jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java
author chegar
Sun, 17 Aug 2014 15:54:13 +0100
changeset 25859 3317bb8137f4
parent 24685 jdk/src/share/classes/com/sun/security/auth/module/JndiLoginModule.java@215fa91e1b4c
child 30044 bab15bbe2ca3
permissions -rw-r--r--
8054834: Modular Source Code Reviewed-by: alanb, chegar, ihse, mduigou Contributed-by: alan.bateman@oracle.com, alex.buckley@oracle.com, chris.hegarty@oracle.com, erik.joelsson@oracle.com, jonathan.gibbons@oracle.com, karen.kinnear@oracle.com, magnus.ihse.bursie@oracle.com, mandy.chung@oracle.com, mark.reinhold@oracle.com, paul.sandoz@oracle.com
/*
 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package com.sun.security.auth.module;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.LinkedList;
import java.util.ResourceBundle;
import com.sun.security.auth.UnixPrincipal;
import com.sun.security.auth.UnixNumericUserPrincipal;
import com.sun.security.auth.UnixNumericGroupPrincipal;
/**
 * <p> The module prompts for a username and password
 * and then verifies the password against the password stored in
 * a directory service configured under JNDI.
 *
 * <p> This <code>LoginModule</code> interoperates with
 * any conformant JNDI service provider.  To direct this
 * <code>LoginModule</code> to use a specific JNDI service provider,
 * two options must be specified in the login <code>Configuration</code>
 * for this <code>LoginModule</code>.
 * <pre>
 *      user.provider.url=<b>name_service_url</b>
 *      group.provider.url=<b>name_service_url</b>
 * </pre>
 *
 * <b>name_service_url</b> specifies
 * the directory service and path where this <code>LoginModule</code>
 * can access the relevant user and group information.  Because this
 * <code>LoginModule</code> only performs one-level searches to
 * find the relevant user information, the <code>URL</code>
 * must point to a directory one level above where the user and group
 * information is stored in the directory service.
 * For example, to instruct this <code>LoginModule</code>
 * to contact a NIS server, the following URLs must be specified:
 * <pre>
 *    user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user"
 *    group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group"
 * </pre>
 *
 * <b>NISServerHostName</b> specifies the server host name of the
 * NIS server (for example, <i>nis.sun.com</i>), and <b>NISDomain</b>
 * specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>).
 * To contact an LDAP server, the following URLs must be specified:
 * <pre>
 *    user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
 *    group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
 * </pre>
 *
 * <b>LDAPServerHostName</b> specifies the server host name of the
 * LDAP server, which may include a port number
 * (for example, <i>ldap.sun.com:389</i>),
 * and <b>LDAPName</b> specifies the entry name in the LDAP directory
 * (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i>
 * for user and group information, respectively).
 *
 * <p> The format in which the user's information must be stored in
 * the directory service is specified in RFC 2307.  Specifically,
 * this <code>LoginModule</code> will search for the user's entry in the
 * directory service using the user's <i>uid</i> attribute,
 * where <i>uid=<b>username</b></i>.  If the search succeeds,
 * this <code>LoginModule</code> will then
 * obtain the user's encrypted password from the retrieved entry
 * using the <i>userPassword</i> attribute.
 * This <code>LoginModule</code> assumes that the password is stored
 * as a byte array, which when converted to a <code>String</code>,
 * has the following format:
 * <pre>
 *      "{crypt}<b>encrypted_password</b>"
 * </pre>
 *
 * The LDAP directory server must be configured
 * to permit read access to the userPassword attribute.
 * If the user entered a valid username and password,
 * this <code>LoginModule</code> associates a
 * <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>,
 * and the relevant UnixNumericGroupPrincipals with the
 * <code>Subject</code>.
 *
 * <p> This LoginModule also recognizes the following <code>Configuration</code>
 * options:
 * <pre>
 *    debug          if true, debug messages are output to System.out.
 *
 *    useFirstPass   if true, this LoginModule retrieves the
 *                   username and password from the module's shared state,
 *                   using "javax.security.auth.login.name" and
 *                   "javax.security.auth.login.password" as the respective
 *                   keys.  The retrieved values are used for authentication.
 *                   If authentication fails, no attempt for a retry is made,
 *                   and the failure is reported back to the calling
 *                   application.
 *
 *    tryFirstPass   if true, this LoginModule retrieves the
 *                   username and password from the module's shared state,
 *                   using "javax.security.auth.login.name" and
 *                   "javax.security.auth.login.password" as the respective
 *                   keys.  The retrieved values are used for authentication.
 *                   If authentication fails, the module uses the
 *                   CallbackHandler to retrieve a new username and password,
 *                   and another attempt to authenticate is made.
 *                   If the authentication fails, the failure is reported
 *                   back to the calling application.
 *
 *    storePass      if true, this LoginModule stores the username and password
 *                   obtained from the CallbackHandler in the module's
 *                   shared state, using "javax.security.auth.login.name" and
 *                   "javax.security.auth.login.password" as the respective
 *                   keys.  This is not performed if existing values already
 *                   exist for the username and password in the shared state,
 *                   or if authentication fails.
 *
 *    clearPass     if true, this <code>LoginModule</code> clears the
 *                  username and password stored in the module's shared state
 *                  after both phases of authentication (login and commit)
 *                  have completed.
 * </pre>
 *
 */
@jdk.Exported
public class JndiLoginModule implements LoginModule {
    // Localized authentication messages. The bundle lookup runs in a
    // doPrivileged block so that it succeeds even when the calling code
    // lacks the permission to read the resource (see 8009970 in the
    // file history).
    private static final ResourceBundle rb = AccessController.doPrivileged(
            new PrivilegedAction<ResourceBundle>() {
                public ResourceBundle run() {
                    return ResourceBundle.getBundle(
                            "sun.security.util.AuthResources");
                }
            }
    );

    /**
     * Names of the two mandatory login <code>Configuration</code> options
     * that select the JNDI providers for user and group lookups
     * (see the class description). Both are read in {@link #initialize};
     * <code>login()</code> fails with a <code>LoginException</code> when
     * either value is missing.
     */
    public final String USER_PROVIDER = "user.provider.url";
    public final String GROUP_PROVIDER = "group.provider.url";

    // configurable options; each boolean is true only when the option's
    // value is the (case-insensitive) string "true"
    private boolean debug = false;
    // Read from the "strongDebug" option. NOTE(review): this option is not
    // listed in the class Javadoc; confirm what additional output it
    // enables before turning it on in a deployment, since debug output
    // from a login module can expose credential material.
    private boolean strongDebug = false;
    private String userProvider;      // value of the USER_PROVIDER option
    private String groupProvider;     // value of the GROUP_PROVIDER option
    private boolean useFirstPass = false;
    private boolean tryFirstPass = false;
    private boolean storePass = false;
    private boolean clearPass = false;

    // the authentication status
    // succeeded is set once an authentication attempt in login() passes;
    // commitSucceeded presumably records the commit phase — confirm below.
    private boolean succeeded = false;
    private boolean commitSucceeded = false;

    // username, password, and JNDI context
    private String username;
    // Held as char[] rather than String, presumably so the buffer can be
    // overwritten once it is no longer needed — verify in cleanState().
    private char[] password;
    // NOTE(review): package-private; nothing on this page needs that
    // visibility, so private would be the least-privilege choice.
    DirContext ctx;

    // the user (assume it is a UnixPrincipal)
    // On a successful login these are the principals associated with the
    // Subject (see the class description).
    private UnixPrincipal userPrincipal;
    private UnixNumericUserPrincipal UIDPrincipal;
    private UnixNumericGroupPrincipal GIDPrincipal;
    private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups =
                                new LinkedList<>();

    // initial state (captured in initialize())
    private Subject subject;
    private CallbackHandler callbackHandler;
    // Declared as Map<String, Object> because this module writes into the
    // shared state when storePass is set; initialize() casts the
    // Map<String, ?> it receives.
    private Map<String, Object> sharedState;
    private Map<String, ?> options;

    // Prefix expected on the stored password value (see the class
    // description: "{crypt}encrypted_password").
    private static final String CRYPT = "{crypt}";
    // RFC 2307 attribute names read from the user and group entries.
    private static final String USER_PWD = "userPassword";
    private static final String USER_UID = "uidNumber";
    private static final String USER_GID = "gidNumber";
    private static final String GROUP_ID = "gidNumber";
    // Shared-state keys used by useFirstPass/tryFirstPass/storePass.
    private static final String NAME = "javax.security.auth.login.name";
    private static final String PWD = "javax.security.auth.login.password";
    /**
     * Initialize this <code>LoginModule</code>.
     *
     * <p>
     *
     * @param subject the <code>Subject</code> to be authenticated. <p>
     *
     * @param callbackHandler a <code>CallbackHandler</code> for communicating
     *                  with the end user (prompting for usernames and
     *                  passwords, for example). <p>
     *
     * @param sharedState shared <code>LoginModule</code> state. <p>
     *
     * @param options options specified in the login
     *                  <code>Configuration</code> for this particular
     *                  <code>LoginModule</code>.
     */
    // Unchecked warning from (Map<String, Object>)sharedState is safe
    // since javax.security.auth.login.LoginContext passes a raw HashMap.
    // Unchecked warnings from options.get(String) are safe since we are
    // passing known keys.
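    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String,?> sharedState,
                           Map<String,?> options) {

        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // The suppression is scoped to this one declaration rather than the
        // whole method, so any future unchecked operation added here is
        // still reported by the compiler. The cast itself is the only
        // unchecked operation in this method.
        @SuppressWarnings("unchecked")
        Map<String, Object> writableState = (Map<String, Object>)sharedState;
        this.sharedState = writableState;
        this.options = options;

        // initialize any configured options; a boolean option is enabled
        // only when its value is the (case-insensitive) string "true", so
        // an absent or unrecognised value leaves the feature off
        debug = isOptionTrue("debug");
        strongDebug = isOptionTrue("strongDebug");
        userProvider = (String)options.get(USER_PROVIDER);
        groupProvider = (String)options.get(GROUP_PROVIDER);
        tryFirstPass = isOptionTrue("tryFirstPass");
        useFirstPass = isOptionTrue("useFirstPass");
        storePass = isOptionTrue("storePass");
        clearPass = isOptionTrue("clearPass");
    }

    /**
     * Returns whether the named login <code>Configuration</code> option
     * is set to <code>"true"</code>, ignoring case.
     *
     * @param key the option name to look up in the module's options
     * @return <code>true</code> only if the option is present and equals
     *         <code>"true"</code> ignoring case; <code>false</code> when
     *         it is absent
     * @throws ClassCastException if the option's value is not a String
     *         (unchanged from the previous inline checks)
     */
    private boolean isOptionTrue(String key) {
        return "true".equalsIgnoreCase((String)options.get(key));
    }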
    /**
     * <p> Prompt for username and password.
     * Verify the password against the relevant name service.
     *
     * <p>
     *
     * @return true always, since this <code>LoginModule</code>
     *          should not be ignored.
     *
     * @exception FailedLoginException if the authentication fails. <p>
     *
     * @exception LoginException if this <code>LoginModule</code>
     *          is unable to perform the authentication.
     */
    public boolean login() throws LoginException {
        if (userProvider == null) {
            throw new LoginException
                ("Error: Unable to locate JNDI user provider");
        }
        if (groupProvider == null) {
            throw new LoginException
                ("Error: Unable to locate JNDI group provider");
        }
        if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   283
            System.out.println("\t\t[JndiLoginModule] user provider: " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   284
                                userProvider);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   285
            System.out.println("\t\t[JndiLoginModule] group provider: " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   286
                                groupProvider);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   287
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   288
90ce3da70b43 Initial load
duke
parents:
diff changeset
   289
        // attempt the authentication
90ce3da70b43 Initial load
duke
parents:
diff changeset
   290
        if (tryFirstPass) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   291
90ce3da70b43 Initial load
duke
parents:
diff changeset
   292
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   293
                // attempt the authentication by getting the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   294
                // username and password from shared state
90ce3da70b43 Initial load
duke
parents:
diff changeset
   295
                attemptAuthentication(true);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   296
90ce3da70b43 Initial load
duke
parents:
diff changeset
   297
                // authentication succeeded
90ce3da70b43 Initial load
duke
parents:
diff changeset
   298
                succeeded = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   299
                if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   300
                    System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   301
                                "tryFirstPass succeeded");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   302
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   303
                return true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   304
            } catch (LoginException le) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   305
                // authentication failed -- try again below by prompting
90ce3da70b43 Initial load
duke
parents:
diff changeset
   306
                cleanState();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   307
                if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   308
                    System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   309
                                "tryFirstPass failed with:" +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   310
                                le.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   311
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   312
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   313
90ce3da70b43 Initial load
duke
parents:
diff changeset
   314
        } else if (useFirstPass) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   315
90ce3da70b43 Initial load
duke
parents:
diff changeset
   316
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   317
                // attempt the authentication by getting the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   318
                // username and password from shared state
90ce3da70b43 Initial load
duke
parents:
diff changeset
   319
                attemptAuthentication(true);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   320
90ce3da70b43 Initial load
duke
parents:
diff changeset
   321
                // authentication succeeded
90ce3da70b43 Initial load
duke
parents:
diff changeset
   322
                succeeded = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   323
                if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   324
                    System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   325
                                "useFirstPass succeeded");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   326
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   327
                return true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   328
            } catch (LoginException le) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   329
                // authentication failed
90ce3da70b43 Initial load
duke
parents:
diff changeset
   330
                cleanState();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   331
                if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   332
                    System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   333
                                "useFirstPass failed");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   334
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   335
                throw le;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   336
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   337
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   338
90ce3da70b43 Initial load
duke
parents:
diff changeset
   339
        // attempt the authentication by prompting for the username and pwd
90ce3da70b43 Initial load
duke
parents:
diff changeset
   340
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   341
            attemptAuthentication(false);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   342
90ce3da70b43 Initial load
duke
parents:
diff changeset
   343
            // authentication succeeded
90ce3da70b43 Initial load
duke
parents:
diff changeset
   344
           succeeded = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   345
            if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   346
                System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   347
                                "regular authentication succeeded");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   348
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   349
            return true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   350
        } catch (LoginException le) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   351
            cleanState();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   352
            if (debug) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   353
                System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   354
                                "regular authentication failed");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   355
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   356
            throw le;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   357
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   358
    }
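    /**
     * Commit the authentication process (phase 2).
     *
     * <p> This method is called if the LoginContext's
     * overall authentication succeeded
     * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
     * succeeded).
     *
     * <p> If this LoginModule's own authentication attempt
     * succeeded (checked by retrieving the private state saved by the
     * <code>login</code> method), then this method associates a
     * <code>UnixPrincipal</code>, a <code>UnixNumericUserPrincipal</code>
     * and one <code>UnixNumericGroupPrincipal</code> per primary and
     * supplementary group with the <code>Subject</code> located in the
     * <code>LoginModule</code>, and then clears the collected credentials.
     * If this LoginModule's own authentication attempt failed, this method
     * returns false; the <code>login</code> method already cleared the
     * collected credentials in that case.
     *
     * @exception LoginException if the commit fails, in particular if the
     *          <code>Subject</code> is read-only.
     *
     * @return true if this LoginModule's own login and commit
     *          attempts succeeded, or false otherwise.
     */
    public boolean commit() throws LoginException {

        if (!succeeded) {
            return false;
        }

        // A read-only Subject cannot take new Principals; drop the collected
        // credentials before reporting the failure.
        if (subject.isReadOnly()) {
            cleanState();
            throw new LoginException ("Subject is Readonly");
        }

        // add Principals to the Subject
        if (!subject.getPrincipals().contains(userPrincipal)) {
            subject.getPrincipals().add(userPrincipal);
        }
        if (!subject.getPrincipals().contains(UIDPrincipal)) {
            subject.getPrincipals().add(UIDPrincipal);
        }
        if (!subject.getPrincipals().contains(GIDPrincipal)) {
            subject.getPrincipals().add(GIDPrincipal);
        }
        // Iterate instead of indexing: supplementaryGroups is assigned a
        // LinkedList, for which get(i) inside a loop is quadratic.
        for (UnixNumericGroupPrincipal group : supplementaryGroups) {
            if (!subject.getPrincipals().contains(group)) {
                subject.getPrincipals().add(group);
            }
        }

        if (debug) {
            System.out.println("\t\t[JndiLoginModule]: " +
                               "added UnixPrincipal,");
            System.out.println("\t\t\t\tUnixNumericUserPrincipal,");
            System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),");
            System.out.println("\t\t\t to Subject");
        }

        // the credentials are no longer needed once the Principals are in place
        cleanState();
        commitSucceeded = true;
        return true;
    }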
    /**
     * Abort the authentication process (phase 2).
     *
     * <p> This method is called if the LoginContext's
     * overall authentication failed
     * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
     * did not succeed).
     *
     * <p> If this LoginModule's own authentication attempt
     * succeeded (checked by retrieving the private state saved by the
     * <code>login</code> and <code>commit</code> methods),
     * then this method cleans up any state that was originally saved.
     * If this module's own <code>commit</code> had already added Principals
     * to the <code>Subject</code>, they are removed again via
     * <code>logout</code>.
     *
     * @exception LoginException if the abort fails.
     *
     * @return false if this LoginModule's own login attempt failed,
     *          and true otherwise.
     */
    public boolean abort() throws LoginException {
        // logged before any state is inspected
        if (debug)
            System.out.println("\t\t[JndiLoginModule]: " +
                "aborted authentication failed");

        if (!succeeded) {
            // login never kept any state, so there is nothing to undo
            return false;
        }

        if (commitSucceeded) {
            // our login and commit both succeeded, so the Principals are
            // already on the Subject and someone else's commit failed;
            // logout() removes them and resets the flags
            logout();
            return true;
        }

        // login succeeded but commit did not: discard everything collected
        succeeded = false;
        cleanState();
        userPrincipal = null;
        UIDPrincipal = null;
        GIDPrincipal = null;
        supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>();
        return true;
    }
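    /**
     * Logout a user.
     *
     * <p> This method removes the Principals
     * that were added by the <code>commit</code> method
     * (the <code>UnixPrincipal</code>, the
     * <code>UnixNumericUserPrincipal</code> and every
     * <code>UnixNumericGroupPrincipal</code>), clears the collected
     * credentials and resets the login/commit state of this module.
     *
     * @exception LoginException if the logout fails, in particular if the
     *          <code>Subject</code> is read-only.
     *
     * @return true in all cases since this <code>LoginModule</code>
     *          should not be ignored.
     */
    public boolean logout() throws LoginException {
        if (subject.isReadOnly()) {
            // Principals cannot be removed from a read-only Subject; still
            // discard the collected credentials before failing.
            cleanState();
            throw new LoginException ("Subject is Readonly");
        }
        subject.getPrincipals().remove(userPrincipal);
        subject.getPrincipals().remove(UIDPrincipal);
        subject.getPrincipals().remove(GIDPrincipal);
        // Iterate instead of indexing: supplementaryGroups is assigned a
        // LinkedList, for which get(i) inside a loop is quadratic.
        for (UnixNumericGroupPrincipal group : supplementaryGroups) {
            subject.getPrincipals().remove(group);
        }

        // clean out state
        cleanState();
        succeeded = false;
        commitSucceeded = false;

        userPrincipal = null;
        UIDPrincipal = null;
        GIDPrincipal = null;
        supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>();

        if (debug) {
            System.out.println("\t\t[JndiLoginModule]: " +
                "logged out Subject");
        }
        return true;
    }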
    /**
     * Attempt authentication
     *
     * <p>
     *
     * @param getPasswdFromSharedState boolean that tells this method whether
     *          to retrieve the password from the sharedState.
     */
    private void attemptAuthentication(boolean getPasswdFromSharedState)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   515
    throws LoginException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   516
90ce3da70b43 Initial load
duke
parents:
diff changeset
   517
        String encryptedPassword = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   518
90ce3da70b43 Initial load
duke
parents:
diff changeset
   519
        // first get the username and password
90ce3da70b43 Initial load
duke
parents:
diff changeset
   520
        getUsernamePassword(getPasswdFromSharedState);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   521
90ce3da70b43 Initial load
duke
parents:
diff changeset
   522
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   523
90ce3da70b43 Initial load
duke
parents:
diff changeset
   524
            // get the user's passwd entry from the user provider URL
90ce3da70b43 Initial load
duke
parents:
diff changeset
   525
            InitialContext iCtx = new InitialContext();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   526
            ctx = (DirContext)iCtx.lookup(userProvider);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   527
90ce3da70b43 Initial load
duke
parents:
diff changeset
   528
            /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   529
            SearchControls controls = new SearchControls
90ce3da70b43 Initial load
duke
parents:
diff changeset
   530
                                        (SearchControls.ONELEVEL_SCOPE,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   531
                                        0,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   532
                                        5000,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   533
                                        new String[] { USER_PWD },
90ce3da70b43 Initial load
duke
parents:
diff changeset
   534
                                        false,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   535
                                        false);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   536
            */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   537
90ce3da70b43 Initial load
duke
parents:
diff changeset
   538
            SearchControls controls = new SearchControls();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   539
            NamingEnumeration<SearchResult> ne = ctx.search("",
90ce3da70b43 Initial load
duke
parents:
diff changeset
   540
                                        "(uid=" + username + ")",
90ce3da70b43 Initial load
duke
parents:
diff changeset
   541
                                        controls);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   542
            if (ne.hasMore()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   543
                SearchResult result = ne.next();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   544
                Attributes attributes = result.getAttributes();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   545
90ce3da70b43 Initial load
duke
parents:
diff changeset
   546
                // get the password
90ce3da70b43 Initial load
duke
parents:
diff changeset
   547
90ce3da70b43 Initial load
duke
parents:
diff changeset
   548
                // this module works only if the LDAP directory server
90ce3da70b43 Initial load
duke
parents:
diff changeset
   549
                // is configured to permit read access to the userPassword
90ce3da70b43 Initial load
duke
parents:
diff changeset
   550
                // attribute. The directory administrator need to grant
90ce3da70b43 Initial load
duke
parents:
diff changeset
   551
                // this access.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   552
                //
90ce3da70b43 Initial load
duke
parents:
diff changeset
   553
                // A workaround would be to make the server do authentication
90ce3da70b43 Initial load
duke
parents:
diff changeset
   554
                // by setting the Context.SECURITY_PRINCIPAL
90ce3da70b43 Initial load
duke
parents:
diff changeset
   555
                // and Context.SECURITY_CREDENTIALS property.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   556
                // However, this would make it not work with systems that
90ce3da70b43 Initial load
duke
parents:
diff changeset
   557
                // don't do authentication at the server (like NIS).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   558
                //
90ce3da70b43 Initial load
duke
parents:
diff changeset
   559
                // Setting the SECURITY_* properties and using "simple"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   560
                // authentication for LDAP is recommended only for secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
   561
                // channels. For nonsecure channels, SSL is recommended.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   562
90ce3da70b43 Initial load
duke
parents:
diff changeset
   563
                Attribute pwd = attributes.get(USER_PWD);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   564
                String encryptedPwd = new String((byte[])pwd.get(), "UTF8");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   565
                encryptedPassword = encryptedPwd.substring(CRYPT.length());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   566
90ce3da70b43 Initial load
duke
parents:
diff changeset
   567
                // check the password
90ce3da70b43 Initial load
duke
parents:
diff changeset
   568
                if (verifyPassword
90ce3da70b43 Initial load
duke
parents:
diff changeset
   569
                    (encryptedPassword, new String(password)) == true) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   570
90ce3da70b43 Initial load
duke
parents:
diff changeset
   571
                    // authentication succeeded
90ce3da70b43 Initial load
duke
parents:
diff changeset
   572
                    if (debug)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   573
                        System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   574
                                "attemptAuthentication() succeeded");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   575
90ce3da70b43 Initial load
duke
parents:
diff changeset
   576
                } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   577
                    // authentication failed
90ce3da70b43 Initial load
duke
parents:
diff changeset
   578
                    if (debug)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   579
                        System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   580
                                "attemptAuthentication() failed");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   581
                    throw new FailedLoginException("Login incorrect");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   582
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   583
90ce3da70b43 Initial load
duke
parents:
diff changeset
   584
                // save input as shared state only if
90ce3da70b43 Initial load
duke
parents:
diff changeset
   585
                // authentication succeeded
90ce3da70b43 Initial load
duke
parents:
diff changeset
   586
                if (storePass &&
90ce3da70b43 Initial load
duke
parents:
diff changeset
   587
                    !sharedState.containsKey(NAME) &&
90ce3da70b43 Initial load
duke
parents:
diff changeset
   588
                    !sharedState.containsKey(PWD)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   589
                    sharedState.put(NAME, username);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   590
                    sharedState.put(PWD, password);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   591
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   592
90ce3da70b43 Initial load
duke
parents:
diff changeset
   593
                // create the user principal
90ce3da70b43 Initial load
duke
parents:
diff changeset
   594
                userPrincipal = new UnixPrincipal(username);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   595
90ce3da70b43 Initial load
duke
parents:
diff changeset
   596
                // get the UID
90ce3da70b43 Initial load
duke
parents:
diff changeset
   597
                Attribute uid = attributes.get(USER_UID);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   598
                String uidNumber = (String)uid.get();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   599
                UIDPrincipal = new UnixNumericUserPrincipal(uidNumber);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   600
                if (debug && uidNumber != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   601
                    System.out.println("\t\t[JndiLoginModule] " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   602
                                "user: '" + username + "' has UID: " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   603
                                uidNumber);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   604
                }
                // get the GID
                Attribute gid = attributes.get(USER_GID);
                String gidNumber = (String)gid.get();
                GIDPrincipal = new UnixNumericGroupPrincipal
                                (gidNumber, true);
                if (debug && gidNumber != null) {
                    System.out.println("\t\t[JndiLoginModule] " +
                                "user: '" + username + "' has GID: " +
                                gidNumber);
                }
                // get the supplementary groups from the group provider URL
                ctx = (DirContext)iCtx.lookup(groupProvider);
                ne = ctx.search("", new BasicAttributes("memberUid", username));
                while (ne.hasMore()) {
                    result = ne.next();
                    attributes = result.getAttributes();
                    gid = attributes.get(GROUP_ID);
                    String suppGid = (String)gid.get();
                    if (!gidNumber.equals(suppGid)) {
                        UnixNumericGroupPrincipal suppPrincipal =
                            new UnixNumericGroupPrincipal(suppGid, false);
                        supplementaryGroups.add(suppPrincipal);
                        if (debug && suppGid != null) {
                            System.out.println("\t\t[JndiLoginModule] " +
                                "user: '" + username +
                                "' has Supplementary Group: " +
                                suppGid);
                        }
                    }
                }
            } else {
                // bad username
                if (debug) {
                    System.out.println("\t\t[JndiLoginModule]: User not found");
                }
                throw new FailedLoginException("User not found");
            }
        } catch (NamingException ne) {
            // bad username
            if (debug) {
                System.out.println("\t\t[JndiLoginModule]:  User not found");
                ne.printStackTrace();
            }
            throw new FailedLoginException("User not found");
        } catch (java.io.UnsupportedEncodingException uee) {
            // password stored in incorrect format
            if (debug) {
                System.out.println("\t\t[JndiLoginModule]:  " +
                                "password incorrectly encoded");
                uee.printStackTrace();
            }
            throw new LoginException("Login failure due to incorrect " +
                                "password encoding in the password database");
        }
        // authentication succeeded
    }
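    /**
     * Obtains the username and password and stores them in the
     * {@code username} and {@code password} fields; nothing is returned.
     *
     * <p> When {@code getPasswdFromSharedState} is {@code true} the values
     * are read from the shared state under the {@code NAME} and {@code PWD}
     * keys (as stored there by an earlier module in the stack) and no
     * prompting takes place. Otherwise the {@code callbackHandler} is asked
     * for a name and a password via a {@code NameCallback} and a
     * {@code PasswordCallback}; a private copy of the password is kept and
     * the callback's own buffer is cleared.
     *
     * @param getPasswdFromSharedState whether to take the credentials from
     *          the sharedState instead of prompting through the
     *          {@code callbackHandler}.
     * @throws LoginException if no {@code callbackHandler} is available, if
     *          the handler fails or does not support the callbacks, or if the
     *          handler returns no password.
     */
    private void getUsernamePassword(boolean getPasswdFromSharedState)
    throws LoginException {

        if (getPasswdFromSharedState) {
            // use the password saved by the first module in the stack
            username = (String)sharedState.get(NAME);
            password = (char[])sharedState.get(PWD);
            return;
        }

        // prompt for a username and password
        if (callbackHandler == null)
            throw new LoginException("Error: no CallbackHandler available " +
                "to garner authentication information from the user");

        // the scheme of the user provider URL labels the prompts.
        // NOTE(review): assumes userProvider contains ':' (presumably checked
        // when the option is read); a value without one would throw
        // StringIndexOutOfBoundsException here.
        String protocol = userProvider.substring(0, userProvider.indexOf(':'));

        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback(protocol + " "
                                            + rb.getString("username."));
        callbacks[1] = new PasswordCallback(protocol + " " +
                                                rb.getString("password."),
                                            false);

        try {
            callbackHandler.handle(callbacks);
            username = ((NameCallback)callbacks[0]).getName();
            char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
            if (tmpPassword == null) {
                // a handler that sets no password would otherwise surface as a
                // NullPointerException; report it as an ordinary login failure
                throw new LoginException("Error: no password obtained " +
                    "from the CallbackHandler");
            }
            // keep our own copy so the callback's buffer can be wiped now
            password = tmpPassword.clone();
            ((PasswordCallback)callbacks[1]).clearPassword();

        } catch (java.io.IOException ioe) {
            // LoginException has no (message, cause) constructor; attach the
            // cause explicitly so the underlying I/O failure is not lost
            LoginException le = new LoginException(ioe.toString());
            le.initCause(ioe);
            throw le;
        } catch (UnsupportedCallbackException uce) {
            LoginException le = new LoginException("Error: " +
                        uce.getCallback().toString() +
                        " not available to garner authentication information " +
                        "from the user");
            le.initCause(uce);
            throw le;
        }

        // print debugging information.
        // strongDebug echoes the cleartext password to stdout; it exists only
        // for troubleshooting and must never be enabled in production.
        if (strongDebug) {
            System.out.println("\t\t[JndiLoginModule] " +
                                "user entered username: " +
                                username);
            System.out.print("\t\t[JndiLoginModule] " +
                                "user entered password: ");
            for (int i = 0; i < password.length; i++)
                System.out.print(password[i]);
            System.out.println();
        }
    }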
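    /**
     * Verifies a cleartext password against a crypt-style hash such as the
     * encrypted passwd field from /etc/shadow.
     *
     * <p> The candidate password is hashed with {@link Crypt}, using the
     * stored value as the salt, and the two byte strings are compared in
     * constant time so that the time taken does not reveal how many leading
     * bytes of the hash matched.
     *
     * @param encryptedPassword the stored crypt hash; {@code null} never
     *          matches
     * @param password the cleartext password to check; {@code null} never
     *          matches
     * @return {@code true} if {@code password} hashes to
     *          {@code encryptedPassword}, {@code false} otherwise
     */
    private boolean verifyPassword(String encryptedPassword, String password) {

        if (encryptedPassword == null || password == null)
            return false;

        Crypt c = new Crypt();
        // UTF-8 is always supported, so the charset constant is used instead
        // of the name lookup and its UnsupportedEncodingException
        byte[] oldCrypt =
            encryptedPassword.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] newCrypt =
            c.crypt(password.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    oldCrypt);

        // constant-time comparison: a loop that returns at the first
        // mismatching byte leaks the length of the matching prefix
        return java.security.MessageDigest.isEqual(oldCrypt, newCrypt);
    }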
    /**
     * Discards the credentials and directory context held by this module
     * after a failed authentication attempt.
     *
     * <p> The password buffer is overwritten before its reference is dropped
     * so the cleartext does not linger in memory. When {@code clearPass} is
     * set, the {@code NAME} and {@code PWD} entries that were shared with
     * other modules are removed from the shared state as well.
     */
    private void cleanState() {
        username = null;

        char[] pw = password;
        if (pw != null) {
            // wipe the cleartext before releasing the array
            java.util.Arrays.fill(pw, ' ');
            password = null;
        }

        ctx = null;

        if (clearPass) {
            sharedState.remove(NAME);
            sharedState.remove(PWD);
        }
    }
}