/*
* Copyright (c) 1998-2011 Caucho Technology -- all rights reserved
*
* This file is part of Resin(R) Open Source
*
* Each copy or derived work must preserve the copyright notice and this
* notice unmodified.
*
* Resin Open Source is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* Resin Open Source is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
* of NON-INFRINGEMENT. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License
* along with Resin Open Source; if not, write to the
* Free SoftwareFoundation, Inc.
* 59 Temple Place, Suite 330
* Boston, MA 02111-1307 USA
*
* @author Scott Ferguson
*/
package com.caucho.security;
import java.security.Principal;
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;
import javax.servlet.ServletException;
import com.caucho.config.Service;
import com.caucho.config.types.InitParam;
/**
* The LDAP authenticator uses the underlying LDAP services
* provided by the JDK.
*
* <code><pre>
* <authenticator url="ldap:url=ldap://localhost:389">
* </authenticator>
* </code></pre>
*/
@Service
public class LdapAuthenticator extends AbstractAuthenticator {
private static final Logger log
= Logger.getLogger(LdapAuthenticator.class.getName());
private String _host = "ldap://localhost:389";
private String _userAttribute = "uid";
private String _passwordAttribute = "userPassword";
private String _roleAttribute;
private String _baseDn;
private String _dnPrefix;
private String _dnSuffix;
private Hashtable<String,String> _jndiEnv
= new Hashtable<String,String>();
public LdapAuthenticator()
{
_jndiEnv.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
_jndiEnv.put(Context.PROVIDER_URL,
"ldap://localhost:389");
}
public void setDNPrefix(String prefix)
{
_dnPrefix = prefix;
}
public void setDNSuffix(String suffix)
{
_dnSuffix = suffix;
}
public void setBaseDn(String baseDn)
{
_baseDn = baseDn;
}
public void setHost(String host)
{
if (! host.startsWith("ldap:"))
host = "ldap://" + host;
setURL(host);
}
public void addJNDIEnv(InitParam init)
{
_jndiEnv.putAll(init.getParameters());
}
public void setURL(String url)
{
_jndiEnv.put(Context.PROVIDER_URL, url);
}
public void setUserAttribute(String user)
{
_userAttribute = user;
}
public void setPasswordAttribute(String password)
{
_passwordAttribute = password;
}
public void setRoleAttribute(String role)
{
_roleAttribute = role;
}
/**
* Sets the Context.SECURITY_AUTHENTICATION
*/
public void setSecurityAuthentication(String type)
{
_jndiEnv.put(Context.SECURITY_AUTHENTICATION, type);
}
/**
* Sets the Context.SECURITY_PRINCIPAL
*/
public void setSecurityPrincipal(String user)
{
_jndiEnv.put(Context.SECURITY_PRINCIPAL, user);
}
/**
* Sets the Context.SECURITY_CREDENTIALS
*/
public void setSecurityCredentials(String password)
{
_jndiEnv.put(Context.SECURITY_CREDENTIALS, password);
}
/**
* Initialize the authenticator.
*/
@PostConstruct
public void init()
throws ServletException
{
super.init();
}
/**
* Authenticate (login) the user.
*/
@Override
protected PasswordUser getPasswordUser(String userName)
{
try {
Hashtable env = new Hashtable();
env.putAll(_jndiEnv);
InitialDirContext ic = new InitialDirContext(env);
String query = _userAttribute + '=' + userName;
if (_baseDn != null && ! _baseDn.equals(""))
query = _baseDn + ',' + query;
if (_dnPrefix != null && ! _dnPrefix.equals(""))
query = _dnPrefix + ',' + query;
if (_dnSuffix != null && ! _dnSuffix.equals(""))
query = query + ',' + _dnSuffix;
Attributes attributes = ic.getAttributes(query);
if (log.isLoggable(Level.FINE))
log.fine("ldap-authenticator: " + query + "->" + (attributes != null));
if (attributes == null)
return null;
Attribute passwordAttr = attributes.get(_passwordAttribute);
String ldapPassword = (String) passwordAttr.get();
if (passwordAttr == null)
return null;
String []roles = null;
if (_roleAttribute != null) {
Attribute roleAttr = attributes.get(_roleAttribute);
if (roleAttr != null) {
String roleSet = (String) roleAttr.get();
if (roleSet != null)
roles = roleSet.split("[, ]+");
}
}
if (roles == null)
roles = new String[] { "user" };
Principal principal = new BasicPrincipal(userName);
boolean isDisabled = false;
boolean isAnonymous = false;
return new PasswordUser(principal, ldapPassword.toCharArray(),
isDisabled, isAnonymous,
roles);
} catch (NamingException e) {
log.log(Level.FINE, e.toString(), e);
return null;
}
}
}