealmBase.digest()) are equal to the retrieved value for the user password attribute.
- Each group of users that has been assigned a particular role may be represented by an individual element in the top level DirContext that is accessed via the connectionURL property. This element has the following characteristics:
  - The set of all possible groups of interest can be selected by a search pattern configured by the roleSearch property.
  - The roleSearch pattern optionally includes pattern replacements "{0}" for the distinguished name, and/or "{1}" for the username, of the authenticated user for which roles will be retrieved.
  - The roleBase property can be set to the element that is the base of the search for matching roles. If not specified, the entire context will be searched.
  - The roleSubtree property can be set to true if you wish to search the entire subtree of the directory context. The default value of false requests a search of only the current level.
  - The element includes an attribute (whose name is configured by the roleName property) containing the name of the role represented by this element.
- In addition, roles may be represented by the values of an attribute in the user's element whose name is configured by the userRoleName property.
- Note that the standard <security-role-ref> element in the web application deployment descriptor allows applications to refer to roles programmatically by names other than those used in the directory server itself.

TODO - Support connection pooling (including message format objects) so that authenticate() does not have to be synchronized.

WARNING - There is a reported bug against the Netscape provider code (com.netscape.jndi.ldap.LdapContextFactory) with respect to successfully authenticating a non-existing user. The report is here: http://issues.apache.org/bugzilla/show_bug.cgi?id=11210 . With luck, Netscape has updated their provider code and this is not an issue.

author: John Holman
author: Padmanabh Dabke
author: Craig R. McClanahan
version: $Revision: 1.3 $ $Date: 2006/08/02 20:39:53 $
Field Summary
final public static String | DEREF_ALIASES | Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.
protected String | alternateURL | An alternate URL to which we should connect if connectionURL fails.
protected String | authentication
protected int | connectionAttempt | The number of connection attempts.
protected String | connectionName | The connection username for the server we will contact.
protected String | connectionPassword | The connection password for the server we will contact.
protected String | connectionURL | The connection URL for the server we will contact.
protected DirContext | context | The directory context linking us to our directory server.
protected String | contextFactory | The JNDI context factory used to acquire our InitialContext.
protected int | curUserPattern | The current user pattern to be used for lookup and binding of a user.
protected String | derefAliases | How aliases should be dereferenced during search operations.
final protected static String | name | Descriptive information about this Realm implementation.
protected String | protocol | The protocol that will be used in the communication with the directory server.
protected String | referrals | How should we handle referrals? Microsoft Active Directory can't handle the default case, so an application authenticating against AD must set referrals to "follow".
protected String | roleBase | The base element for role searches.
protected MessageFormat | roleFormat | The MessageFormat object associated with the current roleSearch.
protected String | roleName
protected String | roleSearch | The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.
protected boolean | roleSubtree
protected String | userBase | The base element for user searches.
protected String | userPassword | The attribute name used to retrieve the user password.
protected String | userPattern | The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
protected String[] | userPatternArray | A string of LDAP user patterns or paths, ":"-separated. These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.
protected MessageFormat[] | userPatternFormatArray | An array of MessageFormat objects associated with the current userPatternArray.
protected String | userRoleName
protected String | userSearch | The message format used to search for a user, with "{0}" marking the spot where the username goes.
protected MessageFormat | userSearchFormat | The MessageFormat object associated with the current userSearch.
protected boolean | userSubtree
Method Summary
public LocalUserInfo | authenticate(String username, String credentials) | Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate).
public synchronized LocalUserInfo | authenticate(DirContext context, String username, String credentials) | Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
public LocalUserInfo | authenticateUserByEmail(String userEmail, String password, Map paramMap)
public LocalUserInfo | authenticateUserByName(String userName, String password, Map paramMap)
protected boolean | bindAsUser(DirContext context, User user, String credentials)
protected boolean | checkCredentials(DirContext context, User user, String credentials) | Check whether the given User can be authenticated with the given credentials.
protected void | close(DirContext context) | Close any open connection to the directory server for this Realm.
protected String | doRFC2254Encoding(String inString) | Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines.
public String | getAlternateURL() | Getter for property alternateURL.
public String | getAuthentication() | Return the type of authentication to use.
public String | getConnectionName() | Return the connection username for this Realm.
public String | getConnectionPassword() | Return the connection password for this Realm.
public String | getConnectionURL() | Return the connection URL for this Realm.
public String | getContextFactory() | Return the JNDI context factory for this Realm.
public java.lang.String | getDerefAliases() | Return the derefAliases setting to be used.
protected Hashtable | getDirectoryContextEnvironment() | Create our directory context configuration.
protected String | getName() | Return a short name for this Realm implementation.
protected String | getPassword(String username) | Return the password associated with the given principal's user name.
protected LocalUserInfo | getPrincipal(String username) | Return the Principal associated with the given user name.
protected synchronized LocalUserInfo | getPrincipal(DirContext context, String username) | Return the Principal associated with the given user name.
public String | getProtocol() | Return the protocol to be used.
public String | getReferrals() | Returns the current settings for handling JNDI referrals.
public String | getRoleBase() | Return the base element for role searches.
public String | getRoleName() | Return the role name attribute name for this Realm.
public String | getRoleSearch() | Return the message format pattern for selecting roles in this Realm.
public boolean | getRoleSubtree() | Return the "search subtree for roles" flag.
protected List | getRoles(DirContext context, User user) | Return a List of roles associated with the given User.
protected User | getUser(DirContext context, String username) | Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry.
public String | getUserBase() | Return the base element for user searches.
protected User | getUserByPattern(DirContext context, String username, String[] attrIds) | Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
protected User | getUserBySearch(DirContext context, String username, String[] attrIds) | Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
public String | getUserPassword() | Return the password attribute used to retrieve the user password.
public String | getUserPattern() | Return the message format pattern for selecting users in this Realm.
public String | getUserRoleName() | Return the user role name attribute name for this Realm.
public String | getUserSearch() | Return the message format pattern for selecting users in this Realm.
public boolean | getUserSubtree() | Return the "search subtree for users" flag.
protected DirContext | open() | Open (if necessary) and return a connection to the configured directory server for this Realm.
protected String[] | parseUserPatternString(String userPatternString) | Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format, "(location1)(location2)"), returns an array of those paths.
protected void | release(DirContext context) | Release our use of this connection so that it can be recycled.
public void | setAlternateURL(String alternateURL) | Setter for property alternateURL.
public void | setAuthentication(String authentication) | Set the type of authentication to use.
public void | setConnectionName(String connectionName) | Set the connection username for this Realm.
public void | setConnectionPassword(String connectionPassword) | Set the connection password for this Realm.
public void | setConnectionURL(String connectionURL) | Set the connection URL for this Realm.
public void | setContextFactory(String contextFactory) | Set the JNDI context factory for this Realm.
public void | setDerefAliases(java.lang.String derefAliases) | Set the value for derefAliases to be used when searching the directory.
public void | setProtocol(String protocol) | Set the protocol for this Realm.
public void | setReferrals(String referrals) | How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).
public void | setRoleBase(String roleBase) | Set the base element for role searches.
public void | setRoleName(String roleName) | Set the role name attribute name for this Realm.
public void | setRoleSearch(String roleSearch) | Set the message format pattern for selecting roles in this Realm.
public void | setRoleSubtree(boolean roleSubtree) | Set the "search subtree for roles" flag.
public void | setUserBase(String userBase) | Set the base element for user searches.
public void | setUserPassword(String userPassword) | Set the password attribute used to retrieve the user password.
public void | setUserPattern(String userPattern) | Set the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses.
public void | setUserRoleName(String userRoleName) | Set the user role name attribute name for this Realm.
public void | setUserSearch(String userSearch) | Set the message format pattern for selecting users in this Realm.
public void | setUserSubtree(boolean userSubtree) | Set the "search subtree for users" flag.
Field Detail

DEREF_ALIASES | final public static String DEREF_ALIASES
Constant that holds the name of the environment property for specifying the manner in which aliases should be dereferenced.

alternateURL | protected String alternateURL
An alternate URL to which we should connect if connectionURL fails.

authentication | protected String authentication
The type of authentication to use.

connectionAttempt | protected int connectionAttempt
The number of connection attempts. If greater than zero we use the alternate URL.

connectionName | protected String connectionName
The connection username for the server we will contact.

connectionPassword | protected String connectionPassword
The connection password for the server we will contact.

connectionURL | protected String connectionURL
The connection URL for the server we will contact.

context | protected DirContext context
The directory context linking us to our directory server.

contextFactory | protected String contextFactory
The JNDI context factory used to acquire our InitialContext. By default, assumes use of an LDAP server using the standard JNDI LDAP provider.

curUserPattern | protected int curUserPattern
The current user pattern to be used for lookup and binding of a user.

derefAliases | protected String derefAliases
How aliases should be dereferenced during search operations.

name | final protected static String name
Descriptive information about this Realm implementation.

protocol | protected String protocol
The protocol that will be used in the communication with the directory server.

referrals | protected String referrals
How should we handle referrals? Microsoft Active Directory can't handle the default case, so an application authenticating against AD must set referrals to "follow".

roleBase | protected String roleBase
The base element for role searches.

roleFormat | protected MessageFormat roleFormat
The MessageFormat object associated with the current roleSearch.

roleName | protected String roleName
The name of the attribute containing roles held elsewhere.

roleSearch | protected String roleSearch
The message format used to select roles for a user, with "{0}" marking the spot where the distinguished name of the user goes.

roleSubtree | protected boolean roleSubtree
Should we search the entire subtree for matching memberships?

userBase | protected String userBase
The base element for user searches.

userPassword | protected String userPassword
The attribute name used to retrieve the user password.

userPattern | protected String userPattern
The message format used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes.

userPatternArray | protected String[] userPatternArray
A string of LDAP user patterns or paths, ":"-separated. These will be used to form the distinguished name of a user, with "{0}" marking the spot where the specified username goes. This is similar to userPattern, but allows for multiple searches for a user.

userPatternFormatArray | protected MessageFormat[] userPatternFormatArray
An array of MessageFormat objects associated with the current userPatternArray.

userRoleName | protected String userRoleName
The name of an attribute in the user's entry containing roles for that user.

userSearch | protected String userSearch
The message format used to search for a user, with "{0}" marking the spot where the username goes.

userSearchFormat | protected MessageFormat userSearchFormat
The MessageFormat object associated with the current userSearch.

userSubtree | protected boolean userSubtree
Should we search the entire subtree for matching users?
Method Detail

authenticate | public LocalUserInfo authenticate(String username, String credentials) throws RemoteException
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.
Parameters: username - Username of the Principal to look up; credentials - Password or other credentials to use in authenticating this username

authenticate | public synchronized LocalUserInfo authenticate(DirContext context, String username, String credentials) throws NamingException
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
Parameters: context - The directory context; username - Username of the Principal to look up; credentials - Password or other credentials to use in authenticating this username
exception: NamingException - if a directory server error occurs

bindAsUser | protected boolean bindAsUser(DirContext context, User user, String credentials) throws NamingException
Check credentials by binding to the directory as the user.
Parameters: context - The directory context; user - The User to be authenticated; credentials - Authentication credentials
exception: NamingException - if a directory server error occurs

checkCredentials | protected boolean checkCredentials(DirContext context, User user, String credentials) throws NamingException
Check whether the given User can be authenticated with the given credentials. If the userPassword configuration attribute is specified, the credentials previously retrieved from the directory are compared explicitly with those presented by the user. Otherwise the presented credentials are checked by binding to the directory as the user.
Parameters: context - The directory context; user - The User to be authenticated; credentials - The credentials presented by the user
exception: NamingException - if a directory server error occurs
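The "compare" branch of checkCredentials() (used when userPassword is configured), written out as an added example. This is not the portal project's code: the User holder, the choice of SHA-256 and the lowercase hex output of the digest stand in for the realm's own User class and for RealmBase.digest(), and the sample entries are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not the portal project's code: the explicit comparison that
// checkCredentials() performs when the userPassword attribute is configured.
public class CompareCredentialsExample {

    // Stand-in for the realm's User object: the DN plus the value retrieved
    // from the attribute named by the userPassword property (assumed String).
    static final class User {
        final String dn;
        final String storedPassword;   // cleartext or digest, per configuration
        User(String dn, String storedPassword) {
            this.dn = dn;
            this.storedPassword = storedPassword;
        }
    }

    // Stand-in for RealmBase.digest(): with no algorithm the credentials are
    // returned as cleartext, otherwise as a lowercase hex digest (assumed format).
    static String digest(String credentials, String algorithm) {
        if (algorithm == null) {
            return credentials;
        }
        try {
            byte[] raw = MessageDigest.getInstance(algorithm)
                    .digest(credentials.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(raw.length * 2);
            for (byte b : raw) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("unsupported digest algorithm: " + algorithm, e);
        }
    }

    // The presented credentials are passed through digest() and compared with
    // the value retrieved from the directory. A missing user, a missing
    // attribute value or missing credentials all fail closed, and the byte
    // comparison itself runs in constant time.
    static boolean compareCredentials(User user, String presented, String algorithm) {
        if (user == null || user.storedPassword == null || presented == null) {
            return false;
        }
        byte[] expected = user.storedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] actual = digest(presented, algorithm).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        String algorithm = "SHA-256";   // assumed configuration value
        // Constructed entry whose stored value is the digest of "correct horse".
        User alice = new User("uid=alice,ou=people,o=example", digest("correct horse", algorithm));
        System.out.println(compareCredentials(alice, "correct horse", algorithm));
        System.out.println(compareCredentials(alice, "wrong", algorithm));
        System.out.println(compareCredentials(alice, null, algorithm));
        System.out.println(compareCredentials(null, "correct horse", algorithm));

        // Cleartext mode (no digest configured): the attribute value is compared as-is.
        User bob = new User("uid=bob,ou=people,o=example", "plain-secret");
        System.out.println(compareCredentials(bob, "plain-secret", null));
    }
}
```

Only the first and last comparisons in main() succeed; the mismatched, null-credential and null-user cases all return false. MessageDigest.isEqual is used instead of String.equals so that the time taken does not depend on how many leading bytes of the two values match.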
close | protected void close(DirContext context)
Close any open connection to the directory server for this Realm.
Parameters: context - The directory context to be closed

doRFC2254Encoding | protected String doRFC2254Encoding(String inString)
Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. The character mapping is as follows:
char -> Replacement
---------------------------
*  -> \2a
(  -> \28
)  -> \29
\  -> \5c
\0 -> \00
Parameters: inString - string to escape according to RFC 2254 guidelines
Returns: String - the escaped/encoded result
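An added example, not the portal project's code, showing the RFC 2254 escaping with exactly the character mapping listed above, and how the escaped value is then substituted into the userSearch and roleSearch message formats ("{0}" for the username in userSearch; "{0}" for the user's DN and "{1}" for the username in roleSearch). The filter patterns and names are constructed for the example.

```java
import java.text.MessageFormat;

// Added example, not the portal project's code: RFC 2254 escaping of filter
// values and their substitution into the realm's search message formats.
public class LdapFilterEscapeExample {

    // Escape the characters that RFC 2254 reserves inside a search filter value,
    // using the mapping documented for doRFC2254Encoding().
    public static String doRFC2254Encoding(String inString) {
        if (inString == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(inString.length());
        for (int i = 0; i < inString.length(); i++) {
            char c = inString.charAt(i);
            switch (c) {
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\\': out.append("\\5c"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // userSearch pattern: "{0}" is replaced by the escaped username.
    public static String userFilter(String userSearch, String username) {
        return MessageFormat.format(userSearch, doRFC2254Encoding(username));
    }

    // roleSearch pattern: "{0}" is the authenticated user's DN and "{1}" the
    // username. Both land inside a filter value, so both are escaped.
    public static String roleFilter(String roleSearch, String userDn, String username) {
        return MessageFormat.format(roleSearch,
                doRFC2254Encoding(userDn), doRFC2254Encoding(username));
    }

    public static void main(String[] args) {
        System.out.println(userFilter("(uid={0})", "jsmith"));
        // Parentheses and wildcards in the presented name are escaped, so the
        // filter remains a single equality match on that literal string.
        System.out.println(userFilter("(uid={0})", "Smith (Jr.) *"));
        System.out.println(roleFilter("(&(objectClass=groupOfNames)(member={0}))",
                "uid=jsmith,ou=people,o=example", "jsmith"));
        System.out.println(roleFilter("(|(memberUid={1})(member={0}))",
                "uid=jsmith,ou=people,o=example", "jsmith"));
    }
}
```

The second call in main() yields "(uid=Smith \28Jr.\29 \2a)": the escaping is what keeps characters typed by the user from being read as filter syntax. This mapping applies to values placed in a search filter (userSearch, roleSearch); a username substituted into a distinguished-name pattern (userPattern) is a different context and is not covered by it.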
getAlternateURL | public String getAlternateURL()
Getter for property alternateURL.
Returns: Value of property alternateURL.

getAuthentication | public String getAuthentication()
Return the type of authentication to use.

getConnectionName | public String getConnectionName()
Return the connection username for this Realm.

getConnectionPassword | public String getConnectionPassword()
Return the connection password for this Realm.

getConnectionURL | public String getConnectionURL()
Return the connection URL for this Realm.

getContextFactory | public String getContextFactory()
Return the JNDI context factory for this Realm.

getDirectoryContextEnvironment | protected Hashtable getDirectoryContextEnvironment()
Create our directory context configuration.
Returns: java.util.Hashtable - the configuration for the directory context.

getName | protected String getName()
Return a short name for this Realm implementation.

getPassword | protected String getPassword(String username)
Return the password associated with the given principal's user name.

getPrincipal | protected LocalUserInfo getPrincipal(String username)
Return the Principal associated with the given user name.

getProtocol | public String getProtocol()
Return the protocol to be used.

getReferrals | public String getReferrals()
Returns the current settings for handling JNDI referrals.

getRoleBase | public String getRoleBase()
Return the base element for role searches.

getRoleName | public String getRoleName()
Return the role name attribute name for this Realm.

getRoleSearch | public String getRoleSearch()
Return the message format pattern for selecting roles in this Realm.

getRoleSubtree | public boolean getRoleSubtree()
Return the "search subtree for roles" flag.

getRoles | protected List getRoles(DirContext context, User user) throws NamingException
Return a List of roles associated with the given User. Any roles present in the user's directory entry are supplemented by a directory search. If no roles are associated with this user, a zero-length List is returned.
Parameters: context - The directory context we are searching; user - The User to be checked
exception: NamingException - if a directory server error occurs

getUser | protected User getUser(DirContext context, String username) throws NamingException
Return a User object containing information about the user with the specified username, if found in the directory; otherwise return null. If the userPassword configuration attribute is specified, the value of that attribute is retrieved from the user's directory entry. If the userRoleName configuration attribute is specified, all values of that attribute are retrieved from the directory entry.
Parameters: context - The directory context; username - Username to be looked up
exception: NamingException - if a directory server error occurs

getUserBase | public String getUserBase()
Return the base element for user searches.

getUserByPattern | protected User getUserByPattern(DirContext context, String username, String[] attrIds) throws NamingException
Use the UserPattern configuration attribute to locate the directory entry for the user with the specified username and return a User object; otherwise return null.
Parameters: context - The directory context; username - The username; attrIds - String[] containing names of attributes to retrieve.
exception: NamingException - if a directory server error occurs

getUserBySearch | protected User getUserBySearch(DirContext context, String username, String[] attrIds) throws NamingException
Search the directory to return a User object containing information about the user with the specified username, if found in the directory; otherwise return null.
Parameters: context - The directory context; username - The username; attrIds - String[] containing names of attributes to retrieve.
exception: NamingException - if a directory server error occurs

getUserPassword | public String getUserPassword()
Return the password attribute used to retrieve the user password.

getUserPattern | public String getUserPattern()
Return the message format pattern for selecting users in this Realm.

getUserRoleName | public String getUserRoleName()
Return the user role name attribute name for this Realm.

getUserSearch | public String getUserSearch()
Return the message format pattern for selecting users in this Realm.

getUserSubtree | public boolean getUserSubtree()
Return the "search subtree for users" flag.

parseUserPatternString | protected String[] parseUserPatternString(String userPatternString)
Given a string containing LDAP patterns for user locations (separated by parentheses in a pseudo-LDAP search string format, "(location1)(location2)"), returns an array of those paths. Real LDAP search strings are supported as well (though only the "|" "OR" type).
Parameters: userPatternString - a string of LDAP search paths surrounded by parentheses

release | protected void release(DirContext context)
Release our use of this connection so that it can be recycled.
Parameters: context - The directory context to release

setAlternateURL | public void setAlternateURL(String alternateURL)
Setter for property alternateURL.
Parameters: alternateURL - New value of property alternateURL.

setAuthentication | public void setAuthentication(String authentication)
Set the type of authentication to use.
Parameters: authentication - The authentication

setConnectionName | public void setConnectionName(String connectionName)
Set the connection username for this Realm.
Parameters: connectionName - The new connection username

setConnectionPassword | public void setConnectionPassword(String connectionPassword)
Set the connection password for this Realm.
Parameters: connectionPassword - The new connection password

setConnectionURL | public void setConnectionURL(String connectionURL)
Set the connection URL for this Realm.
Parameters: connectionURL - The new connection URL

setContextFactory | public void setContextFactory(String contextFactory)
Set the JNDI context factory for this Realm.
Parameters: contextFactory - The new context factory

setDerefAliases | public void setDerefAliases(java.lang.String derefAliases)
Set the value for derefAliases to be used when searching the directory.
Parameters: derefAliases - New value of property derefAliases.

setProtocol | public void setProtocol(String protocol)
Set the protocol for this Realm.
Parameters: protocol - The new protocol.

setReferrals | public void setReferrals(String referrals)
How do we handle JNDI referrals? ignore, follow, or throw (see javax.naming.Context.REFERRAL for more information).

setRoleBase | public void setRoleBase(String roleBase)
Set the base element for role searches.
Parameters: roleBase - The new base element

setRoleName | public void setRoleName(String roleName)
Set the role name attribute name for this Realm.
Parameters: roleName - The new role name attribute name

setRoleSearch | public void setRoleSearch(String roleSearch)
Set the message format pattern for selecting roles in this Realm.
Parameters: roleSearch - The new role search pattern

setRoleSubtree | public void setRoleSubtree(boolean roleSubtree)
Set the "search subtree for roles" flag.
Parameters: roleSubtree - The new search flag

setUserBase | public void setUserBase(String userBase)
Set the base element for user searches.
Parameters: userBase - The new base element

setUserPassword | public void setUserPassword(String userPassword)
Set the password attribute used to retrieve the user password.
Parameters: userPassword - The new password attribute

setUserPattern | public void setUserPattern(String userPattern)
Set the message format pattern for selecting users in this Realm. This may be one simple pattern, or multiple patterns to be tried, separated by parentheses (for example, either "cn={0}", or "(cn={0})(cn={0},o=myorg)"). Full LDAP search strings are also supported, but only the "OR", "|" syntax, so "(|(cn={0})(cn={0},o=myorg))" is also valid. Complex search strings with &, etc. are NOT supported.
Parameters: userPattern - The new user pattern
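An added example, not the portal project's code, of a parser for the userPattern formats that setUserPattern() and parseUserPatternString() describe: a single bare pattern, a parenthesised list, or the "(|...)" OR form, with "&" search strings and unbalanced parentheses rejected. It also builds the per-path MessageFormat array that the realm keeps as userPatternFormatArray. The sample patterns are constructed for the example.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;

// Added example, not the portal project's code: parsing the userPattern
// string into the individual DN patterns the realm tries in turn.
public class UserPatternParserExample {

    // Accepts "cn={0}", "(cn={0})(cn={0},o=myorg)" and "(|(cn={0})(cn={0},o=myorg))".
    // Rejects "&" filters (documented as unsupported) and unbalanced parentheses.
    public static String[] parseUserPatternString(String userPatternString) {
        if (userPatternString == null) {
            return null;
        }
        String s = userPatternString.trim();
        if (s.isEmpty()) {
            return new String[0];
        }
        if (s.indexOf('(') < 0) {
            return new String[] { s };           // one simple pattern
        }
        if (s.startsWith("(&")) {
            throw new IllegalArgumentException("'&' search strings are not supported: " + userPatternString);
        }
        if (s.startsWith("(|") && s.endsWith(")")) {
            s = s.substring(2, s.length() - 1);  // unwrap the OR list
        }
        List<String> paths = new ArrayList<>();
        int depth = 0;
        int start = -1;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '(') {
                if (depth == 0) {
                    start = i + 1;
                }
                depth++;
            } else if (c == ')') {
                depth--;
                if (depth < 0) {
                    throw new IllegalArgumentException("unbalanced parentheses: " + userPatternString);
                }
                if (depth == 0) {
                    paths.add(s.substring(start, i).trim());
                }
            } else if (depth == 0 && !Character.isWhitespace(c)) {
                throw new IllegalArgumentException("text outside parentheses: " + userPatternString);
            }
        }
        if (depth != 0) {
            throw new IllegalArgumentException("unbalanced parentheses: " + userPatternString);
        }
        return paths.toArray(new String[0]);
    }

    // One MessageFormat per path, as the realm keeps in userPatternFormatArray.
    public static MessageFormat[] toFormats(String[] patterns) {
        MessageFormat[] formats = new MessageFormat[patterns.length];
        for (int i = 0; i < patterns.length; i++) {
            formats[i] = new MessageFormat(patterns[i]);
        }
        return formats;
    }

    public static void main(String[] args) {
        String[] samples = {
            "cn={0}",
            "(cn={0})(cn={0},o=myorg)",
            "(|(cn={0})(cn={0},o=myorg))",
        };
        for (String sample : samples) {
            String[] paths = parseUserPatternString(sample);
            System.out.println(sample + " -> " + String.join(" | ", paths));
            // Each path becomes a candidate DN once the username is substituted.
            for (MessageFormat f : toFormats(paths)) {
                System.out.println("  " + f.format(new Object[] { "jsmith" }));
            }
        }
        try {
            parseUserPatternString("(&(cn={0})(o=myorg))");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second and third samples parse to the same two paths, "cn={0}" and "cn={0},o=myorg", which is the equivalence setUserPattern() describes; the "&" sample is rejected rather than silently mis-parsed, so a misconfigured pattern fails at startup instead of during a user lookup.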
setUserRoleName | public void setUserRoleName(String userRoleName)
Set the user role name attribute name for this Realm.
Parameters: userRoleName - The new userRole name attribute name

setUserSearch | public void setUserSearch(String userSearch)
Set the message format pattern for selecting users in this Realm.
Parameters: userSearch - The new user search pattern

setUserSubtree | public void setUserSubtree(boolean userSubtree)
Set the "search subtree for users" flag.
Parameters: userSubtree - The new search flag