J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package com.sun.security.auth.module; |
| 27 | |
| 28 | import javax.security.auth.*; |
| 29 | import javax.security.auth.callback.*; |
| 30 | import javax.security.auth.login.*; |
| 31 | import javax.security.auth.spi.*; |
| 32 | import javax.naming.*; |
| 33 | import javax.naming.directory.*; |
| 34 | |
| 35 | import java.io.IOException; |
| 36 | import java.util.Map; |
| 37 | import java.util.LinkedList; |
| 38 | import java.util.ResourceBundle; |
| 39 | |
| 40 | import com.sun.security.auth.UnixPrincipal; |
| 41 | import com.sun.security.auth.UnixNumericUserPrincipal; |
| 42 | import com.sun.security.auth.UnixNumericGroupPrincipal; |
| 43 | |
| 44 | import sun.security.util.AuthResources; |
| 45 | |
| 46 | /** |
| 47 | * <p> The module prompts for a username and password |
| 48 | * and then verifies the password against the password stored in |
| 49 | * a directory service configured under JNDI. |
| 50 | * |
| 51 | * <p> This <code>LoginModule</code> interoperates with |
| 52 | * any conformant JNDI service provider. To direct this |
| 53 | * <code>LoginModule</code> to use a specific JNDI service provider, |
| 54 | * two options must be specified in the login <code>Configuration</code> |
| 55 | * for this <code>LoginModule</code>. |
| 56 | * <pre> |
| 57 | * user.provider.url=<b>name_service_url</b> |
| 58 | * group.provider.url=<b>name_service_url</b> |
| 59 | * </pre> |
| 60 | * |
| 61 | * <b>name_service_url</b> specifies |
| 62 | * the directory service and path where this <code>LoginModule</code> |
| 63 | * can access the relevant user and group information. Because this |
| 64 | * <code>LoginModule</code> only performs one-level searches to |
| 65 | * find the relevant user information, the <code>URL</code> |
| 66 | * must point to a directory one level above where the user and group |
| 67 | * information is stored in the directory service. |
| 68 | * For example, to instruct this <code>LoginModule</code> |
| 69 | * to contact a NIS server, the following URLs must be specified: |
| 70 | * <pre> |
| 71 | * user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user" |
| 72 | * group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group" |
| 73 | * </pre> |
| 74 | * |
| 75 | * <b>NISServerHostName</b> specifies the server host name of the |
| 76 | * NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b> |
| 77 | * specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>. |
| 78 | * To contact an LDAP server, the following URLs must be specified: |
| 79 | * <pre> |
| 80 | * user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>" |
| 81 | * group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>" |
| 82 | * </pre> |
| 83 | * |
| 84 | * <b>LDAPServerHostName</b> specifies the server host name of the |
| 85 | * LDAP server, which may include a port number |
| 86 | * (for example, <i>ldap.sun.com:389</i>), |
| 87 | * and <b>LDAPName</b> specifies the entry name in the LDAP directory |
| 88 | * (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i> |
| 89 | * for user and group information, respectively). |
| 90 | * |
| 91 | * <p> The format in which the user's information must be stored in |
| 92 | * the directory service is specified in RFC 2307. Specifically, |
| 93 | * this <code>LoginModule</code> will search for the user's entry in the |
| 94 | * directory service using the user's <i>uid</i> attribute, |
| 95 | * where <i>uid=<b>username</b></i>. If the search succeeds, |
| 96 | * this <code>LoginModule</code> will then |
| 97 | * obtain the user's encrypted password from the retrieved entry |
| 98 | * using the <i>userPassword</i> attribute. |
| 99 | * This <code>LoginModule</code> assumes that the password is stored |
| 100 | * as a byte array, which when converted to a <code>String</code>, |
| 101 | * has the following format: |
| 102 | * <pre> |
| 103 | * "{crypt}<b>encrypted_password</b>" |
| 104 | * </pre> |
| 105 | * |
| 106 | * The LDAP directory server must be configured |
| 107 | * to permit read access to the userPassword attribute. |
| 108 | * If the user entered a valid username and password, |
| 109 | * this <code>LoginModule</code> associates a |
| 110 | * <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>, |
| 111 | * and the relevant UnixNumericGroupPrincipals with the |
| 112 | * <code>Subject</code>. |
| 113 | * |
| 114 | * <p> This LoginModule also recognizes the following <code>Configuration</code> |
| 115 | * options: |
| 116 | * <pre> |
| 117 | * debug if, true, debug messages are output to System.out. |
| 118 | * |
| 119 | * useFirstPass if, true, this LoginModule retrieves the |
| 120 | * username and password from the module's shared state, |
| 121 | * using "javax.security.auth.login.name" and |
| 122 | * "javax.security.auth.login.password" as the respective |
| 123 | * keys. The retrieved values are used for authentication. |
| 124 | * If authentication fails, no attempt for a retry is made, |
| 125 | * and the failure is reported back to the calling |
| 126 | * application. |
| 127 | * |
| 128 | * tryFirstPass if, true, this LoginModule retrieves the |
| 129 | * the username and password from the module's shared state, |
| 130 | * using "javax.security.auth.login.name" and |
| 131 | * "javax.security.auth.login.password" as the respective |
| 132 | * keys. The retrieved values are used for authentication. |
| 133 | * If authentication fails, the module uses the |
| 134 | * CallbackHandler to retrieve a new username and password, |
| 135 | * and another attempt to authenticate is made. |
| 136 | * If the authentication fails, the failure is reported |
| 137 | * back to the calling application. |
| 138 | * |
| 139 | * storePass if, true, this LoginModule stores the username and password |
| 140 | * obtained from the CallbackHandler in the module's |
| 141 | * shared state, using "javax.security.auth.login.name" and |
| 142 | * "javax.security.auth.login.password" as the respective |
| 143 | * keys. This is not performed if existing values already |
| 144 | * exist for the username and password in the shared state, |
| 145 | * or if authentication fails. |
| 146 | * |
| 147 | * clearPass if, true, this <code>LoginModule</code> clears the |
| 148 | * username and password stored in the module's shared state |
| 149 | * after both phases of authentication (login and commit) |
| 150 | * have completed. |
| 151 | * </pre> |
| 152 | * |
| 153 | */ |
| 154 | public class JndiLoginModule implements LoginModule { |
| 155 | |
| 156 | static final java.util.ResourceBundle rb = |
| 157 | java.util.ResourceBundle.getBundle("sun.security.util.AuthResources"); |
| 158 | |
| 159 | /** JNDI Provider */ |
| 160 | public final String USER_PROVIDER = "user.provider.url"; |
| 161 | public final String GROUP_PROVIDER = "group.provider.url"; |
| 162 | |
| 163 | // configurable options |
| 164 | private boolean debug = false; |
| 165 | private boolean strongDebug = false; |
| 166 | private String userProvider; |
| 167 | private String groupProvider; |
| 168 | private boolean useFirstPass = false; |
| 169 | private boolean tryFirstPass = false; |
| 170 | private boolean storePass = false; |
| 171 | private boolean clearPass = false; |
| 172 | |
| 173 | // the authentication status |
| 174 | private boolean succeeded = false; |
| 175 | private boolean commitSucceeded = false; |
| 176 | |
| 177 | // username, password, and JNDI context |
| 178 | private String username; |
| 179 | private char[] password; |
| 180 | DirContext ctx; |
| 181 | |
| 182 | // the user (assume it is a UnixPrincipal) |
| 183 | private UnixPrincipal userPrincipal; |
| 184 | private UnixNumericUserPrincipal UIDPrincipal; |
| 185 | private UnixNumericGroupPrincipal GIDPrincipal; |
| 186 | private LinkedList<UnixNumericGroupPrincipal> supplementaryGroups = |
| 187 | new LinkedList<UnixNumericGroupPrincipal>(); |
| 188 | |
| 189 | // initial state |
| 190 | private Subject subject; |
| 191 | private CallbackHandler callbackHandler; |
| 192 | private Map sharedState; |
| 193 | private Map<String, ?> options; |
| 194 | |
| 195 | private static final String CRYPT = "{crypt}"; |
| 196 | private static final String USER_PWD = "userPassword"; |
| 197 | private static final String USER_UID = "uidNumber"; |
| 198 | private static final String USER_GID = "gidNumber"; |
| 199 | private static final String GROUP_ID = "gidNumber"; |
| 200 | private static final String NAME = "javax.security.auth.login.name"; |
| 201 | private static final String PWD = "javax.security.auth.login.password"; |
| 202 | |
| 203 | /** |
| 204 | * Initialize this <code>LoginModule</code>. |
| 205 | * |
| 206 | * <p> |
| 207 | * |
| 208 | * @param subject the <code>Subject</code> to be authenticated. <p> |
| 209 | * |
| 210 | * @param callbackHandler a <code>CallbackHandler</code> for communicating |
| 211 | * with the end user (prompting for usernames and |
| 212 | * passwords, for example). <p> |
| 213 | * |
| 214 | * @param sharedState shared <code>LoginModule</code> state. <p> |
| 215 | * |
| 216 | * @param options options specified in the login |
| 217 | * <code>Configuration</code> for this particular |
| 218 | * <code>LoginModule</code>. |
| 219 | */ |
| 220 | public void initialize(Subject subject, CallbackHandler callbackHandler, |
| 221 | Map<String,?> sharedState, |
| 222 | Map<String,?> options) { |
| 223 | |
| 224 | this.subject = subject; |
| 225 | this.callbackHandler = callbackHandler; |
| 226 | this.sharedState = sharedState; |
| 227 | this.options = options; |
| 228 | |
| 229 | // initialize any configured options |
| 230 | debug = "true".equalsIgnoreCase((String)options.get("debug")); |
| 231 | strongDebug = |
| 232 | "true".equalsIgnoreCase((String)options.get("strongDebug")); |
| 233 | userProvider = (String)options.get(USER_PROVIDER); |
| 234 | groupProvider = (String)options.get(GROUP_PROVIDER); |
| 235 | tryFirstPass = |
| 236 | "true".equalsIgnoreCase((String)options.get("tryFirstPass")); |
| 237 | useFirstPass = |
| 238 | "true".equalsIgnoreCase((String)options.get("useFirstPass")); |
| 239 | storePass = |
| 240 | "true".equalsIgnoreCase((String)options.get("storePass")); |
| 241 | clearPass = |
| 242 | "true".equalsIgnoreCase((String)options.get("clearPass")); |
| 243 | } |
| 244 | |
| 245 | /** |
| 246 | * <p> Prompt for username and password. |
| 247 | * Verify the password against the relevant name service. |
| 248 | * |
| 249 | * <p> |
| 250 | * |
| 251 | * @return true always, since this <code>LoginModule</code> |
| 252 | * should not be ignored. |
| 253 | * |
| 254 | * @exception FailedLoginException if the authentication fails. <p> |
| 255 | * |
| 256 | * @exception LoginException if this <code>LoginModule</code> |
| 257 | * is unable to perform the authentication. |
| 258 | */ |
| 259 | public boolean login() throws LoginException { |
| 260 | |
| 261 | if (userProvider == null) { |
| 262 | throw new LoginException |
| 263 | ("Error: Unable to locate JNDI user provider"); |
| 264 | } |
| 265 | if (groupProvider == null) { |
| 266 | throw new LoginException |
| 267 | ("Error: Unable to locate JNDI group provider"); |
| 268 | } |
| 269 | |
| 270 | if (debug) { |
| 271 | System.out.println("\t\t[JndiLoginModule] user provider: " + |
| 272 | userProvider); |
| 273 | System.out.println("\t\t[JndiLoginModule] group provider: " + |
| 274 | groupProvider); |
| 275 | } |
| 276 | |
| 277 | // attempt the authentication |
| 278 | if (tryFirstPass) { |
| 279 | |
| 280 | try { |
| 281 | // attempt the authentication by getting the |
| 282 | // username and password from shared state |
| 283 | attemptAuthentication(true); |
| 284 | |
| 285 | // authentication succeeded |
| 286 | succeeded = true; |
| 287 | if (debug) { |
| 288 | System.out.println("\t\t[JndiLoginModule] " + |
| 289 | "tryFirstPass succeeded"); |
| 290 | } |
| 291 | return true; |
| 292 | } catch (LoginException le) { |
| 293 | // authentication failed -- try again below by prompting |
| 294 | cleanState(); |
| 295 | if (debug) { |
| 296 | System.out.println("\t\t[JndiLoginModule] " + |
| 297 | "tryFirstPass failed with:" + |
| 298 | le.toString()); |
| 299 | } |
| 300 | } |
| 301 | |
| 302 | } else if (useFirstPass) { |
| 303 | |
| 304 | try { |
| 305 | // attempt the authentication by getting the |
| 306 | // username and password from shared state |
| 307 | attemptAuthentication(true); |
| 308 | |
| 309 | // authentication succeeded |
| 310 | succeeded = true; |
| 311 | if (debug) { |
| 312 | System.out.println("\t\t[JndiLoginModule] " + |
| 313 | "useFirstPass succeeded"); |
| 314 | } |
| 315 | return true; |
| 316 | } catch (LoginException le) { |
| 317 | // authentication failed |
| 318 | cleanState(); |
| 319 | if (debug) { |
| 320 | System.out.println("\t\t[JndiLoginModule] " + |
| 321 | "useFirstPass failed"); |
| 322 | } |
| 323 | throw le; |
| 324 | } |
| 325 | } |
| 326 | |
| 327 | // attempt the authentication by prompting for the username and pwd |
| 328 | try { |
| 329 | attemptAuthentication(false); |
| 330 | |
| 331 | // authentication succeeded |
| 332 | succeeded = true; |
| 333 | if (debug) { |
| 334 | System.out.println("\t\t[JndiLoginModule] " + |
| 335 | "regular authentication succeeded"); |
| 336 | } |
| 337 | return true; |
| 338 | } catch (LoginException le) { |
| 339 | cleanState(); |
| 340 | if (debug) { |
| 341 | System.out.println("\t\t[JndiLoginModule] " + |
| 342 | "regular authentication failed"); |
| 343 | } |
| 344 | throw le; |
| 345 | } |
| 346 | } |
| 347 | |
| 348 | /** |
| 349 | * Abstract method to commit the authentication process (phase 2). |
| 350 | * |
| 351 | * <p> This method is called if the LoginContext's |
| 352 | * overall authentication succeeded |
| 353 | * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules |
| 354 | * succeeded). |
| 355 | * |
| 356 | * <p> If this LoginModule's own authentication attempt |
| 357 | * succeeded (checked by retrieving the private state saved by the |
| 358 | * <code>login</code> method), then this method associates a |
| 359 | * <code>UnixPrincipal</code> |
| 360 | * with the <code>Subject</code> located in the |
| 361 | * <code>LoginModule</code>. If this LoginModule's own |
| 362 | * authentication attempted failed, then this method removes |
| 363 | * any state that was originally saved. |
| 364 | * |
| 365 | * <p> |
| 366 | * |
| 367 | * @exception LoginException if the commit fails |
| 368 | * |
| 369 | * @return true if this LoginModule's own login and commit |
| 370 | * attempts succeeded, or false otherwise. |
| 371 | */ |
| 372 | public boolean commit() throws LoginException { |
| 373 | |
| 374 | if (succeeded == false) { |
| 375 | return false; |
| 376 | } else { |
| 377 | if (subject.isReadOnly()) { |
| 378 | cleanState(); |
| 379 | throw new LoginException ("Subject is Readonly"); |
| 380 | } |
| 381 | // add Principals to the Subject |
| 382 | if (!subject.getPrincipals().contains(userPrincipal)) |
| 383 | subject.getPrincipals().add(userPrincipal); |
| 384 | if (!subject.getPrincipals().contains(UIDPrincipal)) |
| 385 | subject.getPrincipals().add(UIDPrincipal); |
| 386 | if (!subject.getPrincipals().contains(GIDPrincipal)) |
| 387 | subject.getPrincipals().add(GIDPrincipal); |
| 388 | for (int i = 0; i < supplementaryGroups.size(); i++) { |
| 389 | if (!subject.getPrincipals().contains |
| 390 | (supplementaryGroups.get(i))) |
| 391 | subject.getPrincipals().add(supplementaryGroups.get(i)); |
| 392 | } |
| 393 | |
| 394 | if (debug) { |
| 395 | System.out.println("\t\t[JndiLoginModule]: " + |
| 396 | "added UnixPrincipal,"); |
| 397 | System.out.println("\t\t\t\tUnixNumericUserPrincipal,"); |
| 398 | System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),"); |
| 399 | System.out.println("\t\t\t to Subject"); |
| 400 | } |
| 401 | } |
| 402 | // in any case, clean out state |
| 403 | cleanState(); |
| 404 | commitSucceeded = true; |
| 405 | return true; |
| 406 | } |
| 407 | |
| 408 | /** |
| 409 | * <p> This method is called if the LoginContext's |
| 410 | * overall authentication failed. |
| 411 | * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules |
| 412 | * did not succeed). |
| 413 | * |
| 414 | * <p> If this LoginModule's own authentication attempt |
| 415 | * succeeded (checked by retrieving the private state saved by the |
| 416 | * <code>login</code> and <code>commit</code> methods), |
| 417 | * then this method cleans up any state that was originally saved. |
| 418 | * |
| 419 | * <p> |
| 420 | * |
| 421 | * @exception LoginException if the abort fails. |
| 422 | * |
| 423 | * @return false if this LoginModule's own login and/or commit attempts |
| 424 | * failed, and true otherwise. |
| 425 | */ |
| 426 | public boolean abort() throws LoginException { |
| 427 | if (debug) |
| 428 | System.out.println("\t\t[JndiLoginModule]: " + |
| 429 | "aborted authentication failed"); |
| 430 | |
| 431 | if (succeeded == false) { |
| 432 | return false; |
| 433 | } else if (succeeded == true && commitSucceeded == false) { |
| 434 | |
| 435 | // Clean out state |
| 436 | succeeded = false; |
| 437 | cleanState(); |
| 438 | |
| 439 | userPrincipal = null; |
| 440 | UIDPrincipal = null; |
| 441 | GIDPrincipal = null; |
| 442 | supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>(); |
| 443 | } else { |
| 444 | // overall authentication succeeded and commit succeeded, |
| 445 | // but someone else's commit failed |
| 446 | logout(); |
| 447 | } |
| 448 | return true; |
| 449 | } |
| 450 | |
| 451 | /** |
| 452 | * Logout a user. |
| 453 | * |
| 454 | * <p> This method removes the Principals |
| 455 | * that were added by the <code>commit</code> method. |
| 456 | * |
| 457 | * <p> |
| 458 | * |
| 459 | * @exception LoginException if the logout fails. |
| 460 | * |
| 461 | * @return true in all cases since this <code>LoginModule</code> |
| 462 | * should not be ignored. |
| 463 | */ |
| 464 | public boolean logout() throws LoginException { |
| 465 | if (subject.isReadOnly()) { |
| 466 | cleanState(); |
| 467 | throw new LoginException ("Subject is Readonly"); |
| 468 | } |
| 469 | subject.getPrincipals().remove(userPrincipal); |
| 470 | subject.getPrincipals().remove(UIDPrincipal); |
| 471 | subject.getPrincipals().remove(GIDPrincipal); |
| 472 | for (int i = 0; i < supplementaryGroups.size(); i++) { |
| 473 | subject.getPrincipals().remove(supplementaryGroups.get(i)); |
| 474 | } |
| 475 | |
| 476 | |
| 477 | // clean out state |
| 478 | cleanState(); |
| 479 | succeeded = false; |
| 480 | commitSucceeded = false; |
| 481 | |
| 482 | userPrincipal = null; |
| 483 | UIDPrincipal = null; |
| 484 | GIDPrincipal = null; |
| 485 | supplementaryGroups = new LinkedList<UnixNumericGroupPrincipal>(); |
| 486 | |
| 487 | if (debug) { |
| 488 | System.out.println("\t\t[JndiLoginModule]: " + |
| 489 | "logged out Subject"); |
| 490 | } |
| 491 | return true; |
| 492 | } |
| 493 | |
| 494 | /** |
| 495 | * Attempt authentication |
| 496 | * |
| 497 | * <p> |
| 498 | * |
| 499 | * @param getPasswdFromSharedState boolean that tells this method whether |
| 500 | * to retrieve the password from the sharedState. |
| 501 | */ |
| 502 | private void attemptAuthentication(boolean getPasswdFromSharedState) |
| 503 | throws LoginException { |
| 504 | |
| 505 | String encryptedPassword = null; |
| 506 | |
| 507 | // first get the username and password |
| 508 | getUsernamePassword(getPasswdFromSharedState); |
| 509 | |
| 510 | try { |
| 511 | |
| 512 | // get the user's passwd entry from the user provider URL |
| 513 | InitialContext iCtx = new InitialContext(); |
| 514 | ctx = (DirContext)iCtx.lookup(userProvider); |
| 515 | |
| 516 | /* |
| 517 | SearchControls controls = new SearchControls |
| 518 | (SearchControls.ONELEVEL_SCOPE, |
| 519 | 0, |
| 520 | 5000, |
| 521 | new String[] { USER_PWD }, |
| 522 | false, |
| 523 | false); |
| 524 | */ |
| 525 | |
| 526 | SearchControls controls = new SearchControls(); |
| 527 | NamingEnumeration<SearchResult> ne = ctx.search("", |
| 528 | "(uid=" + username + ")", |
| 529 | controls); |
| 530 | if (ne.hasMore()) { |
| 531 | SearchResult result = ne.next(); |
| 532 | Attributes attributes = result.getAttributes(); |
| 533 | |
| 534 | // get the password |
| 535 | |
| 536 | // this module works only if the LDAP directory server |
| 537 | // is configured to permit read access to the userPassword |
| 538 | // attribute. The directory administrator need to grant |
| 539 | // this access. |
| 540 | // |
| 541 | // A workaround would be to make the server do authentication |
| 542 | // by setting the Context.SECURITY_PRINCIPAL |
| 543 | // and Context.SECURITY_CREDENTIALS property. |
| 544 | // However, this would make it not work with systems that |
| 545 | // don't do authentication at the server (like NIS). |
| 546 | // |
| 547 | // Setting the SECURITY_* properties and using "simple" |
| 548 | // authentication for LDAP is recommended only for secure |
| 549 | // channels. For nonsecure channels, SSL is recommended. |
| 550 | |
| 551 | Attribute pwd = attributes.get(USER_PWD); |
| 552 | String encryptedPwd = new String((byte[])pwd.get(), "UTF8"); |
| 553 | encryptedPassword = encryptedPwd.substring(CRYPT.length()); |
| 554 | |
| 555 | // check the password |
| 556 | if (verifyPassword |
| 557 | (encryptedPassword, new String(password)) == true) { |
| 558 | |
| 559 | // authentication succeeded |
| 560 | if (debug) |
| 561 | System.out.println("\t\t[JndiLoginModule] " + |
| 562 | "attemptAuthentication() succeeded"); |
| 563 | |
| 564 | } else { |
| 565 | // authentication failed |
| 566 | if (debug) |
| 567 | System.out.println("\t\t[JndiLoginModule] " + |
| 568 | "attemptAuthentication() failed"); |
| 569 | throw new FailedLoginException("Login incorrect"); |
| 570 | } |
| 571 | |
| 572 | // save input as shared state only if |
| 573 | // authentication succeeded |
| 574 | if (storePass && |
| 575 | !sharedState.containsKey(NAME) && |
| 576 | !sharedState.containsKey(PWD)) { |
| 577 | sharedState.put(NAME, username); |
| 578 | sharedState.put(PWD, password); |
| 579 | } |
| 580 | |
| 581 | // create the user principal |
| 582 | userPrincipal = new UnixPrincipal(username); |
| 583 | |
| 584 | // get the UID |
| 585 | Attribute uid = attributes.get(USER_UID); |
| 586 | String uidNumber = (String)uid.get(); |
| 587 | UIDPrincipal = new UnixNumericUserPrincipal(uidNumber); |
| 588 | if (debug && uidNumber != null) { |
| 589 | System.out.println("\t\t[JndiLoginModule] " + |
| 590 | "user: '" + username + "' has UID: " + |
| 591 | uidNumber); |
| 592 | } |
| 593 | |
| 594 | // get the GID |
| 595 | Attribute gid = attributes.get(USER_GID); |
| 596 | String gidNumber = (String)gid.get(); |
| 597 | GIDPrincipal = new UnixNumericGroupPrincipal |
| 598 | (gidNumber, true); |
| 599 | if (debug && gidNumber != null) { |
| 600 | System.out.println("\t\t[JndiLoginModule] " + |
| 601 | "user: '" + username + "' has GID: " + |
| 602 | gidNumber); |
| 603 | } |
| 604 | |
| 605 | // get the supplementary groups from the group provider URL |
| 606 | ctx = (DirContext)iCtx.lookup(groupProvider); |
| 607 | ne = ctx.search("", new BasicAttributes("memberUid", username)); |
| 608 | |
| 609 | while (ne.hasMore()) { |
| 610 | result = ne.next(); |
| 611 | attributes = result.getAttributes(); |
| 612 | |
| 613 | gid = attributes.get(GROUP_ID); |
| 614 | String suppGid = (String)gid.get(); |
| 615 | if (!gidNumber.equals(suppGid)) { |
| 616 | UnixNumericGroupPrincipal suppPrincipal = |
| 617 | new UnixNumericGroupPrincipal(suppGid, false); |
| 618 | supplementaryGroups.add(suppPrincipal); |
| 619 | if (debug && suppGid != null) { |
| 620 | System.out.println("\t\t[JndiLoginModule] " + |
| 621 | "user: '" + username + |
| 622 | "' has Supplementary Group: " + |
| 623 | suppGid); |
| 624 | } |
| 625 | } |
| 626 | } |
| 627 | |
| 628 | } else { |
| 629 | // bad username |
| 630 | if (debug) { |
| 631 | System.out.println("\t\t[JndiLoginModule]: User not found"); |
| 632 | } |
| 633 | throw new FailedLoginException("User not found"); |
| 634 | } |
| 635 | } catch (NamingException ne) { |
| 636 | // bad username |
| 637 | if (debug) { |
| 638 | System.out.println("\t\t[JndiLoginModule]: User not found"); |
| 639 | ne.printStackTrace(); |
| 640 | } |
| 641 | throw new FailedLoginException("User not found"); |
| 642 | } catch (java.io.UnsupportedEncodingException uee) { |
| 643 | // password stored in incorrect format |
| 644 | if (debug) { |
| 645 | System.out.println("\t\t[JndiLoginModule]: " + |
| 646 | "password incorrectly encoded"); |
| 647 | uee.printStackTrace(); |
| 648 | } |
| 649 | throw new LoginException("Login failure due to incorrect " + |
| 650 | "password encoding in the password database"); |
| 651 | } |
| 652 | |
| 653 | // authentication succeeded |
| 654 | } |
| 655 | |
| 656 | /** |
| 657 | * Get the username and password. |
| 658 | * This method does not return any value. |
| 659 | * Instead, it sets global name and password variables. |
| 660 | * |
| 661 | * <p> Also note that this method will set the username and password |
| 662 | * values in the shared state in case subsequent LoginModules |
| 663 | * want to use them via use/tryFirstPass. |
| 664 | * |
| 665 | * <p> |
| 666 | * |
| 667 | * @param getPasswdFromSharedState boolean that tells this method whether |
| 668 | * to retrieve the password from the sharedState. |
| 669 | */ |
| 670 | private void getUsernamePassword(boolean getPasswdFromSharedState) |
| 671 | throws LoginException { |
| 672 | |
| 673 | if (getPasswdFromSharedState) { |
| 674 | // use the password saved by the first module in the stack |
| 675 | username = (String)sharedState.get(NAME); |
| 676 | password = (char[])sharedState.get(PWD); |
| 677 | return; |
| 678 | } |
| 679 | |
| 680 | // prompt for a username and password |
| 681 | if (callbackHandler == null) |
| 682 | throw new LoginException("Error: no CallbackHandler available " + |
| 683 | "to garner authentication information from the user"); |
| 684 | |
| 685 | String protocol = userProvider.substring(0, userProvider.indexOf(":")); |
| 686 | |
| 687 | Callback[] callbacks = new Callback[2]; |
| 688 | callbacks[0] = new NameCallback(protocol + " " |
| 689 | + rb.getString("username: ")); |
| 690 | callbacks[1] = new PasswordCallback(protocol + " " + |
| 691 | rb.getString("password: "), |
| 692 | false); |
| 693 | |
| 694 | try { |
| 695 | callbackHandler.handle(callbacks); |
| 696 | username = ((NameCallback)callbacks[0]).getName(); |
| 697 | char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword(); |
| 698 | password = new char[tmpPassword.length]; |
| 699 | System.arraycopy(tmpPassword, 0, |
| 700 | password, 0, tmpPassword.length); |
| 701 | ((PasswordCallback)callbacks[1]).clearPassword(); |
| 702 | |
| 703 | } catch (java.io.IOException ioe) { |
| 704 | throw new LoginException(ioe.toString()); |
| 705 | } catch (UnsupportedCallbackException uce) { |
| 706 | throw new LoginException("Error: " + uce.getCallback().toString() + |
| 707 | " not available to garner authentication information " + |
| 708 | "from the user"); |
| 709 | } |
| 710 | |
| 711 | // print debugging information |
| 712 | if (strongDebug) { |
| 713 | System.out.println("\t\t[JndiLoginModule] " + |
| 714 | "user entered username: " + |
| 715 | username); |
| 716 | System.out.print("\t\t[JndiLoginModule] " + |
| 717 | "user entered password: "); |
| 718 | for (int i = 0; i < password.length; i++) |
| 719 | System.out.print(password[i]); |
| 720 | System.out.println(); |
| 721 | } |
| 722 | } |
| 723 | |
| 724 | /** |
| 725 | * Verify a password against the encrypted passwd from /etc/shadow |
| 726 | */ |
| 727 | private boolean verifyPassword(String encryptedPassword, String password) { |
| 728 | |
| 729 | if (encryptedPassword == null) |
| 730 | return false; |
| 731 | |
| 732 | Crypt c = new Crypt(); |
| 733 | try { |
| 734 | byte oldCrypt[] = encryptedPassword.getBytes("UTF8"); |
| 735 | byte newCrypt[] = c.crypt(password.getBytes("UTF8"), |
| 736 | oldCrypt); |
| 737 | if (newCrypt.length != oldCrypt.length) |
| 738 | return false; |
| 739 | for (int i = 0; i < newCrypt.length; i++) { |
| 740 | if (oldCrypt[i] != newCrypt[i]) |
| 741 | return false; |
| 742 | } |
| 743 | } catch (java.io.UnsupportedEncodingException uee) { |
| 744 | // cannot happen, but return false just to be safe |
| 745 | return false; |
| 746 | } |
| 747 | return true; |
| 748 | } |
| 749 | |
| 750 | /** |
| 751 | * Clean out state because of a failed authentication attempt |
| 752 | */ |
| 753 | private void cleanState() { |
| 754 | username = null; |
| 755 | if (password != null) { |
| 756 | for (int i = 0; i < password.length; i++) |
| 757 | password[i] = ' '; |
| 758 | password = null; |
| 759 | } |
| 760 | ctx = null; |
| 761 | |
| 762 | if (clearPass) { |
| 763 | sharedState.remove(NAME); |
| 764 | sharedState.remove(PWD); |
| 765 | } |
| 766 | } |
| 767 | } |