org.apache.directory.server.core.authn
Class SimpleAuthenticator

java.lang.Object
  extended by org.apache.directory.server.core.authn.AbstractAuthenticator
      extended by org.apache.directory.server.core.authn.SimpleAuthenticator
All Implemented Interfaces:
Authenticator

public class SimpleAuthenticator
extends AbstractAuthenticator

A simple Authenticator that authenticates clear text passwords contained within the userPassword attribute in the DIT. If the password is stored with a one-way encryption applied (e.g. SHA), the password is hashed the same way before comparison.

Author:
Apache Directory Project

Constructor Summary
SimpleAuthenticator()
          Creates a new instance.
 
Method Summary
 LdapPrincipal authenticate(LdapDN principalDn, ServerContext ctx)
          Looks up userPassword attribute of the entry whose name is the value of Context.SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.
protected  java.lang.String createDigestedPassword(java.lang.String algorithm, java.lang.Object password)
          Creates a digested password.
protected  java.lang.String getAlgorithmForHashedPassword(java.lang.Object password)
          Get the algorithm of a password, which is stored in the form "{XYZ}...".
 void invalidateCache(LdapDN bindDn)
          Does nothing, leaving it so subclasses can override.
protected  boolean isPasswordOneWayEncrypted(java.lang.Object password)
          Checks if the argument is one-way encrypted.
protected  byte[] lookupUserPassword(LdapDN principalDn)
           
 
Methods inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator
createLdapPrincipal, destroy, doDestroy, doInit, getAuthenticatorType, getConfiguration, getFactoryConfiguration, init
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SimpleAuthenticator

public SimpleAuthenticator()
Creates a new instance.

Method Detail

authenticate

public LdapPrincipal authenticate(LdapDN principalDn,
                                  ServerContext ctx)
                           throws javax.naming.NamingException
Looks up userPassword attribute of the entry whose name is the value of Context.SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.

Specified by:
authenticate in interface Authenticator
Specified by:
authenticate in class AbstractAuthenticator
Throws:
javax.naming.NamingException

lookupUserPassword

protected byte[] lookupUserPassword(LdapDN principalDn)
                             throws javax.naming.NamingException
Throws:
javax.naming.NamingException

isPasswordOneWayEncrypted

protected boolean isPasswordOneWayEncrypted(java.lang.Object password)
Checks if the argument is one-way encrypted. If it is a string or a byte-array which looks like "{XYZ}...", and XYZ is a known message digest, the method returns true. The method does not throw an exception otherwise, e.g. if the algorithm XYZ is not known to the runtime.

Parameters:
password - argument, either a string or a byte-array
Returns:
true, if the value is a digested password with algorithm included

getAlgorithmForHashedPassword

protected java.lang.String getAlgorithmForHashedPassword(java.lang.Object password)
                                                  throws java.lang.IllegalArgumentException
Get the algorithm of a password, which is stored in the form "{XYZ}...". The method returns null, if the argument is not in this form. It returns XYZ, if XYZ is an algorithm known to the MessageDigest class of java.security.

Returns:
included message digest algorithm, if any
Throws:
java.lang.IllegalArgumentException

createDigestedPassword

protected java.lang.String createDigestedPassword(java.lang.String algorithm,
                                                  java.lang.Object password)
                                           throws java.security.NoSuchAlgorithmException,
                                                  java.lang.IllegalArgumentException
Creates a digested password. For a given hash algorithm and a password value, the algorithm is applied to the password, and the result is Base64 encoded. The method returns a String which looks like "{XYZ}bbbbbbb", where XYZ is the name of the algorithm, and bbbbbbb is the Base64 encoded value of XYZ applied to the password.

Parameters:
algorithm - an algorithm which is supported by java.security.MessageDigest, e.g. SHA
password - password value, either a string or a byte[]
Returns:
a digested password, which looks like {SHA}LhkDrSoM6qr0fW6hzlfOJQW61tc=
Throws:
java.lang.IllegalArgumentException - if password is neither a String nor a byte[], or algorithm is not known to java.security.MessageDigest class
java.security.NoSuchAlgorithmException
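
A standalone sketch of the "{XYZ}..." handling described for isPasswordOneWayEncrypted, getAlgorithmForHashedPassword and createDigestedPassword, including the hash-then-compare step. It is an added example, not the Apache Directory source: the class DigestedPasswordDemo and its method names are hypothetical, and the UTF-8 encoding of the sample password is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class DigestedPasswordDemo {
    // Returns XYZ for a value of the form "{XYZ}..." when XYZ is known to
    // java.security.MessageDigest, otherwise null (treated as clear text).
    static String algorithmOf(String stored) {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 2) {
            return null;
        }
        String name = stored.substring(1, close);
        try {
            MessageDigest.getInstance(name);
            return name;
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    // Builds "{XYZ}" + Base64(XYZ(password)).
    static String digest(String algorithm, byte[] password) throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance(algorithm).digest(password);
        return "{" + algorithm + "}" + Base64.getEncoder().encodeToString(hash);
    }

    // Hashes the presented password the same way as the stored value, then
    // compares with MessageDigest.isEqual (constant-time in current JDKs).
    static boolean matches(byte[] presented, String stored) throws NoSuchAlgorithmException {
        String algorithm = algorithmOf(stored);
        byte[] candidate = algorithm == null ? presented
                : digest(algorithm, presented).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(candidate, stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] pw = "example-password".getBytes(StandardCharsets.UTF_8); // constructed sample
        String stored = digest("SHA", pw);
        System.out.println(stored + " algorithm=" + algorithmOf(stored));
        System.out.println("correct password: " + matches(pw, stored));
        System.out.println("wrong password:   " + matches("guess".getBytes(StandardCharsets.UTF_8), stored));
        System.out.println("clear-text entry: " + matches(pw, "example-password"));
        // No salt is involved: the same password always yields the same stored value.
        System.out.println("deterministic:    " + stored.equals(digest("SHA", pw)));
    }
}
```

The last line of output shows that the format carries no salt, so two entries with the same password hold identical userPassword values.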

invalidateCache

public void invalidateCache(LdapDN bindDn)
Description copied from class: AbstractAuthenticator
Does nothing, leaving it so subclasses can override.

Specified by:
invalidateCache in interface Authenticator
Overrides:
invalidateCache in class AbstractAuthenticator