All Downloads are FREE. Search and download functionalities are using the official Maven repository.

jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition Maven / Gradle / Ivy

/*
 * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0, which is available at
 * http://www.eclipse.org/legal/epl-2.0.
 *
 * This Source Code may also be made available under the following Secondary
 * Licenses when the conditions for such availability set forth in the
 * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
 * version 2 with the GNU Classpath Exception, which is available at
 * https://www.gnu.org/software/classpath/license.html.
 *
 * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
 */

package jakarta.security.enterprise.identitystore;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;

import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStore.ValidationType;

import static jakarta.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static jakarta.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

/**
 * Annotation used to define a container-provided {@link IdentityStore} that stores
 * caller credentials and identity attributes (together caller identities) in an
 * LDAP store, and make that implementation available as an enabled CDI bean.
 * 

* The container-provided {@code IdentityStore} must support validating {@link UsernamePasswordCredential}, * and may support validating other credential types. */ @Retention(RUNTIME) @Target(TYPE) public @interface LdapIdentityStoreDefinition { /** * Enum representing LDAP search scope values. */ enum LdapSearchScope { ONE_LEVEL, SUBTREE } /** * URL where the LDAP server can be reached. *

* E.g.: ldap://localhost:33389 * * @return URL where the LDAP server can be reached */ String url() default ""; /** * Distinguished name for the application or administrative user that will be used to * make the initial connection to the LDAP and to perform searches and lookups. *

* This value is needed if caller or group lookup will be done. It is not needed if the * store will be used only to authenticate callers using direct binding (see callerBaseDn). *

* This user needs search permission in the LDAP for persons and/or groups. *

* E.g.: uid=ldap,ou=apps,dc=eclipse,dc=net * * @return The distinguished name for the application user. */ String bindDn() default ""; /** * Password for the application/admin user defined by the bindDn member. * Only used when the member bindDn is filled in. * * @return password for the application user. */ String bindDnPassword() default ""; /** * Base distinguished name for callers in the LDAP store * (e.g., "ou=caller,dc=eclipse,dc=net"). *

* When this member value is specified, and callerSearchBase is not, direct binding is attempted. *

* The callerNameAttribute must be specified along with this attribute so that the * runtime can create the "leaf" RDN needed to concatenate with the base DN to create the * full DN of the caller. * * @return The base distinguished name for callers. */ String callerBaseDn() default ""; /** * Name of the attribute that contains the callers name in the person object * (e.g., "uid"). *

* This attribute will be used, with callerBaseDn, to construct caller DNs for direct binding. * It is also used to retrieve the caller's name when the caller object is instead looked up * using search. *

* The value of this attribute is returned as the caller principal name * for a successful credential validation. *

* The following gives an example in ldif format: *

     * 
     * dn: uid=peter,ou=caller,dc=eclipse,dc=net
     * objectclass: top
     * objectclass: uidObject
     * objectclass: person
     * uid: peter
     * cn: Peter Smith
     * sn: Peter
     * userPassword: secret1
     * 
     * 
* * @return Name of the attribute that represents the caller name */ String callerNameAttribute() default "uid"; /** * Search base for looking up callers * (e.g., "ou=caller,dc=eclipse,dc=net"). *

* Overrides callerBaseDn, if configured, causing caller search * to be used instead of direct binding. * Requires that the bindDn member be filled in. * * @return Base DN for searching the LDAP tree for callers. */ String callerSearchBase() default ""; /** * Search filter to find callers when callerSearchBase is set. * The search is performed starting from the callerSearchBase DN * with the scope specified by callerSearchScope. * * @return Search expression to find callers. */ String callerSearchFilter() default ""; /** * Search scope for caller searches: determines depth * of the search in the LDAP tree. * * @return The search scope */ LdapSearchScope callerSearchScope() default LdapSearchScope.SUBTREE; /** * Allow callerSearchScope to be specified as a Jakarta Expression Language expression. * If set, overrides any value set with callerSearchScope. * * @return the callerSearchScope Jakarta Expression Language expression */ String callerSearchScopeExpression() default ""; /** * Search base for looking up groups * (e.g., "ou=group,dc=eclipse,dc=net"). *

* Needed only for a store that performs group lookup. * Requires that the bindDn member be filled in. * * @return Base DN for searching the LDAP tree for groups. */ String groupSearchBase() default ""; /** * Search filter to find groups when groupSearchBase is set. * The search is performed starting from the groupSearchBase DN * with the scope specified by groupSearchScope. * * @return Search expression to find groups. */ String groupSearchFilter() default ""; /** * Search scope for group searches, determines depth * of the search in the LDAP tree. * * @return The search scope */ LdapSearchScope groupSearchScope() default LdapSearchScope.SUBTREE; /** * Allow groupSearchScope to be specified as a Jakarta Expression Language expression. * If set, overrides any value set with groupSearchScope. * * @return the groupSearchScope Jakarta Expression Language expression */ String groupSearchScopeExpression() default ""; /** * Name of the attribute of a group object that represents the group name * (e.g., "cn") * * @return Name of the attribute that represents the group name */ String groupNameAttribute() default "cn"; /** * Name of the attribute in a group object that identifies the * members of the group * (e.g., "member"). *

* The value of this attribute must be the full DN of the caller. The following gives an example * entry in ldif format: *

     * 
     * dn: cn=foo,ou=group,dc=eclipse,dc=net
     * objectclass: top
     * objectclass: groupOfNames
     * cn: foo
     * member: uid=pete,ou=caller,dc=eclipse,dc=net
     * member: uid=john,ou=caller,dc=eclipse,dc=net
     * 
     * 
* * @return Attribute for the group members */ String groupMemberAttribute() default "member"; /** * Name of the attribute in a person object that identifies the groups * the caller belongs to * (e.g., "memberOf"). *

* This attribute is used only if: a) group search is not configured * (i.e., no groupSearchBase and groupSearchFilter configured); and, * b) the caller's DN is available, either because groups are being returned * during the credential validation phase by an identity store that performs * both validation and group lookup, or because the DN is available in the * {@link CredentialValidationResult} passed to the * {@link IdentityStore#getCallerGroups(CredentialValidationResult)} method. *

* The value of this attribute must be the full DN of the group. The following gives an example * entry in ldif format: *

     * 
     * dn: uid=peter,ou=caller,dc=eclipse,dc=net
     * objectclass: top
     * objectclass: uidObject
     * objectclass: person
     * uid: peter
     * cn: Peter Smith
     * memberOf: cn=foo,ou=group,dc=eclipse,dc=net
     * memberOf: cn=bar,ou=group,dc=eclipse,dc=net
     * 
     * 
* * @return Attribute for group membership */ String groupMemberOfAttribute() default "memberOf"; /** * Set the timeout value that should be used when waiting for * the LDAP server to return results. Note that this is different * from the connection timeout for the underlying socket connection; *

* The default value of 0 means wait forever (assuming the connection * itself does not time out). * * @return The readTimeout value. */ int readTimeout() default 0; /** * Allow readTimeout to be specified as an Jakarta Expression Language expression. * If set, overrides any value set with readTimeout. * * @return The readTimeout Jakarta Expression Language expression */ String readTimeoutExpression() default ""; /** * Set the maximum number of results (objects) the server should * return in response to a search. *

* The default value is set to 1000, which corresponds to the * maximum number of results most LDAP servers will return for * in a single response. Most LDAP servers support paging through * result sets larger than 1000, but doing so should rarely be * necessary for normal validation and group lookup use cases. * Implementations of the built-in LDAP IdentityStore MAY support * paging through larger result sets, but are NOT REQUIRED to. * * @return The maximum number of results the LDAP server should return. */ int maxResults() default 1000; /** * Allow maxResults to be specified as Jakarta Expression Language expression. * If set, overrides any value set with maxResults. * * @return The maxResults Jakarta Expression Language expression */ String maxResultsExpression() default ""; /** * Determines the order in case multiple IdentityStores are found. * @return The priority. */ int priority() default 80; /** * Allow priority to be specified as a Jakarta Expression Language expression. * If set, overrides any value set with priority. * * @return The priority Jakarta Expression Language expression */ String priorityExpression() default ""; /** * Determines what the identity store is used for * * @return The type the identity store is used for */ ValidationType[] useFor() default {VALIDATE, PROVIDE_GROUPS}; /** * Allow useFor to be specified as a Jakarta Expression Language expression. * If set, overrides any value set with useFor. * * @return The useFor Jakarta Expression Language expression */ String useForExpression() default ""; }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy