/**
* Method authenticate.
*
* @param username String
* @param password String
* @return boolean * @throws Exception
*/
public boolean authenticate(String username, String password) throws Exception {
try {
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, username);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
ctx.reconnect(connCtls);
} catch (AuthenticationException e) {
throw e;
} catch (NamingException e) {
throw e;
}
return true;
}
/**
* Attempt authentication
*
* @param getPasswdFromSharedState boolean that tells this method whether to retrieve the password
* from the sharedState.
* @exception LoginException if the authentication attempt fails.
*/
private void attemptAuthentication(boolean getPasswdFromSharedState) throws LoginException {
// first get the username and password
getUsernamePassword(getPasswdFromSharedState);
if (password == null || password.length == 0) {
throw (LoginException) new FailedLoginException("No password was supplied");
}
String dn = "";
if (authFirst || authOnly) {
String id = replaceUsernameToken(identityMatcher, authcIdentity);
// Prepare to bind using user's username and password
ldapEnvironment.put(Context.SECURITY_CREDENTIALS, password);
ldapEnvironment.put(Context.SECURITY_PRINCIPAL, id);
if (debug) {
System.out.println(
"\t\t[LdapLoginModule] " + "attempting to authenticate user: "******"Cannot bind to LDAP server").initCause(e);
}
// Authentication has succeeded
// Locate the user's distinguished name
if (userFilter != null) {
dn = findUserDN(ctx);
} else {
dn = id;
}
} else {
try {
// Connect to the LDAP server (using anonymous bind)
ctx = new InitialLdapContext(ldapEnvironment, null);
} catch (NamingException e) {
throw (LoginException)
new FailedLoginException("Cannot connect to LDAP server").initCause(e);
}
// Locate the user's distinguished name
dn = findUserDN(ctx);
try {
// Prepare to bind using user's distinguished name and password
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
if (debug) {
System.out.println(
"\t\t[LdapLoginModule] " + "attempting to authenticate user: "******"Cannot bind to LDAP server").initCause(e);
}
}
// Save input as shared state only if authentication succeeded
if (storePass
&& !sharedState.containsKey(USERNAME_KEY)
&& !sharedState.containsKey(PASSWORD_KEY)) {
sharedState.put(USERNAME_KEY, username);
sharedState.put(PASSWORD_KEY, password);
}
// Create the user principals
userPrincipal = new UserPrincipal(username);
if (authzIdentity != null) {
authzPrincipal = new UserPrincipal(authzIdentity);
}
try {
ldapPrincipal = new LdapPrincipal(dn);
} catch (InvalidNameException e) {
if (debug) {
System.out.println("\t\t[LdapLoginModule] " + "cannot create LdapPrincipal: bad DN");
}
throw (LoginException) new FailedLoginException("Cannot create LdapPrincipal").initCause(e);
}
}
private LdapContext bind(
String principalName, String password, SocketInfo server, Hashtable<String, String> props)
throws NamingException {
String ldapUrl = (FORCE_LDAPS ? "ldaps://" : "ldap://") + server + '/';
String oldName = Thread.currentThread().getName();
Thread.currentThread().setName("Connecting to " + ldapUrl + " : " + oldName);
LOGGER.fine("Connecting to " + ldapUrl);
try {
props.put(Context.PROVIDER_URL, ldapUrl);
props.put("java.naming.ldap.version", "3");
customizeLdapProperties(props);
LdapContext context = (LdapContext) LdapCtxFactory.getLdapCtxInstance(ldapUrl, props);
if (!FORCE_LDAPS) {
// try to upgrade to TLS if we can, but failing to do so isn't fatal
// see http://download.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html
try {
StartTlsResponse rsp =
(StartTlsResponse) context.extendedOperation(new StartTlsRequest());
rsp.negotiate((SSLSocketFactory) TrustAllSocketFactory.getDefault());
LOGGER.fine("Connection upgraded to TLS");
} catch (NamingException e) {
LOGGER.log(
Level.FINE,
"Failed to start TLS. Authentication will be done via plain-text LDAP",
e);
context.removeFromEnvironment("java.naming.ldap.factory.socket");
} catch (IOException e) {
LOGGER.log(
Level.FINE,
"Failed to start TLS. Authentication will be done via plain-text LDAP",
e);
context.removeFromEnvironment("java.naming.ldap.factory.socket");
}
}
if (principalName == null || password == null || password.equals("")) {
// anonymous bind. LDAP uses empty password as a signal to anonymous bind (RFC 2829 5.1),
// which means it can never be the actual user password.
context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none");
LOGGER.fine("Binding anonymously to " + ldapUrl);
} else {
// authenticate after upgrading to TLS, so that the credential won't go in clear text
context.addToEnvironment(Context.SECURITY_PRINCIPAL, principalName);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
LOGGER.fine("Binding as " + principalName + " to " + ldapUrl);
}
// this is supposed to cause the LDAP bind operation with the server,
// but I notice that AD may still accept this and yet fail to search later,
// when I tried anonymous bind.
// if I do specify a wrong credential, this seems to fail.
context.reconnect(null);
return context; // worked
} finally {
Thread.currentThread().setName(oldName);
}
}
