author | chegar |
Sun, 17 Aug 2014 15:54:13 +0100 | |
changeset 25859 | 3317bb8137f4 |
parent 24685 | jdk/src/share/classes/com/sun/security/auth/module/JndiLoginModule.java@215fa91e1b4c |
child 30044 | bab15bbe2ca3 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
23010
6dadb192ad81
8029235: Update copyright year to match last edit in jdk8 jdk repository for 2013
lana
parents:
20742
diff
changeset
|
2 |
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package com.sun.security.auth.module; |
|
27 |
||
28 |
import javax.security.auth.*; |
|
29 |
import javax.security.auth.callback.*; |
|
30 |
import javax.security.auth.login.*; |
|
31 |
import javax.security.auth.spi.*; |
|
32 |
import javax.naming.*; |
|
33 |
import javax.naming.directory.*; |
|
34 |
||
16503
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
35 |
import java.security.AccessController; |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
36 |
import java.security.PrivilegedAction; |
2 | 37 |
import java.util.Map; |
38 |
import java.util.LinkedList; |
|
16503
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
39 |
import java.util.ResourceBundle; |
2 | 40 |
|
41 |
import com.sun.security.auth.UnixPrincipal; |
|
42 |
import com.sun.security.auth.UnixNumericUserPrincipal; |
|
43 |
import com.sun.security.auth.UnixNumericGroupPrincipal; |
|
44 |
||
45 |
||
46 |
/** |
|
47 |
* <p> The module prompts for a username and password |
|
48 |
* and then verifies the password against the password stored in |
|
49 |
* a directory service configured under JNDI. |
|
50 |
* |
|
51 |
* <p> This <code>LoginModule</code> interoperates with |
|
52 |
* any conformant JNDI service provider. To direct this |
|
53 |
* <code>LoginModule</code> to use a specific JNDI service provider, |
|
54 |
* two options must be specified in the login <code>Configuration</code> |
|
55 |
* for this <code>LoginModule</code>. |
|
56 |
* <pre> |
|
57 |
* user.provider.url=<b>name_service_url</b> |
|
58 |
* group.provider.url=<b>name_service_url</b> |
|
59 |
* </pre> |
|
60 |
* |
|
61 |
* <b>name_service_url</b> specifies |
|
62 |
* the directory service and path where this <code>LoginModule</code> |
|
63 |
* can access the relevant user and group information. Because this |
|
64 |
* <code>LoginModule</code> only performs one-level searches to |
|
65 |
* find the relevant user information, the <code>URL</code> |
|
66 |
* must point to a directory one level above where the user and group |
|
67 |
* information is stored in the directory service. |
|
68 |
* For example, to instruct this <code>LoginModule</code> |
|
69 |
* to contact a NIS server, the following URLs must be specified: |
|
70 |
* <pre> |
|
71 |
* user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user" |
|
72 |
* group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group" |
|
73 |
* </pre> |
|
74 |
* |
|
75 |
* <b>NISServerHostName</b> specifies the server host name of the |
|
76 |
* NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b> |
|
77 |
* specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>. |
|
78 |
* To contact an LDAP server, the following URLs must be specified: |
|
79 |
* <pre> |
|
80 |
* user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>" |
|
81 |
* group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>" |
|
82 |
* </pre> |
|
83 |
* |
|
84 |
* <b>LDAPServerHostName</b> specifies the server host name of the |
|
85 |
* LDAP server, which may include a port number |
|
86 |
* (for example, <i>ldap.sun.com:389</i>), |
|
87 |
* and <b>LDAPName</b> specifies the entry name in the LDAP directory |
|
88 |
* (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i> |
|
89 |
* for user and group information, respectively). |
|
90 |
* |
|
91 |
* <p> The format in which the user's information must be stored in |
|
92 |
* the directory service is specified in RFC 2307. Specifically, |
|
93 |
* this <code>LoginModule</code> will search for the user's entry in the |
|
94 |
* directory service using the user's <i>uid</i> attribute, |
|
95 |
* where <i>uid=<b>username</b></i>. If the search succeeds, |
|
96 |
* this <code>LoginModule</code> will then |
|
97 |
* obtain the user's encrypted password from the retrieved entry |
|
98 |
* using the <i>userPassword</i> attribute. |
|
99 |
* This <code>LoginModule</code> assumes that the password is stored |
|
100 |
* as a byte array, which when converted to a <code>String</code>, |
|
101 |
* has the following format: |
|
102 |
* <pre> |
|
103 |
* "{crypt}<b>encrypted_password</b>" |
|
104 |
* </pre> |
|
105 |
* |
|
106 |
* The LDAP directory server must be configured |
|
107 |
* to permit read access to the userPassword attribute. |
|
108 |
* If the user entered a valid username and password, |
|
109 |
* this <code>LoginModule</code> associates a |
|
110 |
* <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>, |
|
111 |
* and the relevant UnixNumericGroupPrincipals with the |
|
112 |
* <code>Subject</code>. |
|
113 |
* |
|
114 |
* <p> This LoginModule also recognizes the following <code>Configuration</code> |
|
115 |
* options: |
|
116 |
* <pre> |
|
117 |
* debug if, true, debug messages are output to System.out. |
|
118 |
* |
|
119 |
* useFirstPass if, true, this LoginModule retrieves the |
|
120 |
* username and password from the module's shared state, |
|
121 |
* using "javax.security.auth.login.name" and |
|
122 |
* "javax.security.auth.login.password" as the respective |
|
123 |
* keys. The retrieved values are used for authentication. |
|
124 |
* If authentication fails, no attempt for a retry is made, |
|
125 |
* and the failure is reported back to the calling |
|
126 |
* application. |
|
127 |
* |
|
128 |
* tryFirstPass if, true, this LoginModule retrieves the |
|
129 |
* the username and password from the module's shared state, |
|
130 |
* using "javax.security.auth.login.name" and |
|
131 |
* "javax.security.auth.login.password" as the respective |
|
132 |
* keys. The retrieved values are used for authentication. |
|
133 |
* If authentication fails, the module uses the |
|
134 |
* CallbackHandler to retrieve a new username and password, |
|
135 |
* and another attempt to authenticate is made. |
|
136 |
* If the authentication fails, the failure is reported |
|
137 |
* back to the calling application. |
|
138 |
* |
|
139 |
* storePass if, true, this LoginModule stores the username and password |
|
140 |
* obtained from the CallbackHandler in the module's |
|
141 |
* shared state, using "javax.security.auth.login.name" and |
|
142 |
* "javax.security.auth.login.password" as the respective |
|
143 |
* keys. This is not performed if existing values already |
|
144 |
* exist for the username and password in the shared state, |
|
145 |
* or if authentication fails. |
|
146 |
* |
|
147 |
* clearPass if, true, this <code>LoginModule</code> clears the |
|
148 |
* username and password stored in the module's shared state |
|
149 |
* after both phases of authentication (login and commit) |
|
150 |
* have completed. |
|
151 |
* </pre> |
|
152 |
* |
|
153 |
*/ |
|
20742
4ae78e8060d6
8008662: Add @jdk.Exported to JDK-specific/exported APIs
alanb
parents:
16503
diff
changeset
|
154 |
@jdk.Exported |
2 | 155 |
public class JndiLoginModule implements LoginModule { |
156 |
||
16503
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
157 |
private static final ResourceBundle rb = AccessController.doPrivileged( |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
158 |
new PrivilegedAction<ResourceBundle>() { |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
159 |
public ResourceBundle run() { |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
160 |
return ResourceBundle.getBundle( |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
161 |
"sun.security.util.AuthResources"); |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
162 |
} |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
163 |
} |
03d7a6155092
8009970: Several LoginModule classes need extra permission to load AuthResources
weijun
parents:
10336
diff
changeset
|
164 |
); |
2 | 165 |
|
166 |
/** JNDI Provider */ |
|
167 |
public final String USER_PROVIDER = "user.provider.url"; |
|
168 |
public final String GROUP_PROVIDER = "group.provider.url"; |
|
169 |
||
170 |
// configurable options |
|
171 |
private boolean debug = false; |
|
172 |
private boolean strongDebug = false; |
|
173 |
private String userProvider; |
|
174 |
private String groupProvider; |
|
175 |
private boolean useFirstPass = false; |
|
176 |
private boolean tryFirstPass = false; |
|
177 |
private boolean storePass = false; |
|
178 |
private boolean clearPass = false; |
|
179 |
||
180 |
// the authentication status |
|
181 |
private boolean succeeded = false; |
|
182 |
private boolean commitSucceeded = false; |
|
183 |
||
184 |
// username, password, and JNDI context |
|
185 |
private String username; |
|
186 |
private char[] password; |
|
187 |
DirContext ctx; |
|
188 |
||
189 |
// the user (assume it is a UnixPrincipal) |
|
190 |
private UnixPrincipal userPrincipal; |
|
191 |
private UnixNumericUserPrincipal UIDPrincipal; |
|
192 |
private UnixNumericGroupPrincipal GIDPrincipal; |
|
193 |
private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups = |
|
7970
af1579474d16
7008728: diamond conversion of basic security, permissions, authentication
smarks
parents:
7179
diff
changeset
|
194 |
new LinkedList<>(); |
2 | 195 |
|
196 |
// initial state |
|
197 |
private Subject subject; |
|
198 |
private CallbackHandler callbackHandler; |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
199 |
private Map<String, Object> sharedState; |
2 | 200 |
private Map<String, ?> options; |
201 |
||
202 |
private static final String CRYPT = "{crypt}"; |
|
203 |
private static final String USER_PWD = "userPassword"; |
|
204 |
private static final String USER_UID = "uidNumber"; |
|
205 |
private static final String USER_GID = "gidNumber"; |
|
206 |
private static final String GROUP_ID = "gidNumber"; |
|
207 |
private static final String NAME = "javax.security.auth.login.name"; |
|
208 |
private static final String PWD = "javax.security.auth.login.password"; |
|
209 |
||
210 |
/** |
|
211 |
* Initialize this <code>LoginModule</code>. |
|
212 |
* |
|
213 |
* <p> |
|
214 |
* |
|
215 |
* @param subject the <code>Subject</code> to be authenticated. <p> |
|
216 |
* |
|
217 |
* @param callbackHandler a <code>CallbackHandler</code> for communicating |
|
218 |
* with the end user (prompting for usernames and |
|
219 |
* passwords, for example). <p> |
|
220 |
* |
|
221 |
* @param sharedState shared <code>LoginModule</code> state. <p> |
|
222 |
* |
|
223 |
* @param options options specified in the login |
|
224 |
* <code>Configuration</code> for this particular |
|
225 |
* <code>LoginModule</code>. |
|
226 |
*/ |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
227 |
// Unchecked warning from (Map<String, Object>)sharedState is safe |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
228 |
// since javax.security.auth.login.LoginContext passes a raw HashMap. |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
229 |
// Unchecked warnings from options.get(String) are safe since we are |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
230 |
// passing known keys. |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
231 |
@SuppressWarnings("unchecked") |
2 | 232 |
public void initialize(Subject subject, CallbackHandler callbackHandler, |
233 |
Map<String,?> sharedState, |
|
234 |
Map<String,?> options) { |
|
235 |
||
236 |
this.subject = subject; |
|
237 |
this.callbackHandler = callbackHandler; |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9035
diff
changeset
|
238 |
this.sharedState = (Map<String, Object>)sharedState; |
2 | 239 |
this.options = options; |
240 |
||
241 |
// initialize any configured options |
|
242 |
debug = "true".equalsIgnoreCase((String)options.get("debug")); |
|
243 |
strongDebug = |
|
244 |
"true".equalsIgnoreCase((String)options.get("strongDebug")); |
|
245 |
userProvider = (String)options.get(USER_PROVIDER); |
|
246 |
groupProvider = (String)options.get(GROUP_PROVIDER); |
|
247 |
tryFirstPass = |
|
248 |
"true".equalsIgnoreCase((String)options.get("tryFirstPass")); |
|
249 |
useFirstPass = |
|
250 |
"true".equalsIgnoreCase((String)options.get("useFirstPass")); |
|
251 |
storePass = |
|
252 |
"true".equalsIgnoreCase((String)options.get("storePass")); |
|
253 |
clearPass = |
|
254 |
"true".equalsIgnoreCase((String)options.get("clearPass")); |
|
255 |
} |
|
256 |
||
257 |
/** |
|
258 |
* <p> Prompt for username and password. |
|
259 |
* Verify the password against the relevant name service. |
|
260 |
* |
|
261 |
* <p> |
|
262 |
* |
|
263 |
* @return true always, since this <code>LoginModule</code> |
|
264 |
* should not be ignored. |
|
265 |
* |
|
266 |
* @exception FailedLoginException if the authentication fails. <p> |
|
267 |
* |
|
268 |
* @exception LoginException if this <code>LoginModule</code> |
|
269 |
* is unable to perform the authentication. |
|
270 |
*/ |
|
271 |
public boolean login() throws LoginException { |
|
272 |
||
273 |
if (userProvider == null) { |
|
274 |
throw new LoginException |
|
275 |
("Error: Unable to locate JNDI user provider"); |
|
276 |
} |
|
277 |
if (groupProvider == null) { |
|
278 |
throw new LoginException |
|
279 |
("Error: Unable to locate JNDI group provider"); |
|
280 |
} |
|
281 |
||
282 |
if (debug) { |
|
283 |
System.out.println("\t\t[JndiLoginModule] user provider: " + |
|
284 |
userProvider); |
|
285 |
System.out.println("\t\t[JndiLoginModule] group provider: " + |
|
286 |
groupProvider); |
|
287 |
} |
|
288 |
||
289 |
// attempt the authentication |
|
290 |
if (tryFirstPass) { |
|
291 |
||
292 |
try { |
|
293 |
// attempt the authentication by getting the |
|
294 |
// username and password from shared state |
|
295 |
attemptAuthentication(true); |
|
296 |
||
297 |
// authentication succeeded |
|
298 |
succeeded = true; |
|
299 |
if (debug) { |
|
300 |
System.out.println("\t\t[JndiLoginModule] " + |
|
301 |
"tryFirstPass succeeded"); |
|
302 |
} |
|
303 |
return true; |
|
304 |
} catch (LoginException le) { |
|
305 |
// authentication failed -- try again below by prompting |
|
306 |
cleanState(); |
|
307 |
if (debug) { |
|
308 |
System.out.println("\t\t[JndiLoginModule] " + |
|
309 |
"tryFirstPass failed with:" + |
|
310 |
le.toString()); |
|
311 |
} |
|
312 |
} |
|
313 |
||
314 |
} else if (useFirstPass) { |
|
315 |
||
316 |
try { |
|
317 |
// attempt the authentication by getting the |
|
318 |
// username and password from shared state |
|
319 |
attemptAuthentication(true); |
|
320 |
||
321 |
// authentication succeeded |
|
322 |
succeeded = true; |
|
323 |
if (debug) { |
|
324 |
System.out.println("\t\t[JndiLoginModule] " + |
|
325 |
"useFirstPass succeeded"); |
|
326 |
} |
|
327 |
return true; |
|
328 |
} catch (LoginException le) { |
|
329 |
// authentication failed |
|
330 |
cleanState(); |
|
331 |
if (debug) { |
|
332 |
System.out.println("\t\t[JndiLoginModule] " + |
|
333 |
"useFirstPass failed"); |
|
334 |
} |
|
335 |
throw le; |
|
336 |
} |
|
337 |
} |
|
338 |
||
339 |
// attempt the authentication by prompting for the username and pwd |
|
340 |
try { |
|
341 |
attemptAuthentication(false); |
|
342 |
||
343 |
// authentication succeeded |
|
344 |
succeeded = true; |
|
345 |
if (debug) { |
|
346 |
System.out.println("\t\t[JndiLoginModule] " + |
|
347 |
"regular authentication succeeded"); |
|
348 |
} |
|
349 |
return true; |
|
350 |
} catch (LoginException le) { |
|
351 |
cleanState(); |
|
352 |
if (debug) { |
|
353 |
System.out.println("\t\t[JndiLoginModule] " + |
|
354 |
"regular authentication failed"); |
|
355 |
} |
|
356 |
throw le; |
|
357 |
} |
|
358 |
} |
|
359 |
||
360 |
/** |
|
361 |
* Abstract method to commit the authentication process (phase 2). |
|
362 |
* |
|
363 |
* <p> This method is called if the LoginContext's |
|
364 |
* overall authentication succeeded |
|
365 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules |
|
366 |
* succeeded). |
|
367 |
* |
|
368 |
* <p> If this LoginModule's own authentication attempt |
|
369 |
* succeeded (checked by retrieving the private state saved by the |
|
370 |
* <code>login</code> method), then this method associates a |
|
371 |
* <code>UnixPrincipal</code> |
|
372 |
* with the <code>Subject</code> located in the |
|
373 |
* <code>LoginModule</code>. If this LoginModule's own |
|
374 |
* authentication attempted failed, then this method removes |
|
375 |
* any state that was originally saved. |
|
376 |
* |
|
377 |
* <p> |
|
378 |
* |
|
379 |
* @exception LoginException if the commit fails |
|
380 |
* |
|
381 |
* @return true if this LoginModule's own login and commit |
|
382 |
* attempts succeeded, or false otherwise. |
|
383 |
*/ |
|
384 |
public boolean commit() throws LoginException { |
|
385 |
||
386 |
if (succeeded == false) { |
|
387 |
return false; |
|
388 |
} else { |
|
389 |
if (subject.isReadOnly()) { |
|
390 |
cleanState(); |
|
391 |
throw new LoginException ("Subject is Readonly"); |
|
392 |
} |
|
393 |
// add Principals to the Subject |
|
394 |
if (!subject.getPrincipals().contains(userPrincipal)) |
|
395 |
subject.getPrincipals().add(userPrincipal); |
|
396 |
if (!subject.getPrincipals().contains(UIDPrincipal)) |
|
397 |
subject.getPrincipals().add(UIDPrincipal); |
|
398 |
if (!subject.getPrincipals().contains(GIDPrincipal)) |
|
399 |
subject.getPrincipals().add(GIDPrincipal); |
|
400 |
for (int i = 0; i < supplementaryGroups.size(); i++) { |
|
401 |
if (!subject.getPrincipals().contains |
|
402 |
(supplementaryGroups.get(i))) |
|
403 |
subject.getPrincipals().add(supplementaryGroups.get(i)); |
|
404 |
} |
|
405 |
||
406 |
if (debug) { |
|
407 |
System.out.println("\t\t[JndiLoginModule]: " + |
|
408 |
"added UnixPrincipal,"); |
|
409 |
System.out.println("\t\t\t\tUnixNumericUserPrincipal,"); |
|
410 |
System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),"); |
|
411 |
System.out.println("\t\t\t to Subject"); |
|
412 |
} |
|
413 |
} |
|
414 |
// in any case, clean out state |
|
415 |
cleanState(); |
|
416 |
commitSucceeded = true; |
|
417 |
return true; |
|
418 |
} |
|
419 |
||
420 |
/** |
|
421 |
* <p> This method is called if the LoginContext's |
|
422 |
* overall authentication failed. |
|
423 |
* (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules |
|
424 |
* did not succeed). |
|
425 |
* |
|
426 |
* <p> If this LoginModule's own authentication attempt |
|
427 |
* succeeded (checked by retrieving the private state saved by the |
|
428 |
* <code>login</code> and <code>commit</code> methods), |
|
429 |
* then this method cleans up any state that was originally saved. |
|
430 |
* |
|
431 |
* <p> |
|
432 |
* |
|
433 |
* @exception LoginException if the abort fails. |
|
434 |
* |
|
435 |
* @return false if this LoginModule's own login and/or commit attempts |
|
436 |
* failed, and true otherwise. |
|
437 |
*/ |
|
438 |
public boolean abort() throws LoginException { |
|
439 |
if (debug) |
|
440 |
System.out.println("\t\t[JndiLoginModule]: " + |
|
441 |
"aborted authentication failed"); |
|
442 |
||
443 |
if (succeeded == false) { |
|
444 |
return false; |
|
445 |
} else if (succeeded == true && commitSucceeded == false) { |
|
446 |
||
447 |
// Clean out state |
|
448 |
succeeded = false; |
|
449 |
cleanState(); |
|
450 |
||
451 |
userPrincipal = null; |
|
452 |
UIDPrincipal = null; |
|
453 |
GIDPrincipal = null; |
|
454 |
supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>(); |
|
455 |
} else { |
|
456 |
// overall authentication succeeded and commit succeeded, |
|
457 |
// but someone else's commit failed |
|
458 |
logout(); |
|
459 |
} |
|
460 |
return true; |
|
461 |
} |
|
462 |
||
463 |
/** |
|
464 |
* Logout a user. |
|
465 |
* |
|
466 |
* <p> This method removes the Principals |
|
467 |
* that were added by the <code>commit</code> method. |
|
468 |
* |
|
469 |
* <p> |
|
470 |
* |
|
471 |
* @exception LoginException if the logout fails. |
|
472 |
* |
|
473 |
* @return true in all cases since this <code>LoginModule</code> |
|
474 |
* should not be ignored. |
|
475 |
*/ |
|
476 |
public boolean logout() throws LoginException { |
|
477 |
if (subject.isReadOnly()) { |
|
478 |
cleanState(); |
|
479 |
throw new LoginException ("Subject is Readonly"); |
|
480 |
} |
|
481 |
subject.getPrincipals().remove(userPrincipal); |
|
482 |
subject.getPrincipals().remove(UIDPrincipal); |
|
483 |
subject.getPrincipals().remove(GIDPrincipal); |
|
484 |
for (int i = 0; i < supplementaryGroups.size(); i++) { |
|
485 |
subject.getPrincipals().remove(supplementaryGroups.get(i)); |
|
486 |
} |
|
487 |
||
488 |
||
489 |
// clean out state |
|
490 |
cleanState(); |
|
491 |
succeeded = false; |
|
492 |
commitSucceeded = false; |
|
493 |
||
494 |
userPrincipal = null; |
|
495 |
UIDPrincipal = null; |
|
496 |
GIDPrincipal = null; |
|
497 |
supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>(); |
|
498 |
||
499 |
if (debug) { |
|
500 |
System.out.println("\t\t[JndiLoginModule]: " + |
|
501 |
"logged out Subject"); |
|
502 |
} |
|
503 |
return true; |
|
504 |
} |
|
505 |
||
506 |
/** |
|
507 |
* Attempt authentication |
|
508 |
* |
|
509 |
* <p> |
|
510 |
* |
|
511 |
* @param getPasswdFromSharedState boolean that tells this method whether |
|
512 |
* to retrieve the password from the sharedState. |
|
513 |
*/ |
|
514 |
private void attemptAuthentication(boolean getPasswdFromSharedState) |
|
515 |
throws LoginException { |
|
516 |
||
517 |
String encryptedPassword = null; |
|
518 |
||
519 |
// first get the username and password |
|
520 |
getUsernamePassword(getPasswdFromSharedState); |
|
521 |
||
522 |
try { |
|
523 |
||
524 |
// get the user's passwd entry from the user provider URL |
|
525 |
InitialContext iCtx = new InitialContext(); |
|
526 |
ctx = (DirContext)iCtx.lookup(userProvider); |
|
527 |
||
528 |
/* |
|
529 |
SearchControls controls = new SearchControls |
|
530 |
(SearchControls.ONELEVEL_SCOPE, |
|
531 |
0, |
|
532 |
5000, |
|
533 |
new String[] { USER_PWD }, |
|
534 |
false, |
|
535 |
false); |
|
536 |
*/ |
|
537 |
||
538 |
SearchControls controls = new SearchControls(); |
|
539 |
NamingEnumeration<SearchResult> ne = ctx.search("", |
|
540 |
"(uid=" + username + ")", |
|
541 |
controls); |
|
542 |
if (ne.hasMore()) { |
|
543 |
SearchResult result = ne.next(); |
|
544 |
Attributes attributes = result.getAttributes(); |
|
545 |
||
546 |
// get the password |
|
547 |
||
548 |
// this module works only if the LDAP directory server |
|
549 |
// is configured to permit read access to the userPassword |
|
550 |
// attribute. The directory administrator need to grant |
|
551 |
// this access. |
|
552 |
// |
|
553 |
// A workaround would be to make the server do authentication |
|
554 |
// by setting the Context.SECURITY_PRINCIPAL |
|
555 |
// and Context.SECURITY_CREDENTIALS property. |
|
556 |
// However, this would make it not work with systems that |
|
557 |
// don't do authentication at the server (like NIS). |
|
558 |
// |
|
559 |
// Setting the SECURITY_* properties and using "simple" |
|
560 |
// authentication for LDAP is recommended only for secure |
|
561 |
// channels. For nonsecure channels, SSL is recommended. |
|
562 |
||
563 |
Attribute pwd = attributes.get(USER_PWD); |
|
564 |
String encryptedPwd = new String((byte[])pwd.get(), "UTF8"); |
|
565 |
encryptedPassword = encryptedPwd.substring(CRYPT.length()); |
|
566 |
||
567 |
// check the password |
|
568 |
if (verifyPassword |
|
569 |
(encryptedPassword, new String(password)) == true) { |
|
570 |
||
571 |
// authentication succeeded |
|
572 |
if (debug) |
|
573 |
System.out.println("\t\t[JndiLoginModule] " + |
|
574 |
"attemptAuthentication() succeeded"); |
|
575 |
||
576 |
} else { |
|
577 |
// authentication failed |
|
578 |
if (debug) |
|
579 |
System.out.println("\t\t[JndiLoginModule] " + |
|
580 |
"attemptAuthentication() failed"); |
|
581 |
throw new FailedLoginException("Login incorrect"); |
|
582 |
} |
|
583 |
||
584 |
// save input as shared state only if |
|
585 |
// authentication succeeded |
|
586 |
if (storePass && |
|
587 |
!sharedState.containsKey(NAME) && |
|
588 |
!sharedState.containsKey(PWD)) { |
|
589 |
sharedState.put(NAME, username); |
|
590 |
sharedState.put(PWD, password); |
|
591 |
} |
|
592 |
||
593 |
// create the user principal |
|
594 |
userPrincipal = new UnixPrincipal(username); |
|
595 |
||
596 |
// get the UID |
|
597 |
Attribute uid = attributes.get(USER_UID); |
|
598 |
String uidNumber = (String)uid.get(); |
|
599 |
UIDPrincipal = new UnixNumericUserPrincipal(uidNumber); |
|
600 |
if (debug && uidNumber != null) { |
|
601 |
System.out.println("\t\t[JndiLoginModule] " + |
|
602 |
"user: '" + username + "' has UID: " + |
|
603 |
uidNumber); |
|
604 |
} |
|
605 |
||
606 |
// get the GID |
|
607 |
Attribute gid = attributes.get(USER_GID); |
|
608 |
String gidNumber = (String)gid.get(); |
|
609 |
GIDPrincipal = new UnixNumericGroupPrincipal |
|
610 |
(gidNumber, true); |
|
611 |
if (debug && gidNumber != null) { |
|
612 |
System.out.println("\t\t[JndiLoginModule] " + |
|
613 |
"user: '" + username + "' has GID: " + |
|
614 |
gidNumber); |
|
615 |
} |
|
616 |
||
617 |
// get the supplementary groups from the group provider URL |
|
618 |
ctx = (DirContext)iCtx.lookup(groupProvider); |
|
619 |
ne = ctx.search("", new BasicAttributes("memberUid", username)); |
|
620 |
||
621 |
while (ne.hasMore()) { |
|
622 |
result = ne.next(); |
|
623 |
attributes = result.getAttributes(); |
|
624 |
||
625 |
gid = attributes.get(GROUP_ID); |
|
626 |
String suppGid = (String)gid.get(); |
|
627 |
if (!gidNumber.equals(suppGid)) { |
|
628 |
UnixNumericGroupPrincipal suppPrincipal = |
|
629 |
new UnixNumericGroupPrincipal(suppGid, false); |
|
630 |
supplementaryGroups.add(suppPrincipal); |
|
631 |
if (debug && suppGid != null) { |
|
632 |
System.out.println("\t\t[JndiLoginModule] " + |
|
633 |
"user: '" + username + |
|
634 |
"' has Supplementary Group: " + |
|
635 |
suppGid); |
|
636 |
} |
|
637 |
} |
|
638 |
} |
|
639 |
||
640 |
} else { |
|
641 |
// bad username |
|
642 |
if (debug) { |
|
643 |
System.out.println("\t\t[JndiLoginModule]: User not found"); |
|
644 |
} |
|
645 |
throw new FailedLoginException("User not found"); |
|
646 |
} |
|
647 |
} catch (NamingException ne) { |
|
648 |
// bad username |
|
649 |
if (debug) { |
|
650 |
System.out.println("\t\t[JndiLoginModule]: User not found"); |
|
651 |
ne.printStackTrace(); |
|
652 |
} |
|
653 |
throw new FailedLoginException("User not found"); |
|
654 |
} catch (java.io.UnsupportedEncodingException uee) { |
|
655 |
// password stored in incorrect format |
|
656 |
if (debug) { |
|
657 |
System.out.println("\t\t[JndiLoginModule]: " + |
|
658 |
"password incorrectly encoded"); |
|
659 |
uee.printStackTrace(); |
|
660 |
} |
|
661 |
throw new LoginException("Login failure due to incorrect " + |
|
662 |
"password encoding in the password database"); |
|
663 |
} |
|
664 |
||
665 |
// authentication succeeded |
|
666 |
} |
|
667 |
||
668 |
/** |
|
669 |
* Get the username and password. |
|
670 |
* This method does not return any value. |
|
671 |
* Instead, it sets global name and password variables. |
|
672 |
* |
|
673 |
* <p> Also note that this method will set the username and password |
|
674 |
* values in the shared state in case subsequent LoginModules |
|
675 |
* want to use them via use/tryFirstPass. |
|
676 |
* |
|
677 |
* <p> |
|
678 |
* |
|
679 |
* @param getPasswdFromSharedState boolean that tells this method whether |
|
680 |
* to retrieve the password from the sharedState. |
|
681 |
*/ |
|
682 |
private void getUsernamePassword(boolean getPasswdFromSharedState) |
|
683 |
throws LoginException { |
|
684 |
||
685 |
if (getPasswdFromSharedState) { |
|
686 |
// use the password saved by the first module in the stack |
|
687 |
username = (String)sharedState.get(NAME); |
|
688 |
password = (char[])sharedState.get(PWD); |
|
689 |
return; |
|
690 |
} |
|
691 |
||
692 |
// prompt for a username and password |
|
693 |
if (callbackHandler == null) |
|
694 |
throw new LoginException("Error: no CallbackHandler available " + |
|
695 |
"to garner authentication information from the user"); |
|
696 |
||
24685
215fa91e1b4c
8044461: Cleanup new Boolean and single character strings
rriggs
parents:
23010
diff
changeset
|
697 |
String protocol = userProvider.substring(0, userProvider.indexOf(':')); |
2 | 698 |
|
699 |
Callback[] callbacks = new Callback[2]; |
|
700 |
callbacks[0] = new NameCallback(protocol + " " |
|
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
701 |
+ rb.getString("username.")); |
2 | 702 |
callbacks[1] = new PasswordCallback(protocol + " " + |
7179
4afb81e50183
6987827: security/util/Resources.java needs improvement
weijun
parents:
5506
diff
changeset
|
703 |
rb.getString("password."), |
2 | 704 |
false); |
705 |
||
706 |
try { |
|
707 |
callbackHandler.handle(callbacks); |
|
708 |
username = ((NameCallback)callbacks[0]).getName(); |
|
709 |
char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword(); |
|
710 |
password = new char[tmpPassword.length]; |
|
711 |
System.arraycopy(tmpPassword, 0, |
|
712 |
password, 0, tmpPassword.length); |
|
713 |
((PasswordCallback)callbacks[1]).clearPassword(); |
|
714 |
||
715 |
} catch (java.io.IOException ioe) { |
|
716 |
throw new LoginException(ioe.toString()); |
|
717 |
} catch (UnsupportedCallbackException uce) { |
|
718 |
throw new LoginException("Error: " + uce.getCallback().toString() + |
|
719 |
" not available to garner authentication information " + |
|
720 |
"from the user"); |
|
721 |
} |
|
722 |
||
723 |
// print debugging information |
|
724 |
if (strongDebug) { |
|
725 |
System.out.println("\t\t[JndiLoginModule] " + |
|
726 |
"user entered username: " + |
|
727 |
username); |
|
728 |
System.out.print("\t\t[JndiLoginModule] " + |
|
729 |
"user entered password: "); |
|
730 |
for (int i = 0; i < password.length; i++) |
|
731 |
System.out.print(password[i]); |
|
732 |
System.out.println(); |
|
733 |
} |
|
734 |
} |
|
735 |
||
736 |
/** |
|
737 |
* Verify a password against the encrypted passwd from /etc/shadow |
|
738 |
*/ |
|
739 |
private boolean verifyPassword(String encryptedPassword, String password) { |
|
740 |
||
741 |
if (encryptedPassword == null) |
|
742 |
return false; |
|
743 |
||
744 |
Crypt c = new Crypt(); |
|
745 |
try { |
|
746 |
byte oldCrypt[] = encryptedPassword.getBytes("UTF8"); |
|
747 |
byte newCrypt[] = c.crypt(password.getBytes("UTF8"), |
|
748 |
oldCrypt); |
|
749 |
if (newCrypt.length != oldCrypt.length) |
|
750 |
return false; |
|
751 |
for (int i = 0; i < newCrypt.length; i++) { |
|
752 |
if (oldCrypt[i] != newCrypt[i]) |
|
753 |
return false; |
|
754 |
} |
|
755 |
} catch (java.io.UnsupportedEncodingException uee) { |
|
756 |
// cannot happen, but return false just to be safe |
|
757 |
return false; |
|
758 |
} |
|
759 |
return true; |
|
760 |
} |
|
761 |
||
762 |
/** |
|
763 |
* Clean out state because of a failed authentication attempt |
|
764 |
*/ |
|
765 |
private void cleanState() { |
|
766 |
username = null; |
|
767 |
if (password != null) { |
|
768 |
for (int i = 0; i < password.length; i++) |
|
769 |
password[i] = ' '; |
|
770 |
password = null; |
|
771 |
} |
|
772 |
ctx = null; |
|
773 |
||
774 |
if (clearPass) { |
|
775 |
sharedState.remove(NAME); |
|
776 |
sharedState.remove(PWD); |
|
777 |
} |
|
778 |
} |
|
779 |
} |