Package org.jboss.security.auth.spi
Class LdapUsersLoginModule
- java.lang.Object
- org.jboss.security.auth.spi.AbstractServerLoginModule
- org.jboss.security.auth.spi.UsernamePasswordLoginModule
- org.jboss.security.auth.spi.LdapUsersLoginModule

All Implemented Interfaces: LoginModule

public class LdapUsersLoginModule extends UsernamePasswordLoginModule

A login module to authenticate users using an LDAP server.
- Author: Marcus Moyses, Andy Oliver, Scott.Stark@jboss.org

Field Summary
Fields (Modifier and Type, Field):
- protected boolean allowEmptyPasswords
- protected String baseDN
- protected String baseFilter
- protected String bindCredential
- protected String bindDN
- protected String distinguishedNameAttribute
- protected boolean parseUsername
- protected int searchScope
- protected int searchTimeLimit
- protected String usernameBeginString
- protected String usernameEndString

Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule:
callbackHandler, jbossModuleName, log, loginOk, options, principalClassModuleName, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass

Constructor Summary
Constructors:
- LdapUsersLoginModule()

Method Summary
Methods (Modifier and Type, Method, Description):
- protected String bindDNAuthentication(InitialLdapContext ctx, String user, Object credential, String baseDN, String filter)
- protected Group[] getRoleSets(): Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user.
- protected String getUsername()
- protected String getUsersPassword(): Get the expected password for the current username available via the getUsername() method.
- void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options): Override the superclass method to look for the following options after first invoking the super version.
- protected boolean validatePassword(String inputPassword, String expectedPassword): A hook that allows subclasses to change the validation of the input password against the expected password.

Methods inherited from class org.jboss.security.auth.spi.UsernamePasswordLoginModule:
createPasswordHash, getCredentials, getIdentity, getUnauthenticatedIdentity, getUsernameAndPassword, getValidateError, login, safeClose, setValidateError

Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule:
abort, addValidOptions, checkOptions, commit, createGroup, createIdentity, getCallerPrincipalGroup, getUseFirstPass, logout

Field Detail

bindDN
protected String bindDN

bindCredential
protected String bindCredential

baseDN
protected String baseDN

baseFilter
protected String baseFilter

searchTimeLimit
protected int searchTimeLimit

searchScope
protected int searchScope

distinguishedNameAttribute
protected String distinguishedNameAttribute

parseUsername
protected boolean parseUsername

usernameBeginString
protected String usernameBeginString

usernameEndString
protected String usernameEndString

allowEmptyPasswords
protected boolean allowEmptyPasswords

Method Detail

getUsersPassword
protected String getUsersPassword() throws LoginException
Description copied from class: UsernamePasswordLoginModule
Get the expected password for the current username available via the getUsername() method. This is called from within the login() method after the CallbackHandler has returned the username and candidate password.
- Specified by: getUsersPassword in class UsernamePasswordLoginModule
- Returns: the valid password String
- Throws: LoginException

getRoleSets
protected Group[] getRoleSets() throws LoginException
Description copied from class: AbstractServerLoginModule
Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user. Subclasses should create at least a Group named "Roles" that contains the roles assigned to the user. A second common group is "CallerPrincipal" that provides the application identity of the user rather than the security domain identity.
- Specified by: getRoleSets in class AbstractServerLoginModule
- Returns: Group[] containing the sets of roles
- Throws: LoginException

getUsername
protected String getUsername()
- Overrides: getUsername in class UsernamePasswordLoginModule

initialize
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
Description copied from class: UsernamePasswordLoginModule
Override the superclass method to look for the following options after first invoking the super version.
- Specified by: initialize in interface LoginModule
- Overrides: initialize in class UsernamePasswordLoginModule
- Parameters:
subject - the Subject to update after a successful login.
callbackHandler - the CallbackHandler that will be used to obtain the user identity and credentials.
sharedState - a Map shared between all configured login module instances.
options - the module options:
- option: hashAlgorithm - the message digest algorithm used to hash passwords. If null then plain passwords will be used.
- option: hashCharset - the name of the charset/encoding to use when converting the password String to a byte array. Default is the platform's default encoding.
- option: hashEncoding - the string encoding format to use. Defaults to base64.
- option: ignorePasswordCase - a flag indicating if the password comparison should ignore case.
- option: digestCallback - the class name of the DigestCallback implementation that includes pre/post digest content like salts for hashing the input password. Only used if hashAlgorithm has been specified.
- option: hashStorePassword - a flag indicating if the store password returned from #getUsersPassword() should be hashed.
- option: hashUserPassword - a flag indicating if the user entered password should be hashed.
- option: storeDigestCallback - the class name of the DigestCallback implementation that includes pre/post digest content like salts for hashing the store/expected password. Only used if hashStorePassword or hashUserPassword is true and hashAlgorithm has been specified.

validatePassword
protected boolean validatePassword(String inputPassword, String expectedPassword)
Description copied from class: UsernamePasswordLoginModule
A hook that allows subclasses to change the validation of the input password against the expected password. This version checks that neither inputPassword nor expectedPassword is null and that inputPassword.equals(expectedPassword) is true.
- Overrides: validatePassword in class UsernamePasswordLoginModule
- Returns: true if the inputPassword is valid, false otherwise.

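As an added illustration (not code from this Javadoc or from the JBoss login modules), the class below models how the hashAlgorithm, hashCharset, hashEncoding and ignorePasswordCase options described under initialize combine with the null and equality check described under validatePassword. The class HashOptionDemo and its methods are hypothetical, and the passwords are constructed sample values.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added illustration; hypothetical names, not the login module's own source.
public class HashOptionDemo {

    // Models hashAlgorithm + hashCharset + hashEncoding=base64 as documented:
    // a null algorithm means the password is used as plain text, and a null
    // charset falls back to the platform default encoding.
    static String hash(String algorithm, String charset, String password)
            throws NoSuchAlgorithmException {
        if (algorithm == null) {
            return password;
        }
        Charset cs = (charset == null) ? Charset.defaultCharset() : Charset.forName(charset);
        byte[] digest = MessageDigest.getInstance(algorithm).digest(password.getBytes(cs));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Models the documented validatePassword contract: both values must be
    // non-null and equal; ignorePasswordCase relaxes the comparison.
    static boolean validate(String input, String expected, boolean ignoreCase) {
        if (input == null || expected == null) {
            return false;
        }
        return ignoreCase ? input.equalsIgnoreCase(expected) : input.equals(expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the stored value and the typed value hashed the same way.
        String stored = hash("SHA-256", "UTF-8", "s3cret!");
        String typed = hash("SHA-256", "UTF-8", "s3cret!");
        System.out.println("hashed match:     " + validate(typed, stored, false));
        // Typed password left unhashed while the store holds a digest: never matches.
        System.out.println("plain vs hashed:  " + validate("s3cret!", stored, false));
        // A missing expected password must fail rather than throw.
        System.out.println("null expected:    " + validate("s3cret!", null, false));
        // hashCharset matters for non-ASCII passwords: different bytes, different digest.
        String utf8 = hash("SHA-256", "UTF-8", "p\u00e4ssword");
        String latin1 = hash("SHA-256", "ISO-8859-1", "p\u00e4ssword");
        System.out.println("charset mismatch: " + validate(utf8, latin1, false));
    }
}
```

Pinning hashCharset explicitly avoids the last case, where the same password stops validating after the server moves to a host with a different default encoding.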
bindDNAuthentication
protected String bindDNAuthentication(InitialLdapContext ctx, String user, Object credential, String baseDN, String filter) throws NamingException
- Throws: NamingException