GSSAPISASLMechanismHandler.java revision a395dd575518d9e5280fc5d5d5ef47c61b174647
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
*/
/**
* This class provides an implementation of a SASL mechanism that authenticates
* clients through Kerberos over GSSAPI.
*/
public class GSSAPISASLMechanismHandler
implements ConfigurationChangeListener<
{
/**
* The tracer object for the debug logger.
*/
// The DN of the configuration entry for this SASL mechanism handler.
private DN configEntryDN;
// The current configuration for this SASL mechanism handler.
// The identity mapper that will be used to map the Kerberos principal to a
// directory user.
private IdentityMapper<?> identityMapper;
// The fully-qualified domain name for the server system.
private String serverFQDN;
/**
* Creates a new instance of this SASL mechanism handler. No initialization
* should be done in this method, as it should all be performed in the
* <CODE>initializeSASLMechanismHandler</CODE> method.
*/
public GSSAPISASLMechanismHandler()
{
super();
}
/**
* {@inheritDoc}
*/
@Override()
public void initializeSASLMechanismHandler(
{
// Get the identity mapper that should be used to find users.
// Determine the fully-qualified hostname for this system. It may be
// provided, but if not, then try to determine it programmatically.
if (serverFQDN == null)
{
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
throw new InitializationException(message, e);
}
}
// Since we're going to be using JAAS behind the scenes, we need to have a
// JAAS configuration. Rather than always requiring the user to provide it,
// we'll write one to a temporary file that will be deleted when the JVM
// exits.
try
{
w.newLine();
w.write(" com.sun.security.auth.module.Krb5LoginModule required " +
"storeKey=true useKeyTab=true ");
if (keyTabFile != null)
{
}
// FIXME -- Should we add the ability to include "debug=true"?
// FIXME -- Can we get away from hard-coding a protocol here?
{
}
w.write("\";");
w.newLine();
w.write("};");
w.newLine();
w.flush();
w.close();
}
catch (Exception e)
{
if (debugEnabled())
{
}
throw new InitializationException(message, e);
}
}
/**
* {@inheritDoc}
*/
@Override()
public void finalizeSASLMechanismHandler()
{
}
/**
* {@inheritDoc}
*/
@Override()
{
// GSSAPI binds use multiple stages, so we need to determine whether this is
// the first stage or a subsequent one. To do that, see if we have SASL
// state information in the client connection.
if (clientConnection == null)
{
return;
}
{
}
else
{
try
{
}
catch (InitializationException ie)
{
if (debugEnabled())
{
}
return;
}
}
{
// The authentication was successful, so set the proper state information
// in the client connection and return success.
// FIXME -- If we're using integrity or confidentiality, then we can't do
// this.
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
}
}
{
// We need to store the SASL auth state with the client connection so we
// can resume authentication the next time around.
}
else
{
// The authentication failed. We don't want to keep the SASL state
// around.
// FIXME -- Are there other result codes that we need to check for and
// preserve the auth state?
}
}
/**
* Retrieves the user account for the user associated with the provided
* authorization ID.
*
* @param bindOperation The bind operation from which the provided
* authorization ID was derived.
* @param authzID The authorization ID for which to retrieve the
* associated user.
*
* @return The user entry for the user with the specified authorization ID,
* or <CODE>null</CODE> if none is identified.
*
* @throws DirectoryException If a problem occurs while searching the
* directory for the associated user, or if
* multiple matching entries are found.
*/
throws DirectoryException
{
}
/**
* {@inheritDoc}
*/
@Override()
{
// This is not a password-based mechanism.
return false;
}
/**
* {@inheritDoc}
*/
@Override()
{
// This may be considered a secure mechanism.
return true;
}
/**
* {@inheritDoc}
*/
@Override()
public boolean isConfigurationAcceptable(
{
}
/**
* {@inheritDoc}
*/
public boolean isConfigurationChangeAcceptable(
{
return true;
}
/**
* {@inheritDoc}
*/
{
boolean adminActionRequired = false;
// Get the identity mapper that should be used to find users.
// Determine the fully-qualified hostname for this system. It may be
// provided, but if not, then try to determine it programmatically.
{
try
{
}
catch (Exception e)
{
if (debugEnabled())
{
}
{
}
getExceptionMessage(e)));
}
}
{
try
{
w.newLine();
w.write(" com.sun.security.auth.module.Krb5LoginModule required " +
"storeKey=true useKeyTab=true ");
if (keyTabFile != null)
{
}
// FIXME -- Should we add the ability to include "debug=true"?
// FIXME -- Can we get away from hard-coding a protocol here?
{
}
w.write("\";");
w.newLine();
w.write("};");
w.newLine();
w.flush();
w.close();
}
catch (Exception e)
{
if (debugEnabled())
{
}
getExceptionMessage(e)));
}
}
}
}