1. /*

  2.  * @(#)JndiLoginModule.java	1.11 04/05/05

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package com.sun.security.auth.module;

  9. 

  10. import javax.security.auth.*;

  11. import javax.security.auth.callback.*;

  12. import javax.security.auth.login.*;

  13. import javax.security.auth.spi.*;

  14. import javax.naming.*;

  15. import javax.naming.directory.*;

  16. 

  17. import java.io.IOException;

  18. import java.util.Map;

  19. import java.util.LinkedList;

  20. import java.util.ResourceBundle;

  21. 

  22. import com.sun.security.auth.UnixPrincipal;

  23. import com.sun.security.auth.UnixNumericUserPrincipal;

  24. import com.sun.security.auth.UnixNumericGroupPrincipal;

  25. 

  26. import sun.security.util.AuthResources; 

  27. 

  28. /**

  29.  * <p> The module prompts for a username and password

  30.  * and then verifies the password against the password stored in

  31.  * a directory service configured under JNDI.

  32.  *

  33.  * <p> This <code>LoginModule</code> interoperates with

  34.  * any conformant JNDI service provider.  To direct this

  35.  * <code>LoginModule</code> to use a specific JNDI service provider,

  36.  * two options must be specified in the login <code>Configuration</code>

  37.  * for this <code>LoginModule</code>.

  38.  * <pre>

  39.  *	user.provider.url=<b>name_service_url</b>

  40.  *	group.provider.url=<b>name_service_url</b>

  41.  * </pre>

  42.  *

  43.  * <b>name_service_url</b> specifies

  44.  * the directory service and path where this <code>LoginModule</code>

  45.  * can access the relevant user and group information.  Because this

  46.  * <code>LoginModule</code> only performs one-level searches to

  47.  * find the relevant user information, the <code>URL</code>

  48.  * must point to a directory one level above where the user and group

  49.  * information is stored in the directory service.

  50.  * For example, to instruct this <code>LoginModule</code>

  51.  * to contact a NIS server, the following URLs must be specified:

  52.  * <pre>

  53.  *    user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user"

  54.  *    group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group"

  55.  * </pre>

  56.  *

  57.  * <b>NISServerHostName</b> specifies the server host name of the

  58.  * NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b>

  59.  * specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>.

  60.  * To contact an LDAP server, the following URLs must be specified:

  61.  * <pre>

  62.  *    user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"

  63.  *    group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"

  64.  * </pre>

  65.  *

  66.  * <b>LDAPServerHostName</b> specifies the server host name of the

  67.  * LDAP server, which may include a port number

  68.  * (for example, <i>ldap.sun.com:389</i>),

  69.  * and <b>LDAPName</b> specifies the entry name in the LDAP directory

  70.  * (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i>

  71.  * for user and group information, respectively).

  72.  *

  73.  * <p> The format in which the user's information must be stored in

  74.  * the directory service is specified in RFC 2307.  Specifically,

  75.  * this <code>LoginModule</code> will search for the user's entry in the

  76.  * directory service using the user's <i>uid</i> attribute,

  77.  * where <i>uid=<b>username</b></i>.  If the search succeeds,

  78.  * this <code>LoginModule</code> will then

  79.  * obtain the user's encrypted password from the retrieved entry

  80.  * using the <i>userPassword</i> attribute.

  81.  * This <code>LoginModule</code> assumes that the password is stored

  82.  * as a byte array, which when converted to a <code>String</code>,

  83.  * has the following format:

  84.  * <pre>

  85.  *	"{crypt}<b>encrypted_password</b>"

  86.  * </pre>

  87.  * 

  88.  * The LDAP directory server must be configured

  89.  * to permit read access to the userPassword attribute.

  90.  * If the user entered a valid username and password,

  91.  * this <code>LoginModule</code> associates a

  92.  * <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>,

  93.  * and the relevant UnixNumericGroupPrincipals with the

  94.  * <code>Subject</code>.

  95.  * 

  96.  * <p> This LoginModule also recognizes the following <code>Configuration</code>

  97.  * options:

  98.  * <pre>

  99.  *    debug          if, true, debug messages are output to System.out.

  100.  *

  101.  *    useFirstPass   if, true, this LoginModule retrieves the

  102.  *                   username and password from the module's shared state,

  103.  *                   using "javax.security.auth.login.name" and

  104.  *                   "javax.security.auth.login.password" as the respective

  105.  *                   keys.  The retrieved values are used for authentication.

  106.  *                   If authentication fails, no attempt for a retry is made,

  107.  *                   and the failure is reported back to the calling

  108.  *                   application.

  109.  *

  110.  *    tryFirstPass   if, true, this LoginModule retrieves the

  111.  *                   the username and password from the module's shared state,

  112.  *                   using "javax.security.auth.login.name" and

  113.  *                   "javax.security.auth.login.password" as the respective

  114.  *                   keys.  The retrieved values are used for authentication.

  115.  *                   If authentication fails, the module uses the

  116.  *                   CallbackHandler to retrieve a new username and password,

  117.  *                   and another attempt to authenticate is made.

  118.  *                   If the authentication fails, the failure is reported

  119.  *                   back to the calling application.

  120.  *

  121.  *    storePass      if, true, this LoginModule stores the username and password

  122.  *                   obtained from the CallbackHandler in the module's

  123.  *                   shared state, using "javax.security.auth.login.name" and

  124.  *                   "javax.security.auth.login.password" as the respective

  125.  *                   keys.  This is not performed if existing values already

  126.  *                   exist for the username and password in the shared state,

  127.  *                   or if authentication fails.

  128.  *

  129.  *    clearPass     if, true, this <code>LoginModule</code> clears the

  130.  *                  username and password stored in the module's shared state

  131.  *                  after both phases of authentication (login and commit)

  132.  *                  have completed.

  133.  * </pre>

  134.  *

  135.  * @version 1.11, 05/05/04

  136.  */

  137. public class JndiLoginModule implements LoginModule {

  138. 

  139.     static final java.util.ResourceBundle rb =

  140.         java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");

  141. 

  142.     /** JNDI Provider */

  143.     public final String USER_PROVIDER = "user.provider.url";

  144.     public final String GROUP_PROVIDER = "group.provider.url";

  145. 

  146.     // configurable options

  147.     private boolean debug = false;

  148.     private boolean strongDebug = false;

  149.     private String userProvider;

  150.     private String groupProvider;

  151.     private boolean useFirstPass = false;

  152.     private boolean tryFirstPass = false;

  153.     private boolean storePass = false;

  154.     private boolean clearPass = false;

  155. 

  156.     // the authentication status

  157.     private boolean succeeded = false;

  158.     private boolean commitSucceeded = false;

  159. 

  160.     // username, password, and JNDI context

  161.     private String username;

  162.     private char[] password;

  163.     DirContext ctx;

  164. 

  165.     // the user (assume it is a UnixPrincipal)

  166.     private UnixPrincipal userPrincipal;

  167.     private UnixNumericUserPrincipal UIDPrincipal;

  168.     private UnixNumericGroupPrincipal GIDPrincipal;

  169.     private LinkedList supplementaryGroups = new LinkedList();

  170. 

  171.     // initial state

  172.     private Subject subject;

  173.     private CallbackHandler callbackHandler;

  174.     private Map sharedState;

  175.     private Map options;

  176. 

  177.     private static final String CRYPT = "{crypt}";

  178.     private static final String USER_PWD = "userPassword";

  179.     private static final String USER_UID = "uidNumber";

  180.     private static final String USER_GID = "gidNumber";

  181.     private static final String GROUP_ID = "gidNumber";

  182.     private static final String NAME = "javax.security.auth.login.name";

  183.     private static final String PWD = "javax.security.auth.login.password";

  184. 

  185.     /**

  186.      * Initialize this <code>LoginModule</code>.

  187.      *

  188.      * <p>

  189.      *

  190.      * @param subject the <code>Subject</code> to be authenticated. <p>

  191.      *

  192.      * @param callbackHandler a <code>CallbackHandler</code> for communicating

  193.      *			with the end user (prompting for usernames and

  194.      *			passwords, for example). <p>

  195.      *

  196.      * @param sharedState shared <code>LoginModule</code> state. <p>

  197.      *

  198.      * @param options options specified in the login

  199.      *			<code>Configuration</code> for this particular

  200.      *			<code>LoginModule</code>.

  201.      */

  202.     public void initialize(Subject subject, CallbackHandler callbackHandler,

  203. 			   Map<String,?> sharedState,

  204. 			   Map<String,?> options) {

  205. 

  206. 	this.subject = subject;

  207. 	this.callbackHandler = callbackHandler;

  208. 	this.sharedState = sharedState;

  209. 	this.options = options;

  210. 

  211. 	// initialize any configured options

  212. 	debug = "true".equalsIgnoreCase((String)options.get("debug"));

  213. 	strongDebug =

  214. 		"true".equalsIgnoreCase((String)options.get("strongDebug"));

  215. 	userProvider = (String)options.get(USER_PROVIDER);

  216. 	groupProvider = (String)options.get(GROUP_PROVIDER);

  217. 	tryFirstPass =

  218. 		"true".equalsIgnoreCase((String)options.get("tryFirstPass"));

  219. 	useFirstPass =

  220. 		"true".equalsIgnoreCase((String)options.get("useFirstPass"));

  221. 	storePass =

  222. 		"true".equalsIgnoreCase((String)options.get("storePass"));

  223. 	clearPass =

  224. 		"true".equalsIgnoreCase((String)options.get("clearPass"));

  225.     }

  226. 

  227.     /**

  228.      * <p> Prompt for username and password.

  229.      * Verify the password against the relevant name service.

  230.      *

  231.      * <p>

  232.      *

  233.      * @return true always, since this <code>LoginModule</code>

  234.      *		should not be ignored.

  235.      *

  236.      * @exception FailedLoginException if the authentication fails. <p>

  237.      *

  238.      * @exception LoginException if this <code>LoginModule</code>

  239.      *		is unable to perform the authentication.

  240.      */

  241.     public boolean login() throws LoginException {

  242. 

  243. 	if (userProvider == null) {

  244. 	    throw new LoginException

  245. 		("Error: Unable to locate JNDI user provider");

  246. 	}

  247. 	if (groupProvider == null) {

  248. 	    throw new LoginException

  249. 		("Error: Unable to locate JNDI group provider");

  250. 	}

  251. 

  252. 	if (debug) {

  253. 	    System.out.println("\t\t[JndiLoginModule] user provider: " +

  254. 				userProvider);

  255. 	    System.out.println("\t\t[JndiLoginModule] group provider: " +

  256. 				groupProvider);

  257. 	}

  258. 

  259. 	// attempt the authentication

  260. 	if (tryFirstPass) {

  261. 

  262. 	    try {

  263. 		// attempt the authentication by getting the

  264. 		// username and password from shared state

  265. 		attemptAuthentication(true);

  266. 

  267. 		// authentication succeeded

  268. 		succeeded = true;

  269. 		if (debug) {

  270. 		    System.out.println("\t\t[JndiLoginModule] " +

  271. 				"tryFirstPass succeeded");

  272. 		}

  273. 		return true;

  274. 	    } catch (LoginException le) {

  275. 		// authentication failed -- try again below by prompting

  276. 		cleanState();

  277. 		if (debug) {

  278. 		    System.out.println("\t\t[JndiLoginModule] " +

  279. 				"tryFirstPass failed with:" +

  280. 				le.toString());

  281. 		}

  282. 	    }

  283. 

  284. 	} else if (useFirstPass) {

  285. 

  286. 	    try {

  287. 		// attempt the authentication by getting the

  288. 		// username and password from shared state

  289. 		attemptAuthentication(true);

  290. 

  291. 		// authentication succeeded

  292. 		succeeded = true;

  293. 		if (debug) {

  294. 		    System.out.println("\t\t[JndiLoginModule] " +

  295. 				"useFirstPass succeeded");

  296. 		}

  297. 		return true;

  298. 	    } catch (LoginException le) {

  299. 		// authentication failed

  300. 		cleanState();

  301. 		if (debug) {

  302. 		    System.out.println("\t\t[JndiLoginModule] " +

  303. 				"useFirstPass failed");

  304. 		}

  305. 		throw le;

  306. 	    }

  307. 	}

  308. 

  309. 	// attempt the authentication by prompting for the username and pwd

  310. 	try {

  311. 	    attemptAuthentication(false);

  312. 

  313. 	    // authentication succeeded

  314. 	   succeeded = true;

  315. 	    if (debug) {

  316. 		System.out.println("\t\t[JndiLoginModule] " +

  317. 				"regular authentication succeeded");

  318. 	    }

  319. 	    return true;

  320. 	} catch (LoginException le) {

  321. 	    cleanState();

  322. 	    if (debug) {

  323. 		System.out.println("\t\t[JndiLoginModule] " +

  324. 				"regular authentication failed");

  325. 	    }

  326. 	    throw le;

  327. 	}

  328.     }

  329. 

  330.     /**

  331.      * Abstract method to commit the authentication process (phase 2).

  332.      *

  333.      * <p> This method is called if the LoginContext's

  334.      * overall authentication succeeded

  335.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  336.      * succeeded).

  337.      *

  338.      * <p> If this LoginModule's own authentication attempt

  339.      * succeeded (checked by retrieving the private state saved by the

  340.      * <code>login</code> method), then this method associates a

  341.      * <code>UnixPrincipal</code>

  342.      * with the <code>Subject</code> located in the

  343.      * <code>LoginModule</code>.  If this LoginModule's own

  344.      * authentication attempted failed, then this method removes

  345.      * any state that was originally saved.

  346.      *

  347.      * <p>

  348.      *

  349.      * @exception LoginException if the commit fails

  350.      *

  351.      * @return true if this LoginModule's own login and commit

  352.      *		attempts succeeded, or false otherwise.

  353.      */

  354.     public boolean commit() throws LoginException {

  355. 

  356. 	if (succeeded == false) {

  357. 	    return false;

  358. 	} else {

  359. 	    if (subject.isReadOnly()) {

  360. 		cleanState();

  361. 		throw new LoginException ("Subject is Readonly");

  362. 	    } 

  363. 	    // add Principals to the Subject

  364. 	    if (!subject.getPrincipals().contains(userPrincipal))

  365. 		subject.getPrincipals().add(userPrincipal);

  366. 	    if (!subject.getPrincipals().contains(UIDPrincipal))

  367. 		subject.getPrincipals().add(UIDPrincipal);

  368. 	    if (!subject.getPrincipals().contains(GIDPrincipal))

  369. 		subject.getPrincipals().add(GIDPrincipal);

  370. 	    for (int i = 0; i < supplementaryGroups.size(); i++) {

  371. 		if (!subject.getPrincipals().contains

  372. 		    ((UnixNumericGroupPrincipal)supplementaryGroups.get(i)))

  373. 		    subject.getPrincipals().add((UnixNumericGroupPrincipal)

  374. 						supplementaryGroups.get(i));

  375. 	    }

  376. 	    

  377. 	    if (debug) {

  378. 		System.out.println("\t\t[JndiLoginModule]: " +

  379. 				   "added UnixPrincipal,");

  380. 		System.out.println("\t\t\t\tUnixNumericUserPrincipal,");

  381. 		System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),");

  382. 		System.out.println("\t\t\t to Subject");

  383. 	    }

  384. 	}

  385. 	// in any case, clean out state

  386. 	cleanState();

  387. 	commitSucceeded = true;

  388. 	return true;

  389.     }

  390. 

  391.     /**

  392.      * <p> This method is called if the LoginContext's

  393.      * overall authentication failed.

  394.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  395.      * did not succeed).

  396.      *

  397.      * <p> If this LoginModule's own authentication attempt

  398.      * succeeded (checked by retrieving the private state saved by the

  399.      * <code>login</code> and <code>commit</code> methods),

  400.      * then this method cleans up any state that was originally saved.

  401.      *

  402.      * <p>

  403.      *

  404.      * @exception LoginException if the abort fails.

  405.      *

  406.      * @return false if this LoginModule's own login and/or commit attempts

  407.      *		failed, and true otherwise.

  408.      */

  409.     public boolean abort() throws LoginException {

  410. 	if (debug)

  411. 	    System.out.println("\t\t[JndiLoginModule]: " +

  412. 		"aborted authentication failed");

  413. 

  414. 	if (succeeded == false) {

  415. 	    return false;

  416. 	} else if (succeeded == true && commitSucceeded == false) {

  417. 

  418. 	    // Clean out state

  419. 	    succeeded = false;

  420. 	    cleanState();

  421. 

  422. 	    userPrincipal = null;

  423. 	    UIDPrincipal = null;

  424. 	    GIDPrincipal = null;

  425. 	    supplementaryGroups = new LinkedList();

  426. 	} else {

  427. 	    // overall authentication succeeded and commit succeeded,

  428. 	    // but someone else's commit failed

  429. 	    logout();

  430. 	}

  431. 	return true;

  432.     }

  433. 

  434.     /**

  435.      * Logout a user.

  436.      *

  437.      * <p> This method removes the Principals

  438.      * that were added by the <code>commit</code> method.

  439.      *

  440.      * <p>

  441.      *

  442.      * @exception LoginException if the logout fails.

  443.      *

  444.      * @return true in all cases since this <code>LoginModule</code>

  445.      *		should not be ignored.

  446.      */

  447.     public boolean logout() throws LoginException {

  448. 	if (subject.isReadOnly()) {

  449. 	    cleanState();

  450. 	    throw new LoginException ("Subject is Readonly");

  451. 	}

  452. 	subject.getPrincipals().remove(userPrincipal);

  453. 	subject.getPrincipals().remove(UIDPrincipal);

  454. 	subject.getPrincipals().remove(GIDPrincipal);

  455. 	for (int i = 0; i < supplementaryGroups.size(); i++) {

  456. 	    subject.getPrincipals().remove

  457. 		((UnixNumericGroupPrincipal)supplementaryGroups.get(i));

  458. 	}

  459.     

  460.     

  461. 	// clean out state

  462. 	cleanState();

  463. 	succeeded = false;

  464. 	commitSucceeded = false;

  465. 

  466. 	userPrincipal = null;

  467. 	UIDPrincipal = null;

  468. 	GIDPrincipal = null;

  469. 	supplementaryGroups = new LinkedList();

  470. 

  471. 	if (debug) {

  472. 	    System.out.println("\t\t[JndiLoginModule]: " +

  473. 		"logged out Subject");

  474. 	}

  475. 	return true;

  476.     }

  477. 

  478.     /**

  479.      * Attempt authentication

  480.      *

  481.      * <p>

  482.      *

  483.      * @param getPasswdFromSharedState boolean that tells this method whether

  484.      *		to retrieve the password from the sharedState.

  485.      */

  486.     private void attemptAuthentication(boolean getPasswdFromSharedState)

  487.     throws LoginException {

  488. 

  489. 	String encryptedPassword = null;

  490. 

  491. 	// first get the username and password

  492. 	getUsernamePassword(getPasswdFromSharedState);

  493. 	

  494. 	try {

  495. 

  496. 	    // get the user's passwd entry from the user provider URL

  497. 	    InitialContext iCtx = new InitialContext();

  498. 	    ctx = (DirContext)iCtx.lookup(userProvider);

  499. 

  500. 	    /*

  501. 	    SearchControls controls = new SearchControls

  502. 					(SearchControls.ONELEVEL_SCOPE,

  503. 					0,

  504. 					5000,

  505. 					new String[] { USER_PWD },

  506. 					false,

  507. 					false);

  508. 	    */

  509. 

  510. 	    SearchControls controls = new SearchControls();

  511. 	    NamingEnumeration ne = ctx.search("",

  512. 					"(uid=" + username + ")",

  513. 					controls);

  514. 	    if (ne.hasMore()) {

  515. 		SearchResult result = (SearchResult)ne.next();

  516. 		Attributes attributes = result.getAttributes();

  517. 

  518. 		// get the password

  519. 

  520. 		// this module works only if the LDAP directory server

  521. 		// is configured to permit read access to the userPassword

  522. 		// attribute. The directory administrator need to grant

  523. 		// this access.

  524. 		//

  525. 		// A workaround would be to make the server do authentication

  526. 		// by setting the Context.SECURITY_PRINCIPAL

  527. 		// and Context.SECURITY_CREDENTIALS property.

  528. 		// However, this would make it not work with systems that

  529. 		// don't do authentication at the server (like NIS).

  530. 		//

  531. 		// Setting the SECURITY_* properties and using "simple"

  532. 		// authentication for LDAP is recommended only for secure

  533. 		// channels. For nonsecure channels, SSL is recommended.

  534. 

  535. 		Attribute pwd = attributes.get(USER_PWD);

  536. 		String encryptedPwd = new String((byte[])pwd.get(), "UTF8");

  537. 		encryptedPassword = encryptedPwd.substring(CRYPT.length());

  538. 

  539. 		// check the password

  540. 		if (verifyPassword

  541. 		    (encryptedPassword, new String(password)) == true) {

  542. 

  543. 		    // authentication succeeded

  544. 		    if (debug)

  545. 			System.out.println("\t\t[JndiLoginModule] " +

  546. 				"attemptAuthentication() succeeded");

  547. 

  548. 		} else {

  549. 		    // authentication failed

  550. 		    if (debug)

  551. 			System.out.println("\t\t[JndiLoginModule] " +

  552. 				"attemptAuthentication() failed");

  553. 		    throw new FailedLoginException("Login incorrect");

  554. 		}

  555. 

  556. 		// save input as shared state only if

  557. 		// authentication succeeded

  558. 		if (storePass &&

  559. 		    !sharedState.containsKey(NAME) &&

  560. 		    !sharedState.containsKey(PWD)) {

  561. 		    sharedState.put(NAME, username);

  562. 		    sharedState.put(PWD, password);

  563. 		}

  564. 

  565. 		// create the user principal

  566. 		userPrincipal = new UnixPrincipal(username);

  567. 

  568. 		// get the UID

  569. 		Attribute uid = attributes.get(USER_UID);

  570. 		String uidNumber = (String)uid.get();

  571. 		UIDPrincipal = new UnixNumericUserPrincipal(uidNumber);

  572. 		if (debug && uidNumber != null) {

  573. 		    System.out.println("\t\t[JndiLoginModule] " +

  574. 				"user: '" + username + "' has UID: " +

  575. 				uidNumber);

  576. 		}

  577. 

  578. 		// get the GID

  579. 		Attribute gid = attributes.get(USER_GID);

  580. 		String gidNumber = (String)gid.get();

  581. 		GIDPrincipal = new UnixNumericGroupPrincipal

  582. 				(gidNumber, true);

  583. 		if (debug && gidNumber != null) {

  584. 		    System.out.println("\t\t[JndiLoginModule] " +

  585. 				"user: '" + username + "' has GID: " +

  586. 				gidNumber);

  587. 		}

  588. 

  589. 		// get the supplementary groups from the group provider URL

  590. 		ctx = (DirContext)iCtx.lookup(groupProvider);

  591. 		ne = ctx.search("", new BasicAttributes("memberUid", username));

  592. 

  593. 		while (ne.hasMore()) {

  594. 		    result = (SearchResult)ne.next();

  595. 		    attributes = result.getAttributes();

  596. 

  597. 		    gid = attributes.get(GROUP_ID);

  598. 		    String suppGid = (String)gid.get();

  599. 		    if (!gidNumber.equals(suppGid)) {

  600. 			UnixNumericGroupPrincipal suppPrincipal =

  601. 			    new UnixNumericGroupPrincipal(suppGid, false);

  602. 			supplementaryGroups.add(suppPrincipal);

  603. 			if (debug && suppGid != null) {

  604. 			    System.out.println("\t\t[JndiLoginModule] " +

  605. 				"user: '" + username +

  606. 				"' has Supplementary Group: " +

  607. 				suppGid);

  608. 			}

  609. 		    }

  610. 		}

  611. 

  612. 	    } else {

  613. 		// bad username

  614. 		if (debug) {

  615. 		    System.out.println("\t\t[JndiLoginModule]: User not found");

  616. 		}

  617. 		throw new FailedLoginException("User not found");

  618. 	    }

  619. 	} catch (NamingException ne) {

  620. 	    // bad username

  621. 	    if (debug) {

  622. 		System.out.println("\t\t[JndiLoginModule]:  User not found");

  623. 		ne.printStackTrace();

  624. 	    }

  625. 	    throw new FailedLoginException("User not found");

  626. 	} catch (java.io.UnsupportedEncodingException uee) {

  627. 	    // password stored in incorrect format

  628. 	    if (debug) {

  629. 		System.out.println("\t\t[JndiLoginModule]:  " +

  630. 				"password incorrectly encoded");

  631. 		uee.printStackTrace();

  632. 	    }

  633. 	    throw new LoginException("Login failure due to incorrect " +

  634. 				"password encoding in the password database");

  635. 	}

  636. 

  637. 	// authentication succeeded

  638.     }

  639.  

  640.     /**

  641.      * Get the username and password.

  642.      * This method does not return any value.

  643.      * Instead, it sets global name and password variables.

  644.      *

  645.      * <p> Also note that this method will set the username and password

  646.      * values in the shared state in case subsequent LoginModules

  647.      * want to use them via use/tryFirstPass.

  648.      *

  649.      * <p>

  650.      *

  651.      * @param getPasswdFromSharedState boolean that tells this method whether

  652.      *		to retrieve the password from the sharedState.

  653.      */

  654.     private void getUsernamePassword(boolean getPasswdFromSharedState)

  655.     throws LoginException {

  656. 

  657. 	if (getPasswdFromSharedState) {

  658. 	    // use the password saved by the first module in the stack

  659. 	    username = (String)sharedState.get(NAME);

  660. 	    password = (char[])sharedState.get(PWD);

  661. 	    return;

  662. 	}

  663. 

  664. 	// prompt for a username and password

  665.         if (callbackHandler == null)

  666. 	    throw new LoginException("Error: no CallbackHandler available " +

  667. 		"to garner authentication information from the user");

  668. 

  669. 	String protocol = userProvider.substring(0, userProvider.indexOf(":"));

  670. 

  671. 	Callback[] callbacks = new Callback[2];

  672. 	callbacks[0] = new NameCallback(protocol + " " 

  673. 					    + rb.getString("username: "));

  674. 	callbacks[1] = new PasswordCallback(protocol + " " +

  675.  					        rb.getString("password: "),

  676. 					    false);

  677. 

  678. 	try {

  679. 	    callbackHandler.handle(callbacks);

  680. 	    username = ((NameCallback)callbacks[0]).getName();

  681. 	    char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();

  682. 	    password = new char[tmpPassword.length];

  683. 	    System.arraycopy(tmpPassword, 0,

  684. 				password, 0, tmpPassword.length);

  685. 	    ((PasswordCallback)callbacks[1]).clearPassword();

  686. 

  687. 	} catch (java.io.IOException ioe) {

  688. 	    throw new LoginException(ioe.toString());

  689. 	} catch (UnsupportedCallbackException uce) {

  690. 	    throw new LoginException("Error: " + uce.getCallback().toString() +

  691. 			" not available to garner authentication information " +

  692. 			"from the user");

  693. 	}

  694. 

  695. 	// print debugging information

  696. 	if (strongDebug) {

  697. 	    System.out.println("\t\t[JndiLoginModule] " +

  698. 				"user entered username: " +

  699. 				username);

  700. 	    System.out.print("\t\t[JndiLoginModule] " +

  701. 				"user entered password: ");

  702. 	    for (int i = 0; i < password.length; i++)

  703. 		System.out.print(password[i]);

  704. 	    System.out.println();

  705. 	}

  706.     }

  707. 

  708.     /**

  709.      * Verify a password against the encrypted passwd from /etc/shadow

  710.      */

  711.     private boolean verifyPassword(String encryptedPassword, String password) {

  712. 

  713. 	if (encryptedPassword == null)

  714. 	    return false;

  715. 

  716. 	Crypt c = new Crypt();

  717. 	try {

  718. 	    byte oldCrypt[] = encryptedPassword.getBytes("UTF8");

  719. 	    byte newCrypt[] = c.crypt(password.getBytes("UTF8"),

  720. 				      oldCrypt);

  721. 	    if (newCrypt.length != oldCrypt.length)

  722. 	        return false;

  723. 	    for (int i = 0; i < newCrypt.length; i++) {

  724. 	        if (oldCrypt[i] != newCrypt[i])

  725. 		    return false;

  726. 	    }

  727. 	} catch (java.io.UnsupportedEncodingException uee) {

  728. 	    // cannot happen, but return false just to be safe

  729. 	    return false;

  730. 	}

  731. 	return true;

  732.     }

  733. 

  734.     /**

  735.      * Clean out state because of a failed authentication attempt

  736.      */

  737.     private void cleanState() {

  738. 	username = null;

  739. 	if (password != null) {

  740. 	    for (int i = 0; i < password.length; i++)

  741. 		password[i] = ' ';

  742. 	    password = null;

  743. 	}

  744. 	ctx = null;

  745. 

  746. 	if (clearPass) {

  747. 	    sharedState.remove(NAME);

  748. 	    sharedState.remove(PWD);

  749. 	}

  750.     }

  751. }