Revision 5158
Added by daigle over 14 years ago
AuthLdap.java | ||
77 | 77 |
private int ldapSearchTimeLimit; |
78 | 78 |
private int ldapSearchCountLimit; |
79 | 79 |
private String currentReferralInfo; |
80 |
Hashtable env = new Hashtable(11);
|
|
80 |
Hashtable<String, String> env = new Hashtable<String, String>(11);
|
|
81 | 81 |
private Context rContext; |
82 | 82 |
private String userName; |
83 | 83 |
private String userPassword; |
... | ... | |
272 | 272 |
logMetacat.warn("AuthLdap.ldapAuthenticate - Trying to authenticate: " + |
273 | 273 |
userDN + " Using server: " + server); |
274 | 274 |
|
275 |
LdapContext ctx = null; |
|
276 |
double startTime; |
|
277 |
double stopTime; |
|
278 | 275 |
try { |
279 |
Hashtable env = new Hashtable();
|
|
276 |
Hashtable<String, String> env = new Hashtable<String, String>();
|
|
280 | 277 |
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); |
281 | 278 |
env.put(Context.PROVIDER_URL, server); |
282 | 279 |
env.put(Context.REFERRAL, "throw"); |
280 |
|
|
283 | 281 |
try { |
282 |
authenticated = authenticateTLS(env, userDN, password); |
|
283 |
} catch (AuthTLSException ate) { |
|
284 |
logMetacat.info("AuthLdap.ldapAuthenticate - error while negotiating TLS: " |
|
285 |
+ ate.getMessage()); |
|
284 | 286 |
|
285 |
startTime = System.currentTimeMillis(); |
|
286 |
ctx = new InitialLdapContext(env, null); |
|
287 |
// Start up TLS here so that we don't pass our jewels in |
|
288 |
// cleartext |
|
289 |
StartTlsResponse tls = (StartTlsResponse) ctx |
|
290 |
.extendedOperation(new StartTlsRequest()); |
|
291 |
// tls.setHostnameVerifier(new SampleVerifier()); |
|
292 |
SSLSession sess = tls.negotiate(); |
|
293 |
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
|
294 |
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN); |
|
295 |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); |
|
296 |
ctx.reconnect(null); |
|
297 |
stopTime = System.currentTimeMillis(); |
|
298 |
logMetacat.info("AuthLdap.ldapAuthenticate - Connection time thru " + ldapsUrl + " was: " |
|
299 |
+ (stopTime - startTime) / 1000 + " seconds."); |
|
300 |
authenticated = true; |
|
301 |
} catch (IOException ioe) { |
|
302 |
logMetacat.info("AuthLdap.ldapAuthenticate - Caught IOException in login while negotiating TLS: " |
|
303 |
+ ioe.getMessage()); |
|
304 |
|
|
305 | 287 |
if (secureConnectionOnly) { |
306 | 288 |
return authenticated; |
307 | 289 |
|
308 | 290 |
} else { |
309 |
logMetacat.info("AuthLdap.ldapAuthenticate - Trying to authenticate without TLS"); |
|
310 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
|
311 |
env.put(Context.SECURITY_PRINCIPAL, userDN); |
|
312 |
env.put(Context.SECURITY_CREDENTIALS, password); |
|
313 |
|
|
314 |
startTime = System.currentTimeMillis(); |
|
315 |
ctx = new InitialLdapContext(env, null); |
|
316 |
stopTime = System.currentTimeMillis(); |
|
317 |
logMetacat.info("AuthLdap.ldapAuthenticate - Connection time thru " + ldapsUrl + " was: " |
|
318 |
+ (stopTime - startTime) / 1000 + " seconds."); |
|
319 |
authenticated = true; |
|
291 |
authenticated = authenticateNonTLS(env, userDN, password); |
|
320 | 292 |
} |
321 | 293 |
} |
322 | 294 |
} catch (AuthenticationException ae) { |
... | ... | |
331 | 303 |
|
332 | 304 |
return authenticated; |
333 | 305 |
} |
306 |
|
|
307 |
private boolean authenticateTLS(Hashtable<String, String> env, String userDN, String password) |
|
308 |
throws AuthTLSException{ |
|
309 |
logMetacat.info("AuthLdap.authenticateTLS - Trying to authenticate with TLS"); |
|
310 |
try { |
|
311 |
LdapContext ctx = null; |
|
312 |
double startTime; |
|
313 |
double stopTime; |
|
314 |
startTime = System.currentTimeMillis(); |
|
315 |
ctx = new InitialLdapContext(env, null); |
|
316 |
// Start up TLS here so that we don't pass our jewels in |
|
317 |
// cleartext |
|
318 |
StartTlsResponse tls = |
|
319 |
(StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); |
|
320 |
// tls.setHostnameVerifier(new SampleVerifier()); |
|
321 |
SSLSession sess = tls.negotiate(); |
|
322 |
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
|
323 |
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN); |
|
324 |
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); |
|
325 |
ctx.reconnect(null); |
|
326 |
stopTime = System.currentTimeMillis(); |
|
327 |
logMetacat.info("AuthLdap.authenticateTLS - Connection time thru " |
|
328 |
+ ldapsUrl + " was: " + (stopTime - startTime) / 1000 + " seconds."); |
|
329 |
} catch (NamingException ne) { |
|
330 |
throw new AuthTLSException("AuthLdap.authenticateTLS - Naming error when athenticating via TLS: " + ne.getMessage()); |
|
331 |
} catch (IOException ioe) { |
|
332 |
throw new AuthTLSException("AuthLdap.authenticateTLS - I/O error when athenticating via TLS: " + ioe.getMessage()); |
|
333 |
} |
|
334 |
return true; |
|
335 |
} |
|
336 |
|
|
337 |
private boolean authenticateNonTLS(Hashtable<String, String> env, String userDN, String password) |
|
338 |
throws NamingException { |
|
339 |
LdapContext ctx = null; |
|
340 |
double startTime; |
|
341 |
double stopTime; |
|
342 |
|
|
343 |
logMetacat.info("AuthLdap.authenticateNonTLS - Trying to authenticate without TLS"); |
|
344 |
env.put(Context.SECURITY_AUTHENTICATION, "simple"); |
|
345 |
env.put(Context.SECURITY_PRINCIPAL, userDN); |
|
346 |
env.put(Context.SECURITY_CREDENTIALS, password); |
|
334 | 347 |
|
348 |
startTime = System.currentTimeMillis(); |
|
349 |
ctx = new InitialLdapContext(env, null); |
|
350 |
stopTime = System.currentTimeMillis(); |
|
351 |
logMetacat.info("AuthLdap.authenticateNonTLS - Connection time thru " + ldapsUrl + " was: " |
|
352 |
+ (stopTime - startTime) / 1000 + " seconds."); |
|
353 |
|
|
354 |
return true; |
|
355 |
} |
|
356 |
|
|
335 | 357 |
/** |
336 | 358 |
* Get the identifying name for a given userid or name. This is the name |
337 | 359 |
* that is used in conjunction withthe LDAP BaseDN to create a distinguished |
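Review bot: Both new helpers report success whenever the bind does not throw (`return true;` at the end of `authenticateTLS` and `authenticateNonTLS`), so an empty `password` — which JNDI and many LDAP servers treat as an anonymous simple bind rather than a failed one — would "authenticate" `userDN` unless the caller already rejects blank credentials, which this section does not show. I would guard before either helper is reached, at the top of the `try` in `ldapAuthenticate`: `if (password == null || password.length() == 0) { return false; }`. Separately, neither helper ever closes the `InitialLdapContext` it creates, so every authentication leaks a bound LDAP connection; wrap each body as `try { … } finally { if (ctx != null) ctx.close(); }` (catching the `NamingException` from `close()` in `authenticateTLS`). Note also that with `secureConnectionOnly` false, any failure inside `authenticateTLS` — including one a network attacker can provoke by rejecting the StartTLS extended operation — falls through to `authenticateNonTLS` and sends the password in cleartext, so that fallback deserves at least a `warn`-level log line rather than `info`. `ldapAuthenticate` begins before this section's first hunk, and the `AuthTLSException` class itself is not shown here.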
Separate the code for TLS and non-TLS authentication. Introduce AuthTLSException to make error handling easier.