
1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License.
18   *
19   */
20  package org.apache.directory.server.ldap.handlers.bind.gssapi;
21  
22  
23  import org.apache.directory.server.core.DirectoryService;
24  import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
25  import org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal;
26  import org.apache.directory.server.ldap.LdapSession;
27  import org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler;
28  import org.apache.directory.shared.ldap.entry.EntryAttribute;
29  import org.apache.directory.shared.ldap.message.BindRequest;
30  import org.apache.directory.shared.ldap.name.LdapDN;
31  import org.slf4j.Logger;
32  import org.slf4j.LoggerFactory;
33  
34  import javax.naming.Context;
35  import javax.naming.ldap.LdapContext;
36  import javax.security.auth.kerberos.KerberosPrincipal;
37  import javax.security.sasl.AuthorizeCallback;
38  import java.util.Hashtable;
39  
40  
41  /**
42   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
43   * @version $Rev$, $Date$
44   */
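public class GssapiCallbackHandler extends AbstractSaslCallbackHandler
{
    private static final Logger LOG = LoggerFactory.getLogger( GssapiCallbackHandler.class );

    /** The LDAP session of the client performing the GSSAPI bind. */
    private final LdapSession ldapSession;


    /**
     * Creates a new instance of GssapiCallbackHandler.
     *
     * @param directoryService the directory service core
     * @param ldapSession the LDAP session of the binding client
     * @param bindRequest the bind message
     */
    public GssapiCallbackHandler( DirectoryService directoryService, LdapSession ldapSession, BindRequest bindRequest )
    {
        super( directoryService, bindRequest );
        this.ldapSession = ldapSession;
    }


    /**
     * GSSAPI authenticates through Kerberos tickets, so no stored password is
     * consulted: this always returns {@code null}.
     *
     * @param username ignored
     * @param password ignored
     * @return always {@code null}
     */
    @Override
    protected EntryAttribute lookupPassword( String username, String password )
    {
        // do nothing, password not used by GSSAPI
        return null;
    }


    /**
     * Maps the SASL authorization identity to the DN of the matching Kerberos
     * principal and records that DN on the IO session as the security principal.
     * <p>
     * Authorization is only granted when the requested authorization ID equals the
     * identity Kerberos actually authenticated (the SASL default when the client
     * sends no explicit authzid). A differing authzid is refused, because nothing
     * else in this handler verifies that the authenticated principal may act as it.
     *
     * @param authorizeCB the SASL authorize callback carrying the authentication and
     *        authorization identities; updated with the outcome
     * @throws Exception if the environment, context or principal lookup fails
     */
    @Override
    protected void authorize( AuthorizeCallback authorizeCB ) throws Exception
    {
        LOG.debug( "Processing conversion of principal name to DN." );

        String authenticationId = authorizeCB.getAuthenticationID();
        String username = authorizeCB.getAuthorizationID();

        // KerberosPrincipal rejects an empty name anyway; refuse cleanly instead of throwing.
        if ( username == null || username.length() == 0 )
        {
            LOG.debug( "Refusing GSSAPI bind with an empty authorization ID." );
            authorizeCB.setAuthorized( false );
            return;
        }

        // Proxy authorization (authzid != authcid) is not supported by this handler.
        if ( authenticationId != null && !authenticationId.equals( username ) )
        {
            LOG.debug( "Refusing GSSAPI bind: authentication ID {} may not act as {}.", authenticationId, username );
            authorizeCB.setAuthorized( false );
            return;
        }

        Hashtable<String, Object> env = getEnvironment( ldapSession.getIoSession() );

        // NOTE(review): the returned LdapContext was never used here; the call is kept for
        // whatever it attaches to the session - confirm against AbstractSaslCallbackHandler.
        getContext( ldapSession.getIoSession(), bindRequest, env );

        GetPrincipal getPrincipal = new GetPrincipal( new KerberosPrincipal( username ) );
        PrincipalStoreEntry entry = ( PrincipalStoreEntry ) getPrincipal.execute( ldapSession.getCoreSession(), new LdapDN() );

        // presumably a missing principal yields null rather than an exception; guard either way.
        if ( entry == null )
        {
            LOG.debug( "No principal entry found for {}; refusing authorization.", username );
            authorizeCB.setAuthorized( false );
            return;
        }

        String bindDn = entry.getDistinguishedName();

        LOG.debug( "Converted username {} to DN {}.", username, bindDn );
        ldapSession.getIoSession().setAttribute( Context.SECURITY_PRINCIPAL, bindDn );

        authorizeCB.setAuthorizedID( bindDn );
        authorizeCB.setAuthorized( true );
    }
}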