com.hazelcast.security.loginimpl

Class LdapLoginModule

java.lang.Object

com.hazelcast.security.ClusterLoginModule

com.hazelcast.security.loginimpl.BasicLdapLoginModule

com.hazelcast.security.loginimpl.LdapLoginModule

All Implemented Interfaces:

LoginModule

public class LdapLoginModule
extends BasicLdapLoginModule

JAAS Login module which uses LDAP protocol to verify credentials and load roles. Compared to the BasicLdapLoginModule, this module doesn't expect full user DN to be provided as a login name. This module allows to verify provided user credentials by doing a new LDAP bind similarly to the BasicLdapLoginModule, but it also allow to compare provided password against a value defined in passwordAttribute module option. This login module expects an LDAP account to be pre-configured. This account is used for searching user and roles objects. Account configuration is done by using well-known InitialLdapContext environment variables as login module options:

• java.naming.security.authentication
• java.naming.security.principal
• java.naming.security.credentials
• ...

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_USER_FILTER Default value for the "userFilter" option.
static String	OPTION_PASSWORD_ATTRIBUTE Login module option name - Credentials verification is done by new LDAP binds by default.
static String	OPTION_SECURITY_REALM Option name for referencing Security realm name in Hazelcast configuration.
static String	OPTION_SKIP_AUTHENTICATION Login module option name - Allows disabling password verification and only takes care about filling HazelcastPrincipal instances into the Subject.
static String	OPTION_USER_CONTEXT Login module option name - LDAP Context in which user objects are searched.
static String	OPTION_USER_FILTER Login module option name - LDAP search string for retrieving user objects based on provided login name.
static String	OPTION_USER_SEARCH_SCOPE Login module option name - LDAP search scope used for "userFilter" search.
static String	PLACEHOLDER_LOGIN Placeholder string to be replaced by provided login name in the "userFilter" option.

Fields inherited from class com.hazelcast.security.loginimpl.BasicLdapLoginModule

ctx, DEFAULT_PARSE_DN, DEFAULT_ROLE_RECURSION_MAX_DEPTH, DEFAULT_USER_NAME_ATTRIBUTE, login, maxRecursionDepth, name, OPTION_PARSE_DN, OPTION_ROLE_CONTEXT, OPTION_ROLE_FILTER, OPTION_ROLE_MAPPING_ATTRIBUTE, OPTION_ROLE_MAPPING_MODE, OPTION_ROLE_NAME_ATTRIBUTE, OPTION_ROLE_RECURSION_MAX_DEPTH, OPTION_ROLE_SEARCH_SCOPE, OPTION_USER_NAME_ATTRIBUTE, parseFromDN, password, PLACEHOLDER_DN, roleContext, roleFilter, roleMappingAttribute, roleMappingMode, roleNameAttribute, roleSearchScope, userAttributes, userDN, userNameAttribute, visitedRoleDns

Fields inherited from class com.hazelcast.security.ClusterLoginModule

callbackHandler, commitSucceeded, endpoint, logger, loginSucceeded, OPTION_SKIP_ENDPOINT, OPTION_SKIP_IDENTITY, OPTION_SKIP_ROLE, options, SHARED_STATE_IDENTITY, sharedState, subject

Constructor Summary

Constructors

Constructor and Description
LdapLoginModule()

Method Summary

Modifier and Type	Method and Description
protected LdapContext	createLdapContext()
protected void	initAuthentication()
protected void	onInitialize()
protected boolean	onLogin()
protected Attributes	setUserDnAndGetAttributes()

Methods inherited from class com.hazelcast.security.loginimpl.BasicLdapLoginModule

getName, getSearchScope, hasMoreIgnorePartResEx, logLdapContextProperties, verifyOptions

Methods inherited from class com.hazelcast.security.ClusterLoginModule

abort, addRole, commit, getBoolOption, getIntOption, getLastIdentity, getStringOption, initialize, isSkipIdentity, isSkipRole, login, logout, onAbort, onCommit, onLogout

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PLACEHOLDER_LOGIN

public static final String PLACEHOLDER_LOGIN

Placeholder string to be replaced by provided login name in the "userFilter" option.

See Also:

Constant Field Values

OPTION_USER_CONTEXT

public static final String OPTION_USER_CONTEXT

Login module option name - LDAP Context in which user objects are searched. (E.g. ou=Users,dc=hazelcast,dc=com)

See Also:

Constant Field Values

OPTION_USER_FILTER

public static final String OPTION_USER_FILTER

Login module option name - LDAP search string for retrieving user objects based on provided login name. It usually contains placeholder substring "{login}" which is replaced by the provided login name.

See Also:

Constant Field Values

OPTION_USER_SEARCH_SCOPE

public static final String OPTION_USER_SEARCH_SCOPE

Login module option name - LDAP search scope used for "userFilter" search. Allowed values:

• subtree - searches for objects in the given context and its subtree
• one-level - searches just one-level under the given context
• object - searches (or tests) just for the context object itself (if it matches the filter criteria)

See Also:

Constant Field Values

OPTION_PASSWORD_ATTRIBUTE

public static final String OPTION_PASSWORD_ATTRIBUTE

Login module option name - Credentials verification is done by new LDAP binds by default. Nevertheless, the password can be stored in a non-default LDAP attribute and in this case use passwordAttribute to configure against which LDAP attribute (within user object) is the password provided during the login compared. As a result, if the passwordAttribute option is provided, then the extra LDAP bind to verify credentials is not done and passwords are just compared within the login module code after the retrieving user object from the LDAP server.

See Also:

Constant Field Values

OPTION_SKIP_AUTHENTICATION

public static final String OPTION_SKIP_AUTHENTICATION

Login module option name - Allows disabling password verification and only takes care about filling HazelcastPrincipal instances into the Subject.

See Also:

Constant Field Values

OPTION_SECURITY_REALM

public static final String OPTION_SECURITY_REALM

Option name for referencing Security realm name in Hazelcast configuration. The realm's authentication configuration (when defined) will be used to authenticate the "run-as Subject" for LDAP queries.

See Also:

Constant Field Values

DEFAULT_USER_FILTER

public static final String DEFAULT_USER_FILTER

Default value for the "userFilter" option.

See Also:

Constant Field Values

Constructor Detail

LdapLoginModule

public LdapLoginModule()

Method Detail

onInitialize

protected void onInitialize()

Overrides:

onInitialize in class BasicLdapLoginModule

onLogin

protected boolean onLogin()
                   throws LoginException

Overrides:

onLogin in class BasicLdapLoginModule

Throws:

LoginException

setUserDnAndGetAttributes

protected Attributes setUserDnAndGetAttributes()
                                        throws NamingException,
                                               FailedLoginException

Overrides:

setUserDnAndGetAttributes in class BasicLdapLoginModule

Throws:

NamingException

FailedLoginException

initAuthentication

protected void initAuthentication()
                           throws FailedLoginException

Overrides:

initAuthentication in class BasicLdapLoginModule

Throws:

FailedLoginException

createLdapContext

protected LdapContext createLdapContext()
                                 throws NamingException

Overrides:

createLdapContext in class BasicLdapLoginModule

Throws:

NamingException