- /*
- * @(#)JndiLoginModule.java 1.8 03/01/23
- *
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
- * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
- */
-
- package com.sun.security.auth.module;
-
- import javax.security.auth.*;
- import javax.security.auth.callback.*;
- import javax.security.auth.login.*;
- import javax.security.auth.spi.*;
- import javax.naming.*;
- import javax.naming.directory.*;
-
- import java.io.IOException;
- import java.util.Map;
- import java.util.LinkedList;
- import java.util.ResourceBundle;
-
- import com.sun.security.auth.UnixPrincipal;
- import com.sun.security.auth.UnixNumericUserPrincipal;
- import com.sun.security.auth.UnixNumericGroupPrincipal;
-
- import sun.security.util.AuthResources;
-
- /**
- * <p> The module prompts for a username and password
- * and then verifies the password against the password stored in
- * a directory service configured under JNDI.
- *
- * <p> This <code>LoginModule</code> interoperates with
- * any conformant JNDI service provider. To direct this
- * <code>LoginModule</code> to use a specific JNDI service provider,
- * two options must be specified in the login <code>Configuration</code>
- * for this <code>LoginModule</code>.
- * <pre>
- * user.provider.url=<b>name_service_url</b>
- * group.provider.url=<b>name_service_url</b>
- * </pre>
- *
- * <b>name_service_url</b> specifies
- * the directory service and path where this <code>LoginModule</code>
- * can access the relevant user and group information. Because this
- * <code>LoginModule</code> only performs one-level searches to
- * find the relevant user information, the <code>URL</code>
- * must point to a directory one level above where the user and group
- * information is stored in the directory service.
- * For example, to instruct this <code>LoginModule</code>
- * to contact a NIS server, the following URLs must be specified:
- * <pre>
- * user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user"
- * group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group"
- * </pre>
- *
- * <b>NISServerHostName</b> specifies the server host name of the
- * NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b>
- * specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>.
- * To contact an LDAP server, the following URLs must be specified:
- * <pre>
- * user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
- * group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
- * </pre>
- *
- * <b>LDAPServerHostName</b> specifies the server host name of the
- * LDAP server, which may include a port number
- * (for example, <i>ldap.sun.com:389</i>),
- * and <b>LDAPName</b> specifies the entry name in the LDAP directory
- * (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i>
- * for user and group information, respectively).
- *
- * <p> The format in which the user's information must be stored in
- * the directory service is specified in RFC 2307. Specifically,
- * this <code>LoginModule</code> will search for the user's entry in the
- * directory service using the user's <i>uid</i> attribute,
- * where <i>uid=<b>username</b></i>. If the search succeeds,
- * this <code>LoginModule</code> will then
- * obtain the user's encrypted password from the retrieved entry
- * using the <i>userPassword</i> attribute.
- * This <code>LoginModule</code> assumes that the password is stored
- * as a byte array, which when converted to a <code>String</code>,
- * has the following format:
- * <pre>
- * "{crypt}<b>encrypted_password</b>"
- * </pre>
- *
- * The LDAP directory server must be configured
- * to permit read access to the userPassword attribute.
- * If the user entered a valid username and password,
- * this <code>LoginModule</code> associates a
- * <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>,
- * and the relevant UnixNumericGroupPrincipals with the
- * <code>Subject</code>.
- *
- * <p> This LoginModule also recognizes the following <code>Configuration</code>
- * options:
- * <pre>
- * debug if, true, debug messages are output to System.out.
- *
- * useFirstPass if, true, this LoginModule retrieves the
- * username and password from the module's shared state,
- * using "javax.security.auth.login.name" and
- * "javax.security.auth.login.password" as the respective
- * keys. The retrieved values are used for authentication.
- * If authentication fails, no attempt for a retry is made,
- * and the failure is reported back to the calling
- * application.
- *
- * tryFirstPass if, true, this LoginModule retrieves the
- * the username and password from the module's shared state,
- * using "javax.security.auth.login.name" and
- * "javax.security.auth.login.password" as the respective
- * keys. The retrieved values are used for authentication.
- * If authentication fails, the module uses the
- * CallbackHandler to retrieve a new username and password,
- * and another attempt to authenticate is made.
- * If the authentication fails, the failure is reported
- * back to the calling application.
- *
- * storePass if, true, this LoginModule stores the username and password
- * obtained from the CallbackHandler in the module's
- * shared state, using "javax.security.auth.login.name" and
- * "javax.security.auth.login.password" as the respective
- * keys. This is not performed if existing values already
- * exist for the username and password in the shared state,
- * or if authentication fails.
- *
- * clearPass if, true, this <code>LoginModule</code> clears the
- * username and password stored in the module's shared state
- * after both phases of authentication (login and commit)
- * have completed.
- * </pre>
- *
- * @version 1.8, 01/23/03
- */
- public class JndiLoginModule implements LoginModule {
-
- static final java.util.ResourceBundle rb =
- java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");
-
- /** JNDI Provider */
- public final String USER_PROVIDER = "user.provider.url";
- public final String GROUP_PROVIDER = "group.provider.url";
-
- // configurable options
- private boolean debug = false;
- private boolean strongDebug = false;
- private String userProvider;
- private String groupProvider;
- private boolean useFirstPass = false;
- private boolean tryFirstPass = false;
- private boolean storePass = false;
- private boolean clearPass = false;
-
- // the authentication status
- private boolean succeeded = false;
- private boolean commitSucceeded = false;
-
- // username, password, and JNDI context
- private String username;
- private char[] password;
- DirContext ctx;
-
- // the user (assume it is a UnixPrincipal)
- private UnixPrincipal userPrincipal;
- private UnixNumericUserPrincipal UIDPrincipal;
- private UnixNumericGroupPrincipal GIDPrincipal;
- private LinkedList supplementaryGroups = new LinkedList();
-
- // initial state
- private Subject subject;
- private CallbackHandler callbackHandler;
- private Map sharedState;
- private Map options;
-
- private static final String CRYPT = "{crypt}";
- private static final String USER_PWD = "userPassword";
- private static final String USER_UID = "uidNumber";
- private static final String USER_GID = "gidNumber";
- private static final String GROUP_ID = "gidNumber";
- private static final String NAME = "javax.security.auth.login.name";
- private static final String PWD = "javax.security.auth.login.password";
-
- /**
- * Initialize this <code>LoginModule</code>.
- *
- * <p>
- *
- * @param subject the <code>Subject</code> to be authenticated. <p>
- *
- * @param callbackHandler a <code>CallbackHandler</code> for communicating
- * with the end user (prompting for usernames and
- * passwords, for example). <p>
- *
- * @param sharedState shared <code>LoginModule</code> state. <p>
- *
- * @param options options specified in the login
- * <code>Configuration</code> for this particular
- * <code>LoginModule</code>.
- */
- public void initialize(Subject subject, CallbackHandler callbackHandler,
- Map sharedState, Map options) {
-
- this.subject = subject;
- this.callbackHandler = callbackHandler;
- this.sharedState = sharedState;
- this.options = options;
-
- // initialize any configured options
- debug = "true".equalsIgnoreCase((String)options.get("debug"));
- strongDebug =
- "true".equalsIgnoreCase((String)options.get("strongDebug"));
- userProvider = (String)options.get(USER_PROVIDER);
- groupProvider = (String)options.get(GROUP_PROVIDER);
- tryFirstPass =
- "true".equalsIgnoreCase((String)options.get("tryFirstPass"));
- useFirstPass =
- "true".equalsIgnoreCase((String)options.get("useFirstPass"));
- storePass =
- "true".equalsIgnoreCase((String)options.get("storePass"));
- clearPass =
- "true".equalsIgnoreCase((String)options.get("clearPass"));
- }
-
- /**
- * <p> Prompt for username and password.
- * Verify the password against the relevant name service.
- *
- * <p>
- *
- * @return true always, since this <code>LoginModule</code>
- * should not be ignored.
- *
- * @exception FailedLoginException if the authentication fails. <p>
- *
- * @exception LoginException if this <code>LoginModule</code>
- * is unable to perform the authentication.
- */
- public boolean login() throws LoginException {
-
- if (userProvider == null) {
- throw new LoginException
- ("Error: Unable to locate JNDI user provider");
- }
- if (groupProvider == null) {
- throw new LoginException
- ("Error: Unable to locate JNDI group provider");
- }
-
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] user provider: " +
- userProvider);
- System.out.println("\t\t[JndiLoginModule] group provider: " +
- groupProvider);
- }
-
- // attempt the authentication
- if (tryFirstPass) {
-
- try {
- // attempt the authentication by getting the
- // username and password from shared state
- attemptAuthentication(true);
-
- // authentication succeeded
- succeeded = true;
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "tryFirstPass succeeded");
- }
- return true;
- } catch (LoginException le) {
- // authentication failed -- try again below by prompting
- cleanState();
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "tryFirstPass failed with:" +
- le.toString());
- }
- }
-
- } else if (useFirstPass) {
-
- try {
- // attempt the authentication by getting the
- // username and password from shared state
- attemptAuthentication(true);
-
- // authentication succeeded
- succeeded = true;
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "useFirstPass succeeded");
- }
- return true;
- } catch (LoginException le) {
- // authentication failed
- cleanState();
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "useFirstPass failed");
- }
- throw le;
- }
- }
-
- // attempt the authentication by prompting for the username and pwd
- try {
- attemptAuthentication(false);
-
- // authentication succeeded
- succeeded = true;
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "regular authentication succeeded");
- }
- return true;
- } catch (LoginException le) {
- cleanState();
- if (debug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "regular authentication failed");
- }
- throw le;
- }
- }
-
- /**
- * Abstract method to commit the authentication process (phase 2).
- *
- * <p> This method is called if the LoginContext's
- * overall authentication succeeded
- * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
- * succeeded).
- *
- * <p> If this LoginModule's own authentication attempt
- * succeeded (checked by retrieving the private state saved by the
- * <code>login</code> method), then this method associates a
- * <code>UnixPrincipal</code>
- * with the <code>Subject</code> located in the
- * <code>LoginModule</code>. If this LoginModule's own
- * authentication attempted failed, then this method removes
- * any state that was originally saved.
- *
- * <p>
- *
- * @exception LoginException if the commit fails
- *
- * @return true if this LoginModule's own login and commit
- * attempts succeeded, or false otherwise.
- */
- public boolean commit() throws LoginException {
-
- if (succeeded == false) {
- return false;
- } else {
- if (subject.isReadOnly()) {
- cleanState();
- throw new LoginException ("Subject is Readonly");
- }
- // add Principals to the Subject
- if (!subject.getPrincipals().contains(userPrincipal))
- subject.getPrincipals().add(userPrincipal);
- if (!subject.getPrincipals().contains(UIDPrincipal))
- subject.getPrincipals().add(UIDPrincipal);
- if (!subject.getPrincipals().contains(GIDPrincipal))
- subject.getPrincipals().add(GIDPrincipal);
- for (int i = 0; i < supplementaryGroups.size(); i++) {
- if (!subject.getPrincipals().contains
- ((UnixNumericGroupPrincipal)supplementaryGroups.get(i)))
- subject.getPrincipals().add((UnixNumericGroupPrincipal)
- supplementaryGroups.get(i));
- }
-
- if (debug) {
- System.out.println("\t\t[JndiLoginModule]: " +
- "added UnixPrincipal,");
- System.out.println("\t\t\t\tUnixNumericUserPrincipal,");
- System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),");
- System.out.println("\t\t\t to Subject");
- }
- }
- // in any case, clean out state
- cleanState();
- commitSucceeded = true;
- return true;
- }
-
- /**
- * <p> This method is called if the LoginContext's
- * overall authentication failed.
- * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
- * did not succeed).
- *
- * <p> If this LoginModule's own authentication attempt
- * succeeded (checked by retrieving the private state saved by the
- * <code>login</code> and <code>commit</code> methods),
- * then this method cleans up any state that was originally saved.
- *
- * <p>
- *
- * @exception LoginException if the abort fails.
- *
- * @return false if this LoginModule's own login and/or commit attempts
- * failed, and true otherwise.
- */
- public boolean abort() throws LoginException {
- if (debug)
- System.out.println("\t\t[JndiLoginModule]: " +
- "aborted authentication failed");
-
- if (succeeded == false) {
- return false;
- } else if (succeeded == true && commitSucceeded == false) {
-
- // Clean out state
- succeeded = false;
- cleanState();
-
- userPrincipal = null;
- UIDPrincipal = null;
- GIDPrincipal = null;
- supplementaryGroups = new LinkedList();
- } else {
- // overall authentication succeeded and commit succeeded,
- // but someone else's commit failed
- logout();
- }
- return true;
- }
-
- /**
- * Logout a user.
- *
- * <p> This method removes the Principals
- * that were added by the <code>commit</code> method.
- *
- * <p>
- *
- * @exception LoginException if the logout fails.
- *
- * @return true in all cases since this <code>LoginModule</code>
- * should not be ignored.
- */
- public boolean logout() throws LoginException {
- if (subject.isReadOnly()) {
- cleanState();
- throw new LoginException ("Subject is Readonly");
- }
- subject.getPrincipals().remove(userPrincipal);
- subject.getPrincipals().remove(UIDPrincipal);
- subject.getPrincipals().remove(GIDPrincipal);
- for (int i = 0; i < supplementaryGroups.size(); i++) {
- subject.getPrincipals().remove
- ((UnixNumericGroupPrincipal)supplementaryGroups.get(i));
- }
-
-
- // clean out state
- cleanState();
- succeeded = false;
- commitSucceeded = false;
-
- userPrincipal = null;
- UIDPrincipal = null;
- GIDPrincipal = null;
- supplementaryGroups = new LinkedList();
-
- if (debug) {
- System.out.println("\t\t[JndiLoginModule]: " +
- "logged out Subject");
- }
- return true;
- }
-
- /**
- * Attempt authentication
- *
- * <p>
- *
- * @param getPasswdFromSharedState boolean that tells this method whether
- * to retrieve the password from the sharedState.
- */
- private void attemptAuthentication(boolean getPasswdFromSharedState)
- throws LoginException {
-
- String encryptedPassword = null;
-
- // first get the username and password
- getUsernamePassword(getPasswdFromSharedState);
-
- try {
-
- // get the user's passwd entry from the user provider URL
- InitialContext iCtx = new InitialContext();
- ctx = (DirContext)iCtx.lookup(userProvider);
-
- /*
- SearchControls controls = new SearchControls
- (SearchControls.ONELEVEL_SCOPE,
- 0,
- 5000,
- new String[] { USER_PWD },
- false,
- false);
- */
-
- SearchControls controls = new SearchControls();
- NamingEnumeration ne = ctx.search("",
- "(uid=" + username + ")",
- controls);
- if (ne.hasMore()) {
- SearchResult result = (SearchResult)ne.next();
- Attributes attributes = result.getAttributes();
-
- // get the password
-
- // this module works only if the LDAP directory server
- // is configured to permit read access to the userPassword
- // attribute. The directory administrator need to grant
- // this access.
- //
- // A workaround would be to make the server do authentication
- // by setting the Context.SECURITY_PRINCIPAL
- // and Context.SECURITY_CREDENTIALS property.
- // However, this would make it not work with systems that
- // don't do authentication at the server (like NIS).
- //
- // Setting the SECURITY_* properties and using "simple"
- // authentication for LDAP is recommended only for secure
- // channels. For nonsecure channels, SSL is recommended.
-
- Attribute pwd = attributes.get(USER_PWD);
- String encryptedPwd = new String((byte[])pwd.get(), "UTF8");
- encryptedPassword = encryptedPwd.substring(CRYPT.length());
-
- // check the password
- if (verifyPassword
- (encryptedPassword, new String(password)) == true) {
-
- // authentication succeeded
- if (debug)
- System.out.println("\t\t[JndiLoginModule] " +
- "attemptAuthentication() succeeded");
-
- } else {
- // authentication failed
- if (debug)
- System.out.println("\t\t[JndiLoginModule] " +
- "attemptAuthentication() failed");
- throw new FailedLoginException("Login incorrect");
- }
-
- // save input as shared state only if
- // authentication succeeded
- if (storePass &&
- !sharedState.containsKey(NAME) &&
- !sharedState.containsKey(PWD)) {
- sharedState.put(NAME, username);
- sharedState.put(PWD, password);
- }
-
- // create the user principal
- userPrincipal = new UnixPrincipal(username);
-
- // get the UID
- Attribute uid = attributes.get(USER_UID);
- String uidNumber = (String)uid.get();
- UIDPrincipal = new UnixNumericUserPrincipal(uidNumber);
- if (debug && uidNumber != null) {
- System.out.println("\t\t[JndiLoginModule] " +
- "user: '" + username + "' has UID: " +
- uidNumber);
- }
-
- // get the GID
- Attribute gid = attributes.get(USER_GID);
- String gidNumber = (String)gid.get();
- GIDPrincipal = new UnixNumericGroupPrincipal
- (gidNumber, true);
- if (debug && gidNumber != null) {
- System.out.println("\t\t[JndiLoginModule] " +
- "user: '" + username + "' has GID: " +
- gidNumber);
- }
-
- // get the supplementary groups from the group provider URL
- ctx = (DirContext)iCtx.lookup(groupProvider);
- ne = ctx.search("", new BasicAttributes("memberUid", username));
-
- while (ne.hasMore()) {
- result = (SearchResult)ne.next();
- attributes = result.getAttributes();
-
- gid = attributes.get(GROUP_ID);
- String suppGid = (String)gid.get();
- if (!gidNumber.equals(suppGid)) {
- UnixNumericGroupPrincipal suppPrincipal =
- new UnixNumericGroupPrincipal(suppGid, false);
- supplementaryGroups.add(suppPrincipal);
- if (debug && suppGid != null) {
- System.out.println("\t\t[JndiLoginModule] " +
- "user: '" + username +
- "' has Supplementary Group: " +
- suppGid);
- }
- }
- }
-
- } else {
- // bad username
- if (debug) {
- System.out.println("\t\t[JndiLoginModule]: User not found");
- }
- throw new FailedLoginException("User not found");
- }
- } catch (NamingException ne) {
- // bad username
- if (debug) {
- System.out.println("\t\t[JndiLoginModule]: User not found");
- ne.printStackTrace();
- }
- throw new FailedLoginException("User not found");
- } catch (java.io.UnsupportedEncodingException uee) {
- // password stored in incorrect format
- if (debug) {
- System.out.println("\t\t[JndiLoginModule]: " +
- "password incorrectly encoded");
- uee.printStackTrace();
- }
- throw new LoginException("Login failure due to incorrect " +
- "password encoding in the password database");
- }
-
- // authentication succeeded
- }
-
- /**
- * Get the username and password.
- * This method does not return any value.
- * Instead, it sets global name and password variables.
- *
- * <p> Also note that this method will set the username and password
- * values in the shared state in case subsequent LoginModules
- * want to use them via use/tryFirstPass.
- *
- * <p>
- *
- * @param getPasswdFromSharedState boolean that tells this method whether
- * to retrieve the password from the sharedState.
- */
- private void getUsernamePassword(boolean getPasswdFromSharedState)
- throws LoginException {
-
- if (getPasswdFromSharedState) {
- // use the password saved by the first module in the stack
- username = (String)sharedState.get(NAME);
- password = (char[])sharedState.get(PWD);
- return;
- }
-
- // prompt for a username and password
- if (callbackHandler == null)
- throw new LoginException("Error: no CallbackHandler available " +
- "to garner authentication information from the user");
-
- String protocol = userProvider.substring(0, userProvider.indexOf(":"));
-
- Callback[] callbacks = new Callback[2];
- callbacks[0] = new NameCallback(protocol + " "
- + rb.getString("username: "));
- callbacks[1] = new PasswordCallback(protocol + " " +
- rb.getString("password: "),
- false);
-
- try {
- callbackHandler.handle(callbacks);
- username = ((NameCallback)callbacks[0]).getName();
- char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
- password = new char[tmpPassword.length];
- System.arraycopy(tmpPassword, 0,
- password, 0, tmpPassword.length);
- ((PasswordCallback)callbacks[1]).clearPassword();
-
- } catch (java.io.IOException ioe) {
- throw new LoginException(ioe.toString());
- } catch (UnsupportedCallbackException uce) {
- throw new LoginException("Error: " + uce.getCallback().toString() +
- " not available to garner authentication information " +
- "from the user");
- }
-
- // print debugging information
- if (strongDebug) {
- System.out.println("\t\t[JndiLoginModule] " +
- "user entered username: " +
- username);
- System.out.print("\t\t[JndiLoginModule] " +
- "user entered password: ");
- for (int i = 0; i < password.length; i++)
- System.out.print(password[i]);
- System.out.println();
- }
- }
-
- /**
- * Verify a password against the encrypted passwd from /etc/shadow
- */
- private boolean verifyPassword(String encryptedPassword, String password) {
-
- if (encryptedPassword == null)
- return false;
-
- Crypt c = new Crypt();
- byte oldCrypt[] = encryptedPassword.getBytes();
- byte newCrypt[] = c.crypt(password.getBytes(),
- oldCrypt);
- if (newCrypt.length != oldCrypt.length)
- return false;
- for (int i = 0; i < newCrypt.length; i++) {
- if (oldCrypt[i] != newCrypt[i])
- return false;
- }
- return true;
- }
-
- /**
- * Clean out state because of a failed authentication attempt
- */
- private void cleanState() {
- username = null;
- if (password != null) {
- for (int i = 0; i < password.length; i++)
- password[i] = ' ';
- password = null;
- }
- ctx = null;
-
- if (clearPass) {
- sharedState.remove(NAME);
- sharedState.remove(PWD);
- }
- }
- }