Package org.eclipse.jetty.jaas.spi
Class LdapLoginModule
- java.lang.Object
-
- org.eclipse.jetty.jaas.spi.AbstractLoginModule
-
- org.eclipse.jetty.jaas.spi.LdapLoginModule
-
- All Implemented Interfaces:
LoginModule
public class LdapLoginModule extends AbstractLoginModule
A LdapLoginModule for use with JAAS setupsThe jvm should be started with the following parameter:
-Djava.security.auth.login.config=etc/ldap-loginModule.conf
and an example of the ldap-loginModule.conf would be:ldaploginmodule { org.eclipse.jetty.server.server.plus.jaas.spi.LdapLoginModule required debug="true" useLdaps="false" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" hostname="ldap.example.com" port="389" bindDn="cn=Directory Manager" bindPassword="directory" authenticationMethod="simple" forceBindingLogin="false" userBaseDn="ou=people,dc=alcatel" userRdnAttribute="uid" userIdAttribute="uid" userPasswordAttribute="userPassword" userObjectClass="inetOrgPerson" roleBaseDn="ou=groups,dc=example,dc=com" roleNameAttribute="cn" roleMemberAttribute="uniqueMember" roleObjectClass="groupOfUniqueNames"; };
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description classLdapLoginModule.LDAPUserInfo-
Nested classes/interfaces inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule
AbstractLoginModule.JAASUserInfo
-
-
Constructor Summary
Constructors Constructor Description LdapLoginModule()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description booleanabort()booleanbindingLogin(String username, Object password)binding authentication check This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allow the access to any user or at least for the user that logs in.booleancommit()static StringconvertCredentialLdapToJetty(String encryptedPassword)protected booleancredentialLogin(Object webCredential)password supplied authentication checkprotected StringdoRFC2254Encoding(String inputString)Hashtable<Object,Object>getEnvironment()get the context for connectionUserInfogetUserInfo(String username)get the available information about the uservoidinitialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)Init LoginModule.booleanlogin()since ldap uses a context bind for valid authentication checking, we override login()-
Methods inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule
configureCallbacks, getCallbackHandler, getCurrentUser, getSubject, isAuthenticated, isCommitted, isIgnored, logout, setAuthenticated, setCallbackHandler, setCommitted, setCurrentUser, setSubject
-
-
-
-
Method Detail
-
getUserInfo
public UserInfo getUserInfo(String username) throws Exception
get the available information about the userfor this LoginModule, the credential can be null which will result in a binding ldap authentication scenario
roles are also an optional concept if required
- Specified by:
getUserInfoin classAbstractLoginModule- Parameters:
username- the user name- Returns:
- the userinfo for the username
- Throws:
Exception- if unable to get the user info
-
login
public boolean login() throws LoginExceptionsince ldap uses a context bind for valid authentication checking, we override login()if credentials are not available from the users context or if we are forcing the binding check then we try a binding authentication check, otherwise if we have the users encoded password then we can try authentication via that mechanic
- Specified by:
loginin interfaceLoginModule- Overrides:
loginin classAbstractLoginModule- Returns:
- true if authenticated, false otherwise
- Throws:
LoginException- if unable to login- See Also:
LoginModule.login()
-
credentialLogin
protected boolean credentialLogin(Object webCredential) throws LoginException
password supplied authentication check- Parameters:
webCredential- the web credential- Returns:
- true if authenticated
- Throws:
LoginException- if unable to login
-
bindingLogin
public boolean bindingLogin(String username, Object password) throws LoginException, NamingException
binding authentication check This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allow the access to any user or at least for the user that logs in.- Parameters:
username- the user namepassword- the password- Returns:
- true always
- Throws:
LoginException- if unable to bind the loginNamingException- if failure to bind login
-
initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
Init LoginModule.Called once by JAAS after new instance is created.
- Specified by:
initializein interfaceLoginModule- Overrides:
initializein classAbstractLoginModule- Parameters:
subject- the subectcallbackHandler- the callback handlersharedState- the shared state mapoptions- the option map- See Also:
LoginModule.initialize(javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)
-
commit
public boolean commit() throws LoginException- Specified by:
commitin interfaceLoginModule- Overrides:
commitin classAbstractLoginModule- Returns:
- true if committed, false if not (likely not authenticated)
- Throws:
LoginException- if unable to commit- See Also:
LoginModule.commit()
-
abort
public boolean abort() throws LoginException- Specified by:
abortin interfaceLoginModule- Overrides:
abortin classAbstractLoginModule- Throws:
LoginException- if unable to abort- See Also:
LoginModule.abort()
-
getEnvironment
public Hashtable<Object,Object> getEnvironment()
get the context for connection- Returns:
- the environment details for the context
-
-