All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.activemq.jaas.LDAPLoginModule Maven / Gradle / Ivy

There is a newer version: 6.1.3
Show newest version
/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.activemq.jaas;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.*;

import javax.naming.*;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * @version $Rev: $ $Date: $
 */
public class LDAPLoginModule implements LoginModule {

    private static final String INITIAL_CONTEXT_FACTORY = "initialContextFactory";
    private static final String CONNECTION_URL = "connectionURL";
    private static final String CONNECTION_USERNAME = "connectionUsername";
    private static final String CONNECTION_PASSWORD = "connectionPassword";
    private static final String CONNECTION_PROTOCOL = "connectionProtocol";
    private static final String AUTHENTICATION = "authentication";
    private static final String USER_BASE = "userBase";
    private static final String USER_SEARCH_MATCHING = "userSearchMatching";
    private static final String USER_SEARCH_SUBTREE = "userSearchSubtree";
    private static final String ROLE_BASE = "roleBase";
    private static final String ROLE_NAME = "roleName";
    private static final String ROLE_SEARCH_MATCHING = "roleSearchMatching";
    private static final String ROLE_SEARCH_SUBTREE = "roleSearchSubtree";
    private static final String USER_ROLE_NAME = "userRoleName";
    private static final String EXPAND_ROLES = "expandRoles";
    private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching";

    private static Logger log = LoggerFactory.getLogger(LDAPLoginModule.class);

    protected DirContext context;

    private Subject subject;
    private CallbackHandler handler;  
    private LDAPLoginProperty [] config;
    private Principal user;
    private Set groups = new HashSet();

    /** the authentication status*/
    private boolean succeeded = false;
    private boolean commitSucceeded = false;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = callbackHandler;
        
        config = new LDAPLoginProperty [] {
        		new LDAPLoginProperty (INITIAL_CONTEXT_FACTORY, (String)options.get(INITIAL_CONTEXT_FACTORY)),
        		new LDAPLoginProperty (CONNECTION_URL, (String)options.get(CONNECTION_URL)),
        		new LDAPLoginProperty (CONNECTION_USERNAME, (String)options.get(CONNECTION_USERNAME)),
        		new LDAPLoginProperty (CONNECTION_PASSWORD, (String)options.get(CONNECTION_PASSWORD)),
        		new LDAPLoginProperty (CONNECTION_PROTOCOL, (String)options.get(CONNECTION_PROTOCOL)),
        		new LDAPLoginProperty (AUTHENTICATION, (String)options.get(AUTHENTICATION)),
        		new LDAPLoginProperty (USER_BASE, (String)options.get(USER_BASE)),
        		new LDAPLoginProperty (USER_SEARCH_MATCHING, (String)options.get(USER_SEARCH_MATCHING)),
        		new LDAPLoginProperty (USER_SEARCH_SUBTREE, (String)options.get(USER_SEARCH_SUBTREE)),
        		new LDAPLoginProperty (ROLE_BASE, (String)options.get(ROLE_BASE)),
        		new LDAPLoginProperty (ROLE_NAME, (String)options.get(ROLE_NAME)),
        		new LDAPLoginProperty (ROLE_SEARCH_MATCHING, (String)options.get(ROLE_SEARCH_MATCHING)),
        		new LDAPLoginProperty (ROLE_SEARCH_SUBTREE, (String)options.get(ROLE_SEARCH_SUBTREE)),
        		new LDAPLoginProperty (USER_ROLE_NAME, (String)options.get(USER_ROLE_NAME)),
                new LDAPLoginProperty (EXPAND_ROLES, (String) options.get(EXPAND_ROLES)),
                new LDAPLoginProperty (EXPAND_ROLES_MATCHING, (String) options.get(EXPAND_ROLES_MATCHING)),

        };
    }

    @Override
    public boolean login() throws LoginException {

        Callback[] callbacks = new Callback[2];

        callbacks[0] = new NameCallback("User name");
        callbacks[1] = new PasswordCallback("Password", false);
        try {
            handler.handle(callbacks);
        } catch (IOException ioe) {
            throw (LoginException)new LoginException().initCause(ioe);
        } catch (UnsupportedCallbackException uce) {
            throw (LoginException)new LoginException().initCause(uce);
        }
        
        String password;
        
        String username = ((NameCallback)callbacks[0]).getName();
        if (username == null)
        	return false;
        	
        if (((PasswordCallback)callbacks[1]).getPassword() != null)
        	password = new String(((PasswordCallback)callbacks[1]).getPassword());
        else
        	password="";

        // authenticate will throw LoginException
        // in case of failed authentication
        authenticate(username, password);

        user = new UserPrincipal(username);
        succeeded = true;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().remove(user);
        subject.getPrincipals().removeAll(groups);

        user = null;
        groups.clear();

        succeeded = false;
        commitSucceeded = false;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (!succeeded) {
            user = null;
            groups.clear();
            return false;
        }

        Set principals = subject.getPrincipals();
        principals.add(user);
        for (GroupPrincipal gp : groups) {
            principals.add(gp);
        }

        commitSucceeded = true;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        if (!succeeded) {
            return false;
        } else if (succeeded && commitSucceeded) {
            // we succeeded, but another required module failed
            logout();
        } else {
            // our commit failed
            user = null;
            groups.clear();
            succeeded = false;
        }
        return true;
    }

    protected void close(DirContext context) {
        try {
            context.close();
        } catch (Exception e) {
            log.error(e.toString());
        }
    }

    protected boolean authenticate(String username, String password) throws LoginException {

        MessageFormat userSearchMatchingFormat;
        boolean userSearchSubtreeBool;
        
        DirContext context = null;

        if (log.isDebugEnabled()) {
            log.debug("Create the LDAP initial context.");
        }
        try {
            context = open();
        } catch (NamingException ne) {
            FailedLoginException ex = new FailedLoginException("Error opening LDAP connection");
            ex.initCause(ne);
            throw ex;
        }
        
        if (!isLoginPropertySet(USER_SEARCH_MATCHING))
        	return false;

        userSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(USER_SEARCH_MATCHING));
        userSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(USER_SEARCH_SUBTREE)).booleanValue();

        try {

            String filter = userSearchMatchingFormat.format(new String[] {
                doRFC2254Encoding(username)
            });
            SearchControls constraints = new SearchControls();
            if (userSearchSubtreeBool) {
                constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            } else {
                constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            }

            // setup attributes
            List list = new ArrayList();
            if (isLoginPropertySet(USER_ROLE_NAME)) {
                list.add(getLDAPPropertyValue(USER_ROLE_NAME));
            }
            String[] attribs = new String[list.size()];
            list.toArray(attribs);
            constraints.setReturningAttributes(attribs);

            if (log.isDebugEnabled()) {
                log.debug("Get the user DN.");
                log.debug("Looking for the user in LDAP with ");
                log.debug("  base DN: " + getLDAPPropertyValue(USER_BASE));
                log.debug("  filter: " + filter);
            }

            NamingEnumeration results = context.search(getLDAPPropertyValue(USER_BASE), filter, constraints);

            if (results == null || !results.hasMore()) {
                log.warn("User " + username + " not found in LDAP.");
                throw new FailedLoginException("User " + username + " not found in LDAP.");
            }

            SearchResult result = results.next();

            if (results.hasMore()) {
                // ignore for now
            }

            String dn;
            if (result.isRelative()) {
                log.debug("LDAP returned a relative name: {}", result.getName());

                NameParser parser = context.getNameParser("");
                Name contextName = parser.parse(context.getNameInNamespace());
                Name baseName = parser.parse(getLDAPPropertyValue(USER_BASE));
                Name entryName = parser.parse(result.getName());
                Name name = contextName.addAll(baseName);
                name = name.addAll(entryName);
                dn = name.toString();
            } else {
                log.debug("LDAP returned an absolute name: {}", result.getName());

                try {
                    URI uri = new URI(result.getName());
                    String path = uri.getPath();

                    if (path.startsWith("/")) {
                        dn = path.substring(1);
                    } else {
                        dn = path;
                    }
                } catch (URISyntaxException e) {
                    if (context != null) {
                        close(context);
                    }
                    FailedLoginException ex = new FailedLoginException("Error parsing absolute name as URI.");
                    ex.initCause(e);
                    throw ex;
                }
            }

            if (log.isDebugEnabled()) {
                log.debug("Using DN [" + dn + "] for binding.");
            }

            Attributes attrs = result.getAttributes();
            if (attrs == null) {
                throw new FailedLoginException("User found, but LDAP entry malformed: " + username);
            }
            List roles = null;
            if (isLoginPropertySet(USER_ROLE_NAME)) {
                roles = addAttributeValues(getLDAPPropertyValue(USER_ROLE_NAME), attrs, roles);
            }

            // check the credentials by binding to server
            if (bindUser(context, dn, password)) {
                // if authenticated add more roles
                roles = getRoles(context, dn, username, roles);
                if (log.isDebugEnabled()) {
                    log.debug("Roles " + roles + " for user " + username);
                }
                for (int i = 0; i < roles.size(); i++) {
                    groups.add(new GroupPrincipal(roles.get(i)));
                }
            } else {
                throw new FailedLoginException("Password does not match for user: " + username);
            }
        } catch (CommunicationException e) {
            FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
            ex.initCause(e);
            throw ex;
        } catch (NamingException e) {
            if (context != null) {
                close(context);
            }
            FailedLoginException ex = new FailedLoginException("Error contacting LDAP");
            ex.initCause(e);
            throw ex;
        }

        if (context != null) {
            close(context);
        }

        return true;
    }

    protected List getRoles(DirContext context, String dn, String username, List currentRoles) throws NamingException {
        List list = currentRoles;
        MessageFormat roleSearchMatchingFormat;
        boolean roleSearchSubtreeBool;
        boolean expandRolesBool;
        roleSearchMatchingFormat = new MessageFormat(getLDAPPropertyValue(ROLE_SEARCH_MATCHING));
        roleSearchSubtreeBool = Boolean.valueOf(getLDAPPropertyValue(ROLE_SEARCH_SUBTREE)).booleanValue();
        expandRolesBool = Boolean.valueOf(getLDAPPropertyValue(EXPAND_ROLES)).booleanValue();
        
        if (list == null) {
            list = new ArrayList();
        }
        if (!isLoginPropertySet(ROLE_NAME)) {
            return list;
        }
        String filter = roleSearchMatchingFormat.format(new String[] {
            doRFC2254Encoding(dn), doRFC2254Encoding(username)
        });

        SearchControls constraints = new SearchControls();
        if (roleSearchSubtreeBool) {
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        } else {
            constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        }
        if (log.isDebugEnabled()) {
            log.debug("Get user roles.");
            log.debug("Looking for the user roles in LDAP with ");
            log.debug("  base DN: " + getLDAPPropertyValue(ROLE_BASE));
            log.debug("  filter: " + filter);
        }
        HashSet haveSeenNames = new HashSet();
        Queue pendingNameExpansion = new LinkedList();
        NamingEnumeration results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints);
        while (results.hasMore()) {
            SearchResult result = results.next();
            Attributes attrs = result.getAttributes();
            if (expandRolesBool) {
                haveSeenNames.add(result.getNameInNamespace());
                pendingNameExpansion.add(result.getNameInNamespace());
            }
            if (attrs == null) {
                continue;
            }
            list = addAttributeValues(getLDAPPropertyValue(ROLE_NAME), attrs, list);
        }
        if (expandRolesBool) {
            MessageFormat expandRolesMatchingFormat = new MessageFormat(getLDAPPropertyValue(EXPAND_ROLES_MATCHING));
            while (!pendingNameExpansion.isEmpty()) {
                String name = pendingNameExpansion.remove();
                filter = expandRolesMatchingFormat.format(new String[]{name});
                results = context.search(getLDAPPropertyValue(ROLE_BASE), filter, constraints);
                while (results.hasMore()) {
                    SearchResult result = results.next();
                    name = result.getNameInNamespace();
                    if (!haveSeenNames.contains(name)) {
                        Attributes attrs = result.getAttributes();
                        list = addAttributeValues(getLDAPPropertyValue(ROLE_NAME), attrs, list);
                        haveSeenNames.add(name);
                        pendingNameExpansion.add(name);
                    }
                }
            }
        }
        return list;
    }

    protected String doRFC2254Encoding(String inputString) {
        StringBuffer buf = new StringBuffer(inputString.length());
        for (int i = 0; i < inputString.length(); i++) {
            char c = inputString.charAt(i);
            switch (c) {
            case '\\':
                buf.append("\\5c");
                break;
            case '*':
                buf.append("\\2a");
                break;
            case '(':
                buf.append("\\28");
                break;
            case ')':
                buf.append("\\29");
                break;
            case '\0':
                buf.append("\\00");
                break;
            default:
                buf.append(c);
                break;
            }
        }
        return buf.toString();
    }

    protected boolean bindUser(DirContext context, String dn, String password) throws NamingException {
        boolean isValid = false;

        if (log.isDebugEnabled()) {
            log.debug("Binding the user.");
        }
        context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
        context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        try {
            context.getAttributes("", null);
            isValid = true;
            if (log.isDebugEnabled()) {
                log.debug("User " + dn + " successfully bound.");
            }
        } catch (AuthenticationException e) {
            isValid = false;
            if (log.isDebugEnabled()) {
                log.debug("Authentication failed for dn=" + dn);
            }
        }

        if (isLoginPropertySet(CONNECTION_USERNAME)) {
            context.addToEnvironment(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
        } else {
            context.removeFromEnvironment(Context.SECURITY_PRINCIPAL);
        }
        if (isLoginPropertySet(CONNECTION_PASSWORD)) {
            context.addToEnvironment(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD));
        } else {
            context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
        }

        return isValid;
    }

    private List addAttributeValues(String attrId, Attributes attrs, List values) throws NamingException {

        if (attrId == null || attrs == null) {
            return values;
        }
        if (values == null) {
            values = new ArrayList();
        }
        Attribute attr = attrs.get(attrId);
        if (attr == null) {
            return values;
        }
        NamingEnumeration e = attr.getAll();
        while (e.hasMore()) {
            String value = (String)e.next();
            values.add(value);
        }
        return values;
    }

    protected DirContext open() throws NamingException {
        try {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, getLDAPPropertyValue(INITIAL_CONTEXT_FACTORY));
            if (isLoginPropertySet(CONNECTION_USERNAME)) {
                env.put(Context.SECURITY_PRINCIPAL, getLDAPPropertyValue(CONNECTION_USERNAME));
            } else {
                throw new NamingException("Empty username is not allowed");
            }

            if (isLoginPropertySet(CONNECTION_PASSWORD)) {
                env.put(Context.SECURITY_CREDENTIALS, getLDAPPropertyValue(CONNECTION_PASSWORD));
            } else {
                throw new NamingException("Empty password is not allowed");
            }
            env.put(Context.SECURITY_PROTOCOL, getLDAPPropertyValue(CONNECTION_PROTOCOL));
            env.put(Context.PROVIDER_URL, getLDAPPropertyValue(CONNECTION_URL));
            env.put(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));
            context = new InitialDirContext(env);

        } catch (NamingException e) {
            log.error(e.toString());
            throw e;
        }
        return context;
    }
    
    private String getLDAPPropertyValue (String propertyName){
    	for (int i=0; i < config.length; i++ )
    		if (config[i].getPropertyName() == propertyName)
    			return config[i].getPropertyValue();
    	return null;
    }
    
    private boolean isLoginPropertySet(String propertyName) {
    	for (int i=0; i < config.length; i++ ) {
    		if (config[i].getPropertyName() == propertyName && (config[i].getPropertyValue() != null && !"".equals(config[i].getPropertyValue())))
    				return true;
    	}
    	return false;
    }

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy