| author | ohair |
| Wed, 06 Apr 2011 22:06:11 -0700 | |
| changeset 9035 | 1255eb81cc2f |
| parent 7970 | af1579474d16 |
| child 10336 | 0bb1999251f8 |
| permissions | -rw-r--r-- |
| 2 | 1 |
/* |
|
9035
1255eb81cc2f
7033660: Update copyright year to 2011 on any files changed in 2011
ohair
parents:
7970
diff
changeset
|
2 |
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. |
| 2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
| 5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
| 2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
| 5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
| 2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
| 5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
| 2 | 24 |
*/ |
25 |
||
26 |
package com.sun.security.auth.module; |
|
27 |
||
28 |
import javax.security.auth.*; |
|
29 |
import javax.security.auth.callback.*; |
|
30 |
import javax.security.auth.login.*; |
|
31 |
import javax.security.auth.spi.*; |
|
32 |
import javax.naming.*; |
|
33 |
import javax.naming.directory.*; |
|
34 |
||
35 |
import java.io.IOException; |
|
36 |
import java.util.Map; |
|
37 |
import java.util.LinkedList; |
|
38 |
import java.util.ResourceBundle; |
|
39 |
||
40 |
import com.sun.security.auth.UnixPrincipal; |
|
41 |
import com.sun.security.auth.UnixNumericUserPrincipal; |
|
42 |
import com.sun.security.auth.UnixNumericGroupPrincipal; |
|
43 |
||
44 |
import sun.security.util.AuthResources; |
|
45 |
||
46 |
/** |
|
47 |
* <p> The module prompts for a username and password |
|
48 |
* and then verifies the password against the password stored in |
|
49 |
* a directory service configured under JNDI. |
|
50 |
* |
|
51 |
* <p> This <code>LoginModule</code> interoperates with |
|
52 |
* any conformant JNDI service provider. To direct this |
|
53 |
* <code>LoginModule</code> to use a specific JNDI service provider, |
|
54 |
* two options must be specified in the login <code>Configuration</code> |
|
55 |
* for this <code>LoginModule</code>. |
|
56 |
* <pre> |
|
57 |
* user.provider.url=<b>name_service_url</b> |
|
58 |
* group.provider.url=<b>name_service_url</b> |
|
59 |
* </pre> |
|
60 |
* |
|
61 |
* <b>name_service_url</b> specifies |
|
62 |
* the directory service and path where this <code>LoginModule</code> |
|
63 |
* can access the relevant user and group information. Because this |
|
64 |
* <code>LoginModule</code> only performs one-level searches to |
|
65 |
* find the relevant user information, the <code>URL</code> |
|
66 |
* must point to a directory one level above where the user and group |
|
67 |
* information is stored in the directory service. |
|
68 |
* For example, to instruct this <code>LoginModule</code> |
|
69 |
* to contact a NIS server, the following URLs must be specified: |
|
70 |
* <pre> |
|
71 |
* user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user" |
|
72 |
* group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group" |
|
73 |
* </pre> |
|
74 |
* |
|
75 |
* <b>NISServerHostName</b> specifies the server host name of the |
|
76 |
* NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b> |
|
77 |
* specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>. |
|
78 |
* To contact an LDAP server, the following URLs must be specified: |
|
79 |
* <pre> |
|
80 |
* user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>" |
|
81 |
* group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>" |
|
82 |
* </pre> |
|
83 |
* |
|
84 |
* <b>LDAPServerHostName</b> specifies the server host name of the |
|
85 |
* LDAP server, which may include a port number |
|
86 |
* (for example, <i>ldap.sun.com:389</i>), |
|
87 |
* and <b>LDAPName</b> specifies the entry name in the LDAP directory |
|
88 |
* (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i> |
|
89 |
* for user and group information, respectively). |
|
90 |
* |
|
91 |
* <p> The format in which the user's information must be stored in |
|
92 |
* the directory service is specified in RFC 2307. Specifically, |
|
93 |
* this <code>LoginModule</code> will search for the user's entry in the |
|
94 |
* directory service using the user's <i>uid</i> attribute, |
|
95 |
* where <i>uid=<b>username</b></i>. If the search succeeds, |
|
96 |
* this <code>LoginModule</code> will then |
|
97 |
* obtain the user's encrypted password from the retrieved entry |
|
98 |
* using the <i>userPassword</i> attribute. |
|
99 |
* This <code>LoginModule</code> assumes that the password is stored |
|
100 |
* as a byte array, which when converted to a <code>String</code>, |
|
101 |
* has the following format: |
|
102 |
* <pre> |
|
103 |
* "{crypt}<b>encrypted_password</b>"
|
|
104 |
* </pre> |
|
105 |
* |
|
106 |
* The LDAP directory server must be configured |
|
107 |
* to permit read access to the userPassword attribute. |
|
108 |
* If the user entered a valid username and password, |
|
109 |
* this <code>LoginModule</code> associates a |
|
110 |
* <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>, |
|
111 |
* and the relevant UnixNumericGroupPrincipals with the |
|
112 |
* <code>Subject</code>. |
|
113 |
* |
|
114 |
* <p> This LoginModule also recognizes the following <code>Configuration</code> |
|
115 |
* options: |
|
116 |
* <pre> |
|
117 |
* debug if, true, debug messages are output to System.out. |
|
118 |
* |
|
119 |
* useFirstPass if, true, this LoginModule retrieves the |
|
120 |
* username and password from the module's shared state, |
|
121 |
* using "javax.security.auth.login.name" and |
|
122 |
* "javax.security.auth.login.password" as the respective |
|
123 |
* keys. The retrieved values are used for authentication. |
|
124 |
* If authentication fails, no attempt for a retry is made, |
|
125 |
* and the failure is reported back to the calling |
|
126 |
* application. |
|
127 |
* |
|
128 |
* tryFirstPass if, true, this LoginModule retrieves the |
|
129 |
* the username and password from the module's shared state, |
|
130 |
* using "javax.security.auth.login.name" and |
|
131 |
* "javax.security.auth.login.password" as the respective |
|
132 |
* keys. The retrieved values are used for authentication. |
|
133 |
* If authentication fails, the module uses the |
|
134 |
* CallbackHandler to retrieve a new username and password, |
|
135 |
* and another attempt to authenticate is made. |
|
136 |
* If the authentication fails, the failure is reported |
|
137 |
* back to the calling application. |
|
138 |
* |
|
139 |
* storePass if, true, this LoginModule stores the username and password |
|
140 |
* obtained from the CallbackHandler in the module's |
|
141 |
* shared state, using "javax.security.auth.login.name" and |
|
142 |
* "javax.security.auth.login.password" as the respective |
|
143 |
* keys. This is not performed if existing values already |
|
144 |
* exist for the username and password in the shared state, |
|
145 |
* or if authentication fails. |
|
146 |
* |
|
147 |
* clearPass if, true, this <code>LoginModule</code> clears the |
|
148 |
* username and password stored in the module's shared state |
|
149 |
* after both phases of authentication (login and commit) |
|
150 |
* have completed. |
|
151 |
* </pre> |
|
152 |
* |
|
153 |
*/ |
|
154 |
public class JndiLoginModule implements LoginModule {
|
|
155 |
||
156 |
static final java.util.ResourceBundle rb = |
|
157 |
java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");
|
|
158 |
||
159 |
/** JNDI Provider */ |
|
160 |
public final String USER_PROVIDER = "user.provider.url"; |
|
161 |
public final String GROUP_PROVIDER = "group.provider.url"; |
|
162 |
||
163 |
// configurable options |
|
164 |
private boolean debug = false; |
|
165 |
private boolean strongDebug = false; |
|
166 |
private String userProvider; |
|
167 |
private String groupProvider; |
|
168 |
private boolean useFirstPass = false; |
|
169 |
private boolean tryFirstPass = false; |
|
170 |
private boolean storePass = false; |
|
171 |
private boolean clearPass = false; |
|
172 |
||
173 |
// the authentication status |
|
174 |
private boolean succeeded = false; |
|
175 |
private boolean commitSucceeded = false; |
|
176 |
||
177 |
// username, password, and JNDI context |
|
178 |
private String username; |
|
179 |
private char[] password; |
|
180 |
DirContext ctx; |
|
181 |
||
182 |
// the user (assume it is a UnixPrincipal) |
|
183 |
private UnixPrincipal userPrincipal; |
|
184 |
private UnixNumericUserPrincipal UIDPrincipal; |
|
185 |
private UnixNumericGroupPrincipal GIDPrincipal; |
|
186 |
private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups = |
|
|
7970
af1579474d16
7008728: diamond conversion of basic security, permissions, authentication
smarks
parents:
7179
diff
changeset
|
187 |
new LinkedList<>(); |
| 2 | 188 |
|
189 |
// initial state |
|
190 |
private Subject subject; |
|
191 |
private CallbackHandler callbackHandler; |
|
192 |
private Map sharedState; |
|
193 |
private Map<String, ?> options; |
|
194 |
||
195 |
private static final String CRYPT = "{crypt}";
|
|
196 |
private static final String USER_PWD = "userPassword"; |
|
197 |
private static final String USER_UID = "uidNumber"; |
|
198 |
private static final String USER_GID = "gidNumber"; |
|
199 |
private static final String GROUP_ID = "gidNumber"; |
|
200 |
private static final String NAME = "javax.security.auth.login.name"; |
|
201 |
private static final String PWD = "javax.security.auth.login.password"; |
|
202 |
||
203 |
/** |
|
204 |
* Initialize this <code>LoginModule</code>. |
|
205 |
* |
|
206 |
* <p> |
|
207 |
* |
|
208 |
* @param subject the <code>Subject</code> to be authenticated. <p> |
|
209 |
* |
|
210 |
* @param callbackHandler a <code>CallbackHandler</code> for communicating |
|
211 |
* with the end user (prompting for usernames and |
|
212 |
* passwords, for example). <p> |
|
213 |
* |
|
214 |
* @param sharedState shared <code>LoginModule</code> state. <p> |
|
215 |
* |
|
216 |
* @param options options specified in the login |
|
217 |
* <code>Configuration</code> for this particular |
|
218 |
* <code>LoginModule</code>. |
|
219 |
*/ |
|
220 |
public void initialize(Subject subject, CallbackHandler callbackHandler, |
|
221 |
Map<String,?> sharedState, |
|
222 |
Map<String,?> options) {
|
|
223 |
||
224 |
this.subject = subject; |
|
225 |
this.callbackHandler = callbackHandler; |
|
226 |
this.sharedState = sharedState; |
|
227 |
this.options = options; |
|
228 |
||
229 |
// initialize any configured options |
|
230 |
debug = "true".equalsIgnoreCase((String)options.get("debug"));
|
|
231 |
strongDebug = |
|
232 |
"true".equalsIgnoreCase((String)options.get("strongDebug"));
|
|
233 |
userProvider = (String)options.get(USER_PROVIDER); |
|
234 |
groupProvider = (String)options.get(GROUP_PROVIDER); |
|
235 |
tryFirstPass = |
|
236 |
"true".equalsIgnoreCase((String)options.get("tryFirstPass"));
|
|
237 |
useFirstPass = |
|
238 |
"true".equalsIgnoreCase((String)options.get("useFirstPass"));
|
|
239 |
storePass = |
|
240 |
"true".equalsIgnoreCase((String)options.get("storePass"));
|
|
241 |
clearPass = |
|
242 |
"true".equalsIgnoreCase((String)options.get("clearPass"));
|
|
243 |
} |
|
244 |
||
245 |
/** |
|
246 |
* <p> Prompt for username and password. |
|
247 |
* Verify the password against the relevant name service. |
|
248 |
* |
|
249 |
* <p> |
|
250 |
* |
|
251 |
* @return true always, since this <code>LoginModule</code> |
|
252 |
* should not be ignored. |
|
253 |
* |
|
254 |
* @exception FailedLoginException if the authentication fails. <p> |
|
255 |
* |
|
256 |
* @exception LoginException if this <code>LoginModule</code> |
|
257 |
* is unable to perform the authentication. |
|
258 |
*/ |
|
259 |
public boolean login() throws LoginException {
|
|
260 |
||
261 |
if (userProvider == null) {
|
|
262 |
throw new LoginException |
|
263 |
("Error: Unable to locate JNDI user provider");
|
|
264 |
} |
|
265 |
if (groupProvider == null) {
|
|
266 |
throw new LoginException |
|
267 |
("Error: Unable to locate JNDI group provider");
|
|
268 |
} |
|
269 |
||
270 |
if (debug) {
|
|
271 |
System.out.println("\t\t[JndiLoginModule] user provider: " +
|
|
272 |
userProvider); |
|
273 |
System.out.println("\t\t[JndiLoginModule] group provider: " +
|
|
274 |
groupProvider); |
|
275 |
} |
|
276 |
||
277 |
// attempt the authentication |
|
278 |
if (tryFirstPass) {
|
|
279 |
||
280 |
try {
|
|
281 |
// attempt the authentication by getting the |
|
282 |
// username and password from shared state |
|
283 |
attemptAuthentication(true); |
|
284 |
||
285 |
// authentication succeeded |
|
286 |
succeeded = true; |
|
287 |
if (debug) {
|
|
288 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
289 |
"tryFirstPass succeeded"); |
|
290 |
} |
|
291 |
return true; |
|
292 |
} catch (LoginException le) {
|
|
293 |
// authentication failed -- try again below by prompting |
|
294 |
cleanState(); |
|
295 |
if (debug) {
|
|
296 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
297 |
"tryFirstPass failed with:" + |
|
298 |
le.toString()); |
|
299 |
} |
|
300 |
} |
|
301 |
||
302 |
} else if (useFirstPass) {
|
|
303 |
||
304 |
try {
|
|
305 |
// attempt the authentication by getting the |
|
306 |
// username and password from shared state |
|
307 |
attemptAuthentication(true); |
|
308 |
||
309 |
// authentication succeeded |
|
310 |
succeeded = true; |
|
311 |
if (debug) {
|
|
312 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
313 |
"useFirstPass succeeded"); |
|
314 |
} |
|
315 |
return true; |
|
316 |
} catch (LoginException le) {
|
|
317 |
// authentication failed |
|
318 |
cleanState(); |
|
319 |
if (debug) {
|
|
320 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
321 |
"useFirstPass failed"); |
|
322 |
} |
|
323 |
throw le; |
|
324 |
} |
|
325 |
} |
|
326 |
||
327 |
// attempt the authentication by prompting for the username and pwd |
|
328 |
try {
|
|
329 |
attemptAuthentication(false); |
|
330 |
||
331 |
// authentication succeeded |
|
332 |
succeeded = true; |
|
333 |
if (debug) {
|
|
334 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
335 |
"regular authentication succeeded"); |
|
336 |
} |
|
337 |
return true; |
|
338 |
} catch (LoginException le) {
|
|
339 |
cleanState(); |
|
340 |
if (debug) {
|
|
341 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
342 |
"regular authentication failed"); |
|
343 |
} |
|
344 |
throw le; |
|
345 |
} |
|
346 |
} |
|
347 |
||
348 |
/** |
|
349 |
* Abstract method to commit the authentication process (phase 2). |
|
350 |
* |
|
351 |
* <p> This method is called if the LoginContext's |
|
352 |
* overall authentication succeeded |
|
353 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules |
|
354 |
* succeeded). |
|
355 |
* |
|
356 |
* <p> If this LoginModule's own authentication attempt |
|
357 |
* succeeded (checked by retrieving the private state saved by the |
|
358 |
* <code>login</code> method), then this method associates a |
|
359 |
* <code>UnixPrincipal</code> |
|
360 |
* with the <code>Subject</code> located in the |
|
361 |
* <code>LoginModule</code>. If this LoginModule's own |
|
362 |
* authentication attempted failed, then this method removes |
|
363 |
* any state that was originally saved. |
|
364 |
* |
|
365 |
* <p> |
|
366 |
* |
|
367 |
* @exception LoginException if the commit fails |
|
368 |
* |
|
369 |
* @return true if this LoginModule's own login and commit |
|
370 |
* attempts succeeded, or false otherwise. |
|
371 |
*/ |
|
372 |
public boolean commit() throws LoginException {
|
|
373 |
||
374 |
if (succeeded == false) {
|
|
375 |
return false; |
|
376 |
} else {
|
|
377 |
if (subject.isReadOnly()) {
|
|
378 |
cleanState(); |
|
379 |
throw new LoginException ("Subject is Readonly");
|
|
380 |
} |
|
381 |
// add Principals to the Subject |
|
382 |
if (!subject.getPrincipals().contains(userPrincipal)) |
|
383 |
subject.getPrincipals().add(userPrincipal); |
|
384 |
if (!subject.getPrincipals().contains(UIDPrincipal)) |
|
385 |
subject.getPrincipals().add(UIDPrincipal); |
|
386 |
if (!subject.getPrincipals().contains(GIDPrincipal)) |
|
387 |
subject.getPrincipals().add(GIDPrincipal); |
|
388 |
for (int i = 0; i < supplementaryGroups.size(); i++) {
|
|
389 |
if (!subject.getPrincipals().contains |
|
390 |
(supplementaryGroups.get(i))) |
|
391 |
subject.getPrincipals().add(supplementaryGroups.get(i)); |
|
392 |
} |
|
393 |
||
394 |
if (debug) {
|
|
395 |
System.out.println("\t\t[JndiLoginModule]: " +
|
|
396 |
"added UnixPrincipal,"); |
|
397 |
System.out.println("\t\t\t\tUnixNumericUserPrincipal,");
|
|
398 |
System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),");
|
|
399 |
System.out.println("\t\t\t to Subject");
|
|
400 |
} |
|
401 |
} |
|
402 |
// in any case, clean out state |
|
403 |
cleanState(); |
|
404 |
commitSucceeded = true; |
|
405 |
return true; |
|
406 |
} |
|
407 |
||
408 |
/** |
|
409 |
* <p> This method is called if the LoginContext's |
|
410 |
* overall authentication failed. |
|
411 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules |
|
412 |
* did not succeed). |
|
413 |
* |
|
414 |
* <p> If this LoginModule's own authentication attempt |
|
415 |
* succeeded (checked by retrieving the private state saved by the |
|
416 |
* <code>login</code> and <code>commit</code> methods), |
|
417 |
* then this method cleans up any state that was originally saved. |
|
418 |
* |
|
419 |
* <p> |
|
420 |
* |
|
421 |
* @exception LoginException if the abort fails. |
|
422 |
* |
|
423 |
* @return false if this LoginModule's own login and/or commit attempts |
|
424 |
* failed, and true otherwise. |
|
425 |
*/ |
|
426 |
public boolean abort() throws LoginException {
|
|
427 |
if (debug) |
|
428 |
System.out.println("\t\t[JndiLoginModule]: " +
|
|
429 |
"aborted authentication failed"); |
|
430 |
||
431 |
if (succeeded == false) {
|
|
432 |
return false; |
|
433 |
} else if (succeeded == true && commitSucceeded == false) {
|
|
434 |
||
435 |
// Clean out state |
|
436 |
succeeded = false; |
|
437 |
cleanState(); |
|
438 |
||
439 |
userPrincipal = null; |
|
440 |
UIDPrincipal = null; |
|
441 |
GIDPrincipal = null; |
|
442 |
supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>(); |
|
443 |
} else {
|
|
444 |
// overall authentication succeeded and commit succeeded, |
|
445 |
// but someone else's commit failed |
|
446 |
logout(); |
|
447 |
} |
|
448 |
return true; |
|
449 |
} |
|
450 |
||
451 |
/** |
|
452 |
* Logout a user. |
|
453 |
* |
|
454 |
* <p> This method removes the Principals |
|
455 |
* that were added by the <code>commit</code> method. |
|
456 |
* |
|
457 |
* <p> |
|
458 |
* |
|
459 |
* @exception LoginException if the logout fails. |
|
460 |
* |
|
461 |
* @return true in all cases since this <code>LoginModule</code> |
|
462 |
* should not be ignored. |
|
463 |
*/ |
|
464 |
public boolean logout() throws LoginException {
|
|
465 |
if (subject.isReadOnly()) {
|
|
466 |
cleanState(); |
|
467 |
throw new LoginException ("Subject is Readonly");
|
|
468 |
} |
|
469 |
subject.getPrincipals().remove(userPrincipal); |
|
470 |
subject.getPrincipals().remove(UIDPrincipal); |
|
471 |
subject.getPrincipals().remove(GIDPrincipal); |
|
472 |
for (int i = 0; i < supplementaryGroups.size(); i++) {
|
|
473 |
subject.getPrincipals().remove(supplementaryGroups.get(i)); |
|
474 |
} |
|
475 |
||
476 |
||
477 |
// clean out state |
|
478 |
cleanState(); |
|
479 |
succeeded = false; |
|
480 |
commitSucceeded = false; |
|
481 |
||
482 |
userPrincipal = null; |
|
483 |
UIDPrincipal = null; |
|
484 |
GIDPrincipal = null; |
|
485 |
supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>(); |
|
486 |
||
487 |
if (debug) {
|
|
488 |
System.out.println("\t\t[JndiLoginModule]: " +
|
|
489 |
"logged out Subject"); |
|
490 |
} |
|
491 |
return true; |
|
492 |
} |
|
493 |
||
494 |
/** |
|
495 |
* Attempt authentication |
|
496 |
* |
|
497 |
* <p> |
|
498 |
* |
|
499 |
* @param getPasswdFromSharedState boolean that tells this method whether |
|
500 |
* to retrieve the password from the sharedState. |
|
501 |
*/ |
|
502 |
private void attemptAuthentication(boolean getPasswdFromSharedState) |
|
503 |
throws LoginException {
|
|
504 |
||
505 |
String encryptedPassword = null; |
|
506 |
||
507 |
// first get the username and password |
|
508 |
getUsernamePassword(getPasswdFromSharedState); |
|
509 |
||
510 |
try {
|
|
511 |
||
512 |
// get the user's passwd entry from the user provider URL |
|
513 |
InitialContext iCtx = new InitialContext(); |
|
514 |
ctx = (DirContext)iCtx.lookup(userProvider); |
|
515 |
||
516 |
/* |
|
517 |
SearchControls controls = new SearchControls |
|
518 |
(SearchControls.ONELEVEL_SCOPE, |
|
519 |
0, |
|
520 |
5000, |
|
521 |
new String[] { USER_PWD },
|
|
522 |
false, |
|
523 |
false); |
|
524 |
*/ |
|
525 |
||
526 |
SearchControls controls = new SearchControls(); |
|
527 |
NamingEnumeration<SearchResult> ne = ctx.search("",
|
|
528 |
"(uid=" + username + ")", |
|
529 |
controls); |
|
530 |
if (ne.hasMore()) {
|
|
531 |
SearchResult result = ne.next(); |
|
532 |
Attributes attributes = result.getAttributes(); |
|
533 |
||
534 |
// get the password |
|
535 |
||
536 |
// this module works only if the LDAP directory server |
|
537 |
// is configured to permit read access to the userPassword |
|
538 |
// attribute. The directory administrator need to grant |
|
539 |
// this access. |
|
540 |
// |
|
541 |
// A workaround would be to make the server do authentication |
|
542 |
// by setting the Context.SECURITY_PRINCIPAL |
|
543 |
// and Context.SECURITY_CREDENTIALS property. |
|
544 |
// However, this would make it not work with systems that |
|
545 |
// don't do authentication at the server (like NIS). |
|
546 |
// |
|
547 |
// Setting the SECURITY_* properties and using "simple" |
|
548 |
// authentication for LDAP is recommended only for secure |
|
549 |
// channels. For nonsecure channels, SSL is recommended. |
|
550 |
||
551 |
Attribute pwd = attributes.get(USER_PWD); |
|
552 |
String encryptedPwd = new String((byte[])pwd.get(), "UTF8"); |
|
553 |
encryptedPassword = encryptedPwd.substring(CRYPT.length()); |
|
554 |
||
555 |
// check the password |
|
556 |
if (verifyPassword |
|
557 |
(encryptedPassword, new String(password)) == true) {
|
|
558 |
||
559 |
// authentication succeeded |
|
560 |
if (debug) |
|
561 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
562 |
"attemptAuthentication() succeeded"); |
|
563 |
||
564 |
} else {
|
|
565 |
// authentication failed |
|
566 |
if (debug) |
|
567 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
568 |
"attemptAuthentication() failed"); |
|
569 |
throw new FailedLoginException("Login incorrect");
|
|
570 |
} |
|
571 |
||
572 |
// save input as shared state only if |
|
573 |
// authentication succeeded |
|
574 |
if (storePass && |
|
575 |
!sharedState.containsKey(NAME) && |
|
576 |
!sharedState.containsKey(PWD)) {
|
|
577 |
sharedState.put(NAME, username); |
|
578 |
sharedState.put(PWD, password); |
|
579 |
} |
|
580 |
||
581 |
// create the user principal |
|
582 |
userPrincipal = new UnixPrincipal(username); |
|
583 |
||
584 |
// get the UID |
|
585 |
Attribute uid = attributes.get(USER_UID); |
|
586 |
String uidNumber = (String)uid.get(); |
|
587 |
UIDPrincipal = new UnixNumericUserPrincipal(uidNumber); |
|
588 |
if (debug && uidNumber != null) {
|
|
589 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
590 |
"user: '" + username + "' has UID: " + |
|
591 |
uidNumber); |
|
592 |
} |
|
593 |
||
594 |
// get the GID |
|
595 |
Attribute gid = attributes.get(USER_GID); |
|
596 |
String gidNumber = (String)gid.get(); |
|
597 |
GIDPrincipal = new UnixNumericGroupPrincipal |
|
598 |
(gidNumber, true); |
|
599 |
if (debug && gidNumber != null) {
|
|
600 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
601 |
"user: '" + username + "' has GID: " + |
|
602 |
gidNumber); |
|
603 |
} |
|
604 |
||
605 |
// get the supplementary groups from the group provider URL |
|
606 |
ctx = (DirContext)iCtx.lookup(groupProvider); |
|
607 |
ne = ctx.search("", new BasicAttributes("memberUid", username));
|
|
608 |
||
609 |
while (ne.hasMore()) {
|
|
610 |
result = ne.next(); |
|
611 |
attributes = result.getAttributes(); |
|
612 |
||
613 |
gid = attributes.get(GROUP_ID); |
|
614 |
String suppGid = (String)gid.get(); |
|
615 |
if (!gidNumber.equals(suppGid)) {
|
|
616 |
UnixNumericGroupPrincipal suppPrincipal = |
|
617 |
new UnixNumericGroupPrincipal(suppGid, false); |
|
618 |
supplementaryGroups.add(suppPrincipal); |
|
619 |
if (debug && suppGid != null) {
|
|
620 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
621 |
"user: '" + username + |
|
622 |
"' has Supplementary Group: " + |
|
623 |
suppGid); |
|
624 |
} |
|
625 |
} |
|
626 |
} |
|
627 |
||
628 |
} else {
|
|
629 |
// bad username |
|
630 |
if (debug) {
|
|
631 |
System.out.println("\t\t[JndiLoginModule]: User not found");
|
|
632 |
} |
|
633 |
throw new FailedLoginException("User not found");
|
|
634 |
} |
|
635 |
} catch (NamingException ne) {
|
|
636 |
// bad username |
|
637 |
if (debug) {
|
|
638 |
System.out.println("\t\t[JndiLoginModule]: User not found");
|
|
639 |
ne.printStackTrace(); |
|
640 |
} |
|
641 |
throw new FailedLoginException("User not found");
|
|
642 |
} catch (java.io.UnsupportedEncodingException uee) {
|
|
643 |
// password stored in incorrect format |
|
644 |
if (debug) {
|
|
645 |
System.out.println("\t\t[JndiLoginModule]: " +
|
|
646 |
"password incorrectly encoded"); |
|
647 |
uee.printStackTrace(); |
|
648 |
} |
|
649 |
throw new LoginException("Login failure due to incorrect " +
|
|
650 |
"password encoding in the password database"); |
|
651 |
} |
|
652 |
||
653 |
// authentication succeeded |
|
654 |
} |
|
655 |
||
656 |
/** |
|
657 |
* Get the username and password. |
|
658 |
* This method does not return any value. |
|
659 |
* Instead, it sets global name and password variables. |
|
660 |
* |
|
661 |
* <p> Also note that this method will set the username and password |
|
662 |
* values in the shared state in case subsequent LoginModules |
|
663 |
* want to use them via use/tryFirstPass. |
|
664 |
* |
|
665 |
* <p> |
|
666 |
* |
|
667 |
* @param getPasswdFromSharedState boolean that tells this method whether |
|
668 |
* to retrieve the password from the sharedState. |
|
669 |
*/ |
|
670 |
private void getUsernamePassword(boolean getPasswdFromSharedState) |
|
671 |
throws LoginException {
|
|
672 |
||
673 |
if (getPasswdFromSharedState) {
|
|
674 |
// use the password saved by the first module in the stack |
|
675 |
username = (String)sharedState.get(NAME); |
|
676 |
password = (char[])sharedState.get(PWD); |
|
677 |
return; |
|
678 |
} |
|
679 |
||
680 |
// prompt for a username and password |
|
681 |
if (callbackHandler == null) |
|
682 |
throw new LoginException("Error: no CallbackHandler available " +
|
|
683 |
"to garner authentication information from the user"); |
|
684 |
||
685 |
String protocol = userProvider.substring(0, userProvider.indexOf(":"));
|
|
686 |
||
687 |
Callback[] callbacks = new Callback[2]; |
|
688 |
callbacks[0] = new NameCallback(protocol + " " |
|
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
689 |
+ rb.getString("username."));
|
| 2 | 690 |
callbacks[1] = new PasswordCallback(protocol + " " + |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
691 |
rb.getString("password."),
|
| 2 | 692 |
false); |
693 |
||
694 |
try {
|
|
695 |
callbackHandler.handle(callbacks); |
|
696 |
username = ((NameCallback)callbacks[0]).getName(); |
|
697 |
char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword(); |
|
698 |
password = new char[tmpPassword.length]; |
|
699 |
System.arraycopy(tmpPassword, 0, |
|
700 |
password, 0, tmpPassword.length); |
|
701 |
((PasswordCallback)callbacks[1]).clearPassword(); |
|
702 |
||
703 |
} catch (java.io.IOException ioe) {
|
|
704 |
throw new LoginException(ioe.toString()); |
|
705 |
} catch (UnsupportedCallbackException uce) {
|
|
706 |
throw new LoginException("Error: " + uce.getCallback().toString() +
|
|
707 |
" not available to garner authentication information " + |
|
708 |
"from the user"); |
|
709 |
} |
|
710 |
||
711 |
// print debugging information |
|
712 |
if (strongDebug) {
|
|
713 |
System.out.println("\t\t[JndiLoginModule] " +
|
|
714 |
"user entered username: " + |
|
715 |
username); |
|
716 |
System.out.print("\t\t[JndiLoginModule] " +
|
|
717 |
"user entered password: "); |
|
718 |
for (int i = 0; i < password.length; i++) |
|
719 |
System.out.print(password[i]); |
|
720 |
System.out.println(); |
|
721 |
} |
|
722 |
} |
|
723 |
||
724 |
/** |
|
725 |
* Verify a password against the encrypted passwd from /etc/shadow |
|
726 |
*/ |
|
727 |
private boolean verifyPassword(String encryptedPassword, String password) {
|
|
728 |
||
729 |
if (encryptedPassword == null) |
|
730 |
return false; |
|
731 |
||
732 |
Crypt c = new Crypt(); |
|
733 |
try {
|
|
734 |
byte oldCrypt[] = encryptedPassword.getBytes("UTF8");
|
|
735 |
byte newCrypt[] = c.crypt(password.getBytes("UTF8"),
|
|
736 |
oldCrypt); |
|
737 |
if (newCrypt.length != oldCrypt.length) |
|
738 |
return false; |
|
739 |
for (int i = 0; i < newCrypt.length; i++) {
|
|
740 |
if (oldCrypt[i] != newCrypt[i]) |
|
741 |
return false; |
|
742 |
} |
|
743 |
} catch (java.io.UnsupportedEncodingException uee) {
|
|
744 |
// cannot happen, but return false just to be safe |
|
745 |
return false; |
|
746 |
} |
|
747 |
return true; |
|
748 |
} |
|
749 |
||
750 |
/** |
|
751 |
* Clean out state because of a failed authentication attempt |
|
752 |
*/ |
|
753 |
private void cleanState() {
|
|
754 |
username = null; |
|
755 |
if (password != null) {
|
|
756 |
for (int i = 0; i < password.length; i++) |
|
757 |
password[i] = ' '; |
|
758 |
password = null; |
|
759 |
} |
|
760 |
ctx = null; |
|
761 |
||
762 |
if (clearPass) {
|
|
763 |
sharedState.remove(NAME); |
|
764 |
sharedState.remove(PWD); |
|
765 |
} |
|
766 |
} |
|
767 |
} |