Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / libcore / 319a3b994703aac84df7bcde272adfcb3cdbbbf0 / . / jdk / src / share / classes / com / sun / security / auth / module / JndiLoginModule.java
blob: 7fd6752481fd076dfe40f3570eb918405aede4f4 [file] [log] [blame]
J. Duke319a3b92007-12-01 00:00:00 +0000[diff] [blame^]1/*
2 * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Sun designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Sun in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
22 * CA 95054 USA or visit www.sun.com if you need additional information or
23 * have any questions.
24 */
25
26package com.sun.security.auth.module;
27
28import javax.security.auth.*;
29import javax.security.auth.callback.*;
30import javax.security.auth.login.*;
31import javax.security.auth.spi.*;
32import javax.naming.*;
33import javax.naming.directory.*;
34
35import java.io.IOException;
36import java.util.Map;
37import java.util.LinkedList;
38import java.util.ResourceBundle;
39
40import com.sun.security.auth.UnixPrincipal;
41import com.sun.security.auth.UnixNumericUserPrincipal;
42import com.sun.security.auth.UnixNumericGroupPrincipal;
43
44import sun.security.util.AuthResources;
45
46/**
47 * <p> The module prompts for a username and password
48 * and then verifies the password against the password stored in
49 * a directory service configured under JNDI.
50 *
51 * <p> This <code>LoginModule</code> interoperates with
52 * any conformant JNDI service provider. To direct this
53 * <code>LoginModule</code> to use a specific JNDI service provider,
54 * two options must be specified in the login <code>Configuration</code>
55 * for this <code>LoginModule</code>.
56 * <pre>
57 * user.provider.url=<b>name_service_url</b>
58 * group.provider.url=<b>name_service_url</b>
59 * </pre>
60 *
61 * <b>name_service_url</b> specifies
62 * the directory service and path where this <code>LoginModule</code>
63 * can access the relevant user and group information. Because this
64 * <code>LoginModule</code> only performs one-level searches to
65 * find the relevant user information, the <code>URL</code>
66 * must point to a directory one level above where the user and group
67 * information is stored in the directory service.
68 * For example, to instruct this <code>LoginModule</code>
69 * to contact a NIS server, the following URLs must be specified:
70 * <pre>
71 * user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user"
72 * group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group"
73 * </pre>
74 *
75 * <b>NISServerHostName</b> specifies the server host name of the
76 * NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b>
77 * specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>.
78 * To contact an LDAP server, the following URLs must be specified:
79 * <pre>
80 * user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
81 * group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
82 * </pre>
83 *
84 * <b>LDAPServerHostName</b> specifies the server host name of the
85 * LDAP server, which may include a port number
86 * (for example, <i>ldap.sun.com:389</i>),
87 * and <b>LDAPName</b> specifies the entry name in the LDAP directory
88 * (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i>
89 * for user and group information, respectively).
90 *
91 * <p> The format in which the user's information must be stored in
92 * the directory service is specified in RFC 2307. Specifically,
93 * this <code>LoginModule</code> will search for the user's entry in the
94 * directory service using the user's <i>uid</i> attribute,
95 * where <i>uid=<b>username</b></i>. If the search succeeds,
96 * this <code>LoginModule</code> will then
97 * obtain the user's encrypted password from the retrieved entry
98 * using the <i>userPassword</i> attribute.
99 * This <code>LoginModule</code> assumes that the password is stored
100 * as a byte array, which when converted to a <code>String</code>,
101 * has the following format:
102 * <pre>
103 * "{crypt}<b>encrypted_password</b>"
104 * </pre>
105 *
106 * The LDAP directory server must be configured
107 * to permit read access to the userPassword attribute.
108 * If the user entered a valid username and password,
109 * this <code>LoginModule</code> associates a
110 * <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>,
111 * and the relevant UnixNumericGroupPrincipals with the
112 * <code>Subject</code>.
113 *
114 * <p> This LoginModule also recognizes the following <code>Configuration</code>
115 * options:
116 * <pre>
117 * debug if, true, debug messages are output to System.out.
118 *
119 * useFirstPass if, true, this LoginModule retrieves the
120 * username and password from the module's shared state,
121 * using "javax.security.auth.login.name" and
122 * "javax.security.auth.login.password" as the respective
123 * keys. The retrieved values are used for authentication.
124 * If authentication fails, no attempt for a retry is made,
125 * and the failure is reported back to the calling
126 * application.
127 *
128 * tryFirstPass if, true, this LoginModule retrieves the
129 * the username and password from the module's shared state,
130 * using "javax.security.auth.login.name" and
131 * "javax.security.auth.login.password" as the respective
132 * keys. The retrieved values are used for authentication.
133 * If authentication fails, the module uses the
134 * CallbackHandler to retrieve a new username and password,
135 * and another attempt to authenticate is made.
136 * If the authentication fails, the failure is reported
137 * back to the calling application.
138 *
139 * storePass if, true, this LoginModule stores the username and password
140 * obtained from the CallbackHandler in the module's
141 * shared state, using "javax.security.auth.login.name" and
142 * "javax.security.auth.login.password" as the respective
143 * keys. This is not performed if existing values already
144 * exist for the username and password in the shared state,
145 * or if authentication fails.
146 *
147 * clearPass if, true, this <code>LoginModule</code> clears the
148 * username and password stored in the module's shared state
149 * after both phases of authentication (login and commit)
150 * have completed.
151 * </pre>
152 *
153 */
154public class JndiLoginModule implements LoginModule {
155
156 static final java.util.ResourceBundle rb =
157 java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");
158
159 /** JNDI Provider */
160 public final String USER_PROVIDER = "user.provider.url";
161 public final String GROUP_PROVIDER = "group.provider.url";
162
163 // configurable options
164 private boolean debug = false;
165 private boolean strongDebug = false;
166 private String userProvider;
167 private String groupProvider;
168 private boolean useFirstPass = false;
169 private boolean tryFirstPass = false;
170 private boolean storePass = false;
171 private boolean clearPass = false;
172
173 // the authentication status
174 private boolean succeeded = false;
175 private boolean commitSucceeded = false;
176
177 // username, password, and JNDI context
178 private String username;
179 private char[] password;
180 DirContext ctx;
181
182 // the user (assume it is a UnixPrincipal)
183 private UnixPrincipal userPrincipal;
184 private UnixNumericUserPrincipal UIDPrincipal;
185 private UnixNumericGroupPrincipal GIDPrincipal;
186 private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups =
187 new LinkedList<UnixNumericGroupPrincipal>();
188
189 // initial state
190 private Subject subject;
191 private CallbackHandler callbackHandler;
192 private Map sharedState;
193 private Map<String, ?> options;
194
195 private static final String CRYPT = "{crypt}";
196 private static final String USER_PWD = "userPassword";
197 private static final String USER_UID = "uidNumber";
198 private static final String USER_GID = "gidNumber";
199 private static final String GROUP_ID = "gidNumber";
200 private static final String NAME = "javax.security.auth.login.name";
201 private static final String PWD = "javax.security.auth.login.password";
202
203 /**
204 * Initialize this <code>LoginModule</code>.
205 *
206 * <p>
207 *
208 * @param subject the <code>Subject</code> to be authenticated. <p>
209 *
210 * @param callbackHandler a <code>CallbackHandler</code> for communicating
211 * with the end user (prompting for usernames and
212 * passwords, for example). <p>
213 *
214 * @param sharedState shared <code>LoginModule</code> state. <p>
215 *
216 * @param options options specified in the login
217 * <code>Configuration</code> for this particular
218 * <code>LoginModule</code>.
219 */
220 public void initialize(Subject subject, CallbackHandler callbackHandler,
221 Map<String,?> sharedState,
222 Map<String,?> options) {
223
224 this.subject = subject;
225 this.callbackHandler = callbackHandler;
226 this.sharedState = sharedState;
227 this.options = options;
228
229 // initialize any configured options
230 debug = "true".equalsIgnoreCase((String)options.get("debug"));
231 strongDebug =
232 "true".equalsIgnoreCase((String)options.get("strongDebug"));
233 userProvider = (String)options.get(USER_PROVIDER);
234 groupProvider = (String)options.get(GROUP_PROVIDER);
235 tryFirstPass =
236 "true".equalsIgnoreCase((String)options.get("tryFirstPass"));
237 useFirstPass =
238 "true".equalsIgnoreCase((String)options.get("useFirstPass"));
239 storePass =
240 "true".equalsIgnoreCase((String)options.get("storePass"));
241 clearPass =
242 "true".equalsIgnoreCase((String)options.get("clearPass"));
243 }
244
245 /**
246 * <p> Prompt for username and password.
247 * Verify the password against the relevant name service.
248 *
249 * <p>
250 *
251 * @return true always, since this <code>LoginModule</code>
252 * should not be ignored.
253 *
254 * @exception FailedLoginException if the authentication fails. <p>
255 *
256 * @exception LoginException if this <code>LoginModule</code>
257 * is unable to perform the authentication.
258 */
259 public boolean login() throws LoginException {
260
261 if (userProvider == null) {
262 throw new LoginException
263 ("Error: Unable to locate JNDI user provider");
264 }
265 if (groupProvider == null) {
266 throw new LoginException
267 ("Error: Unable to locate JNDI group provider");
268 }
269
270 if (debug) {
271 System.out.println("\t\t[JndiLoginModule] user provider: " +
272 userProvider);
273 System.out.println("\t\t[JndiLoginModule] group provider: " +
274 groupProvider);
275 }
276
277 // attempt the authentication
278 if (tryFirstPass) {
279
280 try {
281 // attempt the authentication by getting the
282 // username and password from shared state
283 attemptAuthentication(true);
284
285 // authentication succeeded
286 succeeded = true;
287 if (debug) {
288 System.out.println("\t\t[JndiLoginModule] " +
289 "tryFirstPass succeeded");
290 }
291 return true;
292 } catch (LoginException le) {
293 // authentication failed -- try again below by prompting
294 cleanState();
295 if (debug) {
296 System.out.println("\t\t[JndiLoginModule] " +
297 "tryFirstPass failed with:" +
298 le.toString());
299 }
300 }
301
302 } else if (useFirstPass) {
303
304 try {
305 // attempt the authentication by getting the
306 // username and password from shared state
307 attemptAuthentication(true);
308
309 // authentication succeeded
310 succeeded = true;
311 if (debug) {
312 System.out.println("\t\t[JndiLoginModule] " +
313 "useFirstPass succeeded");
314 }
315 return true;
316 } catch (LoginException le) {
317 // authentication failed
318 cleanState();
319 if (debug) {
320 System.out.println("\t\t[JndiLoginModule] " +
321 "useFirstPass failed");
322 }
323 throw le;
324 }
325 }
326
327 // attempt the authentication by prompting for the username and pwd
328 try {
329 attemptAuthentication(false);
330
331 // authentication succeeded
332 succeeded = true;
333 if (debug) {
334 System.out.println("\t\t[JndiLoginModule] " +
335 "regular authentication succeeded");
336 }
337 return true;
338 } catch (LoginException le) {
339 cleanState();
340 if (debug) {
341 System.out.println("\t\t[JndiLoginModule] " +
342 "regular authentication failed");
343 }
344 throw le;
345 }
346 }
347
348 /**
349 * Abstract method to commit the authentication process (phase 2).
350 *
351 * <p> This method is called if the LoginContext's
352 * overall authentication succeeded
353 * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
354 * succeeded).
355 *
356 * <p> If this LoginModule's own authentication attempt
357 * succeeded (checked by retrieving the private state saved by the
358 * <code>login</code> method), then this method associates a
359 * <code>UnixPrincipal</code>
360 * with the <code>Subject</code> located in the
361 * <code>LoginModule</code>. If this LoginModule's own
362 * authentication attempted failed, then this method removes
363 * any state that was originally saved.
364 *
365 * <p>
366 *
367 * @exception LoginException if the commit fails
368 *
369 * @return true if this LoginModule's own login and commit
370 * attempts succeeded, or false otherwise.
371 */
372 public boolean commit() throws LoginException {
373
374 if (succeeded == false) {
375 return false;
376 } else {
377 if (subject.isReadOnly()) {
378 cleanState();
379 throw new LoginException ("Subject is Readonly");
380 }
381 // add Principals to the Subject
382 if (!subject.getPrincipals().contains(userPrincipal))
383 subject.getPrincipals().add(userPrincipal);
384 if (!subject.getPrincipals().contains(UIDPrincipal))
385 subject.getPrincipals().add(UIDPrincipal);
386 if (!subject.getPrincipals().contains(GIDPrincipal))
387 subject.getPrincipals().add(GIDPrincipal);
388 for (int i = 0; i < supplementaryGroups.size(); i++) {
389 if (!subject.getPrincipals().contains
390 (supplementaryGroups.get(i)))
391 subject.getPrincipals().add(supplementaryGroups.get(i));
392 }
393
394 if (debug) {
395 System.out.println("\t\t[JndiLoginModule]: " +
396 "added UnixPrincipal,");
397 System.out.println("\t\t\t\tUnixNumericUserPrincipal,");
398 System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),");
399 System.out.println("\t\t\t to Subject");
400 }
401 }
402 // in any case, clean out state
403 cleanState();
404 commitSucceeded = true;
405 return true;
406 }
407
408 /**
409 * <p> This method is called if the LoginContext's
410 * overall authentication failed.
411 * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
412 * did not succeed).
413 *
414 * <p> If this LoginModule's own authentication attempt
415 * succeeded (checked by retrieving the private state saved by the
416 * <code>login</code> and <code>commit</code> methods),
417 * then this method cleans up any state that was originally saved.
418 *
419 * <p>
420 *
421 * @exception LoginException if the abort fails.
422 *
423 * @return false if this LoginModule's own login and/or commit attempts
424 * failed, and true otherwise.
425 */
426 public boolean abort() throws LoginException {
427 if (debug)
428 System.out.println("\t\t[JndiLoginModule]: " +
429 "aborted authentication failed");
430
431 if (succeeded == false) {
432 return false;
433 } else if (succeeded == true && commitSucceeded == false) {
434
435 // Clean out state
436 succeeded = false;
437 cleanState();
438
439 userPrincipal = null;
440 UIDPrincipal = null;
441 GIDPrincipal = null;
442 supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>();
443 } else {
444 // overall authentication succeeded and commit succeeded,
445 // but someone else's commit failed
446 logout();
447 }
448 return true;
449 }
450
451 /**
452 * Logout a user.
453 *
454 * <p> This method removes the Principals
455 * that were added by the <code>commit</code> method.
456 *
457 * <p>
458 *
459 * @exception LoginException if the logout fails.
460 *
461 * @return true in all cases since this <code>LoginModule</code>
462 * should not be ignored.
463 */
464 public boolean logout() throws LoginException {
465 if (subject.isReadOnly()) {
466 cleanState();
467 throw new LoginException ("Subject is Readonly");
468 }
469 subject.getPrincipals().remove(userPrincipal);
470 subject.getPrincipals().remove(UIDPrincipal);
471 subject.getPrincipals().remove(GIDPrincipal);
472 for (int i = 0; i < supplementaryGroups.size(); i++) {
473 subject.getPrincipals().remove(supplementaryGroups.get(i));
474 }
475
476
477 // clean out state
478 cleanState();
479 succeeded = false;
480 commitSucceeded = false;
481
482 userPrincipal = null;
483 UIDPrincipal = null;
484 GIDPrincipal = null;
485 supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>();
486
487 if (debug) {
488 System.out.println("\t\t[JndiLoginModule]: " +
489 "logged out Subject");
490 }
491 return true;
492 }
493
494 /**
495 * Attempt authentication
496 *
497 * <p>
498 *
499 * @param getPasswdFromSharedState boolean that tells this method whether
500 * to retrieve the password from the sharedState.
501 */
502 private void attemptAuthentication(boolean getPasswdFromSharedState)
503 throws LoginException {
504
505 String encryptedPassword = null;
506
507 // first get the username and password
508 getUsernamePassword(getPasswdFromSharedState);
509
510 try {
511
512 // get the user's passwd entry from the user provider URL
513 InitialContext iCtx = new InitialContext();
514 ctx = (DirContext)iCtx.lookup(userProvider);
515
516 /*
517 SearchControls controls = new SearchControls
518 (SearchControls.ONELEVEL_SCOPE,
519 0,
520 5000,
521 new String[] { USER_PWD },
522 false,
523 false);
524 */
525
526 SearchControls controls = new SearchControls();
527 NamingEnumeration<SearchResult> ne = ctx.search("",
528 "(uid=" + username + ")",
529 controls);
530 if (ne.hasMore()) {
531 SearchResult result = ne.next();
532 Attributes attributes = result.getAttributes();
533
534 // get the password
535
536 // this module works only if the LDAP directory server
537 // is configured to permit read access to the userPassword
538 // attribute. The directory administrator need to grant
539 // this access.
540 //
541 // A workaround would be to make the server do authentication
542 // by setting the Context.SECURITY_PRINCIPAL
543 // and Context.SECURITY_CREDENTIALS property.
544 // However, this would make it not work with systems that
545 // don't do authentication at the server (like NIS).
546 //
547 // Setting the SECURITY_* properties and using "simple"
548 // authentication for LDAP is recommended only for secure
549 // channels. For nonsecure channels, SSL is recommended.
550
551 Attribute pwd = attributes.get(USER_PWD);
552 String encryptedPwd = new String((byte[])pwd.get(), "UTF8");
553 encryptedPassword = encryptedPwd.substring(CRYPT.length());
554
555 // check the password
556 if (verifyPassword
557 (encryptedPassword, new String(password)) == true) {
558
559 // authentication succeeded
560 if (debug)
561 System.out.println("\t\t[JndiLoginModule] " +
562 "attemptAuthentication() succeeded");
563
564 } else {
565 // authentication failed
566 if (debug)
567 System.out.println("\t\t[JndiLoginModule] " +
568 "attemptAuthentication() failed");
569 throw new FailedLoginException("Login incorrect");
570 }
571
572 // save input as shared state only if
573 // authentication succeeded
574 if (storePass &&
575 !sharedState.containsKey(NAME) &&
576 !sharedState.containsKey(PWD)) {
577 sharedState.put(NAME, username);
578 sharedState.put(PWD, password);
579 }
580
581 // create the user principal
582 userPrincipal = new UnixPrincipal(username);
583
584 // get the UID
585 Attribute uid = attributes.get(USER_UID);
586 String uidNumber = (String)uid.get();
587 UIDPrincipal = new UnixNumericUserPrincipal(uidNumber);
588 if (debug && uidNumber != null) {
589 System.out.println("\t\t[JndiLoginModule] " +
590 "user: '" + username + "' has UID: " +
591 uidNumber);
592 }
593
594 // get the GID
595 Attribute gid = attributes.get(USER_GID);
596 String gidNumber = (String)gid.get();
597 GIDPrincipal = new UnixNumericGroupPrincipal
598 (gidNumber, true);
599 if (debug && gidNumber != null) {
600 System.out.println("\t\t[JndiLoginModule] " +
601 "user: '" + username + "' has GID: " +
602 gidNumber);
603 }
604
605 // get the supplementary groups from the group provider URL
606 ctx = (DirContext)iCtx.lookup(groupProvider);
607 ne = ctx.search("", new BasicAttributes("memberUid", username));
608
609 while (ne.hasMore()) {
610 result = ne.next();
611 attributes = result.getAttributes();
612
613 gid = attributes.get(GROUP_ID);
614 String suppGid = (String)gid.get();
615 if (!gidNumber.equals(suppGid)) {
616 UnixNumericGroupPrincipal suppPrincipal =
617 new UnixNumericGroupPrincipal(suppGid, false);
618 supplementaryGroups.add(suppPrincipal);
619 if (debug && suppGid != null) {
620 System.out.println("\t\t[JndiLoginModule] " +
621 "user: '" + username +
622 "' has Supplementary Group: " +
623 suppGid);
624 }
625 }
626 }
627
628 } else {
629 // bad username
630 if (debug) {
631 System.out.println("\t\t[JndiLoginModule]: User not found");
632 }
633 throw new FailedLoginException("User not found");
634 }
635 } catch (NamingException ne) {
636 // bad username
637 if (debug) {
638 System.out.println("\t\t[JndiLoginModule]: User not found");
639 ne.printStackTrace();
640 }
641 throw new FailedLoginException("User not found");
642 } catch (java.io.UnsupportedEncodingException uee) {
643 // password stored in incorrect format
644 if (debug) {
645 System.out.println("\t\t[JndiLoginModule]: " +
646 "password incorrectly encoded");
647 uee.printStackTrace();
648 }
649 throw new LoginException("Login failure due to incorrect " +
650 "password encoding in the password database");
651 }
652
653 // authentication succeeded
654 }
655
656 /**
657 * Get the username and password.
658 * This method does not return any value.
659 * Instead, it sets global name and password variables.
660 *
661 * <p> Also note that this method will set the username and password
662 * values in the shared state in case subsequent LoginModules
663 * want to use them via use/tryFirstPass.
664 *
665 * <p>
666 *
667 * @param getPasswdFromSharedState boolean that tells this method whether
668 * to retrieve the password from the sharedState.
669 */
670 private void getUsernamePassword(boolean getPasswdFromSharedState)
671 throws LoginException {
672
673 if (getPasswdFromSharedState) {
674 // use the password saved by the first module in the stack
675 username = (String)sharedState.get(NAME);
676 password = (char[])sharedState.get(PWD);
677 return;
678 }
679
680 // prompt for a username and password
681 if (callbackHandler == null)
682 throw new LoginException("Error: no CallbackHandler available " +
683 "to garner authentication information from the user");
684
685 String protocol = userProvider.substring(0, userProvider.indexOf(":"));
686
687 Callback[] callbacks = new Callback[2];
688 callbacks[0] = new NameCallback(protocol + " "
689 + rb.getString("username: "));
690 callbacks[1] = new PasswordCallback(protocol + " " +
691 rb.getString("password: "),
692 false);
693
694 try {
695 callbackHandler.handle(callbacks);
696 username = ((NameCallback)callbacks[0]).getName();
697 char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
698 password = new char[tmpPassword.length];
699 System.arraycopy(tmpPassword, 0,
700 password, 0, tmpPassword.length);
701 ((PasswordCallback)callbacks[1]).clearPassword();
702
703 } catch (java.io.IOException ioe) {
704 throw new LoginException(ioe.toString());
705 } catch (UnsupportedCallbackException uce) {
706 throw new LoginException("Error: " + uce.getCallback().toString() +
707 " not available to garner authentication information " +
708 "from the user");
709 }
710
711 // print debugging information
712 if (strongDebug) {
713 System.out.println("\t\t[JndiLoginModule] " +
714 "user entered username: " +
715 username);
716 System.out.print("\t\t[JndiLoginModule] " +
717 "user entered password: ");
718 for (int i = 0; i < password.length; i++)
719 System.out.print(password[i]);
720 System.out.println();
721 }
722 }
723
724 /**
725 * Verify a password against the encrypted passwd from /etc/shadow
726 */
727 private boolean verifyPassword(String encryptedPassword, String password) {
728
729 if (encryptedPassword == null)
730 return false;
731
732 Crypt c = new Crypt();
733 try {
734 byte oldCrypt[] = encryptedPassword.getBytes("UTF8");
735 byte newCrypt[] = c.crypt(password.getBytes("UTF8"),
736 oldCrypt);
737 if (newCrypt.length != oldCrypt.length)
738 return false;
739 for (int i = 0; i < newCrypt.length; i++) {
740 if (oldCrypt[i] != newCrypt[i])
741 return false;
742 }
743 } catch (java.io.UnsupportedEncodingException uee) {
744 // cannot happen, but return false just to be safe
745 return false;
746 }
747 return true;
748 }
749
750 /**
751 * Clean out state because of a failed authentication attempt
752 */
753 private void cleanState() {
754 username = null;
755 if (password != null) {
756 for (int i = 0; i < password.length; i++)
757 password[i] = ' ';
758 password = null;
759 }
760 ctx = null;
761
762 if (clearPass) {
763 sharedState.remove(NAME);
764 sharedState.remove(PWD);
765 }
766 }
767}