Package org.eclipse.jetty.jaas.spi

Class LdapLoginModule

java.lang.Object

org.eclipse.jetty.jaas.spi.AbstractLoginModule

org.eclipse.jetty.jaas.spi.LdapLoginModule

All Implemented Interfaces:

LoginModule

public class LdapLoginModule
extends AbstractLoginModule

A LdapLoginModule for use with JAAS setups

The jvm should be started with the following parameter:

 -Djava.security.auth.login.config=etc/ldap-loginModule.conf
 

and an example of the ldap-loginModule.conf would be:

 ldaploginmodule {
    org.eclipse.jetty.server.server.plus.jaas.spi.LdapLoginModule required
    debug="true"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="ldap.example.com"
    port="389"
    bindDn="cn=Directory Manager"
    bindPassword="directory"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="ou=people,dc=alcatel"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    roleObjectClass="groupOfUniqueNames";
    };
 

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
class	LdapLoginModule.LDAPBindingUser
class	LdapLoginModule.LDAPUser

Nested classes/interfaces inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule

AbstractLoginModule.JAASUser

Constructor Summary

Constructors

Constructor	Description
LdapLoginModule()

Method Summary

Modifier and Type	Method	Description
boolean	abort()
boolean	bindingLogin(String username, Object password)	binding authentication check This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allow the access to any user or at least for the user that logs in.
boolean	commit()
static String	convertCredentialLdapToJetty(String encryptedPassword)
protected boolean	credentialLogin(Object webCredential)	password supplied authentication check
protected String	doRFC2254Encoding(String inputString)
Hashtable<Object,Object>	getEnvironment()	get the context for connection
AbstractLoginModule.JAASUser	getUser(String username)	get the available information about the user
void	initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)	Init LoginModule.
boolean	login()	since ldap uses a context bind for valid authentication checking, we override login()

Methods inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule

configureCallbacks, getCallbackHandler, getCurrentUser, getSubject, isAuthenticated, isCommitted, isIgnored, logout, setAuthenticated, setCallbackHandler, setCommitted, setCurrentUser, setSubject

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

LdapLoginModule

public LdapLoginModule()

Method Details

getUser

public AbstractLoginModule.JAASUser getUser(String username)
                                     throws Exception

get the available information about the user

for this LoginModule, the credential can be null which will result in a binding ldap authentication scenario

roles are also an optional concept if required

Specified by:

getUser in class AbstractLoginModule

Parameters:

username - the user name

Returns:

the userinfo for the username

Throws:

Exception - if unable to get the user info

doRFC2254Encoding

protected String doRFC2254Encoding(String inputString)

login

public boolean login()
              throws LoginException

since ldap uses a context bind for valid authentication checking, we override login()

if credentials are not available from the users context or if we are forcing the binding check then we try a binding authentication check, otherwise if we have the users encoded password then we can try authentication via that mechanic

Specified by:

login in interface LoginModule

Overrides:

login in class AbstractLoginModule

Returns:

true if authenticated, false otherwise

Throws:

LoginException - if unable to login

See Also:

• LoginModule.login()

credentialLogin

protected boolean credentialLogin(Object webCredential)
                           throws LoginException

password supplied authentication check

Parameters:

webCredential - the web credential

Returns:

true if authenticated

Throws:

LoginException - if unable to login

bindingLogin

public boolean bindingLogin(String username,
 Object password)
                     throws LoginException

binding authentication check This method of authentication works only if the user branch of the DIT (ldap tree) has an ACI (access control instruction) that allow the access to any user or at least for the user that logs in.

Parameters:

username - the user name

password - the password

Returns:

true always

Throws:

LoginException - if unable to bind the login

initialize

public void initialize(Subject subject,
 CallbackHandler callbackHandler,
 Map<String,?> sharedState,
 Map<String,?> options)

Init LoginModule.

Called once by JAAS after new instance is created.

Specified by:

initialize in interface LoginModule

Overrides:

initialize in class AbstractLoginModule

Parameters:

subject - the subect

callbackHandler - the callback handler

sharedState - the shared state map

options - the option map

See Also:

• LoginModule.initialize(javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)

commit

public boolean commit()
               throws LoginException

Specified by:

commit in interface LoginModule

Overrides:

commit in class AbstractLoginModule

Returns:

true if committed, false if not (likely not authenticated)

Throws:

LoginException - if unable to commit

See Also:

• LoginModule.commit()

abort

public boolean abort()
              throws LoginException

Specified by:

abort in interface LoginModule

Overrides:

abort in class AbstractLoginModule

Throws:

LoginException

getEnvironment

public Hashtable<Object,Object> getEnvironment()

get the context for connection

Returns:

the environment details for the context

convertCredentialLdapToJetty

public static String convertCredentialLdapToJetty(String encryptedPassword)