Class LdapLoginModule

java.lang.Object
org.eclipse.jetty.security.jaas.spi.AbstractLoginModule
org.eclipse.jetty.security.jaas.spi.LdapLoginModule
All Implemented Interfaces:
LoginModule

public class LdapLoginModule extends AbstractLoginModule
An LdapLoginModule for use with JAAS setups.

The JVM should be started with the following parameter:

 -Djava.security.auth.login.config=etc/ldap-loginModule.conf
 
and an example of the ldap-loginModule.conf would be as follows. Note that this example uses plain LDAP on port 389 (useLdaps="false"), so the bind password and the users' passwords cross the network unencrypted, and it binds as cn=Directory Manager; a deployment should set useLdaps="true" and bind with an account that has only the read rights the module needs:
 ldaploginmodule {
    org.eclipse.jetty.security.jaas.spi.LdapLoginModule required
    debug="true"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="ldap.example.com"
    port="389"
    bindDn="cn=Directory Manager"
    bindPassword="directory"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="ou=people,dc=example,dc=com"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    roleObjectClass="groupOfUniqueNames";
    };
 
  • Constructor Details

    • LdapLoginModule

      public LdapLoginModule()
  • Method Details

    • getUser

      public AbstractLoginModule.JAASUser getUser(String username) throws Exception
      Get the available information about the user.

      For this LoginModule, the credential can be null, which results in a binding LDAP authentication scenario: the user is authenticated by binding to the directory as that user rather than by comparing a stored password.

      Roles are optional; if role options are configured, the user's roles are looked up as well.

      Specified by:
      getUser in class AbstractLoginModule
      Parameters:
      username - the user name
      Returns:
      the userinfo for the username
      Throws:
      Exception - if unable to get the user info
    • doRFC2254Encoding

      protected String doRFC2254Encoding(String inputString)
      Encodes inputString for inclusion in an LDAP search filter according to RFC 2254 (the string representation of LDAP search filters), escaping the characters that carry filter syntax such as *, (, ) and \. Any caller-supplied value, in particular the username, must be encoded this way before it is embedded in a filter; an unescaped value lets the caller change the meaning of the filter (LDAP filter injection).
      Parameters:
      inputString - the value to encode
      Returns:
      the encoded value, safe to embed as a filter assertion value
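The following is an added illustration, not code from Jetty, of why the encoding matters. A module of this kind looks the user up with a search filter that embeds the username; the exact filter LdapLoginModule builds is not shown on this page, so the shape used here (an AND of userObjectClass and userIdAttribute) is an assumption, and rfc2254Encode is a re-implementation of the RFC 2254 section 4 escaping rules, not the class's own method. The attacker input is constructed for the example.

```java
/**
 * Added example (not Jetty code): RFC 2254 escaping of a value that is
 * interpolated into an LDAP search filter, with and without the escaping.
 */
public class LdapFilterEscapeExample {

    /**
     * Escape a value for use as an assertion value inside an LDAP filter
     * (RFC 2254 section 4, later RFC 4515): the characters that have filter
     * syntax are replaced by a backslash followed by their two-digit hex code.
     */
    public static String rfc2254Encode(String input) {
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Build a user lookup filter of the assumed shape
     * (&(objectClass=<userObjectClass>)(<userIdAttribute>=<username>)).
     * The escape flag exists only to show the unsafe variant side by side.
     */
    public static String userFilter(String objectClass, String idAttribute,
                                    String username, boolean escape) {
        String value = escape ? rfc2254Encode(username) : username;
        return "(&(objectClass=" + objectClass + ")(" + idAttribute + "=" + value + "))";
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled username: closes the uid assertion
        // and appends a wildcard clause so the AND matches every user entry.
        String attackerInput = "*)(uid=*";

        System.out.println("unescaped: "
            + userFilter("inetOrgPerson", "uid", attackerInput, false));
        System.out.println("escaped:   "
            + userFilter("inetOrgPerson", "uid", attackerInput, true));
    }
}
```

Without escaping the input turns the filter into (&(objectClass=inetOrgPerson)(uid=*)(uid=*)), which matches every inetOrgPerson entry, so whichever entry the server returns first is taken as "the user"; with escaping the same input becomes the literal value \2a\29\28uid=\2a and matches no entry.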
    • login

      public boolean login() throws LoginException
      Since LDAP uses a context bind for valid authentication checking, we override login().

      If credentials are not available from the user's context, or if the binding check is being forced (forceBindingLogin), a binding authentication check is attempted: the module binds to the directory as the user with the supplied password. Otherwise, if the user's encoded password is available (read from userPasswordAttribute), authentication is performed by comparing the supplied credential against that stored value. The second path requires the configured bindDn account to be able to read the user's password attribute; if the directory does not grant that, set forceBindingLogin="true".

      Specified by:
      login in interface LoginModule
      Overrides:
      login in class AbstractLoginModule
      Returns:
      true if authenticated, false otherwise
      Throws:
      LoginException - if unable to login
    • credentialLogin

      protected boolean credentialLogin(Object webCredential) throws LoginException
      Password-supplied authentication check: compares the supplied web credential against the user's stored credential.
      Parameters:
      webCredential - the web credential
      Returns:
      true if authenticated
      Throws:
      LoginException - if unable to login
    • bindingLogin

      public boolean bindingLogin(String username, Object password) throws LoginException
      Binding authentication check. This method of authentication works only if the user branch of the DIT (LDAP tree) has an ACI (access control instruction) that allows the bind for any user, or at least for the user that logs in.
      Parameters:
      username - the user name
      password - the password
      Returns:
      true always; a failed bind is reported by throwing LoginException rather than by returning false
      Throws:
      LoginException - if unable to bind the login
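The following is an added example, not Jetty code, of what the binding check described under login() and bindingLogin() amounts to at the JNDI level, written against the option names used in the configuration above (useLdaps, hostname, port, authenticationMethod). The host, DN and password are constructed for illustration, and the user's DN is assumed to have been resolved beforehand (a raw username must not be concatenated into a DN without RFC 4514 escaping). The example adds one guard the page does not mention: an empty password is rejected before any bind is attempted.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not Jetty code): authenticate a user by binding to the
 * directory as that user's DN, the "binding login" described above.
 */
public class LdapBindCheckExample {

    /** Mirror of the useLdaps/hostname/port options: build the JNDI provider URL. */
    public static String providerUrl(boolean useLdaps, String hostname, int port) {
        return (useLdaps ? "ldaps://" : "ldap://") + hostname + ":" + port;
    }

    /**
     * Returns true only if the server accepted a simple bind for userDn with
     * the supplied password. A wrong password or unknown DN yields false;
     * connectivity problems propagate as NamingException.
     */
    public static boolean bindAsUser(String url, String userDn, char[] password)
            throws NamingException {
        // RFC 4513 section 5.1.2: a simple bind with a DN and an EMPTY password
        // is an "unauthenticated" bind, which some servers accept and treat as
        // anonymous. Refuse it here so an empty password can never look like a
        // successful login. (Guard added in this example; not described on the page.)
        if (userDn == null || userDn.isEmpty() || password == null || password.length == 0) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");   // authenticationMethod="simple"
        env.put(Context.SECURITY_PRINCIPAL, userDn);          // bind as the user, not as bindDn
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind request is sent here
            return true;
        } catch (AuthenticationException e) {
            return false;                        // server rejected the credentials
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values: LDAPS on 636 so the password is not sent in the clear.
        String url = providerUrl(true, "ldap.example.com", 636);
        // DN as it would be resolved from userRdnAttribute="uid" under
        // userBaseDn="ou=people,dc=example,dc=com" (assumed, for illustration).
        String userDn = "uid=jdoe,ou=people,dc=example,dc=com";

        boolean ok = bindAsUser(url, userDn, "correct-horse".toCharArray());
        System.out.println("authenticated: " + ok);
    }
}
```

The bind succeeds only when the directory's ACI lets that DN bind, which is the precondition stated for bindingLogin(); the bindDn/bindPassword pair from the configuration is not involved in this path at all, which is why forceBindingLogin="true" lets the bind account be restricted to read-only lookups.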
    • initialize

      public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
      Initialise the LoginModule.

      Called once by JAAS after new instance is created.

      Specified by:
      initialize in interface LoginModule
      Overrides:
      initialize in class AbstractLoginModule
      Parameters:
      subject - the subject
      callbackHandler - the callback handler
      sharedState - the shared state map
      options - the option map
    • commit

      public boolean commit() throws LoginException
      Specified by:
      commit in interface LoginModule
      Overrides:
      commit in class AbstractLoginModule
      Returns:
      true if committed, false if not (likely not authenticated)
      Throws:
      LoginException - if unable to commit
    • abort

      public boolean abort() throws LoginException
      Specified by:
      abort in interface LoginModule
      Overrides:
      abort in class AbstractLoginModule
      Throws:
      LoginException
    • getEnvironment

      public Hashtable<Object,Object> getEnvironment()
      Get the JNDI environment used to open the directory connection context.
      Returns:
      the environment details for the context
    • convertCredentialLdapToJetty

      public static String convertCredentialLdapToJetty(String encryptedPassword)