Java Code Examples for org.apache.directory.api.ldap.model.message.BindRequest#getSaslMechanism()
The following examples show how to use
org.apache.directory.api.ldap.model.message.BindRequest#getSaslMechanism() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: BindRequestHandler.java From MyVirtualDirectory with Apache License 2.0 | 5 votes |
private void handleSaslAuthPending( LdapSession ldapSession, BindRequest bindRequest ) throws Exception { // First, check that we have the same mechanism String saslMechanism = bindRequest.getSaslMechanism(); // The empty mechanism is also a request for a new Bind session if ( Strings.isEmpty( saslMechanism ) || !ldapSession.getSaslProperty( SaslConstants.SASL_MECH ).equals( saslMechanism ) ) { sendAuthMethNotSupported( ldapSession, bindRequest ); return; } // We have already received a first BindRequest, and sent back some challenge. // First, check if the mechanism is the same MechanismHandler mechanismHandler = handlers.get( saslMechanism ); if ( mechanismHandler == null ) { String message = I18n.err( I18n.ERR_161, saslMechanism ); // Clear the saslProperties, and move to the anonymous state ldapSession.clearSaslProperties(); ldapSession.setAnonymous(); LOG.error( message ); throw new IllegalArgumentException( message ); } // Get the previously created SaslServer instance SaslServer ss = mechanismHandler.handleMechanism( ldapSession, bindRequest ); generateSaslChallengeOrComplete( ldapSession, ss, bindRequest ); }
Example 2
Source File: BindRequestHandler.java From MyVirtualDirectory with Apache License 2.0 | 5 votes |
private void handleSaslAuthPending(LdapSession ldapSession, BindRequest bindRequest) throws Exception { // First, check that we have the same mechanism String saslMechanism = bindRequest.getSaslMechanism(); // The empty mechanism is also a request for a new Bind session if (Strings.isEmpty(saslMechanism) || !ldapSession.getSaslProperty(SaslConstants.SASL_MECH).equals(saslMechanism)) { sendAuthMethNotSupported(ldapSession, bindRequest); return; } // We have already received a first BindRequest, and sent back some challenge. // First, check if the mechanism is the same MechanismHandler mechanismHandler = handlers.get(saslMechanism); if (mechanismHandler == null) { String message = I18n.err(I18n.ERR_161, saslMechanism); // Clear the saslProperties, and move to the anonymous state ldapSession.clearSaslProperties(); ldapSession.setAnonymous(); LOG.error(message); throw new IllegalArgumentException(message); } // Get the previously created SaslServer instance SaslServer ss = mechanismHandler.handleMechanism(ldapSession, bindRequest); generateSaslChallengeOrComplete(ldapSession, ss, bindRequest); }
Example 3
Source File: BindRequestHandler.java From MyVirtualDirectory with Apache License 2.0 | 4 votes |
/** * For challenge/response exchange, generate the challenge. * If the exchange is complete then send bind success. * * @param ldapSession * @param ss * @param bindRequest */ private void generateSaslChallengeOrComplete( LdapSession ldapSession, SaslServer ss, BindRequest bindRequest ) throws Exception { LdapResult result = bindRequest.getResultResponse().getLdapResult(); // SaslServer will throw an exception if the credentials are null. if ( bindRequest.getCredentials() == null ) { bindRequest.setCredentials( StringConstants.EMPTY_BYTES ); } try { // Compute the challenge byte[] tokenBytes = ss.evaluateResponse( bindRequest.getCredentials() ); if ( ss.isComplete() ) { // This is the end of the C/R exchange if ( tokenBytes != null ) { /* * There may be a token to return to the client. We set it here * so it will be returned in a SUCCESS message, after an LdapContext * has been initialized for the client. */ ldapSession.putSaslProperty( SaslConstants.SASL_CREDS, tokenBytes ); } LdapPrincipal ldapPrincipal = ( LdapPrincipal ) ldapSession .getSaslProperty( SaslConstants.SASL_AUTHENT_USER ); if ( ldapPrincipal != null ) { DirectoryService ds = ldapSession.getLdapServer().getDirectoryService(); String saslMechanism = bindRequest.getSaslMechanism(); byte[] password = null; if ( ldapPrincipal.getUserPasswords() != null ) { password = ldapPrincipal.getUserPasswords()[0]; } CoreSession userSession = ds.getSession( ldapPrincipal.getDn(), password, saslMechanism, null ); // Set the user session into the ldap session ldapSession.setCoreSession( userSession ); // Store the IoSession in the coreSession ( ( DefaultCoreSession ) userSession ).setIoSession( ldapSession.getIoSession() ); } // Mark the user as authenticated ldapSession.setAuthenticated(); // Call the cleanup method for the selected mechanism MechanismHandler handler = ( MechanismHandler ) ldapSession .getSaslProperty( SaslConstants.SASL_MECH_HANDLER ); handler.cleanup( ldapSession ); // Return the successful response sendBindSuccess( ldapSession, bindRequest, tokenBytes ); } else { // The SASL bind must continue, we are sending the computed challenge LOG.info( "Continuation token had length " + tokenBytes.length ); // Build the response result.setResultCode( ResultCodeEnum.SASL_BIND_IN_PROGRESS ); BindResponse resp = bindRequest.getResultResponse(); // Store the challenge resp.setServerSaslCreds( tokenBytes ); // Switch to SASLAuthPending ldapSession.setSaslAuthPending(); // And write back the response ldapSession.getIoSession().write( resp ); LOG.debug( "Returning final authentication data to client to complete context." ); } } catch ( SaslException se ) { sendInvalidCredentials( ldapSession, bindRequest, se ); } }
Example 4
Source File: BindRequestHandler.java From MyVirtualDirectory with Apache License 2.0 | 4 votes |
/** * Handle the SASL authentication. If the mechanism is known, we are * facing three cases : * <ul> * <li>The user does not has a session yet</li> * <li>The user already has a session</li> * <li>The user has started a SASL negotiation</li> * </lu><br/> * * In the first case, we initiate a SaslBind session, which will be used all * along the negotiation.<br/> * In the second case, we first have to unbind the user, and initiate a new * SaslBind session.<br/> * In the third case, we have sub cases : * <ul> * <li>The mechanism is not provided : that means the user want to reset the * current negotiation. We move back to an Anonymous state</li> * <li>The mechanism is provided : the user is initializing a new negotiation * with another mechanism. The current SaslBind session is reinitialized</li> * <li></li> * </ul><br/> * * @param ldapSession The associated Session * @param bindRequest The BindRequest received * @throws Exception If the authentication cannot be done */ public void handleSaslAuth( LdapSession ldapSession, BindRequest bindRequest ) throws Exception { String saslMechanism = bindRequest.getSaslMechanism(); // Case #2 : the user does have a session. We have to unbind him if ( ldapSession.isAuthenticated() ) { // We already have a bound session for this user. We have to // close the previous session first. ldapSession.getCoreSession().unbind(); // Reset the status to Anonymous ldapSession.setAnonymous(); // Clean the sasl properties ldapSession.clearSaslProperties(); // Now we can continue as if the client was Anonymous from the beginning } // case #1 : The user does not have a session. if ( ldapSession.isAnonymous() ) { // fist check that the mechanism exists if ( !checkMechanism( saslMechanism ) ) { // get out ! sendAuthMethNotSupported( ldapSession, bindRequest ); return; } // Store the mechanism in the ldap session ldapSession.putSaslProperty( SaslConstants.SASL_MECH, saslMechanism ); // Get the handler for this mechanism MechanismHandler mechanismHandler = handlers.get( saslMechanism ); // Store the mechanism handler in the salsProperties ldapSession.putSaslProperty( SaslConstants.SASL_MECH_HANDLER, mechanismHandler ); // Initialize the mechanism specific data mechanismHandler.init( ldapSession ); // Get the SaslServer instance which manage the C/R exchange SaslServer ss = mechanismHandler.handleMechanism( ldapSession, bindRequest ); // We have to generate a challenge generateSaslChallengeOrComplete( ldapSession, ss, bindRequest ); // And get back return; } else if ( ldapSession.isAuthPending() ) { try { handleSaslAuthPending( ldapSession, bindRequest ); } catch ( SaslException se ) { sendInvalidCredentials( ldapSession, bindRequest, se ); } return; } }
Example 5
Source File: BindRequestHandler.java From MyVirtualDirectory with Apache License 2.0 | 4 votes |
/** * For challenge/response exchange, generate the challenge. If the exchange is complete then send bind success. * * @param ldapSession * @param ss * @param bindRequest */ private void generateSaslChallengeOrComplete(LdapSession ldapSession, SaslServer ss, BindRequest bindRequest) throws Exception { LdapResult result = bindRequest.getResultResponse().getLdapResult(); // SaslServer will throw an exception if the credentials are null. if (bindRequest.getCredentials() == null) { bindRequest.setCredentials(StringConstants.EMPTY_BYTES); } try { // Compute the challenge byte[] tokenBytes = ss.evaluateResponse(bindRequest.getCredentials()); if (ss.isComplete()) { // This is the end of the C/R exchange if (tokenBytes != null) { /* * There may be a token to return to the client. We set it here * so it will be returned in a SUCCESS message, after an LdapContext * has been initialized for the client. */ ldapSession.putSaslProperty(SaslConstants.SASL_CREDS, tokenBytes); } LdapPrincipal ldapPrincipal = (LdapPrincipal) ldapSession .getSaslProperty(SaslConstants.SASL_AUTHENT_USER); if (ldapPrincipal != null) { DirectoryService ds = ldapSession.getLdapServer().getDirectoryService(); String saslMechanism = bindRequest.getSaslMechanism(); byte[] password = null; if (ldapPrincipal.getUserPasswords() != null) { password = ldapPrincipal.getUserPasswords()[0]; } CoreSession userSession = ds.getSession(ldapPrincipal.getDn(), password, saslMechanism, null); // Set the user session into the ldap session ldapSession.setCoreSession(userSession); // Store the IoSession in the coreSession ((DefaultCoreSession) userSession).setIoSession(ldapSession.getIoSession()); } // Mark the user as authenticated ldapSession.setAuthenticated(); // Call the cleanup method for the selected mechanism MechanismHandler handler = (MechanismHandler) ldapSession .getSaslProperty(SaslConstants.SASL_MECH_HANDLER); handler.cleanup(ldapSession); // Return the successful response sendBindSuccess(ldapSession, bindRequest, tokenBytes); } else { // The SASL bind must continue, we are sending the computed challenge LOG.info("Continuation token had length " + tokenBytes.length); // Build the response result.setResultCode(ResultCodeEnum.SASL_BIND_IN_PROGRESS); BindResponse resp = (BindResponse) bindRequest.getResultResponse(); // Store the challenge resp.setServerSaslCreds(tokenBytes); // Switch to SASLAuthPending ldapSession.setSaslAuthPending(); // And write back the response ldapSession.getIoSession().write(resp); LOG.debug("Returning final authentication data to client to complete context."); } } catch (SaslException se) { sendInvalidCredentials(ldapSession, bindRequest, se); } }
Example 6
Source File: BindRequestHandler.java From MyVirtualDirectory with Apache License 2.0 | 4 votes |
/** * Handle the SASL authentication. If the mechanism is known, we are facing three cases : <ul> <li>The user does not has a session yet</li> <li>The user * already has a session</li> <li>The user has started a SASL negotiation</li> </lu><br/> * <p> * In the first case, we initiate a SaslBind session, which will be used all along the negotiation.<br/> In the second case, we first have to unbind the * user, and initiate a new SaslBind session.<br/> In the third case, we have sub cases : <ul> <li>The mechanism is not provided : that means the user want * to reset the current negotiation. We move back to an Anonymous state</li> <li>The mechanism is provided : the user is initializing a new negotiation with * another mechanism. The current SaslBind session is reinitialized</li> <li></li> </ul><br/> * * @param ldapSession The associated Session * @param bindRequest The BindRequest received * @throws Exception If the authentication cannot be done */ public void handleSaslAuth(LdapSession ldapSession, BindRequest bindRequest) throws Exception { String saslMechanism = bindRequest.getSaslMechanism(); // Case #2 : the user does have a session. We have to unbind him if (ldapSession.isAuthenticated()) { // We already have a bound session for this user. We have to // close the previous session first. ldapSession.getCoreSession().unbind(); // Reset the status to Anonymous ldapSession.setAnonymous(); // Clean the sasl properties ldapSession.clearSaslProperties(); // Now we can continue as if the client was Anonymous from the beginning } // case #1 : The user does not have a session. if (ldapSession.isAnonymous()) { // fist check that the mechanism exists if (!checkMechanism(saslMechanism)) { // get out ! sendAuthMethNotSupported(ldapSession, bindRequest); return; } // Store the mechanism in the ldap session ldapSession.putSaslProperty(SaslConstants.SASL_MECH, saslMechanism); // Get the handler for this mechanism MechanismHandler mechanismHandler = handlers.get(saslMechanism); // Store the mechanism handler in the salsProperties ldapSession.putSaslProperty(SaslConstants.SASL_MECH_HANDLER, mechanismHandler); // Initialize the mechanism specific data mechanismHandler.init(ldapSession); // Get the SaslServer instance which manage the C/R exchange SaslServer ss = mechanismHandler.handleMechanism(ldapSession, bindRequest); // We have to generate a challenge generateSaslChallengeOrComplete(ldapSession, ss, bindRequest); // And get back return; } else if (ldapSession.isAuthPending()) { try { handleSaslAuthPending(ldapSession, bindRequest); } catch (SaslException se) { sendInvalidCredentials(ldapSession, bindRequest, se); } return; } }