Package org.eclipse.jetty.jaas.spi
Class LdapLoginModule
java.lang.Object
org.eclipse.jetty.jaas.spi.AbstractLoginModule
org.eclipse.jetty.jaas.spi.LdapLoginModule
- All Implemented Interfaces:
LoginModule
A LdapLoginModule for use with JAAS setups.
The JVM should be started with the following parameter:
    -Djava.security.auth.login.config=etc/ldap-loginModule.conf
and an example of the ldap-loginModule.conf would be:
    ldaploginmodule {
        org.eclipse.jetty.jaas.spi.LdapLoginModule required
        debug="true"
        useLdaps="false"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        hostname="ldap.example.com"
        port="389"
        bindDn="cn=Directory Manager"
        bindPassword="directory"
        authenticationMethod="simple"
        forceBindingLogin="false"
        userBaseDn="ou=people,dc=alcatel"
        userRdnAttribute="uid"
        userIdAttribute="uid"
        userPasswordAttribute="userPassword"
        userObjectClass="inetOrgPerson"
        roleBaseDn="ou=groups,dc=example,dc=com"
        roleNameAttribute="cn"
        roleMemberAttribute="uniqueMember"
        roleObjectClass="groupOfUniqueNames";
    };

Nested Class Summary
Nested classes/interfaces inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule:
AbstractLoginModule.JAASUser

Constructor Summary
- LdapLoginModule()

Method Summary
- boolean abort()
- boolean bindingLogin(String username, Object password)
  Binding authentication check. This method of authentication works only if the user branch of the DIT (LDAP tree) has an ACI (access control instruction) that allows access to any user, or at least to the user that logs in.
- boolean commit()
- static String convertCredentialLdapToJetty(String encryptedPassword)
- protected boolean credentialLogin(Object webCredential)
  Password-supplied authentication check.
- protected String doRFC2254Encoding(String inputString)
- getEnvironment()
  Get the context for connection.
- getUser(String username)
  Get the available information about the user.
- void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options)
  Init LoginModule.
- boolean login()
  Since LDAP uses a context bind for valid authentication checking, we override login().

Methods inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule:
configureCallbacks, getCallbackHandler, getCurrentUser, getSubject, isAuthenticated, isCommitted, isIgnored, logout, setAuthenticated, setCallbackHandler, setCommitted, setCurrentUser, setSubject

Constructor Details

LdapLoginModule
public LdapLoginModule()

Method Details

getUser
Get the available information about the user. For this LoginModule, the credential can be null, which results in a binding LDAP authentication scenario. Roles are also an optional concept if required.
- Specified by: getUser in class AbstractLoginModule
- Parameters: username - the user name
- Returns: the userinfo for the username
- Throws: Exception - if unable to get the user info

doRFC2254Encoding
protected String doRFC2254Encoding(String inputString)
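The page names a doRFC2254Encoding(String) helper but does not describe what it does. As an added example that is not Jetty's code, the block below implements the escaping that RFC 2254 section 4 defines for a value embedded in an LDAP search filter, and applies it to a user-lookup filter shaped the way the userObjectClass and userIdAttribute options suggest. The class name, the method names, and the exact filter shape are assumptions made for illustration; only the doRFC2254Encoding(String) name comes from the page.

```java
/**
 * Added example (not Jetty's own code). Escapes a value for use inside an
 * LDAP search filter as RFC 2254 section 4 requires, and shows the effect on
 * a user-lookup filter built from userObjectClass="inetOrgPerson" and
 * userIdAttribute="uid". Class name, method names and filter shape are
 * assumptions for illustration only.
 */
public final class Rfc2254Example {

    private Rfc2254Example() {}

    /**
     * Replace each filter metacharacter ('*', '(', ')', '\' and NUL) with a
     * backslash followed by the two hex digits of its byte value, as RFC 2254
     * section 4 specifies. Every other character passes through unchanged.
     */
    public static String escapeFilterValue(String input) {
        StringBuilder out = new StringBuilder(input.length() + 8);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\\': out.append("\\5c"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** User-lookup filter with the username escaped (assumed filter shape). */
    public static String userFilter(String userObjectClass, String userIdAttribute, String username) {
        return "(&(objectClass=" + escapeFilterValue(userObjectClass) + ")("
                + userIdAttribute + "=" + escapeFilterValue(username) + "))";
    }

    /** The same filter built without escaping, kept here only to show the difference. */
    public static String unescapedUserFilter(String userObjectClass, String userIdAttribute, String username) {
        return "(&(objectClass=" + userObjectClass + ")(" + userIdAttribute + "=" + username + "))";
    }

    public static void main(String[] args) {
        // Constructed sample usernames: an ordinary one, a bare wildcard, and one
        // that carries filter metacharacters. Only the escaped filter confines
        // each of them to a literal comparison against the uid attribute.
        String[] samples = { "alice", "*", "a)(uid=*" };
        for (String s : samples) {
            System.out.println("unescaped: " + unescapedUserFilter("inetOrgPerson", "uid", s));
            System.out.println("escaped:   " + userFilter("inetOrgPerson", "uid", s));
        }
    }
}
```

Compile and run it with javac and java to compare the two filters for each sample. The point the output makes is that a username containing `*`, parentheses or a backslash changes the structure of an unescaped filter, while the escaped filter always compares the uid attribute against the literal string the user typed; that is the property the lookup step depends on, so the encoding must be applied before the search is issued.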

login
Since LDAP uses a context bind for valid authentication checking, we override login(). If credentials are not available from the user's context, or if we are forcing the binding check (forceBindingLogin), we try a binding authentication check; otherwise, if we have the user's encoded password, we can try authentication via that mechanism.
- Specified by: login in interface LoginModule
- Overrides: login in class AbstractLoginModule
- Returns: true if authenticated, false otherwise
- Throws: LoginException - if unable to login

credentialLogin
Password-supplied authentication check.
- Parameters: webCredential - the web credential
- Returns: true if authenticated
- Throws: LoginException - if unable to login

bindingLogin
Binding authentication check. This method of authentication works only if the user branch of the DIT (LDAP tree) has an ACI (access control instruction) that allows access to any user, or at least to the user that logs in.
- Parameters: username - the user name; password - the password
- Returns: true always
- Throws: LoginException - if unable to bind the login

initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options)
Init LoginModule. Called once by JAAS after a new instance is created.
- Specified by: initialize in interface LoginModule
- Overrides: initialize in class AbstractLoginModule
- Parameters: subject - the subject; callbackHandler - the callback handler; sharedState - the shared state map; options - the option map

commit
- Specified by: commit in interface LoginModule
- Overrides: commit in class AbstractLoginModule
- Returns: true if committed, false if not (likely not authenticated)
- Throws: LoginException - if unable to commit

abort
- Specified by: abort in interface LoginModule
- Overrides: abort in class AbstractLoginModule
- Throws: LoginException

getEnvironment
Get the context for connection.
- Returns: the environment details for the context

convertCredentialLdapToJetty
static String convertCredentialLdapToJetty(String encryptedPassword)