JettyCachingLdapLoginModule (rundeckapp 3.2.2-20200204 API)

java.lang.Object
- org.eclipse.jetty.jaas.spi.AbstractLoginModule
- - com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule

All Implemented Interfaces:: javax.security.auth.spi.LoginModule

Direct Known Subclasses:: JettyCombinedLdapLoginModule

public class JettyCachingLdapLoginModule
extends org.eclipse.jetty.jaas.spi.AbstractLoginModule

A LdapLoginModule for use with JAAS setups The jvm should be started with the following parameter:


 -Djava.security.auth.login.config=etc/ldap-loginModule.conf

and an example of the ldap-loginModule.conf would be:

 ldaploginmodule {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="ldap.example.com"
    port="389"
    timeoutRead="5000"
    timeoutConnect="30000"
    bindDn="cn=Directory Manager"
    bindPassword="directory"
    authenticationMethod="simple"
    forceBindingLogin="false"
    forceBindingLoginUseRootContextForRoles="false"
    userBaseDn="ou=people,dc=alcatel"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    roleUsernameMemberAttribute="memberUid"
    roleObjectClass="groupOfUniqueNames"
    rolePrefix="rundeck"
    cacheDurationMillis="500"
    reportStatistics="true"
    nestedGroups="false";
    };

Nested Class Summary
- Nested classes/interfaces inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule
  org.eclipse.jetty.jaas.spi.AbstractLoginModule.JAASUserInfo

Field Summary

Fields
Modifier and Type	Field and Description
`protected java.lang.String`	`_authenticationMethod` Context.SECURITY_AUTHENTICATION
`protected java.lang.String`	`_bindDn` root DN used to connect to
`protected java.lang.String`	`_bindPassword` password used to connect to the root ldap context
`protected int`	`_cacheDuration` Duration of storing the user in memory.
`protected java.lang.String`	`_contextFactory` Context.INITIAL_CONTEXT_FACTORY
`protected boolean`	`_debug`
`protected boolean`	`_forceBindingLogin` if the getUserInfo can pull a password off of the user then password comparison is an option for authn, to force binding login checks, set this to true
`protected boolean`	`_forceBindingLoginUseRootContextForRoles` if _forceFindingLogin is true, and _forceBindingLoginUseRootContextForRoles is true, then role memberships are obtained using _rootContext
`protected java.lang.String`	`_hostname` hostname of the ldap server
`protected boolean`	`_ldapsVerifyHostname`
`protected boolean`	`_nestedGroups`
`protected int`	`_port` port of the ldap server
`protected java.lang.String`	`_providerUrl` Provider URL
`protected boolean`	`_reportStatistics`
`protected java.lang.String`	`_roleBaseDn` base DN where role membership is to be searched from
`protected java.lang.String`	`_roleMemberAttribute` name of the attribute that a user DN would be under a role class
`protected java.lang.String`	`_roleMemberFilter`
`protected java.lang.String`	`_roleNameAttribute` the name of the attribute that a role would be stored under
`protected java.lang.String`	`_roleObjectClass` object class of roles
`protected java.lang.String`	`_rolePrefix` Role prefix to remove from ldap group name.
`protected java.lang.String`	`_roleUsernameMemberAttribute` name of the attribute that a username would be under a role class
`protected javax.naming.directory.DirContext`	`_rootContext`
`protected java.util.List<java.lang.String>`	`_supplementalRoles` List of supplemental roles provided in config file that get added to all users.
`protected long`	`_timeoutConnect` timeout for LDAP connection
`protected long`	`_timeoutRead` timeout for LDAP read
`protected java.lang.String`	`_userBaseDn` base DN where users are to be searched from
`protected java.lang.String`	`_userEmailAttribute` attribute of user email
`protected java.lang.String`	`_userFirstNameAttribute` attribute of user first name
`protected java.lang.String`	`_userIdAttribute` attribute that the principal is located
`protected java.lang.String`	`_userLastNameAttribute` attribute of user last name
`protected java.lang.String`	`_userObjectClass` object class of a user
`protected java.lang.String`	`_userPasswordAttribute` name of the attribute that a users password is stored under NOTE: not always accessible, see force binding login
`protected java.lang.String`	`_userRdnAttribute` attribute that the principal is located
`protected static long`	`loginAttempts` The number of login attempts for this particular module.
`static java.lang.String`	`OBJECT_CLASS_FILTER`
`protected static java.util.concurrent.ConcurrentHashMap<java.lang.String,com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.CachedUserInfo>`	`USERINFOCACHE`
`protected static long`	`userInfoCacheHits` The number of cache hits for UserInfo objects.

Constructor Summary

Constructors
Constructor and Description

JettyCachingLdapLoginModule()

Constructors
Constructor and Description
`JettyCachingLdapLoginModule()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`boolean`	`abort()`
`protected void`	`addSupplementalRoles(java.util.List<java.lang.String> roleList)`
`protected boolean`	`authenticate(java.lang.String webUserName, java.lang.Object webCredential)` since ldap uses a context bind for valid authentication checking, we override login() if credentials are not available from the users context or if we are forcing the binding check then we try a binding authentication check, otherwise if we have the users encoded password then we can try authentication via that mechanic
`protected boolean`	`bindingLogin(java.lang.String username, java.lang.Object password)` binding authentication check This methode of authentication works only if the user branch of the DIT (ldap tree) has an ACI (acces control instruction) that allow the access to any user or at least for the user that logs in.
`boolean`	`commit()`
`protected boolean`	`credentialLogin(java.lang.Object webCredential)` password supplied authentication check
`protected void`	`debug(java.lang.String message)` Default behavior to emit to System.err
`protected java.lang.String`	`doRFC2254Encoding(java.lang.String inputString)`
`protected java.lang.Object[]`	`getCallBackAuth()`
`java.util.Hashtable`	`getEnvironment()` get the context for connection
`protected java.lang.String`	`getOption(java.util.Map options, java.lang.String key, java.lang.String defaultValue)`
`org.eclipse.jetty.jaas.spi.UserInfo`	`getUserInfo(java.lang.String username)` get the available information about the user for this LoginModule, the credential can be null which will result in a binding ldap authentication scenario roles are also an optional concept if required
`protected java.util.List`	`getUserRoles(javax.naming.directory.DirContext dirContext, java.lang.String username)` attempts to get the users roles from the root context NOTE: this is not an user authenticated operation
`void`	`initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map<java.lang.String,?> sharedState, java.util.Map<java.lang.String,?> options)`
`void`	`initializeOptions(java.util.Map options)`
`protected boolean`	`isDebug()`
`boolean`	`login()` Gets credentials by calling `getCallBackAuth()`, then performs `authenticate(String, Object)`

Methods inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule
configureCallbacks, getCallbackHandler, getCurrentUser, getSubject, isAuthenticated, isCommitted, isIgnored, logout, setAuthenticated, setCallbackHandler, setCommitted, setCurrentUser, setSubject

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - OBJECT_CLASS_FILTER
```
public static final java.lang.String OBJECT_CLASS_FILTER
```
    See Also:
    
    Constant Field Values
  - _roleMemberFilter
```
protected final java.lang.String _roleMemberFilter
```
    See Also:
    
    Constant Field Values
  - _providerUrl
```
protected java.lang.String _providerUrl
```
    Provider URL
  - _rolePrefix
```
protected java.lang.String _rolePrefix
```
    Role prefix to remove from ldap group name.
  - _cacheDuration
```
protected int _cacheDuration
```
    Duration of storing the user in memory.
  - _hostname
```
protected java.lang.String _hostname
```
    hostname of the ldap server
  - _port
```
protected int _port
```
    port of the ldap server
  - _authenticationMethod
```
protected java.lang.String _authenticationMethod
```
    Context.SECURITY_AUTHENTICATION
  - _contextFactory
```
protected java.lang.String _contextFactory
```
    Context.INITIAL_CONTEXT_FACTORY
  - _bindDn
```
protected java.lang.String _bindDn
```
    root DN used to connect to
  - _bindPassword
```
protected java.lang.String _bindPassword
```
    password used to connect to the root ldap context
  - _userObjectClass
```
protected java.lang.String _userObjectClass
```
    object class of a user
  - _userRdnAttribute
```
protected java.lang.String _userRdnAttribute
```
    attribute that the principal is located
  - _userIdAttribute
```
protected java.lang.String _userIdAttribute
```
    attribute that the principal is located
  - _userPasswordAttribute
```
protected java.lang.String _userPasswordAttribute
```
    name of the attribute that a users password is stored under
    NOTE: not always accessible, see force binding login
  - _userBaseDn
```
protected java.lang.String _userBaseDn
```
    base DN where users are to be searched from
  - _userFirstNameAttribute
```
protected java.lang.String _userFirstNameAttribute
```
    attribute of user first name
  - _userLastNameAttribute
```
protected java.lang.String _userLastNameAttribute
```
    attribute of user last name
  - _userEmailAttribute
```
protected java.lang.String _userEmailAttribute
```
    attribute of user email
  - _roleBaseDn
```
protected java.lang.String _roleBaseDn
```
    base DN where role membership is to be searched from
  - _roleObjectClass
```
protected java.lang.String _roleObjectClass
```
    object class of roles
  - _roleMemberAttribute
```
protected java.lang.String _roleMemberAttribute
```
    name of the attribute that a user DN would be under a role class
  - _roleUsernameMemberAttribute
```
protected java.lang.String _roleUsernameMemberAttribute
```
    name of the attribute that a username would be under a role class
  - _roleNameAttribute
```
protected java.lang.String _roleNameAttribute
```
    the name of the attribute that a role would be stored under
  - _debug
```
protected boolean _debug
```
  - _ldapsVerifyHostname
```
protected boolean _ldapsVerifyHostname
```
  - _forceBindingLogin
```
protected boolean _forceBindingLogin
```
    if the getUserInfo can pull a password off of the user then password comparison is an option for authn, to force binding login checks, set this to true
  - _forceBindingLoginUseRootContextForRoles
```
protected boolean _forceBindingLoginUseRootContextForRoles
```
    if _forceFindingLogin is true, and _forceBindingLoginUseRootContextForRoles is true, then role memberships are obtained using _rootContext
  - _rootContext
```
protected javax.naming.directory.DirContext _rootContext
```
  - _reportStatistics
```
protected boolean _reportStatistics
```
  - _supplementalRoles
```
protected java.util.List<java.lang.String> _supplementalRoles
```
    List of supplemental roles provided in config file that get added to all users.
  - _nestedGroups
```
protected boolean _nestedGroups
```
  - _timeoutRead
```
protected long _timeoutRead
```
    timeout for LDAP read
  - _timeoutConnect
```
protected long _timeoutConnect
```
    timeout for LDAP connection
  - USERINFOCACHE
```
protected static final java.util.concurrent.ConcurrentHashMap<java.lang.String,com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.CachedUserInfo> USERINFOCACHE
```
  - userInfoCacheHits
```
protected static long userInfoCacheHits
```
    The number of cache hits for UserInfo objects.
  - loginAttempts
```
protected static long loginAttempts
```
    The number of login attempts for this particular module.
- Constructor Detail
  - JettyCachingLdapLoginModule
```
public JettyCachingLdapLoginModule()
```
- Method Detail
  - getUserInfo
```
public org.eclipse.jetty.jaas.spi.UserInfo getUserInfo(java.lang.String username)
                                                throws java.lang.Exception
```
    get the available information about the user
    for this LoginModule, the credential can be null which will result in a binding ldap authentication scenario
    roles are also an optional concept if required
    
    Specified by:
    
    getUserInfo in class org.eclipse.jetty.jaas.spi.AbstractLoginModule
    
    Parameters:
    
    username -
    
    Returns:
    
    Throws:
    
    java.lang.Exception
  - doRFC2254Encoding
```
protected java.lang.String doRFC2254Encoding(java.lang.String inputString)
```
  - getUserRoles
```
protected java.util.List getUserRoles(javax.naming.directory.DirContext dirContext,
                                      java.lang.String username)
                               throws javax.security.auth.login.LoginException,
                                      javax.naming.NamingException
```
    attempts to get the users roles from the root context NOTE: this is not an user authenticated operation
    
    Parameters:
    
    dirContext -
    
    username -
    
    Returns:
    
    Throws:
    
    javax.security.auth.login.LoginException
    
    javax.naming.NamingException
  - addSupplementalRoles
```
protected void addSupplementalRoles(java.util.List<java.lang.String> roleList)
```
  - isDebug
```
protected boolean isDebug()
```
  - debug
```
protected void debug(java.lang.String message)
```
    Default behavior to emit to System.err
    
    Parameters:
    
    message - message
  - login
```
public boolean login()
              throws javax.security.auth.login.LoginException
```
    Gets credentials by calling getCallBackAuth(), then performs authenticate(String, Object)
    
    Specified by:
    
    login in interface javax.security.auth.spi.LoginModule
    
    Overrides:
    
    login in class org.eclipse.jetty.jaas.spi.AbstractLoginModule
    
    Returns:
    
    true if authenticated
    
    Throws:
    
    javax.security.auth.login.LoginException
  - getCallBackAuth
```
protected java.lang.Object[] getCallBackAuth()
                                      throws java.io.IOException,
                                             javax.security.auth.callback.UnsupportedCallbackException,
                                             javax.security.auth.login.LoginException
```
    Returns:
    
    Return the object[] containing username and password, by using the callback mechanism
    
    Throws:
    
    java.io.IOException
    
    javax.security.auth.callback.UnsupportedCallbackException
    
    javax.security.auth.login.LoginException
  - authenticate
```
protected boolean authenticate(java.lang.String webUserName,
                               java.lang.Object webCredential)
                        throws javax.security.auth.login.LoginException
```
    since ldap uses a context bind for valid authentication checking, we override login()
    if credentials are not available from the users context or if we are forcing the binding check then we try a binding authentication check, otherwise if we have the users encoded password then we can try authentication via that mechanic
    
    Parameters:
    
    webUserName - user
    
    webCredential - password
    
    Returns:
    
    true if authenticated
    
    Throws:
    
    javax.security.auth.login.LoginException
  - credentialLogin
```
protected boolean credentialLogin(java.lang.Object webCredential)
                           throws javax.security.auth.login.LoginException
```
    password supplied authentication check
    
    Parameters:
    
    webCredential -
    
    Returns:
    
    Throws:
    
    javax.security.auth.login.LoginException
  - bindingLogin
```
protected boolean bindingLogin(java.lang.String username,
                               java.lang.Object password)
                        throws javax.security.auth.login.LoginException,
                               javax.naming.NamingException
```
    binding authentication check This methode of authentication works only if the user branch of the DIT (ldap tree) has an ACI (acces control instruction) that allow the access to any user or at least for the user that logs in.
    
    Parameters:
    
    username -
    
    password -
    
    Returns:
    
    Throws:
    
    javax.security.auth.login.LoginException
    
    javax.naming.NamingException
  - initialize
```
public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map<java.lang.String,?> sharedState,
                       java.util.Map<java.lang.String,?> options)
```
    Specified by:
    
    initialize in interface javax.security.auth.spi.LoginModule
    
    Overrides:
    
    initialize in class org.eclipse.jetty.jaas.spi.AbstractLoginModule
  - initializeOptions
```
public void initializeOptions(java.util.Map options)
```
  - commit
```
public boolean commit()
               throws javax.security.auth.login.LoginException
```
    Specified by:
    
    commit in interface javax.security.auth.spi.LoginModule
    
    Overrides:
    
    commit in class org.eclipse.jetty.jaas.spi.AbstractLoginModule
    
    Throws:
    
    javax.security.auth.login.LoginException
  - abort
```
public boolean abort()
              throws javax.security.auth.login.LoginException
```
    Specified by:
    
    abort in interface javax.security.auth.spi.LoginModule
    
    Overrides:
    
    abort in class org.eclipse.jetty.jaas.spi.AbstractLoginModule
    
    Throws:
    
    javax.security.auth.login.LoginException
  - getOption
```
protected java.lang.String getOption(java.util.Map options,
                                     java.lang.String key,
                                     java.lang.String defaultValue)
```
  - getEnvironment
```
public java.util.Hashtable getEnvironment()
```
    get the context for connection
    
    Returns:

Class JettyCachingLdapLoginModule

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.eclipse.jetty.jaas.spi.AbstractLoginModule

Methods inherited from class java.lang.Object

Field Detail

OBJECT_CLASS_FILTER

_roleMemberFilter

_providerUrl

_rolePrefix

_cacheDuration

_hostname

_port

_authenticationMethod

_contextFactory

_bindDn

_bindPassword

_userObjectClass

_userRdnAttribute

_userIdAttribute

_userPasswordAttribute

_userBaseDn

_userFirstNameAttribute

_userLastNameAttribute

_userEmailAttribute

_roleBaseDn

_roleObjectClass

_roleMemberAttribute

_roleUsernameMemberAttribute

_roleNameAttribute

_debug

_ldapsVerifyHostname

_forceBindingLogin

_forceBindingLoginUseRootContextForRoles

_rootContext

_reportStatistics

_supplementalRoles

_nestedGroups

_timeoutRead

_timeoutConnect

USERINFOCACHE

userInfoCacheHits

loginAttempts

Constructor Detail

JettyCachingLdapLoginModule

Method Detail

getUserInfo

doRFC2254Encoding

getUserRoles

addSupplementalRoles

isDebug

debug

login

getCallBackAuth

authenticate

credentialLogin

bindingLogin

initialize

initializeOptions

commit

abort

getOption

getEnvironment