
Example 6 with AuthenticationNotSupportedException

use of javax.naming.AuthenticationNotSupportedException in project athenz by yahoo.

From the class LDAPAuthority, the method authenticate:

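/**
 * Authenticates an HTTP Basic credential by binding to the LDAP directory as the named user.
 *
 * <p>The credential is expected as {@code "Basic <base64(username:password)>"}. The username is
 * escaped per RFC 4514 before it is placed into the bind DN so that a crafted username cannot
 * alter the DN structure (e.g. inject extra RDNs or change the search base).
 *
 * @param creds      raw Authorization header value; must start with {@code "Basic "}
 * @param remoteAddr client address (not used by this implementation)
 * @param httpMethod HTTP method (not used by this implementation)
 * @param errMsg     buffer that receives a human-readable failure reason when {@code null} is returned
 * @return the authenticated principal, or {@code null} on any failure (reason appended to {@code errMsg})
 */
@Override
public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
    if (creds == null || !creds.startsWith("Basic ")) {
        errMsg.append("LDAPAuthority: authenticate: credentials do not start with 'Basic '");
        LOG.error(errMsg.toString());
        return null;
    }
    final String encodedCreds = creds.substring(6);
    String decodedCreds;
    try {
        // Decode with an explicit charset so behaviour does not depend on the platform default.
        decodedCreds = new String(Base64.getDecoder().decode(encodedCreds),
                java.nio.charset.StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
        // Base64.Decoder#decode reports malformed input as IllegalArgumentException.
        errMsg.append("LDAPAuthority: authenticate: factory exc=").append(e.getMessage());
        LOG.error(errMsg.toString());
        return null;
    }
    int idx = decodedCreds.indexOf(':');
    if (idx == -1) {
        errMsg.append("LDAPAuthority: authenticate: no password specified");
        LOG.error(errMsg.toString());
        return null;
    }
    final String username = decodedCreds.substring(0, idx);
    final String password = decodedCreds.substring(idx + 1);
    // An empty password must never reach the bind: RFC 4513 treats a simple bind with an empty
    // password as an unauthenticated (anonymous) bind, which many servers accept, so passing it
    // through would let "user:" authenticate as "user". An empty username is rejected for symmetry.
    if (username.isEmpty() || password.isEmpty()) {
        errMsg.append("LDAPAuthority: authenticate: empty username or password");
        LOG.error(errMsg.toString());
        return null;
    }
    final String finalDN = "cn=" + escapeDnValue(username) + "," + baseDN;
    try {
        DirContext ctx = getDirContext(finalDN, password);
        // Closing here releases the bind connection; a close failure surfaces as NamingException below.
        ctx.close();
    } catch (AuthenticationException e) {
        errMsg.append("LDAPAuthority: failed: Wrong credentials");
        LOG.error(errMsg.toString());
        return null;
    } catch (AuthenticationNotSupportedException e) {
        errMsg.append("LDAPAuthority: failed: Authentication method not supported");
        LOG.error(errMsg.toString());
        return null;
    } catch (NamingException e) {
        errMsg.append("LDAPAuthority: failed: ").append(e.getMessage());
        LOG.error(errMsg.toString());
        return null;
    }
    // getSimplePrincipal is defined elsewhere in this class; it is assumed to return null when the
    // principal cannot be built — TODO confirm against its implementation.
    SimplePrincipal simplePrincipal = getSimplePrincipal(creds, username);
    if (simplePrincipal == null) {
        errMsg.append("LDAPAuthority:authenticate: failed to create principal: user=").append(username);
        LOG.error(errMsg.toString());
        return null;
    }
    simplePrincipal.setUnsignedCreds(username);
    return simplePrincipal;
}

/**
 * Escapes a single attribute value for use inside a distinguished name (RFC 4514 section 2.4).
 *
 * <p>The characters {@code \ , + " < > ; =} are backslash-escaped anywhere in the value, a leading
 * space or {@code #} and a trailing space are backslash-escaped, and NUL is written as {@code \00}.
 *
 * @param value raw attribute value (e.g. a username taken from client input)
 * @return the value with DN metacharacters escaped
 */
private static String escapeDnValue(String value) {
    final int len = value.length();
    StringBuilder sb = new StringBuilder(len + 8);
    for (int i = 0; i < len; i++) {
        char c = value.charAt(i);
        if (c == '\0') {
            sb.append("\\00");
            continue;
        }
        boolean special = "\\,+\"<>;=".indexOf(c) >= 0;
        boolean edgeChar = (i == 0 && (c == ' ' || c == '#')) || (i == len - 1 && c == ' ');
        if (special || edgeChar) {
            sb.append('\\');
        }
        sb.append(c);
    }
    return sb.toString();
}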

Example 7 with AuthenticationNotSupportedException

use of javax.naming.AuthenticationNotSupportedException in project alfresco-repository by Alfresco.

From the class LDAPInitialDirContextFactoryImpl, the method afterPropertiesSet:

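/**
 * Probes the configured LDAP server once the factory's properties have been set.
 *
 * <p>Four bind attempts are made against a copy of {@code authenticatedEnvironment}:
 * <ol>
 *   <li>no principal/credentials — a success is only logged as a warning (anonymous bind allowed);</li>
 *   <li>a bogus plain uid with a bogus password;</li>
 *   <li>a bogus DN with a bogus password;</li>
 *   <li>the configured {@code SECURITY_PRINCIPAL} with an invalid password (skipped if already in
 *       {@code checkedEnvs}).</li>
 * </ol>
 * If any of probes 2–4 succeeds, the server is silently falling back to an anonymous bind on bad
 * credentials, which would let any password authenticate, so an {@link AuthenticationException} is
 * thrown. A failure that is not an authentication failure on the first probe aborts the checks,
 * since the server is unreachable. Every context obtained by a probe is closed.
 *
 * @throws Exception if the server falls back to anonymous bind, or if trust-store initialisation fails
 */
public void afterPropertiesSet() throws Exception {
    logger.debug("after Properties Set");

    // Check Anonymous bind
    Hashtable<String, String> env = buildProbeEnvironment(null, null);
    try {
        closeQuietly(new InitialDirContext(env));
        logger.warn("LDAP server supports anonymous bind " + env.get(Context.PROVIDER_URL));
    } catch (javax.naming.AuthenticationException ignored) {
        // Expected: the server refuses anonymous bind.
    } catch (AuthenticationNotSupportedException ignored) {
        // Expected: anonymous bind is not an offered mechanism.
    } catch (NamingException nx) {
        // Anything else means the server cannot be reached; the remaining probes would be meaningless.
        logger.error("Unable to connect to LDAP Server; check LDAP configuration", nx);
        return;
    }

    // Simple DN and password
    env = buildProbeEnvironment("daftAsABrush", "daftAsABrush");
    try {
        closeQuietly(new InitialDirContext(env));
        throw new AuthenticationException("The ldap server at " + env.get(Context.PROVIDER_URL) + " falls back to use anonymous bind if invalid security credentials are presented. This is not supported.");
    } catch (javax.naming.AuthenticationException ax) {
        logger.info("LDAP server does not fall back to anonymous bind for a string uid and password at " + env.get(Context.PROVIDER_URL));
    } catch (AuthenticationNotSupportedException e) {
        logger.info("LDAP server does not fall back to anonymous bind for a string uid and password at " + env.get(Context.PROVIDER_URL));
    } catch (NamingException nx) {
        logger.info("LDAP server does not support simple string user ids and invalid credentials at " + env.get(Context.PROVIDER_URL));
    }

    // DN and password
    env = buildProbeEnvironment("cn=daftAsABrush,dc=woof", "daftAsABrush");
    try {
        closeQuietly(new InitialDirContext(env));
        throw new AuthenticationException("The ldap server at " + env.get(Context.PROVIDER_URL) + " falls back to use anonymous bind if invalid security credentials are presented. This is not supported.");
    } catch (javax.naming.AuthenticationException ax) {
        logger.info("LDAP server does not fall back to anonymous bind for a simple dn and password at " + env.get(Context.PROVIDER_URL));
    } catch (AuthenticationNotSupportedException e) {
        logger.info("LDAP server does not fall back to anonymous bind for a simple dn and password at " + env.get(Context.PROVIDER_URL));
    } catch (NamingException nx) {
        logger.info("LDAP server does not support simple DN and invalid password at " + env.get(Context.PROVIDER_URL));
    }

    // Check more if we have a real principal we expect to work
    String principal = defaultEnvironment.get(Context.SECURITY_PRINCIPAL);
    if (principal != null) {
        // Correct principal invalid password
        env = buildProbeEnvironment(principal, "sdasdasdasdasd123123123");
        if (!checkedEnvs.contains(env)) {
            try {
                closeQuietly(new InitialDirContext(env));
                throw new AuthenticationException("The ldap server at " + env.get(Context.PROVIDER_URL) + " falls back to use anonymous bind for a known principal if  invalid security credentials are presented. This is not supported.");
            } catch (javax.naming.AuthenticationException ax) {
                logger.info("LDAP server does not fall back to anonymous bind for known principal and invalid credentials at " + env.get(Context.PROVIDER_URL));
            } catch (AuthenticationNotSupportedException e) {
                logger.info("LDAP server does not support the required authentication mechanism");
            } catch (NamingException ignored) {
                // Connectivity problems were already reported by the anonymous-bind probe above.
            }
            // Record this environment as checked so that we don't check it again on further restarts / other subsystem
            // instances
            checkedEnvs.add(env);
        }
    }
}

/**
 * Builds a JNDI environment for one probe bind: a copy of {@code authenticatedEnvironment} with the
 * given principal and credentials, plus the trusted SSL socket factory when one is required.
 *
 * @param principal   bind principal, or {@code null} to strip principal and credentials (anonymous bind)
 * @param credentials bind password; ignored when {@code principal} is {@code null}
 * @return a fresh environment table for {@link InitialDirContext}
 * @throws Exception if the trust store cannot be initialised (propagated from {@code initTrustStore})
 */
private Hashtable<String, String> buildProbeEnvironment(String principal, String credentials) throws Exception {
    Hashtable<String, String> env = new Hashtable<String, String>(authenticatedEnvironment.size());
    env.putAll(authenticatedEnvironment);
    if (principal == null) {
        env.remove(Context.SECURITY_PRINCIPAL);
        env.remove(Context.SECURITY_CREDENTIALS);
    } else {
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
    }
    if (isSSLSocketFactoryRequired()) {
        KeyStore trustStore = initTrustStore();
        AlfrescoSSLSocketFactory.initTrustedSSLSocketFactory(trustStore);
        env.put("java.naming.ldap.factory.socket", AlfrescoSSLSocketFactory.class.getName());
    }
    return env;
}

/**
 * Closes a probe context so its connection is released; a close failure is only logged at debug,
 * since the bind itself has already told us what we needed to know.
 *
 * @param ctx context returned by a successful probe bind
 */
private void closeQuietly(Context ctx) {
    try {
        ctx.close();
    } catch (NamingException e) {
        logger.debug("Failed to close LDAP probe context", e);
    }
}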
