Package org.jboss.security.auth.callback
Class LdapCallbackHandler
- java.lang.Object
  - org.jboss.security.auth.callback.AbstractCallbackHandler
    - org.jboss.security.auth.callback.LdapCallbackHandler
- All Implemented Interfaces:
  CallbackHandler
public class LdapCallbackHandler extends AbstractCallbackHandler implements CallbackHandler
A CallbackHandler that uses LDAP to match the passed password. There are two callbacks that can be passed to this handler:
- PasswordCallback: Passing this callback will get the password for the user. The returned password will not be in clear text; it will be in the hashed form the LDAP server has stored.
- VerifyPasswordCallback: Passing this callback with a value will make the handler do an LDAP bind to verify the user password.
The main method is #setConfiguration(Map), which takes in a map of String key/value pairs. The possible pairs are:
- passwordAttributeID : the name of the attribute where the password is stored. Default: userPassword
- bindDN : DN used to bind against the LDAP server with read/write permissions for baseCtxDN.
- bindCredential : Password for the bindDN. This can be encrypted if the jaasSecurityDomain is specified.
- baseCtxDN : The fixed DN of the context to start the user search from.
- baseFilter : A search filter used to locate the context of the user to authenticate. The input username/userDN as provided by the NameCallback will be substituted into the filter anywhere a "{0}" expression is seen. This substitution behavior comes from the standard.
- searchTimeLimit : The timeout in milliseconds for the user/role searches. Defaults to 10000 (10 seconds).
- jaasSecurityDomain : The JMX ObjectName of the JaasSecurityDomain to use to decrypt the java.naming.security.principal. The encrypted form of the password is that returned by the JaasSecurityDomain#encrypt64(byte[]) method. The org.jboss.security.plugins.PBEUtils can also be used to generate the encrypted form.
- distinguishedNameAttribute : Used in LDAP servers such as Active Directory where the LDAP provider has a property (distinguishedName) to return the relative CN of the user. Default: distinguishedName
Example Usages:

  import java.util.HashMap;
  import java.util.Map;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.NameCallback;
  import static org.junit.Assert.assertTrue;

  LdapCallbackHandler cbh = new LdapCallbackHandler();
  // Connection and search settings passed through setConfiguration
  Map<String, String> map = new HashMap<String, String>();
  map.put("bindDN", "cn=Directory Manager");
  map.put("bindCredential", "password");
  map.put("baseFilter", "(uid={0})");
  map.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
  map.put("java.naming.provider.url", "ldap://localhost:10389");
  map.put("baseCtxDN", "ou=People,dc=jboss,dc=org");
  cbh.setConfiguration(map);

  // The NameCallback value is substituted for {0} in baseFilter;
  // the VerifyPasswordCallback value is checked with an LDAP bind
  NameCallback ncb = new NameCallback("Enter");
  ncb.setName("jduke");
  VerifyPasswordCallback vpc = new VerifyPasswordCallback();
  vpc.setValue("theduke");
  cbh.handle(new Callback[] {ncb, vpc});
  assertTrue(vpc.isVerified());

- Since:
  Nov 1, 2011
- Author:
  Anil Saldhana
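An added example, not the project's own code, building on the usage above: since the NameCallback value is substituted into baseFilter wherever "{0}" appears, a caller that takes the user name from an untrusted source can escape LDAP filter metacharacters (RFC 4515) before setting it, so the name is matched literally rather than changing the filter's structure. It assumes the name is a plain uid that the handler uses only in the filter, that the handler does not already escape the value (the page does not say), and the same test directory as the usage above; escapeFilterValue and verify are hypothetical helpers.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import org.jboss.security.auth.callback.LdapCallbackHandler;
import org.jboss.security.auth.callback.VerifyPasswordCallback;

public class EscapedLdapLogin {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
    // '*', '(', ')', '\' and NUL become a backslash followed by two hex digits.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char ch : value.toCharArray()) {
            switch (ch) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // Returns true when the LDAP bind with the supplied password succeeds.
    // A plain name such as "jduke" is unchanged by the escaping (assumption:
    // the handler itself does not escape the NameCallback value).
    static boolean verify(String username, String password) throws Exception {
        LdapCallbackHandler cbh = new LdapCallbackHandler();
        Map<String, String> map = new HashMap<>();
        map.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        map.put("java.naming.provider.url", "ldap://localhost:10389"); // assumed test server
        map.put("bindDN", "cn=Directory Manager");
        map.put("bindCredential", "password");
        map.put("baseCtxDN", "ou=People,dc=jboss,dc=org");
        map.put("baseFilter", "(uid={0})");     // {0} receives the NameCallback value
        map.put("searchTimeLimit", "5000");     // milliseconds, per the option list
        cbh.setConfiguration(map);

        NameCallback ncb = new NameCallback("Enter");
        ncb.setName(escapeFilterValue(username)); // matched literally in the filter
        VerifyPasswordCallback vpc = new VerifyPasswordCallback();
        vpc.setValue(password);
        cbh.handle(new Callback[] {ncb, vpc});
        return vpc.isVerified();
    }
}
```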
Field Summary
Fields
Modifier and Type             Field                         Description
protected String              bindCredential
protected String              bindDN
protected String              distinguishedNameAttribute
protected boolean             isPasswordValidated
protected Map<String,String>  options
protected String              passwordAttributeID
protected int                 searchTimeLimit
Fields inherited from class org.jboss.security.auth.callback.AbstractCallbackHandler
userName
Constructor Summary
Constructors
Constructor              Description
LdapCallbackHandler()
Method Summary
All Methods | Instance Methods | Concrete Methods
Modifier and Type   Method                                                                                          Description
protected String    bindDNAuthentication(InitialLdapContext ctx, String user, Object credential, String baseDN, String filter)
protected String    getBindCredential()
protected String    getBindDN()
void                handle(Callback[] callbacks)
protected void      handleCallBack(Callback c)                                                                      Handle a Callback
protected void      safeClose(InitialLdapContext ic)
protected void      safeClose(NamingEnumeration results)
void                setConfiguration(Map<String,String> config)
protected void      setPasswordCallbackValue(Object thePass, PasswordCallback passwdCallback)
protected void      verifyPassword(VerifyPasswordCallback vpc)
Methods inherited from class org.jboss.security.auth.callback.AbstractCallbackHandler
getUserName
Field Detail

bindDN
protected String bindDN

bindCredential
protected String bindCredential

passwordAttributeID
protected String passwordAttributeID

searchTimeLimit
protected int searchTimeLimit

distinguishedNameAttribute
protected String distinguishedNameAttribute

isPasswordValidated
protected boolean isPasswordValidated
Method Detail

handle
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
- Specified by:
  handle in interface CallbackHandler
- Throws:
  IOException
  UnsupportedCallbackException

handleCallBack
protected void handleCallBack(Callback c) throws UnsupportedCallbackException, NamingException
Handle a Callback
- Parameters:
  c - callback
- Throws:
  UnsupportedCallbackException - If the callback is not supported by this handler
  NamingException

verifyPassword
protected void verifyPassword(VerifyPasswordCallback vpc) throws NamingException
- Throws:
  NamingException

getBindDN
protected String getBindDN()

getBindCredential
protected String getBindCredential()

setPasswordCallbackValue
protected void setPasswordCallbackValue(Object thePass, PasswordCallback passwdCallback)

bindDNAuthentication
protected String bindDNAuthentication(InitialLdapContext ctx, String user, Object credential, String baseDN, String filter) throws NamingException
- Parameters:
  ctx - the context to search from
  user - the input username
  credential - the bind credential
  baseDN - base DN to search the ctx from
  filter - the search filter string
- Returns:
  the userDN string for the successful authentication
- Throws:
  NamingException

safeClose
protected void safeClose(NamingEnumeration results)

safeClose
protected void safeClose(InitialLdapContext ic)