Revision 3344
Added by berkley over 17 years ago
| src/edu/ucsb/nceas/metacat/AuthLdap.java | ||
|---|---|---|
| 254 | 254 |
LdapContext ctx = null; |
| 255 | 255 |
double startTime; |
| 256 | 256 |
double stopTime; |
| 257 |
try {
|
|
| 257 |
try |
|
| 258 |
{
|
|
| 258 | 259 |
Hashtable env = new Hashtable(); |
| 259 | 260 |
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); |
| 260 | 261 |
env.put(Context.PROVIDER_URL, server); |
| 261 | 262 |
env.put(Context.REFERRAL, "throw"); |
| 262 |
|
|
| 263 |
try {
|
|
| 263 |
try |
|
| 264 |
{
|
|
| 264 | 265 |
|
| 265 | 266 |
startTime = System.currentTimeMillis(); |
| 266 | 267 |
ctx = new InitialLdapContext(env, null); |
| 267 |
|
|
| 268 | 268 |
// Start up TLS here so that we don't pass our jewels in cleartext |
| 269 | 269 |
StartTlsResponse tls = |
| 270 | 270 |
(StartTlsResponse)ctx.extendedOperation(new StartTlsRequest()); |
| 271 | 271 |
//tls.setHostnameVerifier(new SampleVerifier()); |
| 272 | 272 |
SSLSession sess = tls.negotiate(); |
| 273 |
|
|
| 274 | 273 |
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
| 275 | 274 |
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN); |
| 276 | 275 |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); |
| 277 | 276 |
ctx.reconnect(null); |
| 278 |
|
|
| 279 | 277 |
stopTime = System.currentTimeMillis(); |
| 280 | 278 |
logMetacat.info("Connection time thru " + ldapsUrl + " was: " +
|
| 281 | 279 |
(stopTime - startTime) / 1000 + " seconds."); |
| 282 |
|
|
| 283 | 280 |
authenticated = true; |
| 284 |
} catch (java.io.IOException ioe) {
|
|
| 281 |
} |
|
| 282 |
catch (Exception ioe) |
|
| 283 |
{
|
|
| 285 | 284 |
logMetacat.info("Caught IOException in login while negotiating TLS: "
|
| 286 | 285 |
+ ioe.getMessage()); |
| 287 | 286 |
|
| 288 |
if(secureConnectionOnly){
|
|
| 289 |
|
|
| 287 |
if(secureConnectionOnly) |
|
| 288 |
{
|
|
| 290 | 289 |
return authenticated; |
| 291 | 290 |
|
| 292 |
} else {
|
|
| 293 |
|
|
| 291 |
} |
|
| 292 |
else |
|
| 293 |
{
|
|
| 294 | 294 |
logMetacat.info("Trying to authenticate without TLS");
|
| 295 | 295 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
| 296 | 296 |
env.put(Context.SECURITY_PRINCIPAL, userDN); |
| ... | ... | |
| 301 | 301 |
stopTime = System.currentTimeMillis(); |
| 302 | 302 |
logMetacat.info("Connection time thru " + ldapsUrl + " was: " +
|
| 303 | 303 |
(stopTime - startTime) / 1000 + " seconds."); |
| 304 |
|
|
| 305 | 304 |
authenticated = true; |
| 306 | 305 |
} |
| 307 | 306 |
} |
| 308 |
} catch (AuthenticationException ae) {
|
|
| 307 |
} |
|
| 308 |
catch (AuthenticationException ae) |
|
| 309 |
{
|
|
| 309 | 310 |
authenticated = false; |
| 310 |
} catch (javax.naming.InvalidNameException ine) {
|
|
| 311 |
} |
|
| 312 |
catch (javax.naming.InvalidNameException ine) |
|
| 313 |
{
|
|
| 311 | 314 |
logMetacat.error("An invalid DN was provided!");
|
| 312 |
} catch (NamingException e) {
|
|
| 315 |
} |
|
| 316 |
catch (NamingException e) |
|
| 317 |
{
|
|
| 313 | 318 |
logMetacat.warn("Caught NamingException in login: " + e.getClass().getName());
|
| 314 | 319 |
logMetacat.info(e.toString() + " " + e.getRootCause()); |
| 315 |
}
|
|
| 320 |
} |
|
| 316 | 321 |
|
| 317 | 322 |
return authenticated; |
| 318 | 323 |
} |
Also available in: Unified diff
fixed a bug in metacat that was preventing it from using non-TLS authentication. ldap was throwing a namingException which was causing the exception handling to go to the wrong block so non-tls auth never even got tried. this shoudl hopefully fix the problem with sanparks