Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 60602 invoked from network); 15 Apr 2011 13:45:40 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 15 Apr 2011 13:45:40 -0000 Received: (qmail 60519 invoked by uid 500); 15 Apr 2011 13:45:40 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 60475 invoked by uid 500); 15 Apr 2011 13:45:40 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 60468 invoked by uid 99); 15 Apr 2011 13:45:40 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 15 Apr 2011 13:45:40 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 15 Apr 2011 13:45:37 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id BDC77238899C; Fri, 15 Apr 2011 13:45:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1092704 - in /directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api: LdapNetworkConnection.java SaslRequest.java Date: Fri, 15 Apr 2011 13:45:15 -0000 To: commits@directory.apache.org 
From: pamarcelot@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110415134515.BDC77238899C@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: pamarcelot Date: Fri Apr 15 13:45:15 2011 New Revision: 1092704 URL: http://svn.apache.org/viewvc?rev=1092704&view=rev Log: Redo for commit '1071709' which was lost after an errorneous merge at commit '1072787' Initial commit log was: Fix for DIRAPI-42 (Add additional classes and clean method arguments for SASL binds (CRAM-MD5, DIGEST-MD5, GSS-API)). Added support for specifying: o krb5.conf file path o a Configuration class for LoginModule Modified: directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/SaslRequest.java Modified: directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java URL: http://svn.apache.org/viewvc/directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java?rev=1092704&r1=1092703&r2=1092704&view=diff ==============================================================================
--- directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java (original)
+++ directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java Fri Apr 15 13:45:15 2011
@@ -28,6 +28,7 @@ import java.net.SocketAddress;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -1389,30 +1390,52 @@ public class LdapNetworkConnection exten public BindFuture bindAsync( GssApiRequest request ) throws LdapException, IOException { - System.clearProperty( "java.security.krb5.conf" ); - String krbConfPath = createKrbConfFile( request.getRealmName(), request.getKdcHost(), request.getKdcPort() ); - System.setProperty( "java.security.krb5.conf", krbConfPath ); + // Krb5.conf file + if ( request.getKrb5ConfFilePath() != null ) + { + // Using the krb5.conf file provided by the user + System.setProperty( "java.security.krb5.conf", request.getKrb5ConfFilePath() ); + } + else if ( ( request.getRealmName() != null ) && ( request.getKdcHost() != null ) + && ( request.getKdcPort() != 0 ) ) + { + // Using a custom krb5.conf we create from the settings provided by the user + String krb5ConfPath = createKrb5ConfFile( request.getRealmName(), request.getKdcHost(), request.getKdcPort() ); + System.setProperty( "java.security.krb5.conf", krb5ConfPath ); + } + else + { + // Using the system Kerberos configuration + System.clearProperty( "java.security.krb5.conf" ); + } - Configuration.setConfiguration( new Krb5LoginConfiguration() ); - System.setProperty( "javax.security.auth.useSubjectCredsOnly", "true" ); + // Login Module configuration + if ( request.getLoginModuleConfiguration() != null ) + { + // Using the configuration provided by the user + Configuration.setConfiguration( request.getLoginModuleConfiguration() ); + } + else + { + // Using the default configuration + Configuration.setConfiguration( new Krb5LoginConfiguration() ); + } try { System.setProperty( "javax.security.auth.useSubjectCredsOnly", "true" ); LoginContext loginContext = new LoginContext( "ldapnetworkconnection", - new SaslCallbackHandler( request ) ); + new SaslCallbackHandler( request ) ); loginContext.login(); final GssApiRequest requetFinal = request; - - return ( BindFuture ) Subject.doAs( loginContext.getSubject(), - new PrivilegedExceptionAction() + return ( BindFuture ) 
Subject.doAs( loginContext.getSubject(), new PrivilegedExceptionAction() + { + public Object run() throws Exception { - public Object run() throws Exception - { - return bindSasl( requetFinal ); - } - } ); + return bindSasl( requetFinal ); + } + } ); } catch ( Exception e ) { @@ -3633,6 +3656,28 @@ public class LdapNetworkConnection exten byte[] response = null; ResultCodeEnum result = null; + // Creating a map for SASL properties + Map properties = new HashMap(); + + // Quality of Protection SASL property + if ( saslRequest.getQualityOfProtection() != null ) + { + + properties.put( Sasl.QOP, saslRequest.getQualityOfProtection().getValue() ); + } + + // Security Strength SASL property + if ( saslRequest.getSecurityStrength() != null ) + { + properties.put( Sasl.STRENGTH, saslRequest.getSecurityStrength().getValue() ); + } + + // Mutual Authentication SASL property + if ( saslRequest.isMutualAuthentication() ) + { + properties.put( Sasl.SERVER_AUTH, "true" ); + } + // Creating a SASL Client SaslClient sc = Sasl.createSaslClient( new String[] @@ -3640,7 +3685,7 @@ public class LdapNetworkConnection exten saslRequest.getAuthorizationId(), "ldap", config.getLdapHost(), - null, + properties, new SaslCallbackHandler( saslRequest ) ); // If the SaslClient wasn't created, that means we can't create the SASL client @@ -3791,7 +3836,7 @@ public class LdapNetworkConnection exten * * @return the full path of the config file */ - private String createKrbConfFile( String realmName, String kdcHost, int kdcPort ) throws IOException + private String createKrb5ConfFile( String realmName, String kdcHost, int kdcPort ) throws IOException { StringBuilder sb = new StringBuilder(); 
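Review bot: In the new first branch, `request.getKrb5ConfFilePath()` is handed to `System.setProperty( "java.security.krb5.conf", ... )` without any check that the file exists and is readable, so a mistyped path only surfaces later as an opaque login failure; a fail-fast guard such as `if ( !new File( request.getKrb5ConfFilePath() ).canRead() ) { throw new LdapException( "krb5.conf file is not readable: " + request.getKrb5ConfFilePath() ); }` (message text is constructed) would make the cause obvious. Both that property and `Configuration.setConfiguration(...)` are JVM-wide state, so two connections binding concurrently with different GssApiRequest settings can overwrite each other's Kerberos configuration; this was already true before, but the new per-request branches widen it and it deserves a Javadoc note on bindAsync stating that the GSS-API bind mutates process-global Kerberos/JAAS configuration and is not safe to run concurrently with differing settings. The Kerberos runtime may also cache its configuration after first use, so changing the property between binds in the same JVM might not take effect without a refresh — worth verifying. The `else if` requires `getKdcPort() != 0`, so a request that sets realm and KDC host but leaves the port at 0 silently falls back to the system configuration; an explicit IllegalArgumentException there would be clearer. bindAsync's catch block continues past the last hunk line.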
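Review bot: `Map properties = new HashMap();` is a raw type; `Sasl.createSaslClient` takes a `Map<String, ?>`, so declaring it `Map<String, Object> properties = new HashMap<String, Object>();` removes the unchecked warning and makes the value type explicit. A short comment above the map would also help readers: `// Properties left unset fall back to the SASL defaults: QOP "auth" (no integrity or confidentiality layer) and no server authentication`, since the three `if` blocks only add a property when the request sets it, and those defaults are what a caller gets when it forgets to configure them. The blank line at the top of the QoP `if` block can be dropped. The enclosing method (presumably bindSasl, called from bindAsync above) starts before this hunk.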
@@ -3819,10 +3864,10 @@ public class LdapNetworkConnection exten fw.write( sb.toString() ); fw.close(); - String krbConfPath = krb5Conf.getAbsolutePath(); + String krb5ConfPath = krb5Conf.getAbsolutePath(); - LOG.debug( "krb config file created at {}", krbConfPath ); + LOG.debug( "krb 5 config file created at {}", krb5ConfPath ); - return krbConfPath; + return krb5ConfPath; } } Modified: directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/SaslRequest.java URL: http://svn.apache.org/viewvc/directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/SaslRequest.java?rev=1092704&r1=1092703&r2=1092704&view=diff ============================================================================== --- directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/SaslRequest.java (original) +++ directory/shared/trunk/ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/SaslRequest.java Fri Apr 15 13:45:15 2011 @@ -25,6 +25,8 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import org.apache.directory.shared.ldap.model.constants.SaslQoP; +import org.apache.directory.shared.ldap.model.constants.SaslSecurityStrength; import org.apache.directory.shared.ldap.model.message.Control; import org.apache.directory.shared.util.StringConstants; import org.apache.directory.shared.util.Strings; @@ -35,8 +37,7 @@ import org.apache.directory.shared.util. * * @author Apache Directory Project */ -// TODO make this class abstract -public class SaslRequest +public abstract class SaslRequest { /** The mechanism used to decode user identity */ protected String saslMechanism; 
@@ -56,6 +57,15 @@ public class SaslRequest /** The authorization ID of the entity */ protected String authorizationId; + /** The quality of protection */ + protected SaslQoP qualityOfProtection; + + /** The security strength */ + protected SaslSecurityStrength securityStrength; + + /** Require mutual authentication */ + protected boolean mutualAuthentication = false; + /** * Creates a new instance of SaslRequest. @@ -132,6 +142,17 @@ public class SaslRequest /** + * Gets the quality of protection. + * + * @return the quality of protection + */ + public SaslQoP getQualityOfProtection() + { + return qualityOfProtection; + } + + + /** * Gets realm name. * * @return the realm name @@ -154,6 +175,17 @@ public class SaslRequest /** + * Gets the security strength. + * + * @return the security strength + */ + public SaslSecurityStrength getSecurityStrength() + { + return securityStrength; + } + + + /** * Gets the username. * * @return the username @@ -165,6 +197,17 @@ public class SaslRequest /** + * Indicates if mutual authentication is required. + * + * @return the flag indicating if mutual authentication is required + */ + public boolean isMutualAuthentication() + { + return mutualAuthentication; + } + + + /** * Sets the Authorization ID * * @param authorizationId The authorization ID @@ -198,6 +241,28 @@ public class SaslRequest /** + * Sets the flag indicating if mutual authentication is required. + * + * @param mutualAuthentication the flag indicating if mutual authentication is required + */ + public void setMutualAuthentication( boolean mutualAuthentication ) + { + this.mutualAuthentication = mutualAuthentication; + } + + + /** + * Sets the quality of protection. + * + * @param qualityOfProtection the quality of protection + */ + public void setQualityOfProtection( SaslQoP qualityOfProtection ) + { + this.qualityOfProtection = qualityOfProtection; + } + + + /** * Sets the realm name. * * @param realmName The realm name 
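Review bot: The new field Javadoc does not say what an unset value means, which matters because LdapNetworkConnection only forwards these settings to the SASL client when they are non-null. Suggest `/** The quality of protection, or null to let the SASL client use its default ("auth": no integrity or confidentiality layer) */` on qualityOfProtection, `/** The security strength, or null to use the SASL client's default */` on securityStrength, and `/** Whether the server must authenticate itself too (Sasl.SERVER_AUTH); defaults to false */` on mutualAuthentication. The same "or null if not set" wording belongs in the @return of the three getters added in the following hunks.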
@@ -220,6 +285,17 @@ public class SaslRequest /** + * Sets the security strength. + * + * @param securityStrength the security strength + */ + public void setSecurityStrength( SaslSecurityStrength securityStrength ) + { + this.securityStrength = securityStrength; + } + + + /** * Sets the username. * * @param username the username