org.apache.directory.server.core.authn

Class SimpleAuthenticator

java.lang.Object

org.apache.directory.server.core.authn.AbstractAuthenticator

org.apache.directory.server.core.authn.SimpleAuthenticator

All Implemented Interfaces:

Authenticator

public class SimpleAuthenticator
extends AbstractAuthenticator

A simple Authenticator that authenticates clear text passwords contained within the userPassword attribute in DIT. If the password is stored with a one-way encryption applied (e.g. SHA), the password is hashed the same way before comparison. We use a cache to speedup authentication, where the Dn/password are stored.

Field Summary

Fields

Modifier and Type	Field and Description
private org.apache.commons.collections.map.LRUMap	credentialCache A cache to store passwords.
private static int	DEFAULT_CACHE_SIZE Declare a default for this cache.
private static boolean	IS_DEBUG A speedup for logger in debug mode

Fields inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator

LOG

Constructor Summary

Constructors

Constructor and Description
SimpleAuthenticator() Creates a new instance.
SimpleAuthenticator(org.apache.directory.api.ldap.model.name.Dn baseDn) Creates a new instance.
SimpleAuthenticator(int cacheSize) Creates a new instance, with an initial cache size
SimpleAuthenticator(int cacheSize, org.apache.directory.api.ldap.model.name.Dn baseDn) Creates a new instance, with an initial cache size

Method Summary

Modifier and Type	Method and Description
LdapPrincipal	authenticate(BindOperationContext bindContext) Looks up userPassword attribute of the entry whose name is the value of Context#SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.
protected java.lang.String	createDigestedPassword(java.lang.String algorithm, byte[] password) Creates a digested password.
protected java.lang.String	getAlgorithmForHashedPassword(byte[] password) Get the algorithm of a password, which is stored in the form "{XYZ}...".
private LdapPrincipal	getStoredPassword(BindOperationContext bindContext) Get the password either from cache or from backend.
void	invalidateCache(org.apache.directory.api.ldap.model.name.Dn bindDn) Remove the principal form the cache.
private byte[][]	lookupUserPassword(BindOperationContext bindContext) Local function which request the password from the backend

Methods inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator

checkPwdPolicy, destroy, doDestroy, doInit, getAuthenticatorType, getBaseDn, getDirectoryService, init, isValid, setBaseDn

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

IS_DEBUG

private static final boolean IS_DEBUG

A speedup for logger in debug mode

credentialCache

private final org.apache.commons.collections.map.LRUMap credentialCache

A cache to store passwords. It's a speedup, we will be able to avoid backend lookups. Note that the backend also use a cache mechanism, but for performance gain, it's good to manage a cache here. The main problem is that when a user modify his password, we will have to update it at three different places : - in the backend, - in the partition cache, - in this cache. The update of the backend and partition cache is already correctly handled, so we will just have to offer an access to refresh the local cache. We need to be sure that frequently used passwords be always in cache, and not discarded. We will use a LRU cache for this purpose.

DEFAULT_CACHE_SIZE

private static final int DEFAULT_CACHE_SIZE

Declare a default for this cache. 100 entries seems to be enough

See Also:

Constant Field Values

Constructor Detail

SimpleAuthenticator

public SimpleAuthenticator()

Creates a new instance.

SimpleAuthenticator

public SimpleAuthenticator(org.apache.directory.api.ldap.model.name.Dn baseDn)

Creates a new instance.

See Also:

AbstractAuthenticator

SimpleAuthenticator

public SimpleAuthenticator(int cacheSize)

Creates a new instance, with an initial cache size

Parameters:

cacheSize - the size of the credential cache

SimpleAuthenticator

public SimpleAuthenticator(int cacheSize,
                           org.apache.directory.api.ldap.model.name.Dn baseDn)

Creates a new instance, with an initial cache size

Parameters:

cacheSize - the size of the credential cache

Method Detail

getStoredPassword

private LdapPrincipal getStoredPassword(BindOperationContext bindContext)
                                 throws org.apache.directory.api.ldap.model.exception.LdapException

Get the password either from cache or from backend.

Parameters:

principalDN - The Dn from which we want the password

Returns:

A byte array which can be empty if the password was not found

Throws:

java.lang.Exception - If we have a problem during the lookup operation

org.apache.directory.api.ldap.model.exception.LdapException

authenticate

public LdapPrincipal authenticate(BindOperationContext bindContext)
                           throws org.apache.directory.api.ldap.model.exception.LdapException

Looks up userPassword attribute of the entry whose name is the value of Context#SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.

Parameters:

bindContext - The Bind context

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

lookupUserPassword

private byte[][] lookupUserPassword(BindOperationContext bindContext)
                             throws org.apache.directory.api.ldap.model.exception.LdapException

Local function which request the password from the backend

Parameters:

bindContext - the Bind operation context

Returns:

the credentials from the backend

Throws:

java.lang.Exception - if there are problems accessing backend

org.apache.directory.api.ldap.model.exception.LdapException

getAlgorithmForHashedPassword

protected java.lang.String getAlgorithmForHashedPassword(byte[] password)
                                                  throws java.lang.IllegalArgumentException

Get the algorithm of a password, which is stored in the form "{XYZ}...". The method returns null, if the argument is not in this form. It returns XYZ, if XYZ is an algorithm known to the MessageDigest class of java.security.

Parameters:

password - a byte[]

Returns:

included message digest alorithm, if any

Throws:

java.lang.IllegalArgumentException - if the algorithm cannot be identified

createDigestedPassword

protected java.lang.String createDigestedPassword(java.lang.String algorithm,
                                                  byte[] password)
                                           throws java.lang.IllegalArgumentException

Creates a digested password. For a given hash algorithm and a password value, the algorithm is applied to the password, and the result is Base64 encoded. The method returns a String which looks like "{XYZ}bbbbbbb", whereas XYZ is the name of the algorithm, and bbbbbbb is the Base64 encoded value of XYZ applied to the password.

Parameters:

algorithm - an algorithm which is supported by java.security.MessageDigest, e.g. SHA

password - password value, a byte[]

Returns:

a digested password, which looks like {SHA}LhkDrSoM6qr0fW6hzlfOJQW61tc=

Throws:

java.lang.IllegalArgumentException - if password is neither a String nor a byte[], or algorithm is not known to java.security.MessageDigest class

invalidateCache

public void invalidateCache(org.apache.directory.api.ldap.model.name.Dn bindDn)

Remove the principal form the cache. This is used when the user changes his password.

Specified by:

invalidateCache in interface Authenticator

Overrides:

invalidateCache in class AbstractAuthenticator

Parameters:

bindDn - the already normalized distinguished name of the bind principal