001: package org.esupportail.cas.server.handlers.database;
002:
003: import java.sql.Connection;
004: import java.sql.ResultSet;
005: import java.sql.SQLException;
006: import java.sql.Statement;
007:
008: import org.dom4j.Element;
009: import org.esupportail.cas.server.util.RedundantHandler;
010: import org.esupportail.cas.server.util.crypt.Crypt;
011: import org.esupportail.cas.server.util.log.Log;
012:
013: /**
014: * This class also implements a database server class, which can
015: * authenticate users by searching into a database. It is used by
016: * SearchDatabaseHandler.
017: *
018: * @author Pascal Aubry <pascal.aubry at univ-rennes1.fr>
019: * @author Jean-Baptiste Daniel <danielj at users.sourceforge.net>
020: * @author Arunas Stockus <arunas.stockus at univ-lr.fr>
021: */
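public final class QueryDatabaseServer extends DatabaseServer {

    /**
     * Constructor.
     *
     * @param handlerDebug debugging mode of the handler
     * @param handler the handler the server will be used by
     * @param serverElement the XML element that declares the server
     * @throws Exception Exception
     */
    public QueryDatabaseServer(final Boolean handlerDebug,
            final RedundantHandler handler, final Element serverElement)
            throws Exception {
        super(handlerDebug, handler, serverElement);
        traceBegin();
        traceEnd();
    }

    /**
     * Try to authenticate a user (by searching into the handler's database).
     *
     * The query text is produced by the handler (getUserSqlQuery) from the
     * raw username, so the single-quote check below is the only guard at
     * this level against the username altering the statement; a
     * parameterized query in the handler would remove the need for it.
     * Only the first row returned is consulted: column 1 is expected to hold
     * the stored (possibly encrypted) password, which is compared through
     * Crypt.match according to the handler's encryption setting.
     *
     * All JDBC resources (result set, statement, connection) are released
     * on every exit path, including when connect() itself fails.
     *
     * @param username the user's name; a null or quote-containing name is
     *        rejected without touching the database
     * @param password the user's password
     *
     * @return Server.AUTHENTICATE_SUCCESS, Server.AUTHENTICATE_NOAUTH
     * or Server.AUTHENTICATE_FAILURE.
     */
    public int authenticate(final String username, final String password) {
        traceBegin();

        if (username == null) {
            trace("Null usernames are rejected.");
            traceEnd("AUTHENTICATE_NOAUTH");
            return AUTHENTICATE_NOAUTH;
        }

        if (username.indexOf('\'') != -1) {
            Log.info("Username \"" + username
                    + "\" contains a single quote, this could be an attack.");
            trace("Usernames containing single quotes are rejected.");
            traceEnd("AUTHENTICATE_NOAUTH");
            return AUTHENTICATE_NOAUTH;
        }

        QueryDatabaseHandler handler = (QueryDatabaseHandler) getHandler();

        Connection connection = null;
        Statement statement = null;
        ResultSet statementResult = null;
        try {
            connection = connect(handler.getBindUsername(),
                    handler.getBindPassword());
            switch (getConnectError()) {
            case CONNECT_NOAUTH:
            case CONNECT_FAILURE:
                trace("Connection failed.");
                traceEnd("AUTHENTICATE_FAILURE");
                return AUTHENTICATE_FAILURE;
            default: // CONNECT_SUCCESS
                break;
            }

            trace("Create an SQL statement...");
            statement = connection.createStatement();

            String sqlQuery = handler.getUserSqlQuery(username);

            trace("Execute the query (" + sqlQuery + ")...");
            statementResult = statement.executeQuery(sqlQuery);

            if (statementResult.next()) {
                String encryption = handler.getEncryption();
                trace("Username found, checking password ("
                        + encryption + ")...");
                // column 1 holds the stored password; Crypt.match handles the
                // encryption scheme so the clear-text password is never
                // compared directly here
                String encryptedPassword = statementResult.getString(1);
                if (Crypt.match(encryption, password, encryptedPassword)) {
                    trace("Password matches.");
                    traceEnd("AUTHENTICATE_SUCCESS");
                    return AUTHENTICATE_SUCCESS;
                }
                trace("Username found but password does not match.");
            }
            // no row, or the first row's password did not match
            trace("Search failed.");
            traceEnd("AUTHENTICATE_NOAUTH");
            return AUTHENTICATE_NOAUTH;

        } catch (Exception e) {
            // connect(), statement creation, query execution or the password
            // comparison failed: report a failure rather than a denial
            trace("Search failure: " + e.toString());
            traceEnd("AUTHENTICATE_FAILURE");
            return AUTHENTICATE_FAILURE;
        } finally {
            // the original code closed the connection only on some paths and
            // dereferenced it even when connect() had thrown (null pointer);
            // every resource is now released exactly once, null-safely
            closeQuietly(statementResult, statement, connection);
        }
    }

    /**
     * Close the given JDBC resources in the right order, ignoring nulls.
     * Close failures are logged as warnings and never propagated, so that a
     * finally block calling this cannot mask the method's real outcome.
     *
     * @param resultSet the result set to close, may be null
     * @param statement the statement to close, may be null
     * @param connection the connection to close, may be null
     */
    private void closeQuietly(final ResultSet resultSet,
            final Statement statement, final Connection connection) {
        if (resultSet != null) {
            try {
                resultSet.close();
            } catch (SQLException e) {
                Log.warn("Result set could not be closed.");
            }
        }
        if (statement != null) {
            try {
                statement.close();
            } catch (SQLException e) {
                Log.warn("Statement could not be closed.");
            }
        }
        if (connection != null) {
            trace("Closing the connection...");
            try {
                connection.close();
            } catch (SQLException e) {
                Log.warn("Connection could not be closed.");
            }
        }
    }

}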