org.apache.directory.server.core.authn
Class SimpleAuthenticator

java.lang.Object
  org.apache.directory.server.core.authn.AbstractAuthenticator
    org.apache.directory.server.core.authn.SimpleAuthenticator

public class SimpleAuthenticator
extends AbstractAuthenticator

A simple Authenticator that authenticates clear text passwords contained within the userPassword attribute in the DIT. If the password is stored with a one-way encryption applied (e.g. SHA), the password is hashed the same way before comparison.

A cache of DN/password pairs is used to speed up authentication.
Constructor Summary

SimpleAuthenticator()
    Creates a new instance.

SimpleAuthenticator(int cacheSize)
    Creates a new instance, with an initial cache size.
Method Summary

LdapPrincipal authenticate(BindOperationContext opContext)
    Looks up the userPassword attribute of the entry whose name is the value of the Context.SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.

protected java.lang.String createDigestedPassword(java.lang.String algorithm, byte[] password)
    Creates a digested password.

protected java.lang.String getAlgorithmForHashedPassword(byte[] password)
    Gets the algorithm of a password, which is stored in the form "{XYZ}...".

void invalidateCache(org.apache.directory.shared.ldap.name.LdapDN bindDn)
    Removes the principal from the cache.
Methods inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator
    destroy, doDestroy, doInit, getAuthenticatorType, getDirectoryService, init

Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public SimpleAuthenticator()
    Creates a new instance.
    AbstractAuthenticator

public SimpleAuthenticator(int cacheSize)
    Creates a new instance, with an initial cache size.
    Parameters:
        cacheSize - the size of the credential cache

Method Detail
public LdapPrincipal authenticate(BindOperationContext opContext) throws java.lang.Exception
    Looks up the userPassword attribute of the entry whose name is the value of the Context.SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.

    At least six algorithms can be used to store the password:
    - SHA
    - SSHA (salted SHA)
    - MD5
    - SMD5 (salted MD5)
    - crypt (Unix crypt)
    - plain text, i.e. no encryption.

    If the stored password is encrypted, it is prefixed by the algorithm used, between curly brackets: {SSHA}password ...

    If the password uses SSHA, SMD5 or crypt, a salt is appended to the password:
    - length(password) - 20, starting at the 21st position, for SSHA
    - length(password) - 16, starting at the 16th position, for SMD5
    - length(password) - 2, starting at the 3rd position, for crypt

    For (S)SHA and (S)MD5, the password has to be transformed from Base64-encoded text to a byte[] before being compared with the stored one. For crypt, only the salt has to be removed.

    Finally, the digest() method is used for (S)SHA and (S)MD5, the crypt() method for the CRYPT algorithm, and a straight comparison for PLAIN TEXT passwords.

    The stored password always uses the unsalted form and is stored as a byte array.

    Throws:
        java.lang.Exception
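As an added example (not code from Apache Directory Server), the following Python reconstructs the {SHA}/{SSHA}/{MD5}/{SMD5} storage format described above, builds values in that form, and verifies a bind password against them with a constant-time comparison; crypt is left out because it depends on the platform's crypt(3). All function names and the sample salt are this example's own.

```python
import base64
import binascii
import hashlib
import hmac

# Digest length in bytes for each hash family; the {SSHA}/{SMD5} salt is
# whatever follows the digest once the Base64 text is decoded.
BASE = {"SHA": "SHA", "SSHA": "SHA", "MD5": "MD5", "SMD5": "MD5"}
DIGEST_LEN = {"SHA": 20, "MD5": 16}
HASH_FUNC = {"SHA": hashlib.sha1, "MD5": hashlib.md5}
SALTED = ("SSHA", "SMD5")


def get_algorithm(stored: bytes) -> str:
    """Return the label of a '{XYZ}...' value, or 'PLAIN' when there is no prefix."""
    if stored.startswith(b"{") and b"}" in stored:
        return stored[1:stored.index(b"}")].decode("ascii", "replace").upper()
    return "PLAIN"


def digest_password(algorithm: str, password: bytes, salt: bytes = b"") -> bytes:
    """Build a userPassword value: '{ALG}' + Base64(digest(password + salt) [+ salt])."""
    if algorithm not in BASE or (salt and algorithm not in SALTED):
        raise ValueError(f"unsupported algorithm/salt combination: {algorithm!r}")
    raw = HASH_FUNC[BASE[algorithm]](password + salt).digest()
    if algorithm in SALTED:
        raw += salt  # the salt travels with the digest so it can be recovered at bind time
    return b"{" + algorithm.encode("ascii") + b"}" + base64.b64encode(raw)


def verify_password(stored: bytes, candidate: bytes) -> bool:
    """Compare a bind password with a stored userPassword value; True on match."""
    algorithm = get_algorithm(stored)
    if algorithm == "PLAIN":
        return hmac.compare_digest(stored, candidate)  # constant-time, unlike ==
    if algorithm not in BASE:
        raise ValueError(f"cannot identify algorithm {algorithm!r}")
    try:
        raw = base64.b64decode(stored[stored.index(b"}") + 1:], validate=True)
    except binascii.Error:
        return False  # malformed Base64 can never match
    n = DIGEST_LEN[BASE[algorithm]]
    if len(raw) < n or (algorithm not in SALTED and len(raw) != n):
        return False  # wrong length for this digest: refuse rather than guess
    salt = raw[n:]  # empty for the unsalted forms
    expected = HASH_FUNC[BASE[algorithm]](candidate + salt).digest()
    return hmac.compare_digest(expected, raw[:n])
```

For instance, `verify_password(digest_password("SSHA", b"secret", b"\x01\x02\x03\x04"), b"secret")` returns True, while a different candidate, a truncated digest or invalid Base64 returns False.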
protected java.lang.String getAlgorithmForHashedPassword(byte[] password) throws java.lang.IllegalArgumentException
    Gets the algorithm of a password, which is stored in the form "{XYZ}...".
    Parameters:
        password - a byte[]
    Throws:
        java.lang.IllegalArgumentException - if the algorithm cannot be identified

protected java.lang.String createDigestedPassword(java.lang.String algorithm, byte[] password) throws java.lang.IllegalArgumentException
    Creates a digested password.
    Parameters:
        algorithm - an algorithm which is supported by java.security.MessageDigest, e.g. SHA
        password - password value, a byte[]
    Throws:
        java.lang.IllegalArgumentException - if password is neither a String nor a byte[], or algorithm is not known to the java.security.MessageDigest class

public void invalidateCache(org.apache.directory.shared.ldap.name.LdapDN bindDn)
    Removes the principal from the cache.
    Specified by:
        invalidateCache in interface Authenticator
    Overrides:
        invalidateCache in class AbstractAuthenticator
    Parameters:
        bindDn - the already normalized distinguished name of the bind principal