// Authentication status.
// 'succeeded' is set by login() once attemptAuthentication() returns without
// throwing; 'commitSucceeded' is set by commit() after the principals have
// been attached to the Subject.  abort() looks at the pair to decide what
// has to be undone.
private boolean succeeded = false;
private boolean commitSucceeded = false;

// Supplied username and password.
// The password is held as a char[] rather than a String so that it can be
// overwritten once it is no longer needed (presumably in cleanState(),
// which is not part of this excerpt).
private String username;
private char[] password;

// User's identities.
// ldapPrincipal and userPrincipal are attached to the Subject by commit();
// authzPrincipal is optional and only attached when it is non-null.
private LdapPrincipal ldapPrincipal;
private UserPrincipal userPrincipal;
private UserPrincipal authzPrincipal;

// Initial state, captured by initialize().
private Subject subject;
private CallbackHandler callbackHandler;
// May carry a username/password left behind by an earlier LoginModule;
// login() consumes them when tryFirstPass or useFirstPass is configured.
private Map sharedState;
private Map options;
private LdapContext ctx;
// Matchers for the username token inside authcIdentity and userFilter,
// created by initialize() only when the token is present.
// NOTE(review): the user-supplied name is substituted through these matchers
// outside this excerpt; confirm it is escaped there (RFC 4514 for a DN,
// RFC 4515 for a search filter) before it reaches the directory.
private Matcher identityMatcher = null;
private Matcher filterMatcher = null;
// JNDI environment handed to the LDAP context; initialize() fills it from
// the module options and sets the "ssl" security protocol unless the
// useSSL option is "false".
private Hashtable ldapEnvironment;
// Search controls for the user lookup; only created when a userFilter is
// configured (search-first / authentication-first modes).
private SearchControls constraints = null;

/**
 * Initialize this <code>LoginModule</code>.
 *
 * <p> Records the Subject, callback handler and shared state, builds the
 * JNDI environment for the LDAP connection and works out which of the
 * three modes (search-first, authentication-first, authentication-only)
 * the configured options select.  No directory connection is opened here.
 *
 * @param subject the <code>Subject</code> to be authenticated.
 * @param callbackHandler a <code>CallbackHandler</code> to acquire the
 *      username and password.
 * @param sharedState shared <code>LoginModule</code> state.
 * @param options options specified in the login
 *      <code>Configuration</code> for this particular
 *      <code>LoginModule</code>.  Any option whose key contains a
 *      '.' is copied verbatim into the JNDI environment, so the
 *      Configuration must come from a trusted source.
*/
public void initialize(Subject subject, CallbackHandler callbackHandler,
                       Map<String, ?> sharedState, Map<String, ?> options) {
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = sharedState;
    this.options = options;

    ldapEnvironment = new Hashtable(9);
    ldapEnvironment.put(Context.INITIAL_CONTEXT_FACTORY,
                        "com.sun.jndi.ldap.LdapCtxFactory");

    // Any option whose key contains a '.' is taken to be a JNDI property
    // (java.naming.*, com.sun.jndi.ldap.*) and copied verbatim.  The login
    // Configuration is the only source of these, so it must be trusted.
    for (String optionName : options.keySet()) {
        if (optionName.indexOf(".") > -1) {
            ldapEnvironment.put(optionName, options.get(optionName));
        }
    }

    // Module-specific options.
    userProvider = (String) options.get(USER_PROVIDER);
    if (userProvider != null) {
        ldapEnvironment.put(Context.PROVIDER_URL, userProvider);
    }

    authcIdentity = (String) options.get(AUTHC_IDENTITY);
    if (authcIdentity != null && authcIdentity.indexOf(USERNAME_TOKEN) >= 0) {
        identityMatcher = USERNAME_PATTERN.matcher(authcIdentity);
    }

    userFilter = (String) options.get(USER_FILTER);
    if (userFilter != null) {
        if (userFilter.indexOf(USERNAME_TOKEN) >= 0) {
            // NOTE(review): the username substituted for this token must be
            // filter-escaped (RFC 4515) where the substitution happens; that
            // code is not part of this excerpt.
            filterMatcher = USERNAME_PATTERN.matcher(userFilter);
        }
        constraints = new SearchControls();
        constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        constraints.setReturningAttributes(new String[0]); // no attributes ...
        constraints.setReturningObjFlag(true);             // ... but the full DN
    }

    authzIdentity = (String) options.get(AUTHZ_IDENTITY);
    boolean authzFromAttribute = authzIdentity != null
        && authzIdentity.startsWith("{")
        && authzIdentity.endsWith("}");
    if (authzFromAttribute) {
        // "{attr}" means: read the authorization identity from that attribute
        // of the user's entry.  That needs a search, so it only takes effect
        // when a userFilter (and therefore 'constraints') exists; otherwise
        // the setting is silently dropped.
        if (constraints != null) {
            authzIdentityAttr =
                authzIdentity.substring(1, authzIdentity.length() - 1);
            constraints.setReturningAttributes(new String[] { authzIdentityAttr });
        }
        authzIdentity = null; // resolved later from the attribute
    }

    // Mode selection: an authcIdentity alone means authentication-only,
    // authcIdentity plus userFilter means authentication-first; otherwise
    // neither flag is set, which is search-first mode.
    if (authcIdentity != null) {
        if (userFilter != null) {
            authFirst = true;
        } else {
            authOnly = true;
        }
    }

    // SSL stays on unless the useSSL option is explicitly "false".  Turning
    // it off sends the bind password to the directory in the clear unless
    // the transport is protected some other way.
    if ("false".equalsIgnoreCase((String) options.get("useSSL"))) {
        useSSL = false;
        ldapEnvironment.remove(Context.SECURITY_PROTOCOL);
    } else {
        ldapEnvironment.put(Context.SECURITY_PROTOCOL, "ssl");
    }

    // Boolean.parseBoolean is "true".equalsIgnoreCase(...) with null -> false.
    tryFirstPass = Boolean.parseBoolean((String) options.get("tryFirstPass"));
    useFirstPass = Boolean.parseBoolean((String) options.get("useFirstPass"));
    storePass    = Boolean.parseBoolean((String) options.get("storePass"));
    clearPass    = Boolean.parseBoolean((String) options.get("clearPass"));
    debug        = Boolean.parseBoolean((String) options.get("debug"));

    if (debug) {
        String mode;
        if (authFirst) {
            mode = "authentication-first";
        } else if (authOnly) {
            mode = "authentication-only";
        } else {
            mode = "search-first";
        }
        System.out.println("\t\t[LdapLoginModule] " + mode + " mode; "
            + (useSSL ? "SSL enabled" : "SSL disabled"));
    }
}

/**
 * Begin user authentication.
 *
 * <p> Acquire the user's credentials and verify them against the
 * specified LDAP directory.  Depending on the tryFirstPass / useFirstPass
 * options the credentials come from the shared state left by an earlier
 * LoginModule, from the CallbackHandler, or from the first with a fallback
 * to the second.
 *
 * @return true always, since this <code>LoginModule</code>
 *      should not be ignored.
 * @exception FailedLoginException if the authentication fails.
 * @exception LoginException if this <code>LoginModule</code>
 *      is unable to perform the authentication.
*/
public boolean login() throws LoginException {
    if (userProvider == null) {
        throw new LoginException
            ("Unable to locate the LDAP directory service");
    }
    if (debug) {
        System.out.println("\t\t[LdapLoginModule] user provider: "
            + userProvider);
    }

    // First try the credentials already present in the shared state (left
    // there by an earlier LoginModule) if the configuration asks for that.
    // tryFirstPass may fall back to prompting; useFirstPass may not.
    if (tryFirstPass || useFirstPass) {
        String source = tryFirstPass ? "tryFirstPass" : "useFirstPass";
        try {
            attemptAuthentication(true);
            succeeded = true;
            if (debug) {
                System.out.println("\t\t[LdapLoginModule] " + source
                    + " succeeded");
            }
            return true;
        } catch (LoginException le) {
            cleanState();
            if (debug) {
                // NOTE(review): the exception text is echoed to stdout here;
                // attemptAuthentication() (not in this excerpt) must not put
                // credential material into its message.
                System.out.println("\t\t[LdapLoginModule] " + source + " failed"
                    + (tryFirstPass ? ": " + le.toString() : ""));
            }
            if (!tryFirstPass) {
                throw le; // useFirstPass: the shared state was the only option
            }
        }
    }

    // Otherwise (or after a failed tryFirstPass) obtain the username and
    // password through the CallbackHandler.
    try {
        attemptAuthentication(false);
        succeeded = true;
        if (debug) {
            System.out.println("\t\t[LdapLoginModule] authentication succeeded");
        }
        return true;
    } catch (LoginException le) {
        // Every failure path clears the cached credentials before
        // propagating, so a failed login() leaves nothing behind.
        cleanState();
        if (debug) {
            System.out.println("\t\t[LdapLoginModule] authentication failed");
        }
        throw le;
    }
}

/**
 * Complete user authentication.
 *
 * <p> This method is called if the LoginContext's
 * overall authentication succeeded
 * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
 * succeeded).
 *
 * <p> If this LoginModule's own authentication attempt
 * succeeded (checked by retrieving the private state saved by the
 * <code>login</code> method), then this method associates an
 * <code>LdapPrincipal</code> and one or more <code>UserPrincipal</code>s
 * with the <code>Subject</code> located in the
 * <code>LoginModule</code>.  If this LoginModule's own
 * authentication attempt failed, this method simply returns false
 * (<code>login</code> has already cleared its state in that case).
 *
 * <p> Whenever principals are attached, the temporary credential state is
 * cleared before returning; the same happens when the Subject turns out
 * to be read-only.
 *
 * @exception LoginException if the commit fails
 * @return true if this LoginModule's own login and commit
 *      attempts succeeded, or false otherwise.
 */
public boolean commit() throws LoginException {
    if (!succeeded) {
        return false;
    }
    if (subject.isReadOnly()) {
        cleanState();
        throw new LoginException("Subject is read-only");
    }

    Set principals = subject.getPrincipals();

    // Each principal is added at most once.  The debug line for the first two
    // is printed whether or not the add was actually needed; the one for the
    // authorization identity only when it was added.
    if (!principals.contains(ldapPrincipal)) {
        principals.add(ldapPrincipal);
    }
    if (debug) {
        System.out.println("\t\t[LdapLoginModule] added LdapPrincipal \""
            + ldapPrincipal + "\" to Subject");
    }

    if (!principals.contains(userPrincipal)) {
        principals.add(userPrincipal);
    }
    if (debug) {
        System.out.println("\t\t[LdapLoginModule] added UserPrincipal \""
            + userPrincipal + "\" to Subject");
    }

    // The authorization identity is optional.
    boolean addAuthz = authzPrincipal != null
        && !principals.contains(authzPrincipal);
    if (addAuthz) {
        principals.add(authzPrincipal);
        if (debug) {
            System.out.println("\t\t[LdapLoginModule] added UserPrincipal \""
                + authzPrincipal + "\" to Subject");
        }
    }

    // In any case, drop the cached state; cleanState() (not in this excerpt)
    // is expected to wipe the username/password copies.
    cleanState();
    commitSucceeded = true;
    return true;
}

/**
 * Abort user authentication.
 *
 * <p> This method is called if the overall authentication failed.
 * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
 * did not succeed).
* * <p> If this LoginModule's own authentication attempt * succeeded (checked by retrieving the private state saved by the * <code>login</code> and <code>commit</code> methods), * then this method cleans up any state that was originally saved. * * @exception LoginException if the abort fails. * @return false if this LoginModule's own login and/or commit attempts * failed, and true otherwise. */ public boolean abort() throws LoginException { if (debug) System.out.println("\t\t[LdapLoginModule] " + "aborted authentication"); if (succeeded == false) { return false; } else if (succeeded == true && commitSucceeded == false) { // Clean out state succeeded = false; cleanState(); ldapPrincipal = null;