
📄 ldaploginmodule.java

	    userPrincipal = null;
            authzPrincipal = null;
        } else {
            // overall authentication succeeded and commit succeeded,
            // but someone else's commit failed
            logout();
        }
        return true;
    }

    /**
     * Logs the user out of this module.
     *
     * <p> The Principals that the <code>commit</code> method added are
     * removed from the Subject, and the module's per-login state
     * (username, password, LDAP context) is wiped via
     * <code>cleanState</code>.
     *
     * @exception LoginException if the Subject is read-only. The module's
     *          state is still wiped before the exception is thrown.
     * @return true in all cases since this <code>LoginModule</code>
     *          should not be ignored.
     */
    public boolean logout() throws LoginException {

        // Principals cannot be removed from a read-only Subject, but the
        // credentials held by this module are still wiped before failing.
        if (subject.isReadOnly()) {
            cleanState();
            throw new LoginException ("Subject is read-only");
        }

        final Set subjectPrincipals = subject.getPrincipals();
        subjectPrincipals.remove(ldapPrincipal);
        subjectPrincipals.remove(userPrincipal);
        // The authorization principal only exists when an authorization
        // identity was set.
        if (authzIdentity != null) {
            subjectPrincipals.remove(authzPrincipal);
        }

        // Wipe credentials and the LDAP context, then reset the phase flags.
        cleanState();
        succeeded = false;
        commitSucceeded = false;

        // Drop the module's own references to the removed Principals.
        ldapPrincipal = null;
        userPrincipal = null;
        authzPrincipal = null;

        if (debug) {
            System.out.println("\t\t[LdapLoginModule] logged out Subject");
        }
        return true;
    }

    /**
     * Attempt authentication
     *
     * @param getPasswdFromSharedState boolean that tells this method whether
     *          to retrieve the password from the sharedState.
     * @exception LoginException if the authentication attempt fails.
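*/
    private void attemptAuthentication(boolean getPasswdFromSharedState)
        throws LoginException {

        // first get the username and password
        getUsernamePassword(getPasswdFromSharedState);

        // Reject a missing or empty password before any bind is attempted.
        // Many LDAP servers treat a simple bind with an empty password as an
        // unauthenticated bind that succeeds (RFC 4513, section 5.1.2), so
        // letting one through would authenticate without a credential.
        if (password == null || password.length == 0) {
            throw (LoginException)
                new FailedLoginException("No password was supplied");
        }

        // A missing username would otherwise surface further down as a
        // NullPointerException (e.g. when the name is substituted into the
        // identity or filter template); report it as a failed login instead.
        if (username == null) {
            throw (LoginException)
                new FailedLoginException("No username was supplied");
        }

        String dn = "";

        if (authFirst || authOnly) {

            // NOTE(review): the username is substituted into the bind
            // identity as-is. If authcIdentity is a DN template, confirm that
            // names containing DN special characters are rejected or escaped
            // (RFC 4514) before they reach this point.
            String id = replaceUsernameToken(identityMatcher, authcIdentity);

            // Prepare to bind using user's username and password
            ldapEnvironment.put(Context.SECURITY_CREDENTIALS, password);
            ldapEnvironment.put(Context.SECURITY_PRINCIPAL, id);

            if (debug) {
                System.out.println("\t\t[LdapLoginModule] " +
                    "attempting to authenticate user: " + username);
            }

            try {
                // Connect to the LDAP server (using simple bind)
                ctx = new InitialLdapContext(ldapEnvironment, null);

            } catch (NamingException e) {
                throw (LoginException)
                    new FailedLoginException("Cannot bind to LDAP server")
                        .initCause(e);
            }

            // Authentication has succeeded

            // Locate the user's distinguished name
            if (userFilter != null) {
                dn = findUserDN(ctx);
            } else {
                dn = id;
            }

        } else {

            try {
                // Connect to the LDAP server (using anonymous bind)
                ctx = new InitialLdapContext(ldapEnvironment, null);

            } catch (NamingException e) {
                throw (LoginException)
                    new FailedLoginException("Cannot connect to LDAP server")
                        .initCause(e);
            }

            // Locate the user's distinguished name
            dn = findUserDN(ctx);

            try {

                // Prepare to bind using user's distinguished name and password
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
                ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

                if (debug) {
                    System.out.println("\t\t[LdapLoginModule] " +
                        "attempting to authenticate user: " + username);
                }
                // Connect to the LDAP server (using simple bind)
                ctx.reconnect(null);

                // Authentication has succeeded

            } catch (NamingException e) {
                throw (LoginException)
                    new FailedLoginException("Cannot bind to LDAP server")
                        .initCause(e);
            }
        }

        // Save input as shared state only if authentication succeeded.
        // The password array itself (not a copy) is stored, so wiping the
        // module's array later also wipes what the shared state holds.
        if (storePass &&
            !sharedState.containsKey(USERNAME_KEY) &&
            !sharedState.containsKey(PASSWORD_KEY)) {
            sharedState.put(USERNAME_KEY, username);
            sharedState.put(PASSWORD_KEY, password);
        }

        // Create the user principals
        userPrincipal = new UserPrincipal(username);
        if (authzIdentity != null) {
            authzPrincipal = new UserPrincipal(authzIdentity);
        }

        try {

            ldapPrincipal = new LdapPrincipal(dn);

        } catch (InvalidNameException e) {
            if (debug) {
                System.out.println("\t\t[LdapLoginModule] " +
                                   "cannot create LdapPrincipal: bad DN");
            }
            throw (LoginException)
                new FailedLoginException("Cannot create LdapPrincipal")
                    .initCause(e);
        }
    }

    /**
     * Search for the user's entry.
     * Determine the distinguished name of the user's entry and optionally
     * an authorization identity for the user.
     *
     * @param ctx an LDAP context to use for the search
     * @return the user's distinguished name (never empty; a missing entry
     *         is reported by throwing).
     * @exception LoginException if the user's entry cannot be found.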
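*/
    private String findUserDN(LdapContext ctx) throws LoginException {

        String userDN = "";

        // Locate the user's LDAP entry
        if (userFilter != null) {
            if (debug) {
                System.out.println("\t\t[LdapLoginModule] " +
                    "searching for entry belonging to user: " + username);
            }
        } else {
            if (debug) {
                System.out.println("\t\t[LdapLoginModule] " +
                    "cannot search for entry belonging to user: " + username);
            }
            throw (LoginException)
                new FailedLoginException("Cannot find user's LDAP entry");
        }

        NamingEnumeration results = null;
        NamingException searchFailure = null;
        try {
            // The username is supplied by the party logging in, so it is
            // escaped before being placed in the search filter.
            results = ctx.search("", buildUserSearchFilter(), constraints);

            // Extract the distinguished name of the user's entry
            // (Use the first entry if more than one is returned)
            if (results.hasMore()) {
                SearchResult entry = (SearchResult) results.next();

                // %%% - use the SearchResult.getNameInNamespace method
                //        available in JDK 1.5 and later.
                //        (can remove call to constraints.setReturningObjFlag)
                userDN = ((Context)entry.getObject()).getNameInNamespace();

                if (debug) {
                    System.out.println("\t\t[LdapLoginModule] found entry: " +
                        userDN);
                }

                // Extract a value from user's authorization identity attribute.
                // NOTE(review): authzIdentity is only overwritten when the
                // attribute is present and holds a String, and nothing in
                // this listing resets it between logins. Confirm that a
                // reused module instance cannot carry over a value read for
                // a previous user.
                if (authzIdentityAttr != null) {
                    Attribute attr =
                        entry.getAttributes().get(authzIdentityAttr);
                    if (attr != null) {
                        Object val = attr.get();
                        if (val instanceof String) {
                            authzIdentity = (String) val;
                        }
                    }
                }

            } else {
                // Bad username
                if (debug) {
                    System.out.println("\t\t[LdapLoginModule] user's entry " +
                        "not found");
                }
            }

        } catch (NamingException e) {
            // Keep the failure so it can be attached as the cause below
            // instead of being discarded.
            searchFailure = e;
            if (debug) {
                System.out.println("\t\t[LdapLoginModule] " +
                    "search for user's entry failed: " + e);
            }
        } finally {
            // Release the enumeration on every path, not only when an entry
            // was found.
            if (results != null) {
                try {
                    results.close();
                } catch (NamingException ignored) {
                    // best effort: the search outcome is already known
                }
            }
        }

        if (userDN.equals("")) {
            LoginException notFound =
                new FailedLoginException("Cannot find user's LDAP entry");
            if (searchFailure != null) {
                notFound.initCause(searchFailure);
            }
            throw notFound;
        }
        return userDN;
    }

    /**
     * Build the search filter for the current user by substituting the
     * escaped username into the configured filter.
     *
     * @return the filter to search with; the configured filter unchanged
     *         when there is no matcher for it.
     */
    private String buildUserSearchFilter() {
        if (filterMatcher == null) {
            return userFilter;
        }
        return filterMatcher.replaceAll(
            Matcher.quoteReplacement(escapeFilterValue(username)));
    }

    /**
     * Escape a value for use inside an LDAP search filter (RFC 4515), so
     * that filter metacharacters in it are matched literally.
     *
     * @param value the raw value
     * @return the value with '\', '*', '(', ')' and NUL replaced by their
     *         backslash-hex escapes
     */
    private static String escapeFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
            case '\\':
                escaped.append("\\5c");
                break;
            case '*':
                escaped.append("\\2a");
                break;
            case '(':
                escaped.append("\\28");
                break;
            case ')':
                escaped.append("\\29");
                break;
            case '\0':
                escaped.append("\\00");
                break;
            default:
                escaped.append(c);
                break;
            }
        }
        return escaped.toString();
    }

    /**
     * Replace the username token
     *
     * @param matcher matcher whose matches are replaced by the username,
     *          or null to return the string unchanged
     * @param string the target string
     * @return the modified string
     */
    private String replaceUsernameToken(Matcher matcher, String string) {
        // replaceAll gives '$' and '\' in the replacement a special meaning;
        // quoting makes the username be inserted literally instead of
        // failing or being altered when it contains either character.
        return matcher != null
            ? matcher.replaceAll(Matcher.quoteReplacement(username))
            : string;
    }

    /**
     * Get the username and password.
     * This method does not return any value.
     * Instead, it sets global name and password variables.
     *
     * <p> This method does not itself write to the shared state;
     * <code>attemptAuthentication</code> stores the values there after a
     * successful bind when <code>storePass</code> is set.
     *
     * @param getPasswdFromSharedState boolean that tells this method whether
     *          to retrieve the password from the sharedState.
     * @exception LoginException if the username/password cannot be acquired.
     */
    private void getUsernamePassword(boolean getPasswdFromSharedState)
        throws LoginException {

        if (getPasswdFromSharedState) {
            // use the password saved by the first module in the stack
            // (the array is taken by reference, not copied)
            username = (String)sharedState.get(USERNAME_KEY);
            password = (char[])sharedState.get(PASSWORD_KEY);
            return;
        }

        // prompt for a username and password
        if (callbackHandler == null)
            throw new LoginException("No CallbackHandler available " +
                "to acquire authentication information from the user");

        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback(rb.getString("username: "));
        callbacks[1] = new PasswordCallback(rb.getString("password: "), false);

        try {
            callbackHandler.handle(callbacks);
            username = ((NameCallback)callbacks[0]).getName();
            char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
            if (tmpPassword == null) {
                // The handler supplied no password; leave it null so the
                // caller reports a failed login rather than hitting a
                // NullPointerException here.
                password = null;
            } else {
                password = new char[tmpPassword.length];
                System.arraycopy(tmpPassword, 0,
                                 password, 0, tmpPassword.length);
                // getPassword() hands back a copy; wipe it so the only
                // remaining instance is the one cleanState() clears.
                Arrays.fill(tmpPassword, ' ');
            }
            ((PasswordCallback)callbacks[1]).clearPassword();

        } catch (java.io.IOException ioe) {
            throw (LoginException)
                new LoginException(ioe.toString()).initCause(ioe);

        } catch (UnsupportedCallbackException uce) {
            throw new LoginException("Error: " + uce.getCallback().toString() +
                        " not available to acquire authentication information" +
                        " from the user");
        }
    }

    /**
     * Clean out state because of a failed authentication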
attempt
     *
     * <p> Also called from <code>logout</code>. Clears the username,
     * overwrites and drops the password, closes the LDAP context and,
     * when <code>clearPass</code> is set, removes the username and
     * password entries from the shared state.
     */
    private void cleanState() {
        username = null;

        // Overwrite the characters before dropping the reference.
        // NOTE(review): this array can be the same instance that the shared
        // state holds (it is stored and read back by reference elsewhere in
        // this class), in which case that entry is blanked as well. Confirm
        // this is intended for modules later in the stack.
        if (password != null) {
            Arrays.fill(password, ' ');
            password = null;
        }

        // Closing is best effort; the reference is dropped either way.
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                // ignore
            }
        }
        ctx = null;

        if (clearPass) {
            sharedState.remove(USERNAME_KEY);
            sharedState.remove(PASSWORD_KEY);
        }
    }
}
