public class LdapLoginModule extends UsernamePasswordLoginModule
The LoginModule options include whatever options your LDAP JNDI provider supports. Examples of standard property names are:
Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"
Context.SECURITY_PROTOCOL = "java.naming.security.protocol"
Context.PROVIDER_URL = "java.naming.provider.url"
Context.SECURITY_AUTHENTICATION = "java.naming.security.authentication"
The Context.SECURITY_PRINCIPAL is set to the distinguished name of the user as obtained by the callback handler and the Context.SECURITY_CREDENTIALS property is either set to the String password or Object credential depending on the useObjectCredential option.
Additional module properties include:
principalDNPrefix, principalDNSuffix - a prefix and suffix combined with the username to form the user distinguished name that is bound as Context.SECURITY_PRINCIPAL:
    String userDN = principalDNPrefix + username + principalDNSuffix;
useObjectCredential - indicates that the credential is to be obtained as an opaque Object using the org.jboss.security.plugins.ObjectCallback type of Callback rather than as a char[] password using a JAAS PasswordCallback.
Sample login-config entries:

    testLdap {
        org.jboss.security.auth.spi.LdapLoginModule required
            java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
            java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
            java.naming.security.authentication=simple
            principalDNPrefix=uid=
            uidAttributeID=userid
            roleAttributeID=roleName
            principalDNSuffix=,ou=People,o=jboss.org
            rolesCtxDN=cn=JBossSX Tests,ou=Roles,o=jboss.org
    };

    testLdap2 {
        org.jboss.security.auth.spi.LdapLoginModule required
            java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
            java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
            java.naming.security.authentication=simple
            principalDNPrefix=uid=
            uidAttributeID=userid
            roleAttributeID=roleName
            principalDNSuffix=,ou=People,o=jboss.org
            userRolesCtxDNAttributeName=ou=Roles,dc=user1,dc=com
    };

    testLdapToActiveDirectory {
        org.jboss.security.auth.spi.LdapLoginModule required
            java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
            java.naming.provider.url="ldap://ldaphost.jboss.org:1389/"
            java.naming.security.authentication=simple
            rolesCtxDN=cn=Users,dc=ldaphost,dc=jboss,dc=org
            uidAttributeID=userPrincipalName
            roleAttributeID=memberOf
            roleAttributeIsDN=true
            roleNameAttributeID=name
    };
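The following is an added example, written for this page and not taken from the JBoss/PicketBox source, showing the behaviour the javadoc describes: the user DN is built as principalDNPrefix + username + principalDNSuffix, the password is checked by opening a JNDI context bound as that DN with SECURITY_CREDENTIALS set to the password (the same bind-based check validatePassword performs, which is why expectedPassword is ignored), and roles are then read from rolesCtxDN. The option values are copied from the testLdap entry above; the class and method names (LdapBindCheck, bindAsUser, findRoles, isSafeUsername), the sample username "jduke", and the exact way rolesCtxDN/uidAttributeID/roleAttributeID are used for the role search are assumptions made for illustration. Only standard JNDI (javax.naming) API is used.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Illustrative stand-in (not the JBoss module's source) for the steps the javadoc
 * describes: build the user DN, validate the password with a JNDI bind as that DN,
 * then read the user's roles from rolesCtxDN.
 */
public class LdapBindCheck {

    // Values copied from the testLdap configuration on this page.
    static final String PROVIDER_URL = "ldap://ldaphost.jboss.org:1389/";
    static final String PRINCIPAL_DN_PREFIX = "uid=";
    static final String PRINCIPAL_DN_SUFFIX = ",ou=People,o=jboss.org";
    static final String ROLES_CTX_DN = "cn=JBossSX Tests,ou=Roles,o=jboss.org";
    static final String UID_ATTRIBUTE_ID = "userid";
    static final String ROLE_ATTRIBUTE_ID = "roleName";

    /** Same construction as the javadoc's userDN line. */
    static String userDN(String username) {
        return PRINCIPAL_DN_PREFIX + username + PRINCIPAL_DN_SUFFIX;
    }

    /** Safeguard added in this example: the prefix/suffix concatenation does no DN
     *  escaping, so only accept usernames that cannot change the DN structure. */
    static boolean isSafeUsername(String username) {
        return username != null && username.matches("[A-Za-z0-9._@-]+");
    }

    static Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        return env;
    }

    /** Bind-based validation: SECURITY_PRINCIPAL = user DN, SECURITY_CREDENTIALS = password.
     *  Returns the authenticated context (caller closes it) or null when the bind fails. */
    static DirContext bindAsUser(String username, char[] password) {
        // Defensive check added in this example: a simple bind with an empty password is an
        // "unauthenticated" bind (RFC 4513) that directories may accept, so never send one.
        if (!isSafeUsername(username) || password == null || password.length == 0) {
            return null;
        }
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, userDN(username));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            return new InitialDirContext(env); // the bind happens here
        } catch (NamingException e) {         // AuthenticationException is a subclass
            return null;
        }
    }

    /** Role lookup modelled on rolesCtxDN / uidAttributeID / roleAttributeID: search the
     *  roles context for entries whose uidAttributeID equals the username and collect
     *  every value of roleAttributeID. */
    static List<String> findRoles(DirContext ctx, String username) throws NamingException {
        List<String> roles = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { ROLE_ATTRIBUTE_ID });
        // {0} is substituted by JNDI with filter escaping, so the username cannot rewrite the filter.
        NamingEnumeration<SearchResult> results = ctx.search(
                ROLES_CTX_DN, "(" + UID_ATTRIBUTE_ID + "={0})", new Object[] { username }, sc);
        while (results.hasMore()) {
            Attribute attr = results.next().getAttributes().get(ROLE_ATTRIBUTE_ID);
            if (attr == null) continue;
            for (int i = 0; i < attr.size(); i++) {
                roles.add(String.valueOf(attr.get(i)));
            }
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        // "jduke" is a constructed sample username.
        System.out.println(userDN("jduke"));                          // uid=jduke,ou=People,o=jboss.org
        System.out.println(bindAsUser("jduke", new char[0]) == null); // true: rejected before any bind
        // With a reachable directory:
        //   DirContext ctx = bindAsUser("jduke", pw); List<String> r = findRoles(ctx, "jduke"); ctx.close();
    }
}
```

The role search runs on the context that was just authenticated as the user, so it only succeeds if the directory grants that user read access to rolesCtxDN; a deployment that restricts that access needs a separate bind identity for the lookup. The empty-password guard and the username allow-list are not described on this page and are added here as the checks a bind-based validator should carry.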
Fields inherited from class AbstractServerLoginModule:
callbackHandler, jbossModuleName, log, loginOk, options, principalClassModuleName, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass
| Constructor and Description |
|---|
| LdapLoginModule() |
| Modifier and Type | Method and Description |
|---|---|
| protected Group[] | getRoleSets() Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user. |
| protected String | getUsersPassword() Overridden to return an empty password string as typically one cannot obtain a user's password. |
| void | initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options) Override the superclass method to look for the following options after first invoking the super version. |
| protected boolean | validatePassword(String inputPassword, String expectedPassword) Validate the inputPassword by creating an LDAP InitialContext with the SECURITY_CREDENTIALS set to the password. |
Methods inherited from class UsernamePasswordLoginModule:
createPasswordHash, getCredentials, getIdentity, getUnauthenticatedIdentity, getUsername, getUsernameAndPassword, getValidateError, login, safeClose, setValidateError
Methods inherited from class AbstractServerLoginModule:
abort, addValidOptions, checkOptions, commit, createGroup, createIdentity, getCallerPrincipalGroup, getUseFirstPass, logout
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
Description copied from class: UsernamePasswordLoginModule
Specified by: initialize in interface LoginModule
Overrides: initialize in class UsernamePasswordLoginModule
Parameters:
subject - the Subject to update after a successful login.
callbackHandler - the CallbackHandler that will be used to obtain the user identity and credentials.
sharedState - a Map shared between all configured login module instances
options -
option: hashAlgorithm - the message digest algorithm used to hash passwords. If null then plain passwords will be used.
option: hashCharset - the name of the charset/encoding to use when converting the password String to a byte array. Default is the platform's default encoding.
option: hashEncoding - the string encoding format to use. Defaults to base64.
option: ignorePasswordCase - a flag indicating if the password comparison should ignore case.
option: digestCallback - the class name of the DigestCallback implementation that includes pre/post digest content like salts for hashing the input password. Only used if hashAlgorithm has been specified.
option: hashStorePassword - a flag indicating if the store password returned from getUsersPassword() should be hashed.
option: hashUserPassword - a flag indicating if the user entered password should be hashed.
option: storeDigestCallback - the class name of the DigestCallback implementation that includes pre/post digest content like salts for hashing the store/expected password. Only used if hashStorePassword or hashUserPassword is true and hashAlgorithm has been specified.

protected String getUsersPassword() throws LoginException
Overrides: getUsersPassword in class UsernamePasswordLoginModule
Throws: LoginException
protected Group[] getRoleSets() throws LoginException
Overrides: getRoleSets in class AbstractServerLoginModule
Throws: LoginException
protected boolean validatePassword(String inputPassword, String expectedPassword)
Overrides: validatePassword in class UsernamePasswordLoginModule
Parameters:
inputPassword - the password to validate.
expectedPassword - ignored

Copyright © 2017 JBoss by Red Hat. All rights reserved.