/**
 * JAAS phase-2 abort: the overall login failed elsewhere in the stack, so drop any
 * state this module accumulated (username, authenticated flag, LDAP context).
 *
 * @return always {@code true}: this module participated and its cleanup succeeded
 */
@Override
public boolean abort() throws LoginException {
    // Reuse the same reset path as logout() so both phases release the LDAP context.
    clear();
    return true;
}
/**
 * Resets per-login state and releases the LDAP context.
 *
 * The identity fields are dropped first and the connection closed last; note that
 * the role list ({@code groups}) is not touched here, so whatever was collected for
 * this login remains on the instance.
 */
private void clear() {
    username = null;
    userAuthenticated = false;
    // Closing the context forces the next login to open a fresh LDAP connection.
    closeContext();
}
openContext(); } catch (Exception ne) { FailedLoginException ex = new FailedLoginException("Error opening LDAP connection"); if (!isLoginPropertySet(USER_SEARCH_MATCHING)) return dn; userSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(USER_SEARCH_MATCHING)); userSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(USER_SEARCH_SUBTREE)).booleanValue(); String filter = userSearchMatchingFormat.format(new String[]{doRFC2254Encoding(username)}); SearchControls constraints = new SearchControls(); if (userSearchSubtreeBool) { if (isLoginPropertySet(USER_ROLE_NAME)) { list.add(getLDAPPropertyValue(USER_ROLE_NAME)); logger.debug("Get the user DN."); logger.debug("Looking for the user in LDAP with "); logger.debug(" base DN: " + getLDAPPropertyValue(USER_BASE)); logger.debug(" filter: " + filter); results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(USER_BASE), filter, constraints)); } catch (PrivilegedActionException e) { Exception cause = e.getException(); Name baseName = parser.parse(getLDAPPropertyValue(USER_BASE)); Name entryName = parser.parse(result.getName()); Name name = contextName.addAll(baseName);
try { Hashtable<String, String> env = new Hashtable<>(); env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY)); env.put(Context.SECURITY_PROTOCOL, getLDAPPropertyValue(CONNECTION_PROTOCOL)); env.put(Context.PROVIDER_URL, getLDAPPropertyValue(CONNECTION_URL)); env.put(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION)); if (isLoginPropertySet(CONNECTION_POOL)) { env.put("com.sun.jndi.ldap.connect.pool", getLDAPPropertyValue(CONNECTION_POOL)); if (isLoginPropertySet(CONNECTION_TIMEOUT)) { env.put("com.sun.jndi.ldap.connect.timeout", getLDAPPropertyValue(CONNECTION_TIMEOUT)); if (getLDAPPropertyValue(REFERRAL) != null) { referral = getLDAPPropertyValue(REFERRAL); if ("GSSAPI".equalsIgnoreCase(getLDAPPropertyValue(AUTHENTICATION))) { final String configScope = isLoginPropertySet(SASL_LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(SASL_LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi"; try { LoginContext loginContext = new LoginContext(configScope); if (isLoginPropertySet(CONNECTION_USERNAME)) { env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME)); } else { throw new NamingException("Empty username is not allowed"); if (isLoginPropertySet(CONNECTION_PASSWORD)) { env.put(Context.SECURITY_CREDENTIALS, getPlainPassword(getLDAPPropertyValue(CONNECTION_PASSWORD))); } else {
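/**
 * Authenticates {@code username} against the directory: resolves the user's DN, binds
 * to the server as that DN with {@code password}, and on success resolves the user's
 * roles into {@code groups}.
 *
 * @param username the login name supplied by the caller
 * @param password the caller's password, used for the verification bind
 * @return {@code true} once the bind and role resolution both succeed
 * @throws FailedLoginException if the directory rejects the bind
 *         ("Password does not match"), or if the directory cannot be contacted
 *         (the underlying {@link NamingException} is attached as the cause)
 */
protected boolean authenticate(String username, String password) throws LoginException {
    List<String> roles = new ArrayList<>();
    try {
        String dn = resolveDN(username, roles);
        // Verify the credentials by binding to the server as the resolved DN.
        // NOTE(review): bindUser is expected to reject a null/empty password before it
        // binds; many directories treat a simple bind with an empty password as an
        // *unauthenticated* bind and report success (RFC 4513 s5.1.2) -- confirm there.
        if (!bindUser(context, dn, password)) {
            throw new FailedLoginException("Password does not match for user: " + username);
        }
        // Only an authenticated user gets additional roles resolved.
        resolveRolesForDN(context, dn, username, roles);
    } catch (NamingException e) {
        // CommunicationException is a NamingException, so a single handler covers both
        // (the original had two identical catch blocks). Close the context so the next
        // attempt reopens a fresh connection, and surface the directory error as a
        // generic login failure while keeping the cause for diagnostics.
        closeContext();
        FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
        ex.initCause(e);
        throw ex;
    }
    return true;
}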
/**
 * JAAS phase-2 commit: publishes the principals collected during login() into the
 * Subject.
 *
 * Returns the authenticated flag captured at entry; if this module did not
 * authenticate anyone it still resolves LDAP roles for any UserPrincipal already
 * present on the Subject (presumably placed there by another module in the stack),
 * so a directory round-trip can happen even on a {@code false} result.
 *
 * @return whether this module authenticated the user during login()
 * @throws FailedLoginException if the directory cannot be contacted while resolving
 *         roles for a pre-existing UserPrincipal
 */
@Override
public boolean commit() throws LoginException {
    boolean result = userAuthenticated;
    // Snapshot of the UserPrincipals already on the Subject. Subject.getPrincipals(Class)
    // returns a copy, so the principal added just below is not revisited by the loop
    // (its roles were already resolved in authenticate()) -- confirm against the JDK in use.
    Set<UserPrincipal> authenticatedUsers = subject.getPrincipals(UserPrincipal.class);
    Set<Principal> principals = subject.getPrincipals();
    if (result) {
        principals.add(new UserPrincipal(username));
    }
    // assign roles to any other UserPrincipal
    for (UserPrincipal authenticatedUser : authenticatedUsers) {
        List<String> roles = new ArrayList<>();
        try {
            String dn = resolveDN(authenticatedUser.getName(), roles);
            resolveRolesForDN(context, dn, authenticatedUser.getName(), roles);
        } catch (NamingException e) {
            // The context is closed here but clear() below is skipped on this path, so
            // username/userAuthenticated survive until abort() or logout() runs.
            closeContext();
            FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
            ex.initCause(e);
            throw ex;
        }
    }
    // Every RolePrincipal gathered by resolveRolesForDN becomes a Subject principal.
    for (RolePrincipal gp : groups) {
        principals.add(gp);
    }
    // NOTE(review): clear() resets username/userAuthenticated and closes the context but
    // does not empty groups; harmless if a module instance serves one login, otherwise
    // roles would accumulate across logins -- verify the LoginContext lifecycle.
    clear();
    return result;
}
if (!isLoginPropertySet(ROLE_SEARCH_MATCHING)) { return; boolean roleSearchSubtreeBool; boolean expandRolesBool; roleSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(ROLE_SEARCH_MATCHING)); roleSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(ROLE_SEARCH_SUBTREE)).booleanValue(); expandRolesBool = Boolean.valueOf(getLDAPPropertyValue(EXPAND_ROLES)).booleanValue(); final String filter = roleSearchMatchingFormat.format(new String[]{doRFC2254Encoding(dn), doRFC2254Encoding(username)}); logger.debug("Get user roles."); logger.debug("Looking for the user roles in LDAP with "); logger.debug(" base DN: " + getLDAPPropertyValue(ROLE_BASE)); logger.debug(" filter: " + filter); NamingEnumeration<SearchResult> results = null; try { results = Subject.doAs(brokerGssapiIdentity, (PrivilegedExceptionAction< NamingEnumeration<SearchResult>>) () -> context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints)); } catch (PrivilegedActionException e) { Exception cause = e.getException(); addRoleAttribute(result, currentRoles); MessageFormat expandRolesMatchingFormat = new MessageFormat(getLDAPPropertyValue(EXPAND_ROLES_MATCHING)); while (!pendingNameExpansion.isEmpty()) { String name = pendingNameExpansion.remove(); logger.debug("Get 'expanded' user roles.");
if (isLoginPropertySet(CONNECTION_USERNAME)) { context.addToEnvironment(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME)); } else { context.removeFromEnvironment(Context.SECURITY_PRINCIPAL); if (isLoginPropertySet(CONNECTION_PASSWORD)) { context.addToEnvironment(Context.SECURITY_CREDENTIALS, getPlainPassword(getLDAPPropertyValue(CONNECTION_PASSWORD))); } else { context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
new LDAPLoginProperty(CONNECTION_TIMEOUT, (String) options.get(CONNECTION_TIMEOUT))}; if (isLoginPropertySet(AUTHENTICATE_USER)) { authenticateUser = Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER)); isRoleAttributeSet = isLoginPropertySet(ROLE_NAME); roleAttributeName = getLDAPPropertyValue(ROLE_NAME); codecClass = getLDAPPropertyValue(PASSWORD_CODEC);
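/**
 * Every {@code static final String} constant on LDAPLoginModule is treated as an option
 * key; after initialize() each of those keys must show up in the module's private
 * "config" property array, proving no option is silently dropped from the table.
 *
 * If the "config" field is ever renamed the test now fails with a clear message instead
 * of a NullPointerException on the reflective read.
 */
@Test
public void testPropertyConfigMap() throws Exception {
    LDAPLoginModule loginModule = new LDAPLoginModule();
    JaasCallbackHandler callbackHandler = new JaasCallbackHandler(null, null, null);
    Field configField = null;
    HashMap<String, Object> options = new HashMap<>();
    for (Field field : loginModule.getClass().getDeclaredFields()) {
        int mods = field.getModifiers();
        // Static final String fields are the option-name constants.
        if (Modifier.isStatic(mods) && Modifier.isFinal(mods) && field.getType().isAssignableFrom(String.class)) {
            field.setAccessible(true);
            options.put((String) field.get(loginModule), "SET");
        }
        if (field.getName().equals("config")) {
            field.setAccessible(true);
            configField = field;
        }
    }
    // Guard the reflective lookup so a rename produces an assertion, not an NPE.
    assertTrue("LDAPLoginModule should declare a 'config' field", configField != null);
    loginModule.initialize(new Subject(), callbackHandler, null, options);
    LDAPLoginProperty[] ldapProps = (LDAPLoginProperty[]) configField.get(loginModule);
    for (String key : options.keySet()) {
        assertTrue("val set: " + key, presentInArray(ldapProps, key));
    }
}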
/**
 * Fills {@code roles} for the given DN/username via addRoles and registers each role
 * as a RolePrincipal in {@code groups}.
 *
 * @param context  the directory context used for the role search
 * @param dn       the user's distinguished name
 * @param username the login name, used for the role search and debug output
 * @param roles    accumulator that addRoles appends to; every entry becomes a RolePrincipal
 * @throws NamingException propagated from addRoles
 */
private void resolveRolesForDN(DirContext context, String dn, String username, List<String> roles) throws NamingException {
    addRoles(context, dn, username, roles);
    if (logger.isDebugEnabled()) {
        logger.debug("Roles " + roles + " for user " + username);
    }
    // One RolePrincipal per resolved role name, in search order.
    roles.forEach(roleName -> groups.add(new RolePrincipal(roleName)));
}
authenticate(username, password); userAuthenticated = true; return true;
/**
 * A callback handler that yields no username must make login() fail, and a failed
 * login must not be turned into a success by commit().
 */
@Test
public void testCommitOnFailedLogin() throws LoginException {
    LoginModule loginModule = new LDAPLoginModule();
    // All-null handler: no username, no password, no callbacks.
    JaasCallbackHandler callbackHandler = new JaasCallbackHandler(null, null, null);
    loginModule.initialize(new Subject(), callbackHandler, null, new HashMap<String, Object>());
    boolean loggedIn = loginModule.login();
    // login should return false due to null username
    assertFalse(loggedIn);
    boolean committed = loginModule.commit();
    // since login failed commit should return false as well
    assertFalse(committed);
}
/**
 * JAAS logout: discards this module's login state and closes the LDAP context.
 *
 * @return always {@code true}: cleanup is unconditional and cannot fail here
 */
@Override
public boolean logout() throws LoginException {
    // Same reset path as abort(); nothing is removed from the Subject here.
    clear();
    return true;
}