Revision 1988
Added by Matt Jones over 20 years ago
src/edu/ucsb/nceas/metacat/AuthLdap.java | ||
---|---|---|
47 | 47 |
import javax.naming.directory.SearchControls; |
48 | 48 |
import javax.naming.ReferralException; |
49 | 49 |
import javax.naming.ldap.*; |
50 |
import java.net.URLDecoder; |
|
50 | 51 |
import java.util.Iterator; |
51 | 52 |
import java.util.HashMap; |
52 | 53 |
import java.util.Hashtable; |
... | ... | |
72 | 73 |
private String userName; |
73 | 74 |
private String userPassword; |
74 | 75 |
ReferralException refExc; |
75 |
String uid=null; |
|
76 |
//String uid=null;
|
|
76 | 77 |
|
77 | 78 |
/** |
78 | 79 |
* Construct an AuthLdap |
... | ... | |
102 | 103 |
boolean authenticated = false; |
103 | 104 |
String identifier = user; |
104 | 105 |
//get uid here. |
105 |
uid=user.substring(0, user.indexOf(",")); |
|
106 |
//uid=user.substring(0, user.indexOf(","));
|
|
106 | 107 |
|
107 | 108 |
try { |
108 | 109 |
// Check the usename as passed in |
... | ... | |
111 | 112 |
if (!authenticated) { |
112 | 113 |
MetaCatUtil.debugMessage("Looking up DN for: " + identifier, 35); |
113 | 114 |
identifier = getIdentifyingName(identifier,ldapUrl,ldapBase); |
114 |
//System.out.println("identifier: "+identifier); |
|
115 |
MetaCatUtil.debugMessage("DN found: " + identifier, 35); |
|
116 |
String decoded = URLDecoder.decode(identifier); |
|
117 |
MetaCatUtil.debugMessage("DN decoded: " + decoded, 35); |
|
118 |
identifier = decoded; |
|
115 | 119 |
String refUrl = ""; |
116 | 120 |
String refBase = ""; |
117 | 121 |
if (identifier.startsWith("ldap")) { |
... | ... | |
179 | 183 |
{ |
180 | 184 |
double totStartTime = System.currentTimeMillis(); |
181 | 185 |
boolean authenticated = false; |
182 |
if (identifier != null && !password.equals("")) |
|
183 |
{ |
|
186 |
if (identifier != null && !password.equals("")) { |
|
184 | 187 |
|
185 | 188 |
//Pass the username and password to run() method |
186 | 189 |
userName=identifier; |
... | ... | |
191 | 194 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
192 | 195 |
env.put(Context.REFERRAL, "throw"); |
193 | 196 |
env.put(Context.PROVIDER_URL, directoryUrl + searchBase); |
194 |
if ( !ldapsUrl.equals(ldapUrl) )
|
|
195 |
{ |
|
197 |
util.debugMessage("PROVIDER_URL set to: " + directoryUrl + searchBase, 35);
|
|
198 |
if ( !ldapsUrl.equals(ldapUrl) ) {
|
|
196 | 199 |
// ldap is set on default port 389 |
197 | 200 |
// ldaps is set on second port - 636 by default |
198 | 201 |
//env.put(Context.SECURITY_PROTOCOL, "ssl"); |
... | ... | |
202 | 205 |
env.put(Context.SECURITY_CREDENTIALS, password); |
203 | 206 |
// If our auth credentials are invalid, an exception will be thrown |
204 | 207 |
DirContext ctx = null; |
205 |
try |
|
206 |
{ |
|
208 |
try { |
|
207 | 209 |
double startTime = System.currentTimeMillis(); |
208 |
//Here to check the autheration
|
|
210 |
//Here to check the authorization
|
|
209 | 211 |
ctx = new InitialDirContext(env); |
210 | 212 |
double stopTime = System.currentTimeMillis(); |
211 | 213 |
util.debugMessage("Connection time thru " + ldapsUrl + " was: " + |
... | ... | |
216 | 218 |
this.ldapUrl = ldapUrl; |
217 | 219 |
this.ldapBase = ldapBase; |
218 | 220 |
//break; |
219 |
} |
|
220 |
catch (AuthenticationException ae) |
|
221 |
{ |
|
221 |
} catch (AuthenticationException ae) { |
|
222 | 222 |
authenticated = false; |
223 |
if ( ctx != null ) |
|
224 |
{ |
|
223 |
if ( ctx != null ) { |
|
225 | 224 |
ctx.close(); |
226 | 225 |
} |
227 |
} |
|
228 |
catch (javax.naming.InvalidNameException ine) |
|
229 |
{ |
|
226 |
} catch (javax.naming.InvalidNameException ine) { |
|
230 | 227 |
util.debugMessage("An invalid DN was provided!", 30); |
231 |
} |
|
232 |
catch (javax.naming.ReferralException re) |
|
233 |
{ |
|
228 |
} catch (javax.naming.ReferralException re) { |
|
234 | 229 |
util.debugMessage("referral during authentication", 30); |
235 | 230 |
util.debugMessage("Referral information: "+re.getReferralInfo(), 30); |
236 |
try |
|
237 |
{ |
|
231 |
try { |
|
238 | 232 |
refExc = re; |
239 | 233 |
|
240 | 234 |
Thread t = new Thread(this); |
... | ... | |
242 | 236 |
Thread.sleep(5000); //this is a manual override of ldap's |
243 | 237 |
//hideously long time out period. |
244 | 238 |
util.debugMessage("Awake after 5 seconds.", 35); |
245 |
if (referralContext == null) |
|
246 |
{ |
|
239 |
if (referralContext == null) { |
|
247 | 240 |
t.interrupt(); |
248 | 241 |
authenticated = false; |
249 |
} |
|
250 |
else |
|
251 |
{ |
|
242 |
} else { |
|
252 | 243 |
authenticated = true; |
253 |
|
|
254 | 244 |
} |
255 |
} |
|
256 |
catch (Exception e) |
|
257 |
{ |
|
245 |
} catch (Exception e) { |
|
258 | 246 |
authenticated = false; |
259 | 247 |
} |
260 | 248 |
} |
261 |
} |
|
262 |
else |
|
263 |
{ |
|
249 |
} else { |
|
264 | 250 |
util.debugMessage("User not found", 30); |
265 | 251 |
} |
266 | 252 |
double totStopTime = System.currentTimeMillis(); |
... | ... | |
314 | 300 |
user.indexOf(",", position+1)); |
315 | 301 |
MetaCatUtil.debugMessage("Second comp is: " + comp2, 35); |
316 | 302 |
|
317 |
String filter = "(&(" + comp1 + ")(" + comp2 + "))"; |
|
303 |
String filter = "(&(" + comp1 + "))"; |
|
304 |
//String filter = "(&(" + comp1 + ")(" + comp2 + "))"; |
|
318 | 305 |
MetaCatUtil.debugMessage("Filter is: " + filter, 35); |
319 | 306 |
MetaCatUtil.debugMessage("Provider URL is: " + ldapUrl + ldapBase, 35); |
320 | 307 |
NamingEnumeration answer; |
321 | 308 |
try { |
309 |
util.debugMessage("Trying search 1: " + filter, 35); |
|
322 | 310 |
answer = ctx.search("", filter, ctls); |
311 |
util.debugMessage("Search 1 complete", 35); |
|
312 |
if (answer == null) { |
|
313 |
util.debugMessage("Search 1 answer is null.", 35); |
|
314 |
} |
|
323 | 315 |
if (answer.hasMore()) { |
316 |
util.debugMessage("Search 1 has answers.", 35); |
|
324 | 317 |
SearchResult sr = (SearchResult)answer.next(); |
325 | 318 |
identifier = sr.getName(); |
326 | 319 |
util.debugMessage("Originally Found: " + identifier, 35); |
327 | 320 |
return identifier; |
328 | 321 |
} |
329 |
} catch (InvalidSearchFilterException e) {} |
|
322 |
} catch (InvalidSearchFilterException e) { |
|
323 |
util.debugMessage("Invalid Filter exception thrown (if1)", 35); |
|
324 |
} |
|
330 | 325 |
|
331 | 326 |
// That failed, so check if it is just a username |
332 | 327 |
filter = "(" + user + ")"; |
333 | 328 |
try { |
329 |
MetaCatUtil.debugMessage("Trying again: " + filter, 35); |
|
334 | 330 |
answer = ctx.search("", filter, ctls); |
335 | 331 |
if (answer.hasMore()) { |
336 | 332 |
SearchResult sr = (SearchResult)answer.next(); |
... | ... | |
349 | 345 |
|
350 | 346 |
// Maybe its a user id (uid) |
351 | 347 |
filter = "(uid=" + user + ")"; |
348 |
MetaCatUtil.debugMessage("Trying again: " + filter, 35); |
|
352 | 349 |
answer = ctx.search("", filter, ctls); |
353 | 350 |
if (answer.hasMore()) { |
354 | 351 |
SearchResult sr = (SearchResult)answer.next(); |
... | ... | |
364 | 361 |
|
365 | 362 |
// maybe its just a common name |
366 | 363 |
filter = "(cn=" + user + ")"; |
364 |
MetaCatUtil.debugMessage("Trying again: " + filter, 35); |
|
367 | 365 |
NamingEnumeration answer2 = ctx.search("", filter, ctls); |
368 | 366 |
if (answer2.hasMore()) { |
369 | 367 |
SearchResult sr = (SearchResult)answer2.next(); |
... | ... | |
380 | 378 |
|
381 | 379 |
// ok, last resort, is it a surname? |
382 | 380 |
filter = "(sn=" + user + ")"; |
381 |
MetaCatUtil.debugMessage("Trying again: " + filter, 35); |
|
383 | 382 |
NamingEnumeration answer3 = ctx.search("", filter, ctls); |
384 | 383 |
if (answer3.hasMore()) { |
385 | 384 |
SearchResult sr = (SearchResult)answer3.next(); |
... | ... | |
402 | 401 |
throw new NamingException( |
403 | 402 |
"Naming exception in AuthLdap.getIdentifyingName: " + e); |
404 | 403 |
} |
404 |
MetaCatUtil.debugMessage("Returning found identifier as: " + identifier, 35); |
|
405 | 405 |
return identifier; |
406 | 406 |
} |
407 | 407 |
|
... | ... | |
1025 | 1025 |
{ |
1026 | 1026 |
//revise environment variable |
1027 | 1027 |
referralInfo=(String)refExc.getReferralInfo(); |
1028 |
env.put(Context.PROVIDER_URL,refExc.getReferralInfo()); |
|
1029 |
//System.out.println("referral info: "+referralInfo); |
|
1030 |
//if (referralInfo.indexOf("piscoweb")!=-1) |
|
1031 |
//{ |
|
1032 |
//userName=uid+",o=PISCO,dc=piscoweb,dc=org"; |
|
1033 |
//} |
|
1034 |
env.put(Context.INITIAL_CONTEXT_FACTORY, |
|
1035 |
"com.sun.jndi.ldap.LdapCtxFactory"); |
|
1036 |
//System.out.println("principal: "+userName); |
|
1037 |
env.put(Context.SECURITY_PRINCIPAL, userName); |
|
1038 |
env.put(Context.SECURITY_CREDENTIALS, userPassword); |
|
1039 |
env.put(Context.REFERRAL, "throw"); |
|
1040 |
//get a context object for referral in the new envriment |
|
1041 |
rContext = refExc.getReferralContext(env); |
|
1028 |
util.debugMessage("Processing referral (pr0): ", 35); |
|
1029 |
util.debugMessage("PROVIDER_URL set to (pr1): " + referralInfo, 35); |
|
1030 |
//env.put(Context.PROVIDER_URL,referralInfo); |
|
1031 |
//env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); |
|
1032 |
//env.put(Context.SECURITY_PRINCIPAL, userName); |
|
1033 |
//env.put(Context.SECURITY_CREDENTIALS, userPassword); |
|
1034 |
//env.put(Context.REFERRAL, "throw"); |
|
1035 |
//util.debugMessage("Processing referral (pr1.info): " + userName,35); |
|
1036 |
//util.debugMessage("Processing referral (pr2)",35); |
|
1037 |
//rContext = refExc.getReferralContext(env); |
|
1038 |
rContext = refExc.getReferralContext(); |
|
1039 |
util.debugMessage("Processing referral (pr3)",35); |
|
1042 | 1040 |
//casting the context to dircontext and it will create a |
1043 | 1041 |
//autherntication or naming exception if DN and password is incorrect |
1044 | 1042 |
referralContext=rContext; |
... | ... | |
1046 | 1044 |
refDirContext.close(); |
1047 | 1045 |
//get context and jump out the while loop |
1048 | 1046 |
moreReferrals=false; |
1047 |
util.debugMessage("Processing referral (pr4)",35); |
|
1049 | 1048 |
}//try |
1050 | 1049 |
//if referral have another referral excption |
1051 | 1050 |
catch (ReferralException re) |
1052 | 1051 |
{ |
1052 |
util.debugMessage("GOT referral exception (re1): " + re.getMessage(),35); |
|
1053 |
util.debugMessage("RE details (re2): " + re.toString(true),35); |
|
1053 | 1054 |
//keep running in while loop |
1054 | 1055 |
moreReferrals=true; |
1055 | 1056 |
//assign refExc to new referral exception re |
... | ... | |
1058 | 1059 |
//catch a authentication exception |
1059 | 1060 |
catch (AuthenticationException ae) |
1060 | 1061 |
{ |
1061 |
util.debugMessage("Error running referral handler thread: " + |
|
1062 |
util.debugMessage("Error running referral handler thread (ae1): " +
|
|
1062 | 1063 |
ae.getMessage(), 20); |
1063 | 1064 |
//check if has another referral |
1064 | 1065 |
moreReferrals=refExc.skipReferral(); |
... | ... | |
1068 | 1069 |
//catch a naming exception |
1069 | 1070 |
catch (NamingException ne) |
1070 | 1071 |
{ |
1071 |
util.debugMessage("Error running referral handler thread: " + |
|
1072 |
util.debugMessage("Error running referral handler thread (ne1): " +
|
|
1072 | 1073 |
ne.getMessage(), 20); |
1073 | 1074 |
//check if has another referral |
1074 | 1075 |
moreReferrals=refExc.skipReferral(); |
... | ... | |
1128 | 1129 |
} |
1129 | 1130 |
catch (AuthenticationException ae) |
1130 | 1131 |
{ |
1131 |
util.debugMessage("Error running referral handler thread: " + |
|
1132 |
util.debugMessage("Error running referral handler thread (ae2): " +
|
|
1132 | 1133 |
ae.getMessage(), 50); |
1133 | 1134 |
//check if has another referral |
1134 | 1135 |
moreReferrals=refExc.skipReferral(); |
... | ... | |
1137 | 1138 |
} |
1138 | 1139 |
catch (NamingException ne) |
1139 | 1140 |
{ |
1140 |
util.debugMessage("Error running referral handler thread: " + |
|
1141 |
util.debugMessage("Error running referral handler thread (ne2): " +
|
|
1141 | 1142 |
ne.getMessage(), 50); |
1142 | 1143 |
//check if has another referral |
1143 | 1144 |
moreReferrals=refExc.skipReferral(); |
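Review bot: The rewritten filter at new line 303, `String filter = "(&(" + comp1 + "))";`, still splices a caller-controlled string straight into the LDAP search filter, as do the unchanged `"(" + user + ")"`, `"(uid=" + user + ")"`, `"(cn=" + user + ")"` and `"(sn=" + user + ")"` fallbacks below it, so a login name containing `)`, `(`, `*` or `\` rewrites the query (e.g. an extra `(userPassword=a*)` clause) instead of being matched literally; comp1 appears to be a substring of `user` (comp2's extraction at new line 300 visibly is), so it needs the same treatment. Escape the RFC 4515 metacharacters before concatenation via a small helper like the one sketched below and apply it at every filter site; getIdentifyingName starts and ends outside the visible lines, so the remaining sites are not all shown here. Separately, the new `URLDecoder.decode(identifier)` at line 116 uses the platform default charset, turns a legitimate `+` in a returned DN into a space, and throws an unchecked `IllegalArgumentException` on a stray `%`, which would abort authenticate() rather than fail it cleanly; if the decode is only meant for the referral-URL case, move it inside the `identifier.startsWith("ldap")` branch and catch `IllegalArgumentException` there. Note also that the referral thread assigns `referralContext = rContext` (new line 1042) before `refDirContext.close()`, the call the comment says triggers the real authentication, so if that close throws and the catch blocks do not clear `referralContext`, the `referralContext == null` test at new line 239 would report `authenticated = true`; please confirm the hidden line 1043 and catch bodies reset it.
```java
/** Escapes the RFC 4515 filter metacharacters so the value matches literally. */
private static String escapeFilterValue(String value) {
    StringBuffer sb = new StringBuffer(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '\\': sb.append("\\5c"); break;
            case '*':  sb.append("\\2a"); break;
            case '(':  sb.append("\\28"); break;
            case ')':  sb.append("\\29"); break;
            case '\0': sb.append("\\00"); break;
            default:   sb.append(c);
        }
    }
    return sb.toString();
}
// … unchanged: getIdentifyingName up to the comp1/comp2 extraction …
String filter = "(&(" + escapeFilterValue(comp1) + "))";
// … unchanged: later fallbacks, each wrapping `user` in escapeFilterValue(...) the same way …
```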
Modified LDAP authentication to support a lookup for the NRS system. If
the auth on the provided string fails as a DN, try to look up a new
DN based on the UID. If we get a match, use that DN for auth and see
if that works. This allows us to use a referral within the
dc=ecoinformatics,dc=org tree to point at distinguished names that are
rooted in another tree (such as ou=People,o=ucnrs.org).