Class LdapLoginModule

  • All Implemented Interfaces:
    javax.security.auth.spi.LoginModule

    public class LdapLoginModule
    extends AbstractLoginModule
An LdapLoginModule for use with JAAS setups.

The JVM should be started with the following parameter:

     -Djava.security.auth.login.config=etc/ldap-loginModule.conf
     
    and an example of the ldap-loginModule.conf would be:

     ldaploginmodule {
        org.eclipse.jetty.server.server.plus.jaas.spi.LdapLoginModule required
        debug="true"
        useLdaps="false"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        hostname="ldap.example.com"
        port="389"
        bindDn="cn=Directory Manager"
        bindPassword="directory"
        authenticationMethod="simple"
        forceBindingLogin="false"
        userBaseDn="ou=people,dc=alcatel"
        userRdnAttribute="uid"
        userIdAttribute="uid"
        userPasswordAttribute="userPassword"
        userObjectClass="inetOrgPerson"
        roleBaseDn="ou=groups,dc=example,dc=com"
        roleNameAttribute="cn"
        roleMemberAttribute="uniqueMember"
        roleObjectClass="groupOfUniqueNames";
     };
     
    • Constructor Detail

      • LdapLoginModule

        public LdapLoginModule()
    • Method Detail

      • getUserInfo

        public UserInfo getUserInfo(java.lang.String username)
                             throws java.lang.Exception
        Get the available information about the user.

        For this LoginModule, the credential can be null, which results in a binding LDAP authentication scenario (the user is authenticated by binding to the directory rather than by comparing a stored password).

        Roles are optional and are only looked up if required.

        Specified by:
        getUserInfo in class AbstractLoginModule
        Parameters:
        username - the user name
        Returns:
        the userinfo for the username
        Throws:
        java.lang.Exception - if unable to get the user info
      • doRFC2254Encoding

        protected java.lang.String doRFC2254Encoding(java.lang.String inputString)
      • login

        public boolean login()
                      throws javax.security.auth.login.LoginException
        Since LDAP uses a context bind for valid authentication checking, we override login().

        If credentials are not available from the user's context, or if the binding check is being forced (forceBindingLogin), a binding authentication check is attempted; otherwise, if the user's encoded password is available, authentication is attempted by comparing against that password.

        Specified by:
        login in interface javax.security.auth.spi.LoginModule
        Overrides:
        login in class AbstractLoginModule
        Returns:
        true if authenticated, false otherwise
        Throws:
        javax.security.auth.login.LoginException - if unable to login
        See Also:
        LoginModule.login()
      • credentialLogin

        protected boolean credentialLogin(java.lang.Object webCredential)
                                   throws javax.security.auth.login.LoginException
        Password-supplied authentication check.
        Parameters:
        webCredential - the web credential
        Returns:
        true if authenticated
        Throws:
        javax.security.auth.login.LoginException - if unable to login
      • bindingLogin

        public boolean bindingLogin(java.lang.String username,
                                    java.lang.Object password)
                             throws javax.security.auth.login.LoginException
        Binding authentication check. This method of authentication works only if the user branch of the DIT (LDAP tree) has an ACI (access control instruction) that allows access to any user, or at least to the user that logs in.
        Parameters:
        username - the user name
        password - the password
        Returns:
        true always
        Throws:
        javax.security.auth.login.LoginException - if unable to bind the login
      • initialize

        public void initialize(javax.security.auth.Subject subject,
                               javax.security.auth.callback.CallbackHandler callbackHandler,
                               java.util.Map<java.lang.String,?> sharedState,
                               java.util.Map<java.lang.String,?> options)
        Initialize the LoginModule.

        Called once by JAAS after a new instance is created.

        Specified by:
        initialize in interface javax.security.auth.spi.LoginModule
        Overrides:
        initialize in class AbstractLoginModule
        Parameters:
        subject - the subject
        callbackHandler - the callback handler
        sharedState - the shared state map
        options - the option map
        See Also:
        LoginModule.initialize(javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)
      • commit

        public boolean commit()
                       throws javax.security.auth.login.LoginException
        Specified by:
        commit in interface javax.security.auth.spi.LoginModule
        Overrides:
        commit in class AbstractLoginModule
        Returns:
        true if committed, false if not (likely not authenticated)
        Throws:
        javax.security.auth.login.LoginException - if unable to commit
        See Also:
        LoginModule.commit()
      • abort

        public boolean abort()
                      throws javax.security.auth.login.LoginException
        Specified by:
        abort in interface javax.security.auth.spi.LoginModule
        Overrides:
        abort in class AbstractLoginModule
        Throws:
        javax.security.auth.login.LoginException - if unable to abort
        See Also:
        LoginModule.abort()
      • getEnvironment

        public java.util.Hashtable<java.lang.Object,java.lang.Object> getEnvironment()
        Get the environment used to create the LDAP connection context.
        Returns:
        the environment details for the context
      • convertCredentialLdapToJetty

        public static java.lang.String convertCredentialLdapToJetty(java.lang.String encryptedPassword)
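Added example (not Jetty code) illustrating what doRFC2254Encoding is for: the username passed to getUserInfo is interpolated into an LDAP search filter, and RFC 2254 escaping keeps a username containing filter metacharacters from changing the filter's structure. It assumes, as a simplification, that the module's lookup filter has the shape (&(objectClass=userObjectClass)(userIdAttribute=username)) built from the userObjectClass and userIdAttribute options shown in the configuration above.

```python
# RFC 2254 section 4: these characters are encoded as a backslash followed by
# the two hex digits of the byte so that they match literally inside a filter.
_RFC2254_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def rfc2254_encode(value: str) -> str:
    """Escape LDAP filter metacharacters in an attribute value (RFC 2254)."""
    return "".join(_RFC2254_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str,
                       user_object_class: str = "inetOrgPerson",
                       user_id_attribute: str = "uid") -> str:
    """Build the user lookup filter with the username escaped first.

    Filter shape is an assumption for this example; the option names mirror the
    userObjectClass / userIdAttribute entries of the JAAS config on this page.
    """
    return (f"(&(objectClass={user_object_class})"
            f"({user_id_attribute}={rfc2254_encode(username)}))")


def naive_user_search_filter(username: str,
                             user_object_class: str = "inetOrgPerson",
                             user_id_attribute: str = "uid") -> str:
    """Same filter built WITHOUT escaping: the pattern doRFC2254Encoding avoids."""
    return f"(&(objectClass={user_object_class})({user_id_attribute}={username}))"


def filter_components(ldap_filter: str) -> int:
    """Count filter components, i.e. '(' characters that are filter syntax.

    After rfc2254_encode() a literal '(' only ever appears as '\\28', so every
    remaining '(' belongs to the filter structure. The well-formed lookup
    filter above has exactly three: the outer AND and its two assertions.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample: a username containing filter metacharacters.
    sample = "a)(b"
    print(user_search_filter(sample), filter_components(user_search_filter(sample)))
    print(naive_user_search_filter(sample), filter_components(naive_user_search_filter(sample)))
```

With the escaped filter the component count stays at three regardless of the input, while the naive filter's structure varies with the username, which is what a review of any hand-built filter should check for.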