Examples of com.sun.security.auth.module.LdapLoginModule

• com.sun.security.auth.module.LdapLoginModule
  etf.org/rfc/rfc2255.txt">RFC 2255) that identifies the LDAP server to use and the position in its directory tree where user entries are located. When several LDAP URLs are specified then each is attempted, in turn, until the first successful connection is established. Spaces in the distinguished name component of the URL must be escaped using the standard mechanism of percent character ('%') followed by two hexadecimal digits (see {@link java.net.URI}). Query components must also be omitted from the URL.

  Automatic discovery of the LDAP server via DNS (RFC 2782) is supported (once DNS has been configured to support such a service). It is enabled by omitting the hostname and port number components from the LDAP URL.

  This module also recognizes the following optional {@link Configuration}options:

  userFilter=ldap_filter

  This option specifies the search filter to use to locate a user's entry in the LDAP directory. It is used to determine a user's distinguished name. ldap_filter is an LDAP filter string (RFC 2254). If it contains the special token "{USERNAME}" then that token will be replaced with the supplied username value before the filter is used to search the directory.

  authIdentity=auth_id

  This option specifies the identity to use when authenticating a user to the LDAP directory. auth_id may be an LDAP distinguished name string (RFC 2253) or some other string name. It must contain the special token "{USERNAME}" which will be replaced with the supplied username value before the name is used for authentication. Note that if this option does not contain a distinguished name then the userFilter option must also be specified.

  authzIdentity=authz_id

  This option specifies an authorization identity for the user. authz_id is any string name. If it comprises a single special token with curly braces then that token is treated as a attribute name and will be replaced with a single value of that attribute from the user's LDAP entry. If the attribute cannot be found then the option is ignored. When this option is supplied and the user has been successfully authenticated then an additional {@link UserPrincipal}is created using the authorization identity and it is associated with the current {@link Subject}.

  useSSL

  if false, this module does not establish an SSL connection to the LDAP server before attempting authentication. SSL is used to protect the privacy of the user's password because it is transmitted in the clear over LDAP. By default, this module uses SSL.

  useFirstPass

  if true, this module retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, no attempt for a retry is made, and the failure is reported back to the calling application.

  tryFirstPass

  if true, this module retrieves the username and password from the module's shared state, using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. The retrieved values are used for authentication. If authentication fails, the module uses the {@link CallbackHandler} to retrieve a new usernameand password, and another attempt to authenticate is made. If the authentication fails, the failure is reported back to the calling application.

  storePass

  if true, this module stores the username and password obtained from the {@link CallbackHandler} in the module's shared state,using "javax.security.auth.login.name" and "javax.security.auth.login.password" as the respective keys. This is not performed if existing values already exist for the username and password in the shared state, or if authentication fails.

  clearPass

  if true, this module clears the username and password stored in the module's shared state after both phases of authentication (login and commit) have completed.

  debug

  if true, debug messages are displayed on the standard output stream.

  Arbitrary JNDI properties may also be specified in the {@link Configuration}. They are added to the environment and passed to the LDAP provider. Note that the following four JNDI properties are set by this module directly and are ignored if also present in the configuration:

  • java.naming.provider.url
  • java.naming.security.principal
  • java.naming.security.credentials
  • java.naming.security.protocol

  Three sample {@link Configuration}s are shown below. The first one activates search-first mode. It identifies the LDAP server and specifies that users' entries be located by their uid and objectClass attributes. It also specifies that an identity based on the user's employeeNumber attribute should be created. The second one activates authentication-first mode. It requests that the LDAP server be located dynamically, that authentication be performed using the supplied username directly but without the protection of SSL and that users' entries be located by one of three naming attributes and their objectClass attribute. The third one activates authentication-only mode. It identifies alternative LDAP servers, it specifies the distinguished name to use for authentication and a fixed identity to use for authorization. No directory search is performed.

   ExampleApplication { com.sun.security.auth.module.LdapLoginModule REQUIRED userProvider="ldap://ldap-svr/ou=people,dc=example,dc=com" userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))" authzIdentity="{EMPLOYEENUMBER}" debug=true; }; ExampleApplication { com.sun.security.auth.module.LdapLoginModule REQUIRED userProvider="ldap:///cn=users,dc=example,dc=com" authIdentity="{USERNAME}" userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))" useSSL=false debug=true; }; ExampleApplication { com.sun.security.auth.module.LdapLoginModule REQUIRED userProvider="ldap://ldap-svr1 ldap://ldap-svr2" authIdentity="cn={USERNAME},ou=people,dc=example,dc=com" authzIdentity="staff" debug=true; }; 

  Note:

  When a {@link SecurityManager} is active then an applicationthat creates a {@link LoginContext} and uses a {@link LoginModule}must be granted certain permissions.

  If the application creates a login context using an installed {@link Configuration} then the application must be granted the{@link AuthPermission} to create login contexts.For example, the following security policy allows an application in the user's current directory to instantiate any login context:

   grant codebase "file:${user.dir}/" { permission javax.security.auth.AuthPermission "createLoginContext.*"; }; 

  Alternatively, if the application creates a login context using a caller-specified {@link Configuration} then the applicationmust be granted the permissions required by the {@link LoginModule}. This module requires the following two permissions:

  • The {@link SocketPermission} to connect to an LDAP server.
  • The {@link AuthPermission} to modify the set of {@link Principal}s associated with a {@link Subject}.

  For example, the following security policy grants an application in the user's current directory all the permissions required by this module:

   grant codebase "file:${user.dir}/" { permission java.net.SocketPermission "*:389", "connect"; permission java.net.SocketPermission "*:636", "connect"; permission javax.security.auth.AuthPermission "modifyPrincipals"; }; 

  @since 1.6

    private static void testInvalidOptions() throws Exception {

        // empty set of options

        LdapLoginModule ldap = new LdapLoginModule();
        Subject subject = new Subject();
        ldap.initialize(subject, null, null, Collections.EMPTY_MAP);

        try {
            ldap.login();
            throw new SecurityException("expected a LoginException");

        } catch (LoginException le) {
            // expected behaviour
            System.out.println("Caught a LoginException, as expected");
        }

        // bad value for userProvider option

        Map<String, String> options = new HashMap<String, String>();
        options.put(USER_PROVIDER_OPTION, "ldap://localhost:23456");
        ldap.initialize(subject, null, null, options);

        try {
            ldap.login();
            throw new SecurityException("expected a LoginException");

        } catch (LoginException le) {
            // expected behaviour
            System.out.println("Caught a LoginException, as expected");

    private static void testNullCallbackHandler() throws Exception {

        // empty set of options

        LdapLoginModule ldap = new LdapLoginModule();
        Subject subject = new Subject();
        Map<String, String> options = new HashMap<String, String>();
        ldap.initialize(subject, null, null, options);

        try {
            ldap.login();
            throw new SecurityException("expected LoginException");

        } catch (LoginException le) {
            // expected behaviour
            System.out.println("Caught a LoginException, as expected");

        }
    }

    private static void testWithCallbackHandler() throws Exception {

        LdapLoginModule ldap = new LdapLoginModule();
        Subject subject = new Subject();
        Map<String, String> options = new HashMap<String, String>();

        CallbackHandler goodHandler = new MyCallbackHandler(true);
        ldap.initialize(subject, goodHandler, null, options);

        try {
            ldap.login();
            throw new SecurityException("expected LoginException");

        } catch (LoginException le) {
            // expected behaviour
            System.out.println("Caught a LoginException, as expected");
        }

        CallbackHandler badHandler = new MyCallbackHandler(false);
        ldap.initialize(subject, badHandler, null, options);

        try {
            ldap.login();
            throw new SecurityException("expected LoginException");

        } catch (LoginException le) {
            // expected behaviour
            System.out.println("Caught a LoginException, as expected");