X509CertificateLdapLoginModule (Cams API Documentation)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.cafesoft.cams.auth.login.module
Class X509CertificateLdapLoginModule

java.lang.Object
  com.cafesoft.cams.auth.login.module.X509CertificateLdapLoginModule

All Implemented Interfaces:: LoggerClient, LoginModule

public class X509CertificateLdapLoginModule
extends Object
implements LoginModule, LoggerClient
extends Object
implements LoginModule, LoggerClient

X509CertificateLdapLoginModule implements a JAAS LoginModule that uses LDAP to authenticate a user presenting a username, password, and an X509 client certificate.

This LoginModule attempts to bind to a user-specific LDAP DN which may be constructed by substituting the value of configuration option "userDN" with a username parameter. The LDAP bind is attempted using the user-specified password, but only if all three authentication callback parameters are present.

If the LDAP bind succeeds, the LDAP userCertificate attribute is compared with the X509 certificate presented by the client. If the certificates match (exactly), then the first phase of the login transaction continues to assignment of roles, else login fails due an invalid certificate.

Role assignment is accomplished by use of an LDAP role filter, which queries Groups to which the user assigned and maps them directly to roles.

The following configuration options are available:

debug - Enables/disables debugging for the LoginModule.
host - The hostname of the LDAP server.
port - The port number of the LDAP server.
useSSL - Enables/disables use of SSL to the LDAP server.
connectTimeout - (Optional) The number of milliseconds to wait for a connection to the LDAP server before timing out.
emptyPassword - (Optional) Enable empty passwords (true or false). By default, the X509CertificateLdapLoginModule does not allow a password to be empty. Set this value to true to allow use of empty passwords when anonymous binds are required.
userDN - The distinguished name pattern to match to find a user. The username callback values entered by the the user as login credentials will be substituted for the values "{username}". For example:
uid={username},ou=accounting,o=mycompany,c=US
defaultRoles - (Optional) A comma-delimited list of one or more roles that will be assigned to successfully authenticated users. If not specified (or empty), no default roles will be assigned.
roleBaseDN - The base distinguished name to use for your LDAP schema role searches.
roleScope - Specifies the LDAP search scope to use for role searches. Valid values are BASE (search is done only at the base dn tree node), ONE (search is done only at the first child tree node of the base dn), and SUB (search is done at the base dn node and all child nodes).
roleAttrName - The name of the attribute used to store the role names.
roleFilter - The filter to use to search for a users roles. The username entered by the the user at login will be substituted for the value "{username}".
username_cb_name - (Optional) By default, a "username" callback is expected. If the login form uses a different name, then optionally configure it, for example:
password - (Optional) By default, a "password" callback is expected. If the login form uses a different name, then optionally configure it, for example:
X509_cb_name - (Optional) By default, a "X509" callback is expected. If the login request uses a different name, then optionally configure it, for example:

Since:: 07/10/2006
See Also:: Subject, CallbackHandler, LoginModule

Constructor Summary
`X509CertificateLdapLoginModule()` Default X509CertificateLdapLoginModule Constructor.

Method Summary
`boolean`	`abort()` Method to abort the authentication process (phase 2).
`boolean`	`commit()` Method to commit the authentication process (phase 2).
`void`	`initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)` Initialize this LoginModule.
`boolean`	`login()` Method to authenticate a `Subject` (phase 1).
`boolean`	`logout()` Method which logs out a `Subject`.
`void`	`setLogger(Logger logger)` Sets the logger.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

X509CertificateLdapLoginModule

public X509CertificateLdapLoginModule()

Default X509CertificateLdapLoginModule Constructor.

Method Detail

setLogger

public void setLogger(Logger logger)

Sets the logger.

Specified by:: setLogger in interface LoggerClient

Parameters:: logger - logs messages

initialize

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map sharedState,
                       Map options)

Initialize this LoginModule.

This method is called by the LoginContext after this LoginModule has been instantiated. The purpose of this method is to initialize this LoginModule with the relevant information. If this LoginModule does not understand any of the data stored in sharedState or options parameters, they can be ignored.

Specified by:: initialize in interface LoginModule

Parameters:: subject - the Subject to be authenticated.; callbackHandler - a CallbackHandler for communicating with the end user (prompting for usernames and passwords, for example).; sharedState - state shared with other configured LoginModules.; options - options specified in the login Configuration for this particular LoginModule.

login

public boolean login()
              throws LoginException

Method to authenticate a Subject (phase 1).

The implementation of this method authenticates a Subject. For example, it may prompt for Subject information such as a username and password and then attempt to verify the password. This method saves the result of the authentication attempt as private state within the LoginModule.

Specified by:: login in interface LoginModule

Returns:: true if the authentication succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the authentication fails

commit

public boolean commit()
               throws LoginException

Method to commit the authentication process (phase 2).

This method is called if the LoginContext's overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method associates relevant Principals and Credentials with the Subject located in the LoginModule. If this LoginModule's own authentication attempted failed, then this method removes/destroys any state that was originally saved.

Specified by:: commit in interface LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the commit fails

abort

public boolean abort()
              throws LoginException

Method to abort the authentication process (phase 2).

This method is called if the LoginContext's overall authentication failed. (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed).

If this LoginModule's own authentication attempt succeeded (checked by retrieving the private state saved by the login method), then this method cleans up any state that was originally saved.

Specified by:: abort in interface LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the abort fails

logout

public boolean logout()
               throws LoginException

Method which logs out a Subject.

An implementation of this method might remove/destroy a Subject's Principals and Credentials.

Specified by:: logout in interface LoginModule

Returns:: true if this method succeeded, or false if this LoginModule should be ignored.
Throws:: LoginException - if the logout fails