summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java234
1 files changed, 122 insertions, 112 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
index 3260af6e7..59c5d376b 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/DirBasedAuthentication.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.authentication;
-
// ldap java sdk
import java.io.IOException;
import java.security.cert.CertificateException;
@@ -57,25 +56,25 @@ import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.cmsutil.util.Utils;
-
/**
* Abstract class for directory based authentication managers
- * Uses a pattern for formulating subject names.
- * The pattern is read from configuration file.
+ * Uses a pattern for formulating subject names.
+ * The pattern is read from configuration file.
* Syntax of the pattern is described in the init() method.
*
* <P>
+ *
* @version $Revision$, $Date$
*/
-public abstract class DirBasedAuthentication
- implements IAuthManager, IExtendedPluginInfo {
+public abstract class DirBasedAuthentication
+ implements IAuthManager, IExtendedPluginInfo {
- protected static final String USER_DN = "userDN";
+ protected static final String USER_DN = "userDN";
/* configuration parameter keys */
- protected static final String PROP_LDAP = "ldap";
- protected static final String PROP_BASEDN = "basedn";
- protected static final String PROP_DNPATTERN = "dnpattern";
+ protected static final String PROP_LDAP = "ldap";
+ protected static final String PROP_BASEDN = "basedn";
+ protected static final String PROP_DNPATTERN = "dnpattern";
protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes";
protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes";
@@ -117,8 +116,8 @@ public abstract class DirBasedAuthentication
protected String[] mLdapAttrs = null;
/* default dn pattern if left blank or not set in the config */
- protected static String DEFAULT_DNPATTERN =
- "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c";
+ protected static String DEFAULT_DNPATTERN =
+ "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c";
/* Vector of extendedPluginInfo strings */
protected static Vector mExtendedPluginInfo = null;
@@ -126,31 +125,31 @@ public abstract class DirBasedAuthentication
static {
mExtendedPluginInfo = new Vector();
mExtendedPluginInfo.add(PROP_DNPATTERN + ";string;Template for cert" +
- " Subject Name. ($dn.xxx - get value from user's LDAP " +
- "DN. $attr.yyy - get value from LDAP attributes in " +
- "user's entry.) Default: " + DEFAULT_DNPATTERN);
+ " Subject Name. ($dn.xxx - get value from user's LDAP " +
+ "DN. $attr.yyy - get value from LDAP attributes in " +
+ "user's entry.) Default: " + DEFAULT_DNPATTERN);
mExtendedPluginInfo.add(PROP_LDAPSTRINGATTRS + ";string;" +
- "Comma-separated list of LDAP attributes to copy from " +
- "the user's LDAP entry into the AuthToken. e.g use " +
- "'mail' to copy user's email address for subjectAltName");
+ "Comma-separated list of LDAP attributes to copy from " +
+ "the user's LDAP entry into the AuthToken. e.g use " +
+ "'mail' to copy user's email address for subjectAltName");
mExtendedPluginInfo.add(PROP_LDAPBYTEATTRS + ";string;" +
- "Comma-separated list of binary LDAP attributes to copy" +
- " from the user's LDAP entry into the AuthToken");
+ "Comma-separated list of binary LDAP attributes to copy" +
+ " from the user's LDAP entry into the AuthToken");
mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" +
- "LDAP host to connect to");
+ "LDAP host to connect to");
mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" +
- "LDAP port number (use 389, or 636 if SSL)");
+ "LDAP port number (use 389, or 636 if SSL)");
mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" +
- "Use SSL to connect to directory?");
+ "Use SSL to connect to directory?");
mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" +
- "LDAP protocol version");
+ "LDAP protocol version");
mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start searching " +
- "under. If your user's DN is 'uid=jsmith, o=company', you " +
- "might want to use 'o=company' here");
+ "under. If your user's DN is 'uid=jsmith, o=company', you " +
+ "might want to use 'o=company' here");
mExtendedPluginInfo.add("ldap.minConns;number;number of connections " +
- "to keep open to directory server. Default 5.");
+ "to keep open to directory server. Default 5.");
mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " +
- "pool can grow to this many (multiplexed) connections. Default 1000.");
+ "pool can grow to this many (multiplexed) connections. Default 1000.");
}
/**
@@ -163,24 +162,24 @@ public abstract class DirBasedAuthentication
* Initializes the UidPwdDirBasedAuthentication auth manager.
*
* Takes the following configuration parameters: <br>
+ *
* <pre>
- * ldap.basedn - the ldap base dn.
- * ldap.ldapconn.host - the ldap host.
- * ldap.ldapconn.port - the ldap port
- * ldap.ldapconn.secureConn - whether port should be secure
- * ldap.minConns - minimum connections
- * ldap.maxConns - max connections
- * dnpattern - dn pattern.
+ * ldap.basedn - the ldap base dn.
+ * ldap.ldapconn.host - the ldap host.
+ * ldap.ldapconn.port - the ldap port
+ * ldap.ldapconn.secureConn - whether port should be secure
+ * ldap.minConns - minimum connections
+ * ldap.maxConns - max connections
+ * dnpattern - dn pattern.
* </pre>
* <p>
- * <i><b>dnpattern</b></i> is a string representing a subject name pattern
- * to formulate from the directory attributes and entry dn. If empty or
- * not set, the ldap entry DN will be used as the certificate subject name.
+ * <i><b>dnpattern</b></i> is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.
* <p>
- * The syntax is
+ * The syntax is
+ *
* <pre>
* dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
- *
+ *
* SubjectNameComponent = DnComp | EntryComp | ConstantComp
* DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
* EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
@@ -190,11 +189,12 @@ public abstract class DirBasedAuthentication
* CertAttr = a Component in the Certificate Subject Name
* (multiple AVA in one RDN not supported)
* Num = the nth value of tha attribute in the dn or entry.
- * Constant = Constant String, with any accepted ldap string value.
+ * Constant = Constant String, with any accepted ldap string value.
*
* </pre>
* <p>
* <b>Example:</b>
+ *
* <pre>
* dnpattern:
* E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
@@ -213,6 +213,7 @@ public abstract class DirBasedAuthentication
* </pre>
* <p>
* The subject name formulated in the cert will be : <br>
+ *
* <pre>
* E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US
*
@@ -229,19 +230,20 @@ public abstract class DirBasedAuthentication
* @exception EBaseException If an error occurs during initialization.
*/
public void init(String name, String implName, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
init(name, implName, config, true);
}
public void init(String name, String implName, IConfigStore config, boolean needBaseDN)
- throws EBaseException {
+ throws EBaseException {
mName = name;
mImplName = implName;
mConfig = config;
/* initialize ldap server configuration */
mLdapConfig = mConfig.getSubStore(PROP_LDAP);
- if (needBaseDN) mBaseDN = mLdapConfig.getString(PROP_BASEDN);
+ if (needBaseDN)
+ mBaseDN = mLdapConfig.getString(PROP_BASEDN);
if (needBaseDN && ((mBaseDN == null) || (mBaseDN.length() == 0) || (mBaseDN.trim().equals(""))))
throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
mConnFactory = CMS.getLdapAnonConnFactory();
@@ -250,7 +252,7 @@ public abstract class DirBasedAuthentication
/* initialize dn pattern */
String pattern = mConfig.getString(PROP_DNPATTERN, null);
- if (pattern == null || pattern.length() == 0)
+ if (pattern == null || pattern.length() == 0)
pattern = DEFAULT_DNPATTERN;
mPattern = new DNPattern(pattern);
String[] patternLdapAttrs = mPattern.getLdapAttrs();
@@ -261,15 +263,15 @@ public abstract class DirBasedAuthentication
if (ldapStringAttrs == null) {
mLdapStringAttrs = patternLdapAttrs;
} else {
- StringTokenizer pAttrs =
- new StringTokenizer(ldapStringAttrs, ",", false);
+ StringTokenizer pAttrs =
+ new StringTokenizer(ldapStringAttrs, ",", false);
int begin = 0;
if (patternLdapAttrs != null && patternLdapAttrs.length > 0) {
- mLdapStringAttrs = new String[
+ mLdapStringAttrs = new String[
patternLdapAttrs.length + pAttrs.countTokens()];
- System.arraycopy(patternLdapAttrs, 0,
- mLdapStringAttrs, 0, patternLdapAttrs.length);
+ System.arraycopy(patternLdapAttrs, 0,
+ mLdapStringAttrs, 0, patternLdapAttrs.length);
begin = patternLdapAttrs.length;
} else {
mLdapStringAttrs = new String[pAttrs.countTokens()];
@@ -285,11 +287,11 @@ public abstract class DirBasedAuthentication
if (ldapByteAttrs == null) {
mLdapByteAttrs = new String[0];
} else {
- StringTokenizer byteAttrs =
- new StringTokenizer(ldapByteAttrs, ",", false);
+ StringTokenizer byteAttrs =
+ new StringTokenizer(ldapByteAttrs, ",", false);
mLdapByteAttrs = new String[byteAttrs.countTokens()];
- for (int j = 0; j < mLdapByteAttrs.length; j++) {
+ for (int j = 0; j < mLdapByteAttrs.length; j++) {
mLdapByteAttrs[j] = ((String) byteAttrs.nextElement()).trim();
}
}
@@ -297,10 +299,10 @@ public abstract class DirBasedAuthentication
/* make the combined list */
mLdapAttrs =
new String[mLdapStringAttrs.length + mLdapByteAttrs.length];
- System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs,
- 0, mLdapStringAttrs.length);
- System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs,
- mLdapStringAttrs.length, mLdapByteAttrs.length);
+ System.arraycopy(mLdapStringAttrs, 0, mLdapAttrs,
+ 0, mLdapStringAttrs.length);
+ System.arraycopy(mLdapByteAttrs, 0, mLdapAttrs,
+ mLdapStringAttrs.length, mLdapByteAttrs.length);
log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_INIT_DONE"));
}
@@ -320,21 +322,22 @@ public abstract class DirBasedAuthentication
}
/**
- * Authenticates user through LDAP by a set of credentials.
+ * Authenticates user through LDAP by a set of credentials.
* Resulting AuthToken a TOKEN_CERTINFO field of a X509CertInfo
* <p>
+ *
* @param authCred Authentication credentials, CRED_UID and CRED_PWD.
* @return A AuthToken with a TOKEN_SUBJECT of X500name type.
* @exception com.netscape.certsrv.authentication.EMissingCredential
- * If a required authentication credential is missing.
+ * If a required authentication credential is missing.
* @exception com.netscape.certsrv.authentication.EInvalidCredentials
- * If credentials failed authentication.
- * @exception com.netscape.certsrv.base.EBaseException
- * If an internal error occurred.
+ * If credentials failed authentication.
+ * @exception com.netscape.certsrv.base.EBaseException
+ * If an internal error occurred.
* @see com.netscape.certsrv.authentication.AuthToken
*/
public IAuthToken authenticate(IAuthCredentials authCred)
- throws EMissingCredential, EInvalidCredentials, EBaseException {
+ throws EMissingCredential, EInvalidCredentials, EBaseException {
String userdn = null;
LDAPConnection conn = null;
AuthToken authToken = new AuthToken(this);
@@ -360,11 +363,11 @@ public abstract class DirBasedAuthentication
// set subject name.
try {
CertificateSubjectName subjectname = (CertificateSubjectName)
- certInfo.get(X509CertInfo.SUBJECT);
+ certInfo.get(X509CertInfo.SUBJECT);
if (subjectname != null)
- authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
- subjectname.toString());
+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
+ subjectname.toString());
} // error means it's not set.
catch (CertificateException e) {
} catch (IOException e) {
@@ -373,15 +376,15 @@ public abstract class DirBasedAuthentication
// set validity if any
try {
CertificateValidity validity = (CertificateValidity)
- certInfo.get(X509CertInfo.VALIDITY);
+ certInfo.get(X509CertInfo.VALIDITY);
if (validity != null) {
// the gets throws IOException but only if attribute
// not recognized. In these cases they are always.
- authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE,
- (Date)validity.get(CertificateValidity.NOT_BEFORE));
- authToken.set(AuthToken.TOKEN_CERT_NOTAFTER,
- (Date)validity.get(CertificateValidity.NOT_AFTER));
+ authToken.set(AuthToken.TOKEN_CERT_NOTBEFORE,
+ (Date) validity.get(CertificateValidity.NOT_BEFORE));
+ authToken.set(AuthToken.TOKEN_CERT_NOTAFTER,
+ (Date) validity.get(CertificateValidity.NOT_AFTER));
}
} // error means it's not set.
catch (CertificateException e) {
@@ -391,7 +394,7 @@ public abstract class DirBasedAuthentication
// set extensions if any.
try {
CertificateExtensions extensions = (CertificateExtensions)
- certInfo.get(X509CertInfo.EXTENSIONS);
+ certInfo.get(X509CertInfo.EXTENSIONS);
if (extensions != null)
authToken.set(AuthToken.TOKEN_CERT_EXTENSIONS, extensions);
@@ -401,7 +404,7 @@ public abstract class DirBasedAuthentication
}
} finally {
- if (conn != null)
+ if (conn != null)
mConnFactory.returnConn(conn);
}
@@ -410,15 +413,16 @@ public abstract class DirBasedAuthentication
/**
* get the list of required credentials.
+ *
* @return list of required credentials as strings.
*/
public abstract String[] getRequiredCreds();
/**
- * Returns a list of configuration parameter names.
- * The list is passed to the configuration console so instances of
+ * Returns a list of configuration parameter names.
+ * The list is passed to the configuration console so instances of
* this implementation can be configured through the console.
- *
+ *
* @return String array of configuration parameter names.
*/
public abstract String[] getConfigParams();
@@ -440,6 +444,7 @@ public abstract class DirBasedAuthentication
/**
* Gets the configuration substore used by this authentication manager
+ *
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -452,11 +457,11 @@ public abstract class DirBasedAuthentication
* @param authCreds The authentication credentials.
* @return The user's ldap entry dn.
* @exception EInvalidCredentials If the uid and password are not valid
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
protected abstract String authenticate(
- LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
- throws EBaseException;
+ LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
+ throws EBaseException;
/**
* Formulate the cert info.
@@ -465,13 +470,13 @@ public abstract class DirBasedAuthentication
* @param userdn The user's dn.
* @param certinfo A certinfo object to fill.
* @param token A authentication token to fill.
- * @exception EBaseException If an internal error occurs.
+ * @exception EBaseException If an internal error occurs.
*/
- protected void formCertInfo(LDAPConnection conn,
- String userdn,
- X509CertInfo certinfo,
- AuthToken token)
- throws EBaseException {
+ protected void formCertInfo(LDAPConnection conn,
+ String userdn,
+ X509CertInfo certinfo,
+ AuthToken token)
+ throws EBaseException {
String dn = null;
// get ldap attributes to retrieve.
String[] attrs = getLdapAttrs();
@@ -480,9 +485,9 @@ public abstract class DirBasedAuthentication
try {
if (conn != null) {
LDAPEntry entry = null;
- LDAPSearchResults results =
- conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*",
- attrs, false);
+ LDAPSearchResults results =
+ conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*",
+ attrs, false);
if (!results.hasMoreElements()) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_ATTR_ERROR"));
@@ -508,19 +513,19 @@ public abstract class DirBasedAuthentication
// pack the dn into X500name and set subject name.
if (dn.length() == 0) {
- EBaseException ex =
- new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName));
+ EBaseException ex =
+ new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_EMPTY_DN_FORMED", mName));
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_DN_ERROR", ex.toString()));
throw ex;
}
X500Name subjectdn = new X500Name(dn);
- certinfo.set(X509CertInfo.SUBJECT,
- new CertificateSubjectName(subjectdn));
+ certinfo.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(subjectdn));
} catch (LDAPException e) {
switch (e.getLDAPResultCode()) {
- case LDAPException.SERVER_DOWN:
+ case LDAPException.SERVER_DOWN:
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_AUTH_ATTR_ERROR"));
throw new ELdapException(
CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
@@ -534,7 +539,7 @@ public abstract class DirBasedAuthentication
log(ILogger.LL_FAILURE, CMS.getLogMessage("LDAP_ERROR", e.toString()));
throw new ELdapException(
CMS.getUserMessage("CMS_LDAP_OTHER_LDAP_EXCEPTION",
- e.errorCodeToString()));
+ e.errorCodeToString()));
}
} catch (IOException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_CREATE_SUBJECT_ERROR", userdn, e.getMessage()));
@@ -553,15 +558,16 @@ public abstract class DirBasedAuthentication
protected void setAuthTokenValues(LDAPEntry e, AuthToken tok) {
for (int i = 0; i < mLdapStringAttrs.length; i++)
setAuthTokenStringValue(mLdapStringAttrs[i], e, tok);
- for (int j = 0; j < mLdapByteAttrs.length; j++)
+ for (int j = 0; j < mLdapByteAttrs.length; j++)
setAuthTokenByteValue(mLdapByteAttrs[j], e, tok);
}
protected void setAuthTokenStringValue(
- String name, LDAPEntry entry, AuthToken tok) {
+ String name, LDAPEntry entry, AuthToken tok) {
LDAPAttribute values = entry.getAttribute(name);
- if (values == null) return;
+ if (values == null)
+ return;
Vector v = new Vector();
Enumeration e = values.getStringValues();
@@ -578,10 +584,11 @@ public abstract class DirBasedAuthentication
}
protected void setAuthTokenByteValue(
- String name, LDAPEntry entry, AuthToken tok) {
+ String name, LDAPEntry entry, AuthToken tok) {
LDAPAttribute values = entry.getAttribute(name);
- if (values == null) return;
+ if (values == null)
+ return;
Vector v = new Vector();
Enumeration e = values.getByteValues();
@@ -600,6 +607,7 @@ public abstract class DirBasedAuthentication
/**
* Return a list of LDAP attributes with String values to retrieve.
* Subclasses can override to return any set of attributes.
+ *
* @return Array of LDAP attributes to retrieve from the directory.
*/
protected String[] getLdapAttrs() {
@@ -609,6 +617,7 @@ public abstract class DirBasedAuthentication
/**
* Return a list of LDAP attributes with byte[] values to retrieve.
* Subclasses can override to return any set of attributes.
+ *
* @return Array of LDAP attributes to retrieve from the directory.
*/
protected String[] getLdapByteAttrs() {
@@ -616,22 +625,23 @@ public abstract class DirBasedAuthentication
}
/**
- * Formulate the subject name
+ * Formulate the subject name
+ *
* @param entry The LDAP entry
* @return The subject name string.
* @exception EBaseException If an internal error occurs.
*/
protected String formSubjectName(LDAPEntry entry)
- throws EAuthException {
- if (mPattern.mPatternString == null)
+ throws EAuthException {
+ if (mPattern.mPatternString == null)
return entry.getDN();
-
- /*
- if (mTestDNString != null) {
- mPattern.mTestDN = mTestDNString;
- //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN);
- }
- */
+
+ /*
+ if (mTestDNString != null) {
+ mPattern.mTestDN = mTestDNString;
+ //System.out.println("Set DNPattern.mTestDN to "+mPattern.mTestDN);
+ }
+ */
String dn = mPattern.formDN(entry);
@@ -641,6 +651,7 @@ public abstract class DirBasedAuthentication
/**
* Logs a message for this class in the system log file.
+ *
* @param level The log level.
* @param msg The message to log.
* @see com.netscape.certsrv.logging.ILogger
@@ -649,15 +660,14 @@ public abstract class DirBasedAuthentication
if (mLogger == null)
return;
mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
- level, msg);
+ level, msg);
}
public String[] getExtendedPluginInfo(Locale locale) {
String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
return s;
-
+
}
}
-