Package org.eclipse.jetty.jaas.spi
Class LdapLoginModule

java.lang.Object
  org.eclipse.jetty.jaas.spi.AbstractLoginModule
    org.eclipse.jetty.jaas.spi.LdapLoginModule

- All Implemented Interfaces:
  LoginModule

A LdapLoginModule for use with JAAS setups.

The JVM should be started with the following parameter:

  -Djava.security.auth.login.config=etc/ldap-loginModule.conf

and an example of the ldap-loginModule.conf would be:

  ldaploginmodule {
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    debug="true"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="ldap.example.com"
    port="389"
    bindDn="cn=Directory Manager"
    bindPassword="directory"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="ou=people,dc=alcatel"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    roleObjectClass="groupOfUniqueNames";
  };
Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule:
  AbstractLoginModule.JAASUserInfo

Field Summary

- private String _authenticationMethod
  Context.SECURITY_AUTHENTICATION
- private String _bindDn
  root DN used to connect to
- private String _bindPassword
  password used to connect to the root ldap context
- private String _contextFactory
  Context.INITIAL_CONTEXT_FACTORY
- private boolean _debug
- private boolean _forceBindingLogin
  if the getUserInfo can pull a password off of the user then password comparison is an option for authn; to force binding login checks, set this to true
- private String _hostname
  hostname of the ldap server
- private int _port
  port of the ldap server
- private String _roleBaseDn
  base DN where role membership is to be searched from
- private String _roleMemberAttribute
  name of the attribute that a username would be under a role class
- private String _roleNameAttribute
  the name of the attribute that a role would be stored under
- private String _roleObjectClass
  object class of roles
- private DirContext _rootContext
- private boolean _useLdaps
  When true changes the protocol to ldaps
- private String _userBaseDn
  base DN where users are to be searched from
- private String _userIdAttribute
  attribute that the principal is located
- private String _userObjectClass
  object class of a user
- private String _userPasswordAttribute
  name of the attribute that a users password is stored under
- private String _userRdnAttribute
  attribute that the principal is located
- private static final Logger LOG
Constructor Summary

- LdapLoginModule()

Method Summary

- boolean abort()
- private static String base64ToHex(String src)
- boolean bindingLogin(String username, Object password)
  binding authentication check. This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allows the access to any user or at least for the user that logs in.
- boolean commit()
- static String convertCredentialLdapToJetty(String encryptedPassword)
- protected boolean credentialLogin(Object webCredential)
  password supplied authentication check
- protected String doRFC2254Encoding(String inputString)
- private SearchResult findUser
- private SearchResult findUser(DirContext dirContext, String filter, Object[] filterArguments)
- getEnvironment
  get the context for connection
- private String getOption
- private Attributes getUserAttributes(String username)
  attempts to get the users LDAP attributes from the users context
- private String getUserCredentials(Attributes attributes)
- getUserInfo(String username)
  get the available information about the user
- private List<String> getUserRoles(DirContext dirContext, String username, Attributes attributes)
  attempts to get the users roles from the root context
- getUserRolesByDn(DirContext dirContext, String userDn)
- private static String hexToBase64(String src)
- void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options)
  Init LoginModule.
- boolean login()
  since ldap uses a context bind for valid authentication checking, we override login()

Methods inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule:
  configureCallbacks, getCallbackHandler, getCurrentUser, getSubject, isAuthenticated, isCommitted, isIgnored, logout, setAuthenticated, setCallbackHandler, setCommitted, setCurrentUser, setSubject
Field Details

- LOG
- _hostname
  hostname of the ldap server
- _port
  private int _port
  port of the ldap server
- _authenticationMethod
  Context.SECURITY_AUTHENTICATION
- _contextFactory
  Context.INITIAL_CONTEXT_FACTORY
- _bindDn
  root DN used to connect to
- _bindPassword
  password used to connect to the root ldap context
- _userObjectClass
  object class of a user
- _userRdnAttribute
  attribute that the principal is located
- _userIdAttribute
  attribute that the principal is located
- _userPasswordAttribute
  name of the attribute that a users password is stored under
  NOTE: not always accessible, see force binding login
- _userBaseDn
  base DN where users are to be searched from
- _roleBaseDn
  base DN where role membership is to be searched from
- _roleObjectClass
  object class of roles
- _roleMemberAttribute
  name of the attribute that a username would be under a role class
- _roleNameAttribute
  the name of the attribute that a role would be stored under
- _debug
  private boolean _debug
- _forceBindingLogin
  private boolean _forceBindingLogin
  if the getUserInfo can pull a password off of the user then password comparison is an option for authn; to force binding login checks, set this to true
- _useLdaps
  private boolean _useLdaps
  When true changes the protocol to ldaps
- _rootContext
Constructor Details

- LdapLoginModule
  public LdapLoginModule()
Method Details

- getUserInfo
  get the available information about the user. For this LoginModule, the credential can be null, which will result in a binding ldap authentication scenario. Roles are also an optional concept if required.
  Specified by: getUserInfo in class AbstractLoginModule
  Parameters: username - the user name
  Returns: the userinfo for the username
  Throws: Exception - if unable to get the user info
- doRFC2254Encoding
- getUserAttributes
  attempts to get the users LDAP attributes from the users context
  NOTE: this is not a user authenticated operation
  Returns: the Attributes from the user
  Throws: LoginException
- getUserCredentials
  Throws: LoginException
- getUserRoles
  private List<String> getUserRoles(DirContext dirContext, String username, Attributes attributes) throws LoginException, NamingException
  attempts to get the users roles from the root context
  NOTE: this is not a user authenticated operation
  Throws: LoginException, NamingException
- getUserRolesByDn
  Throws: NamingException
- login
  since ldap uses a context bind for valid authentication checking, we override login(). If credentials are not available from the users context, or if we are forcing the binding check, then we try a binding authentication check; otherwise, if we have the users encoded password, then we can try authentication via that mechanic.
  Specified by: login in interface LoginModule
  Overrides: login in class AbstractLoginModule
  Returns: true if authenticated, false otherwise
  Throws: LoginException - if unable to login
- credentialLogin
  password supplied authentication check
  Parameters: webCredential - the web credential
  Returns: true if authenticated
  Throws: LoginException - if unable to login
- bindingLogin
  binding authentication check. This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allows the access to any user or at least for the user that logs in.
  Parameters: username - the user name; password - the password
  Returns: true always
  Throws: LoginException - if unable to bind the login
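The lookup-then-bind flow that login() and bindingLogin describe, with the filter escaping that doRFC2254Encoding names, as an added illustration written for this page rather than Jetty's own implementation. The class, method names (rfc2254Encode, rootEnvironment, findUserDn, bindingLogin), the service-account environment and the filter are all assumptions modelled on the configuration options shown above; only the JNDI API calls are real. Two points a reviewer of any such module checks are shown: the username is escaped (or passed as a JNDI filter argument) before it reaches the search filter, and an empty password is rejected before the bind, because a simple bind with a DN and an empty password is an unauthenticated bind that many directories accept.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.Hashtable;

/** Illustration only (not Jetty code); hostnames, DNs and helper names are assumptions. */
public class LdapBindExample {

    // Escape a value that will be substituted into an LDAP search filter
    // (RFC 2254 / RFC 4515 section 3) so that user input cannot change the
    // filter's structure. This is the role the page assigns to doRFC2254Encoding.
    static String rfc2254Encode(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Environment for the service-account (bindDn) connection; mirrors the
    // options in the sample ldap-loginModule.conf, with useLdaps selecting the scheme.
    static Hashtable<String, String> rootEnvironment(String host, int port, boolean useLdaps,
                                                     String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (useLdaps ? "ldaps://" : "ldap://") + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return env;
    }

    // Step 1: locate the user's DN with the service account (the page's findUser
    // takes a filter plus filterArguments, which is JNDI's parameterised form:
    // {0} is substituted and escaped by the provider, equivalent to rfc2254Encode above).
    static String findUserDn(DirContext root, String userBaseDn, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String filter = "(&(objectClass=inetOrgPerson)(uid={0}))";   // assumed userObjectClass / userIdAttribute
        NamingEnumeration<SearchResult> results = root.search(userBaseDn, filter, new Object[]{username}, sc);
        try {
            if (!results.hasMore()) return null;
            return results.next().getNameInNamespace();
        } finally {
            results.close();
        }
    }

    // Step 2: the binding check itself. A successful bind as the user's DN with the
    // supplied password is the authentication; the stored password hash is never read,
    // which is why this path works when userPasswordAttribute is not readable.
    static boolean bindingLogin(Hashtable<String, String> rootEnv, String userDn, String password) {
        // An empty password must never reach the bind: DN + empty password is an
        // unauthenticated simple bind and would be reported as success.
        if (userDn == null || password == null || password.isEmpty()) return false;
        Hashtable<String, String> env = new Hashtable<>(rootEnv);
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) {
            return false;   // invalid credentials or directory error: treat both as not authenticated
        }
    }
}
```

The forceBindingLogin decision in login() sits in front of this: when the option is true, or when getUserAttributes cannot read the password attribute, the module uses the bind path above; otherwise it compares the supplied password against the stored credential. The ACI caveat on bindingLogin applies to step 2: the user's own entry must be bindable, and step 1 additionally needs the service account to be allowed to search userBaseDn.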
- findUser
  Throws: LoginException
- findUser
  private SearchResult findUser(DirContext dirContext, String filter, Object[] filterArguments) throws LoginException
  Throws: LoginException
- initialize
  public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options)
  Init LoginModule. Called once by JAAS after a new instance is created.
  Specified by: initialize in interface LoginModule
  Overrides: initialize in class AbstractLoginModule
  Parameters: subject - the subject; callbackHandler - the callback handler; sharedState - the shared state map; options - the option map
- commit
  Specified by: commit in interface LoginModule
  Overrides: commit in class AbstractLoginModule
  Returns: true if committed, false if not (likely not authenticated)
  Throws: LoginException - if unable to commit
- abort
  Specified by: abort in interface LoginModule
  Overrides: abort in class AbstractLoginModule
  Throws: LoginException - if unable to abort
- getOption
- getEnvironment
  get the context for connection
  Returns: the environment details for the context
- convertCredentialLdapToJetty
- base64ToHex
- hexToBase64