Example 1 with LdapUserPrincipal

Use of org.apache.druid.security.basic.authentication.LdapUserPrincipal in the project druid by druid-io.

From the class LDAPCredentialsValidator, method validateCredentials:

@Override
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    SearchResult userResult;
    LdapName userDn;
    Map<String, Object> contextMap = new HashMap<>();
    // Fast path: a previously validated principal whose cache entry has not expired.
    // hasSameCredentials() checks the presented password against the salted hash stored
    // at the last successful validation, so a cache hit never sends the password to LDAP again.
    LdapUserPrincipal principal = this.cache.getOrExpire(username);
    if (principal != null && principal.hasSameCredentials(password)) {
        contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, principal.getSearchResult());
        return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
    } else {
        ClassLoader currentClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            // Set the context classloader same as the loader of this class so that BasicSecuritySSLSocketFactory
            // class can be found
            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
            // Bind with the configured bind credentials (bindProperties) and look up the user's entry.
            InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
            try {
                userResult = getLdapUserObject(this.ldapConfig, dirContext, username);
                if (userResult == null) {
                    // An unknown user is reported as null, not as an exception.
                    LOG.debug("User not found: %s", username);
                    return null;
                }
                // The entry's full DN is what the user's own bind in validatePassword() will use.
                userDn = new LdapName(userResult.getNameInNamespace());
            } finally {
                try {
                    dirContext.close();
                } catch (Exception ignored) {
                    // ignored
                }
            }
        } catch (NamingException e) {
            LOG.error(e, "Exception during user lookup");
            return null;
        } finally {
            // Always restore the caller's context classloader, including on the early returns above.
            Thread.currentThread().setContextClassLoader(currentClassLoader);
        }
        // Verify the password by binding to LDAP as the resolved DN. Unlike an unknown user,
        // a wrong password is signalled with an exception rather than a null result.
        if (!validatePassword(this.ldapConfig, userDn, password)) {
            LOG.debug("Password incorrect for LDAP user %s", username);
            throw new BasicSecurityAuthenticationException("User LDAP authentication failed.");
        }
        // Cache a fresh salted hash of the password (never the plaintext) together with the search result.
        byte[] salt = BasicAuthUtils.generateSalt();
        byte[] hash = BasicAuthUtils.hashPassword(password, salt, this.ldapConfig.getCredentialIterations());
        LdapUserPrincipal newPrincipal = new LdapUserPrincipal(username, new BasicAuthenticatorCredentials(salt, hash, this.ldapConfig.getCredentialIterations()), userResult);
        this.cache.put(username, newPrincipal);
        contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult);
        return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
    }
}
Also used (imports referenced by this class):

import java.util.HashMap;
import java.util.LinkedHashMap;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.authentication.LdapUserPrincipal;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.server.security.AuthenticationResult;
