org.apache.directory.server.core.authn
Class SimpleAuthenticator

java.lang.Object
  extended by org.apache.directory.server.core.authn.AbstractAuthenticator
      extended by org.apache.directory.server.core.authn.SimpleAuthenticator
All Implemented Interfaces:
Authenticator

public class SimpleAuthenticator
extends AbstractAuthenticator

A simple Authenticator that authenticates clear text passwords contained within the userPassword attribute in the DIT. If the password is stored with a one-way encryption applied (e.g. SHA), the password is hashed the same way before comparison. We use a cache, keyed by DN and holding the password, to speed up authentication.

Author:
Apache Directory Project

Constructor Summary
SimpleAuthenticator()
          Creates a new instance.
SimpleAuthenticator(int cacheSize)
          Creates a new instance, with an initial cache size
 
Method Summary
 LdapPrincipal authenticate(BindOperationContext opContext)
          Looks up the userPassword attribute of the entry whose name is the value of the Context.SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.
protected  java.lang.String createDigestedPassword(java.lang.String algorithm, byte[] password)
          Creates a digested password.
protected  java.lang.String getAlgorithmForHashedPassword(byte[] password)
          Get the algorithm of a password, which is stored in the form "{XYZ}...".
 void invalidateCache(org.apache.directory.shared.ldap.name.LdapDN bindDn)
          Remove the principal from the cache.
 
Methods inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator
destroy, doDestroy, doInit, getAuthenticatorType, getDirectoryService, init
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SimpleAuthenticator

public SimpleAuthenticator()
Creates a new instance.

See Also:
AbstractAuthenticator

SimpleAuthenticator

public SimpleAuthenticator(int cacheSize)
Creates a new instance, with an initial cache size

Parameters:
cacheSize - the size of the credential cache
Method Detail

authenticate

public LdapPrincipal authenticate(BindOperationContext opContext)
                           throws java.lang.Exception
Looks up the userPassword attribute of the entry whose name is the value of the Context.SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.

We have at least 6 algorithms to encrypt the password:
- SHA
- SSHA (salted SHA)
- MD5
- SMD5 (salted MD5)
- crypt (unix crypt)
- plain text, i.e. no encryption.

If we get an encrypted password, it is prefixed by the used algorithm, between curly brackets: {SSHA}password ...

If the password is using SSHA, SMD5 or crypt, some 'salt' is added to the password:
- length(password) - 20, starting at 21st position for SSHA
- length(password) - 16, starting at 16th position for SMD5
- length(password) - 2, starting at 3rd position for crypt

For (S)SHA and (S)MD5, we have to transform the password from Base64 encoded text to a byte[] before comparing the password with the stored one. For crypt, we only have to remove the salt. At the end, we use the digest() method for (S)SHA and (S)MD5, the crypt() method for the CRYPT algorithm and a straight comparison for PLAIN TEXT passwords. The stored password is always using the unsalted form, and is stored as a bytes array.

Throws:
java.lang.Exception

getAlgorithmForHashedPassword

protected java.lang.String getAlgorithmForHashedPassword(byte[] password)
                                                  throws java.lang.IllegalArgumentException
Get the algorithm of a password, which is stored in the form "{XYZ}...". The method returns null, if the argument is not in this form. It returns XYZ, if XYZ is an algorithm known to the MessageDigest class of java.security.

Parameters:
password - a byte[]
Returns:
included message digest algorithm, if any
Throws:
java.lang.IllegalArgumentException - if the algorithm cannot be identified

createDigestedPassword

protected java.lang.String createDigestedPassword(java.lang.String algorithm,
                                                  byte[] password)
                                           throws java.lang.IllegalArgumentException
Creates a digested password. For a given hash algorithm and a password value, the algorithm is applied to the password, and the result is Base64 encoded. The method returns a String which looks like "{XYZ}bbbbbbb", where XYZ is the name of the algorithm, and bbbbbbb is the Base64 encoded value of XYZ applied to the password.

Parameters:
algorithm - an algorithm which is supported by java.security.MessageDigest, e.g. SHA
password - password value, a byte[]
Returns:
a digested password, which looks like {SHA}LhkDrSoM6qr0fW6hzlfOJQW61tc=
Throws:
java.lang.IllegalArgumentException - if password is neither a String nor a byte[], or algorithm is not known to java.security.MessageDigest class
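The "{XYZ}..." handling described for authenticate and createDigestedPassword above, as an added example in Python rather than ApacheDS's own Java code: it parses the algorithm prefix, builds a digested value as Base64(digest(password + salt) + salt), and verifies a candidate by splitting the salt off at the digest length (20 bytes for (S)SHA, 16 for (S)MD5). The crypt variant is left out, and the names get_algorithm, create_digested_password, verify_password and the sample value are chosen here, not taken from the project.

```python
import base64
import hashlib
import hmac

# Digest name and digest length per prefix; the salt, if any, is whatever
# follows the digest in the decoded value (20 bytes for (S)SHA, 16 for (S)MD5).
DIGESTS = {
    "SHA": ("sha1", 20),
    "SSHA": ("sha1", 20),
    "MD5": ("md5", 16),
    "SMD5": ("md5", 16),
}


def get_algorithm(stored: bytes):
    """Return XYZ from a value of the form b'{XYZ}...', or None if not in that form."""
    if not stored.startswith(b"{"):
        return None
    end = stored.find(b"}")
    if end < 0:
        return None
    return stored[1:end].decode("ascii").upper()


def create_digested_password(algorithm: str, password: bytes, salt: bytes = b"") -> str:
    """Build '{XYZ}' + Base64(digest(password + salt) + salt); use an empty salt for SHA/MD5."""
    if algorithm not in DIGESTS:
        raise ValueError("unknown digest algorithm: " + algorithm)
    name, _ = DIGESTS[algorithm]
    digest = hashlib.new(name, password + salt).digest()
    return "{%s}%s" % (algorithm, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored: bytes, candidate: bytes) -> bool:
    """Check a candidate against a stored userPassword value, plain or digested."""
    algorithm = get_algorithm(stored)
    if algorithm is None:
        # No prefix: plain text, straight (constant-time) comparison.
        return hmac.compare_digest(stored, candidate)
    if algorithm not in DIGESTS:
        raise ValueError("unsupported digest algorithm: " + algorithm)
    name, length = DIGESTS[algorithm]
    blob = base64.b64decode(stored[len(algorithm) + 2:])
    digest, salt = blob[:length], blob[length:]  # salt starts right after the digest
    return hmac.compare_digest(hashlib.new(name, candidate + salt).digest(), digest)


# Constructed sample, not a real directory value: SSHA of b"abc" with a fixed 4-byte salt.
SAMPLE_SSHA = create_digested_password("SSHA", b"abc", b"\x01\x02\x03\x04").encode("ascii")
```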

invalidateCache

public void invalidateCache(org.apache.directory.shared.ldap.name.LdapDN bindDn)
Remove the principal from the cache. This is used when the user changes his password.

Specified by:
invalidateCache in interface Authenticator
Overrides:
invalidateCache in class AbstractAuthenticator
Parameters:
bindDn - the already normalized distinguished name of the bind principal


Copyright © 2003-2009 Apache Software Foundation. All Rights Reserved.