Revision 5158
Added by daigle over 14 years ago
| AuthLdap.java | ||
|---|---|---|
| 77 | 77 |
private int ldapSearchTimeLimit; |
| 78 | 78 |
private int ldapSearchCountLimit; |
| 79 | 79 |
private String currentReferralInfo; |
| 80 |
Hashtable env = new Hashtable(11);
|
|
| 80 |
Hashtable<String, String> env = new Hashtable<String, String>(11);
|
|
| 81 | 81 |
private Context rContext; |
| 82 | 82 |
private String userName; |
| 83 | 83 |
private String userPassword; |
| ... | ... | |
| 272 | 272 |
logMetacat.warn("AuthLdap.ldapAuthenticate - Trying to authenticate: " +
|
| 273 | 273 |
userDN + " Using server: " + server); |
| 274 | 274 |
|
| 275 |
LdapContext ctx = null; |
|
| 276 |
double startTime; |
|
| 277 |
double stopTime; |
|
| 278 | 275 |
try {
|
| 279 |
Hashtable env = new Hashtable();
|
|
| 276 |
Hashtable<String, String> env = new Hashtable<String, String>();
|
|
| 280 | 277 |
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); |
| 281 | 278 |
env.put(Context.PROVIDER_URL, server); |
| 282 | 279 |
env.put(Context.REFERRAL, "throw"); |
| 280 |
|
|
| 283 | 281 |
try {
|
| 282 |
authenticated = authenticateTLS(env, userDN, password); |
|
| 283 |
} catch (AuthTLSException ate) {
|
|
| 284 |
logMetacat.info("AuthLdap.ldapAuthenticate - error while negotiating TLS: "
|
|
| 285 |
+ ate.getMessage()); |
|
| 284 | 286 |
|
| 285 |
startTime = System.currentTimeMillis(); |
|
| 286 |
ctx = new InitialLdapContext(env, null); |
|
| 287 |
// Start up TLS here so that we don't pass our jewels in |
|
| 288 |
// cleartext |
|
| 289 |
StartTlsResponse tls = (StartTlsResponse) ctx |
|
| 290 |
.extendedOperation(new StartTlsRequest()); |
|
| 291 |
// tls.setHostnameVerifier(new SampleVerifier()); |
|
| 292 |
SSLSession sess = tls.negotiate(); |
|
| 293 |
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 294 |
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN); |
|
| 295 |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); |
|
| 296 |
ctx.reconnect(null); |
|
| 297 |
stopTime = System.currentTimeMillis(); |
|
| 298 |
logMetacat.info("AuthLdap.ldapAuthenticate - Connection time thru " + ldapsUrl + " was: "
|
|
| 299 |
+ (stopTime - startTime) / 1000 + " seconds."); |
|
| 300 |
authenticated = true; |
|
| 301 |
} catch (IOException ioe) {
|
|
| 302 |
logMetacat.info("AuthLdap.ldapAuthenticate - Caught IOException in login while negotiating TLS: "
|
|
| 303 |
+ ioe.getMessage()); |
|
| 304 |
|
|
| 305 | 287 |
if (secureConnectionOnly) {
|
| 306 | 288 |
return authenticated; |
| 307 | 289 |
|
| 308 | 290 |
} else {
|
| 309 |
logMetacat.info("AuthLdap.ldapAuthenticate - Trying to authenticate without TLS");
|
|
| 310 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 311 |
env.put(Context.SECURITY_PRINCIPAL, userDN); |
|
| 312 |
env.put(Context.SECURITY_CREDENTIALS, password); |
|
| 313 |
|
|
| 314 |
startTime = System.currentTimeMillis(); |
|
| 315 |
ctx = new InitialLdapContext(env, null); |
|
| 316 |
stopTime = System.currentTimeMillis(); |
|
| 317 |
logMetacat.info("AuthLdap.ldapAuthenticate - Connection time thru " + ldapsUrl + " was: "
|
|
| 318 |
+ (stopTime - startTime) / 1000 + " seconds."); |
|
| 319 |
authenticated = true; |
|
| 291 |
authenticated = authenticateNonTLS(env, userDN, password); |
|
| 320 | 292 |
} |
| 321 | 293 |
} |
| 322 | 294 |
} catch (AuthenticationException ae) {
|
| ... | ... | |
| 331 | 303 |
|
| 332 | 304 |
return authenticated; |
| 333 | 305 |
} |
| 306 |
|
|
| 307 |
private boolean authenticateTLS(Hashtable<String, String> env, String userDN, String password) |
|
| 308 |
throws AuthTLSException{
|
|
| 309 |
logMetacat.info("AuthLdap.authenticateTLS - Trying to authenticate with TLS");
|
|
| 310 |
try {
|
|
| 311 |
LdapContext ctx = null; |
|
| 312 |
double startTime; |
|
| 313 |
double stopTime; |
|
| 314 |
startTime = System.currentTimeMillis(); |
|
| 315 |
ctx = new InitialLdapContext(env, null); |
|
| 316 |
// Start up TLS here so that we don't pass our jewels in |
|
| 317 |
// cleartext |
|
| 318 |
StartTlsResponse tls = |
|
| 319 |
(StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); |
|
| 320 |
// tls.setHostnameVerifier(new SampleVerifier()); |
|
| 321 |
SSLSession sess = tls.negotiate(); |
|
| 322 |
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 323 |
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN); |
|
| 324 |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); |
|
| 325 |
ctx.reconnect(null); |
|
| 326 |
stopTime = System.currentTimeMillis(); |
|
| 327 |
logMetacat.info("AuthLdap.authenticateTLS - Connection time thru "
|
|
| 328 |
+ ldapsUrl + " was: " + (stopTime - startTime) / 1000 + " seconds."); |
|
| 329 |
} catch (NamingException ne) {
|
|
| 330 |
throw new AuthTLSException("AuthLdap.authenticateTLS - Naming error when athenticating via TLS: " + ne.getMessage());
|
|
| 331 |
} catch (IOException ioe) {
|
|
| 332 |
throw new AuthTLSException("AuthLdap.authenticateTLS - I/O error when athenticating via TLS: " + ioe.getMessage());
|
|
| 333 |
} |
|
| 334 |
return true; |
|
| 335 |
} |
|
| 336 |
|
|
| 337 |
private boolean authenticateNonTLS(Hashtable<String, String> env, String userDN, String password) |
|
| 338 |
throws NamingException {
|
|
| 339 |
LdapContext ctx = null; |
|
| 340 |
double startTime; |
|
| 341 |
double stopTime; |
|
| 342 |
|
|
| 343 |
logMetacat.info("AuthLdap.authenticateNonTLS - Trying to authenticate without TLS");
|
|
| 344 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
|
| 345 |
env.put(Context.SECURITY_PRINCIPAL, userDN); |
|
| 346 |
env.put(Context.SECURITY_CREDENTIALS, password); |
|
| 334 | 347 |
|
| 348 |
startTime = System.currentTimeMillis(); |
|
| 349 |
ctx = new InitialLdapContext(env, null); |
|
| 350 |
stopTime = System.currentTimeMillis(); |
|
| 351 |
logMetacat.info("AuthLdap.authenticateNonTLS - Connection time thru " + ldapsUrl + " was: "
|
|
| 352 |
+ (stopTime - startTime) / 1000 + " seconds."); |
|
| 353 |
|
|
| 354 |
return true; |
|
| 355 |
} |
|
| 356 |
|
|
| 335 | 357 |
/** |
| 336 | 358 |
* Get the identifying name for a given userid or name. This is the name |
| 337 | 359 |
* that is used in conjunction withthe LDAP BaseDN to create a distinguished |
Also available in: Unified diff
Separate code to do tls and non-tls authentication. Introduce AuthTLSException to make error handling easier.