Class LDAPAuthenticationSchemeImpl

  • All Implemented Interfaces:
    UserAuthenticator

    public final class LDAPAuthenticationSchemeImpl
    extends JNDIAuthenticationSchemeBase
    This is the Derby LDAP authentication scheme implementation. JNDI system/environment properties can be set at the database level as database properties; any that are found are picked up and set in the JNDI initial context. Authentication is a two-step process: we first connect to the LDAP server to retrieve the user's distinguished name (DN), then reconnect and attempt to bind with that DN and the passed-in password. As of the 2.0 release, the first connection performs a search (user full DN lookup). This initial lookup can be done through an anonymous bind or with special LDAP search credentials that the administrator may have configured in the LDAP settings for the database or the system. This is a common pattern with LDAP servers, where it is often hard to know or guess a user's full DN in advance. NOTE: In a future release, we will cache/maintain the user DN within the Derby database or system to avoid the initial lookup. Also note that LDAP search/retrieval operations are usually very fast. The default LDAP URL is ldap:/// (ldap://localhost:389/). A plain ldap:// URL carries the simple bind, and with it both the search credentials and the user's password, unencrypted on the wire; point the scheme at an ldaps:// URL (or an otherwise protected transport) in production.
    See Also:
    UserAuthenticator
    • Field Detail

      • searchBaseDN

        private java.lang.String searchBaseDN
      • leftSearchFilter

        private java.lang.String leftSearchFilter
      • rightSearchFilter

        private java.lang.String rightSearchFilter
      • useUserPropertyAsDN

        private boolean useUserPropertyAsDN
      • searchAuthDN

        private java.lang.String searchAuthDN
      • searchAuthPW

        private java.lang.String searchAuthPW
      • attrDN

        private static final java.lang.String[] attrDN
      • LDAP_SEARCH_BASE

        private static final java.lang.String LDAP_SEARCH_BASE
        See Also:
        Constant Field Values
      • LDAP_SEARCH_FILTER

        private static final java.lang.String LDAP_SEARCH_FILTER
        See Also:
        Constant Field Values
      • LDAP_SEARCH_AUTH_DN

        private static final java.lang.String LDAP_SEARCH_AUTH_DN
        See Also:
        Constant Field Values
      • LDAP_SEARCH_AUTH_PW

        private static final java.lang.String LDAP_SEARCH_AUTH_PW
        See Also:
        Constant Field Values
      • LDAP_LOCAL_USER_DN

        private static final java.lang.String LDAP_LOCAL_USER_DN
        See Also:
        Constant Field Values
      • LDAP_SEARCH_FILTER_USERNAME

        private static final java.lang.String LDAP_SEARCH_FILTER_USERNAME
        See Also:
        Constant Field Values
    • Constructor Detail

      • LDAPAuthenticationSchemeImpl

        public LDAPAuthenticationSchemeImpl​(JNDIAuthenticationService as,
                                            java.util.Properties dbProperties)
    • Method Detail

      • authenticateUser

        public boolean authenticateUser​(java.lang.String userName,
                                        java.lang.String userPassword,
                                        java.lang.String databaseName,
                                        java.util.Properties info)
                                 throws java.sql.SQLException
        Authenticate the passed-in user's credentials. We authenticate against an LDAP server.
        Parameters:
        userName - The user's name used to connect to JBMS system
        userPassword - The user's password used to connect to JBMS system
        databaseName - The database which the user wants to connect to.
        info - Additional jdbc connection info.
        Returns:
        false if the connection request should be denied, true if the connection request should proceed. If false is returned the connection attempt will receive a SQLException with SQL State 08004.
        Throws:
        java.sql.SQLException - An exception processing the request, connection request will be denied. The SQL exception will be returned to the connection attempt.
      • doFilterEscaping

        protected java.lang.String doFilterEscaping​(java.lang.String inString)
        Given an LDAP search string, returns the string with certain characters escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm. The escaped value can then only ever be matched literally; it cannot add or close filter clauses when it is spliced into the search filter. The character mapping is as follows:
        char     -> Replacement
        ---------------------------
        *        -> \2a
        (        -> \28
        )        -> \29
        \        -> \5c
        NUL (\0) -> \00
        Parameters:
        inString - string to escape according to RFC 2254 guidelines
        Returns:
        String the escaped/encoded result
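        The escaping above is applied to the user name before it is spliced between the leftSearchFilter and rightSearchFilter halves of the configured search filter. The following is an added example, not Derby's own code, that implements the same mapping and the left/right split so the effect on a hostile user name can be seen. The placeholder text "%USERNAME%", the filter template and the user names are assumptions made for the example.

```java
/**
 * Added example (not Derby's code): RFC 2254 value escaping plus the
 * left/right split of a search-filter template around the user-name
 * placeholder, to show what escaping does to a hostile user name.
 */
public final class LdapFilterEscapeDemo {

    /** Placeholder assumed for this example (the page only names the constant LDAP_SEARCH_FILTER_USERNAME). */
    static final String USERNAME_PLACEHOLDER = "%USERNAME%";

    /** The doFilterEscaping mapping: '*', '(', ')', '\' and NUL become \XX hex escapes. */
    static String escapeFilterValue(String in) {
        StringBuilder out = new StringBuilder(in.length() + 8);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\\': out.append("\\5c"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Split the template into its left and right halves around the placeholder. */
    static String[] splitTemplate(String template) {
        int at = template.indexOf(USERNAME_PLACEHOLDER);
        if (at < 0) {
            throw new IllegalArgumentException("template has no " + USERNAME_PLACEHOLDER);
        }
        return new String[] {
            template.substring(0, at),
            template.substring(at + USERNAME_PLACEHOLDER.length())
        };
    }

    /** left + escaped(user) + right: the user name can only be a literal assertion value. */
    static String buildFilter(String template, String userName) {
        String[] parts = splitTemplate(template);
        return parts[0] + escapeFilterValue(userName) + parts[1];
    }

    /**
     * Detects a spliced-in clause: the built filter must have exactly the
     * template's parentheses. A bare wildcard keeps the counts equal, so this
     * is a secondary check; escaping is what actually neutralises '*'.
     */
    static boolean parenthesesMatchTemplate(String template, String filter) {
        return count(template, '(') == count(filter, '(')
            && count(template, ')') == count(filter, ')');
    }

    private static int count(String s, char c) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == c) n++;
        }
        return n;
    }

    public static void main(String[] args) {
        String template = "(&(objectClass=inetOrgPerson)(uid=%USERNAME%))";

        // Benign name: passes through unchanged.
        System.out.println(buildFilter(template, "alice"));

        // Bare wildcard: unescaped, (uid=*) matches every person and the first
        // hit would become the DN the scheme binds with; escaped it is literal.
        System.out.println("unescaped: " + template.replace(USERNAME_PLACEHOLDER, "*"));
        System.out.println("escaped:   " + buildFilter(template, "*"));

        // Spliced clause: unescaped it closes the uid assertion and adds one of its own.
        String spliced = "alice)(userPassword=*";
        String unsafe = template.replace(USERNAME_PLACEHOLDER, spliced);
        String safe = buildFilter(template, spliced);
        System.out.println("unescaped: " + unsafe + "  intact=" + parenthesesMatchTemplate(template, unsafe));
        System.out.println("escaped:   " + safe + "  intact=" + parenthesesMatchTemplate(template, safe));
    }
}
```

        Running it shows the escaped wildcard as (uid=\2a) and the spliced name rendered with \29\28 in place of the parentheses, so the second filter keeps the template's structure while the unescaped version does not.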
      • privInitialDirContext

        private javax.naming.directory.DirContext privInitialDirContext​(java.util.Properties env)
                                                                 throws javax.naming.NamingException
        Call new InitialDirContext in a privilege block
        Parameters:
        env - environment used to create the initial DirContext. Null indicates an empty environment.
        Returns:
        an initial DirContext using the supplied environment.
        Throws:
        javax.naming.NamingException
      • setJNDIProviderProperties

        protected void setJNDIProviderProperties()
        This method tests and sets the default/expected JNDI properties for the JNDI provider scheme (here, LDAP).
        Specified by:
        setJNDIProviderProperties in class JNDIAuthenticationSchemeBase
      • getDNFromUID

        private java.lang.String getDNFromUID​(java.lang.String uid)
                                       throws javax.naming.NamingException
        Search for the user's full DN in the LDAP server. The LDAP server bind may or may not be anonymous. If the administrator does not want us to do an anonymous bind/search, then we must have been given a principal and credentials in order to bind successfully and perform the user's DN search.
        Throws:
        javax.naming.NamingException - if the user DN could not be retrieved.
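        The two-phase flow described in the class description and in getDNFromUID (search for the DN with an anonymous or configured search bind, then bind again as that DN with the supplied password) can be written against plain JNDI as follows. This is an added example, not Derby's code: the server URL, search base, object class and the search-account handling are assumptions, and the program needs a reachable LDAP server to exercise. Two checks a practitioner wants are included that the page does not mention: an empty password is refused before any bind (a DN with an empty password is an unauthenticated bind, which many servers accept), and a lookup that matches more than one entry is treated as a failure rather than picking the first hit.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example, not Derby's code: search for the user's DN, then re-bind as
 * that DN with the supplied password. Host names and base DN are supplied by
 * the caller; nothing here refers to a real directory.
 */
public final class TwoPhaseLdapAuth {

    private final String url;        // e.g. "ldaps://ldap.example.org:636/" (assumed)
    private final String searchBase; // e.g. "ou=people,dc=example,dc=org" (assumed)
    private final String searchDn;   // null => anonymous search bind
    private final String searchPw;

    TwoPhaseLdapAuth(String url, String searchBase, String searchDn, String searchPw) {
        this.url = url;
        this.searchBase = searchBase;
        this.searchDn = searchDn;
        this.searchPw = searchPw;
    }

    /** Open a context bound either anonymously or as the given principal. */
    private DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (principal == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");   // anonymous bind
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return new InitialDirContext(env);
    }

    /** Phase 1: resolve uid to a full DN; fail unless exactly one entry matches. */
    String lookupDn(String uid) throws NamingException {
        DirContext ctx = connect(searchDn, searchPw);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[0]); // only the DN is needed
            ctls.setCountLimit(2);                       // two hits is enough to detect ambiguity
            // {0} is substituted by JNDI with filter metacharacters escaped, so
            // a uid of "*" is matched literally instead of widening the search.
            // The objectClass is an assumption for this example.
            NamingEnumeration<SearchResult> hits = ctx.search(searchBase,
                    "(&(objectClass=inetOrgPerson)(uid={0}))", new Object[] { uid }, ctls);
            if (!hits.hasMore()) {
                throw new NamingException("no entry for uid");
            }
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                throw new NamingException("uid matches more than one entry; refusing to guess");
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Phase 2: prove the password by binding as the looked-up DN. */
    boolean authenticate(String uid, String password) throws NamingException {
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) {
            // A DN with an empty password is an unauthenticated bind, which many
            // servers accept as anonymous; never send one to prove a password.
            return false;
        }
        String dn = lookupDn(uid);
        try {
            connect(dn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password: deny (Derby would surface SQLSTATE 08004)
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 4) {
            System.err.println("usage: TwoPhaseLdapAuth <ldap-url> <search-base> <uid> <password>");
            return;
        }
        // Anonymous search bind; pass a search DN/password instead when the
        // directory does not allow anonymous searches.
        TwoPhaseLdapAuth auth = new TwoPhaseLdapAuth(args[0], args[1], null, null);
        System.out.println(auth.authenticate(args[2], args[3]) ? "accepted" : "denied");
    }
}
```

        Any NamingException other than a failed bind (server unreachable, no or ambiguous match, a size limit tripped) propagates, which is the fail-closed behaviour the authenticateUser contract above describes: the connection request is denied and the exception is returned to the caller.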