org.apache.directory.server.core.authn

Class SimpleAuthenticator

java.lang.Object

org.apache.directory.server.core.authn.AbstractAuthenticator

org.apache.directory.server.core.authn.SimpleAuthenticator

All Implemented Interfaces:

Authenticator

public class SimpleAuthenticator
extends AbstractAuthenticator

A simple Authenticator that authenticates clear text passwords contained within the userPassword attribute in DIT. If the password is stored with a one-way encryption applied (e.g. SHA), the password is hashed the same way before comparison. We use a cache to speedup authentication, where the Dn/password are stored.

Author:

Apache Directory Project

Field Summary

Fields inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator

LOG

Constructor Summary

Constructors

Constructor and Description
SimpleAuthenticator() Creates a new instance.
SimpleAuthenticator(org.apache.directory.api.ldap.model.name.Dn baseDn) Creates a new instance.
SimpleAuthenticator(int cacheSize) Creates a new instance, with an initial cache size
SimpleAuthenticator(int cacheSize, org.apache.directory.api.ldap.model.name.Dn baseDn) Creates a new instance, with an initial cache size

Method Summary

Modifier and Type	Method and Description
LdapPrincipal	authenticate(BindOperationContext bindContext) Looks up userPassword attribute of the entry whose name is the value of Context#SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.
protected String	createDigestedPassword(String algorithm, byte[] password) Creates a digested password.
protected String	getAlgorithmForHashedPassword(byte[] password) Get the algorithm of a password, which is stored in the form "{XYZ}...".
void	invalidateCache(org.apache.directory.api.ldap.model.name.Dn bindDn) Remove the principal form the cache.

Methods inherited from class org.apache.directory.server.core.authn.AbstractAuthenticator

checkPwdPolicy, destroy, doDestroy, doInit, getAuthenticatorType, getBaseDn, getDirectoryService, init, isValid, setBaseDn

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SimpleAuthenticator

public SimpleAuthenticator()

Creates a new instance.

SimpleAuthenticator

public SimpleAuthenticator(org.apache.directory.api.ldap.model.name.Dn baseDn)

Creates a new instance.

See Also:

AbstractAuthenticator

SimpleAuthenticator

public SimpleAuthenticator(int cacheSize)

Creates a new instance, with an initial cache size

Parameters:

cacheSize - the size of the credential cache

SimpleAuthenticator

public SimpleAuthenticator(int cacheSize,
                           org.apache.directory.api.ldap.model.name.Dn baseDn)

Creates a new instance, with an initial cache size

Parameters:

cacheSize - the size of the credential cache

Method Detail

authenticate

public LdapPrincipal authenticate(BindOperationContext bindContext)
                           throws org.apache.directory.api.ldap.model.exception.LdapException

Looks up userPassword attribute of the entry whose name is the value of Context#SECURITY_PRINCIPAL environment variable, and authenticates a user with the plain-text password.

Parameters:

bindContext - The Bind context

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

getAlgorithmForHashedPassword

protected String getAlgorithmForHashedPassword(byte[] password)
                                        throws IllegalArgumentException

Get the algorithm of a password, which is stored in the form "{XYZ}...". The method returns null, if the argument is not in this form. It returns XYZ, if XYZ is an algorithm known to the MessageDigest class of java.security.

Parameters:

password - a byte[]

Returns:

included message digest alorithm, if any

Throws:

IllegalArgumentException - if the algorithm cannot be identified

createDigestedPassword

protected String createDigestedPassword(String algorithm,
                                        byte[] password)
                                 throws IllegalArgumentException

Creates a digested password. For a given hash algorithm and a password value, the algorithm is applied to the password, and the result is Base64 encoded. The method returns a String which looks like "{XYZ}bbbbbbb", whereas XYZ is the name of the algorithm, and bbbbbbb is the Base64 encoded value of XYZ applied to the password.

Parameters:

algorithm - an algorithm which is supported by java.security.MessageDigest, e.g. SHA

password - password value, a byte[]

Returns:

a digested password, which looks like {SHA}LhkDrSoM6qr0fW6hzlfOJQW61tc=

Throws:

IllegalArgumentException - if password is neither a String nor a byte[], or algorithm is not known to java.security.MessageDigest class

invalidateCache

public void invalidateCache(org.apache.directory.api.ldap.model.name.Dn bindDn)

Remove the principal form the cache. This is used when the user changes his password.

Specified by:

invalidateCache in interface Authenticator

Overrides:

invalidateCache in class AbstractAuthenticator

Parameters:

bindDn - the already normalized distinguished name of the bind principal