From erodrig...@apache.org
Subject svn commit: r526509 - in /directory/apacheds/branches/apacheds-sasl-branch: core/src/main/java/org/apache/directory/server/core/ core/src/main/java/org/apache/directory/server/core/authn/ core/src/main/java/org/apache/directory/server/core/configuratio...
Date Sun, 08 Apr 2007 02:23:33 GMT
Author: erodriguez
Date: Sat Apr  7 19:23:31 2007
New Revision: 526509

URL: http://svn.apache.org/viewvc?view=rev&rev=526509
Log:
Added support for X.501 authenticationLevel 'strong' in the SASL branch:
o  Added new Authenticator, the StrongAuthenticator.
o  Modified DefaultDirectoryService and StartupConfiguration to use new StrongAuthenticator.
o  Modified Bind processing to use 'simple' or 'strong' depending on authentication mechanism.
o  Removed use of userPassword and SimpleAuthenticator from SASL mechanisms.

Added:
    directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
  (with props)
Modified:
    directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
    directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/configuration/StartupConfiguration.java
    directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/CramMd5CallbackHandler.java
    directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/DigestMd5CallbackHandler.java
    directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GetLdapContext.java
    directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GssapiCallbackHandler.java

Modified: directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java?view=diff&rev=526509&r1=526508&r2=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
Sat Apr  7 19:23:31 2007
@@ -21,11 +21,11 @@
 
 
 import java.io.IOException;
+import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
-import java.util.HashSet;
 
 import javax.naming.Context;
 import javax.naming.NamingException;
@@ -75,7 +75,6 @@
 import org.apache.directory.shared.ldap.schema.OidNormalizer;
 import org.apache.directory.shared.ldap.util.DateUtils;
 import org.apache.directory.shared.ldap.util.StringTools;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -379,10 +378,22 @@
         }
 
         /*
+         * If bind is strong make sure we have the principal name
+         * set within the environment, otherwise complain
+         */
+        if ( "strong".equalsIgnoreCase( authentication ) )
+        {
+            if ( principal == null )
+            {
+                throw new LdapConfigurationException( "missing required " + Context.SECURITY_PRINCIPAL
+                    + " property for strong authentication" );
+            }
+        }
+        /*
          * If bind is simple make sure we have the credentials and the
          * principal name set within the environment, otherwise complain
          */
-        if ( "simple".equalsIgnoreCase( authentication ) )
+        else if ( "simple".equalsIgnoreCase( authentication ) )
         {
             if ( credential == null )
             {
@@ -408,6 +419,7 @@
                     + "settings encountered where bind is anonymous yet " + Context.SECURITY_CREDENTIALS
                     + " property is set" );
             }
+
             if ( principal != null )
             {
                 throw new LdapConfigurationException( "ambiguous bind "
@@ -423,8 +435,7 @@
         else
         {
             /*
-             * If bind is anything other than simple or none we need to
-             * complain because SASL is not a supported auth method yet
+             * If bind is anything other than strong, simple, or none we need to complain
              */
             throw new LdapAuthenticationNotSupportedException( "Unknown authentication type:
'" + authentication + "'",
                 ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED );

Added: directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java?view=auto&rev=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
(added)
+++ directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
Sat Apr  7 19:23:31 2007
@@ -0,0 +1,59 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authn;
+
+
+import javax.naming.NamingException;
+
+import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
+import org.apache.directory.shared.ldap.name.LdapDN;
+
+
+/**
+ * An {@link Authenticator} that handles SASL connections (X.501 authentication
+ * level <tt>'strong'</tt>).  The principal has been authenticated during SASL
+ * negotiation; therefore, no additional authentication is necessary in this
+ * {@link Authenticator}.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class StrongAuthenticator extends AbstractAuthenticator
+{
+    /**
+     * Creates a new instance of SaslAuthenticator.
+     */
+    public StrongAuthenticator()
+    {
+        super( "strong" );
+    }
+
+
+    /**
+     * User has already been authenticated during SASL negotiation.  Set the authentication
level
+     * to strong and return an {@link LdapPrincipal}.
+     */
+    public LdapPrincipal authenticate( LdapDN principalDn, ServerContext ctx ) throws NamingException
+    {
+        // Possibly check if user account is disabled, other account checks.
+        return new LdapPrincipal( principalDn, AuthenticationLevel.STRONG );
+    }
+}
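Review bot: The constructor Javadoc reads `Creates a new instance of SaslAuthenticator.`, a stale name; it should be `Creates a new instance of StrongAuthenticator.`. The `authenticate` Javadoc should also state the precondition the whole class rests on, since the body hands back an `LdapPrincipal` with `AuthenticationLevel.STRONG` for any DN it receives: e.g. `@param principalDn the DN already verified during SASL negotiation; this method does not validate it and must only be invoked for binds the server itself classified as strong`. The `// Possibly check if user account is disabled, other account checks.` line is an open item and reads better as `// TODO: account checks (e.g. disabled accounts) are not applied on the strong path yet`.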

Propchange: directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/configuration/StartupConfiguration.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/configuration/StartupConfiguration.java?view=diff&rev=526509&r1=526508&r2=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/configuration/StartupConfiguration.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/core/src/main/java/org/apache/directory/server/core/configuration/StartupConfiguration.java
Sat Apr  7 19:23:31 2007
@@ -33,6 +33,7 @@
 import org.apache.directory.server.core.authn.AnonymousAuthenticator;
 import org.apache.directory.server.core.authn.AuthenticationService;
 import org.apache.directory.server.core.authn.SimpleAuthenticator;
+import org.apache.directory.server.core.authn.StrongAuthenticator;
 import org.apache.directory.server.core.authz.AuthorizationService;
 import org.apache.directory.server.core.authz.DefaultAuthorizationService;
 import org.apache.directory.server.core.collective.CollectiveAttributeService;
@@ -113,6 +114,12 @@
         authCfg = new MutableAuthenticatorConfiguration();
         authCfg.setName( "Simple" );
         authCfg.setAuthenticator( new SimpleAuthenticator() );
+        set.add( authCfg );
+
+        // Strong
+        authCfg = new MutableAuthenticatorConfiguration();
+        authCfg.setName( "Strong" );
+        authCfg.setAuthenticator( new StrongAuthenticator() );
         set.add( authCfg );
 
         setAuthenticatorConfigurations( set );
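Review bot: The `Strong` authenticator is now part of the default configuration, which enables by default a path that issues STRONG-level principals without checking any credential, so a comment at the registration site would stop the next reader from treating it as a general-purpose mechanism: `// Strong: performs no credential check; relies on the SASL layer having authenticated the principal`. Whether anything limits the "strong" level to environments built by the server is not visible in this file and should be confirmed where the environment is assembled.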

Modified: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/CramMd5CallbackHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/CramMd5CallbackHandler.java?view=diff&rev=526509&r1=526508&r2=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/CramMd5CallbackHandler.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/CramMd5CallbackHandler.java
Sat Apr  7 19:23:31 2007
@@ -80,7 +80,6 @@
     {
         log.debug( "Converted username " + getUsername() + " to DN " + bindDn + " with password
" + userPassword );
         session.setAttribute( Context.SECURITY_PRINCIPAL, bindDn );
-        session.setAttribute( Context.SECURITY_CREDENTIALS, userPassword );
 
         authorizeCB.setAuthorizedID( bindDn );
         authorizeCB.setAuthorized( true );
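Review bot: The cleartext `userPassword` is still written to the log on the `log.debug( "Converted username " + getUsername() + " to DN " + bindDn + " with password " + userPassword )` line even though the commit stops storing it in the session; the identical line survives in DigestMd5CallbackHandler, and GetLdapContext's `log.debug( Context.SECURITY_CREDENTIALS + " " + credentials )` logs the simple-bind password the same way. Change the message as GssapiCallbackHandler does in this same commit: `log.debug( "Converted username " + getUsername() + " to DN " + bindDn + "." );`. `userPassword` is presumably still needed for the challenge-response verification, so only the log statement needs to change. The enclosing method starts and ends outside the hunk.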

Modified: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/DigestMd5CallbackHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/DigestMd5CallbackHandler.java?view=diff&rev=526509&r1=526508&r2=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/DigestMd5CallbackHandler.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/DigestMd5CallbackHandler.java
Sat Apr  7 19:23:31 2007
@@ -82,7 +82,6 @@
     {
         log.debug( "Converted username " + getUsername() + " to DN " + bindDn + " with password
" + userPassword );
         session.setAttribute( Context.SECURITY_PRINCIPAL, bindDn );
-        session.setAttribute( Context.SECURITY_CREDENTIALS, userPassword );
 
         authorizeCB.setAuthorizedID( bindDn );
         authorizeCB.setAuthorized( true );

Modified: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GetLdapContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GetLdapContext.java?view=diff&rev=526509&r1=526508&r2=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GetLdapContext.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GetLdapContext.java
Sat Apr  7 19:23:31 2007
@@ -126,23 +126,31 @@
 
     private Hashtable getEnvironment( IoSession session, Object message )
     {
-        /**
-         * For simple, this is an LdapDN.  For GSSAPI, this is a principal String.
-         */
         Object principal = session.getAttribute( Context.SECURITY_PRINCIPAL );
 
+        /**
+         * For simple, this is a password.  For strong, this is unused.
+         */
         Object credentials = session.getAttribute( Context.SECURITY_CREDENTIALS );
 
+        String sessionMechanism = ( String ) session.getAttribute( "sessionMechanism" );
+        String authenticationLevel = getAuthenticationLevel( sessionMechanism );
+
         log.debug( Context.SECURITY_PRINCIPAL + " " + principal );
         log.debug( Context.SECURITY_CREDENTIALS + " " + credentials );
-        log.debug( Context.SECURITY_AUTHENTICATION + " " + "simple" );
+        log.debug( Context.SECURITY_AUTHENTICATION + " " + authenticationLevel );
         log.debug( PropertyKeys.PARSED_BIND_DN + " " + principal );
 
         // clone the environment first then add the required security settings
         Hashtable env = SessionRegistry.getSingleton().getEnvironmentByCopy();
         env.put( Context.SECURITY_PRINCIPAL, principal );
-        env.put( Context.SECURITY_CREDENTIALS, credentials );
-        env.put( Context.SECURITY_AUTHENTICATION, "simple" );
+
+        if ( credentials != null )
+        {
+            env.put( Context.SECURITY_CREDENTIALS, credentials );
+        }
+
+        env.put( Context.SECURITY_AUTHENTICATION, authenticationLevel );
         env.put( PropertyKeys.PARSED_BIND_DN, principal );
 
         BindRequest request = ( BindRequest ) message;
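Review bot: The new `( String ) session.getAttribute( "sessionMechanism" )` line keys a security decision on a bare string literal that has to match whatever the bind handlers store under, and a silent mismatch hands `getAuthenticationLevel` a null; a shared constant, alongside `PropertyKeys.PARSED_BIND_DN` if that is where session keys are kept, removes that failure mode. Dropping the old comment also left `principal` undocumented; something like `/** The bind DN, set by simple bind or by a SASL callback handler once negotiation succeeds. */` matches what the callback handlers in this commit appear to store, though that should be confirmed. `getEnvironment` continues past the end of this hunk.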
@@ -157,5 +165,18 @@
         }
 
         return env;
+    }
+
+
+    private String getAuthenticationLevel( String sessionMechanism )
+    {
+        if ( sessionMechanism.equals( "SIMPLE" ) )
+        {
+            return "simple";
+        }
+        else
+        {
+            return "strong";
+        }
     }
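Review bot: `getAuthenticationLevel` dereferences its argument in `sessionMechanism.equals( "SIMPLE" )`, so a session without a `sessionMechanism` attribute throws NullPointerException in the middle of bind processing instead of failing cleanly; the null-safe form is `if ( "SIMPLE".equals( sessionMechanism ) )`. The larger issue is the `else`, which maps every other value, including null and any unrecognized mechanism, to `"strong"`, the level that DefaultDirectoryService accepts without verifying anything; the safer shape returns `"strong"` only for the SASL mechanisms whose callback handlers actually authenticated the principal and rejects (or treats as unauthenticated) everything else. A one-line Javadoc stating that `"strong"` here means "verified by a SASL mechanism in this session" would make the contract explicit.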
 }

Modified: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GssapiCallbackHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GssapiCallbackHandler.java?view=diff&rev=526509&r1=526508&r2=526509
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GssapiCallbackHandler.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/GssapiCallbackHandler.java
Sat Apr  7 19:23:31 2007
@@ -78,11 +78,9 @@
         // Don't actually want the entry, rather the hacked in dn.
         getPrincipal.execute( ctx, null );
         String bindDn = getPrincipal.getDn();
-        String userPassword = getPrincipal.getUserPassword();
 
-        log.debug( "Converted username " + username + " to DN " + bindDn + " with password
" + userPassword );
+        log.debug( "Converted username " + username + " to DN " + bindDn + "." );
         session.setAttribute( Context.SECURITY_PRINCIPAL, bindDn );
-        session.setAttribute( Context.SECURITY_CREDENTIALS, userPassword );
 
         authorizeCB.setAuthorizedID( bindDn );
         authorizeCB.setAuthorized( true );


