Posted to commits@directory.apache.org by el...@apache.org on 2013/05/15 17:06:39 UTC
svn commit: r1482887 - in /directory/apacheds/trunk:
core-annotations/src/main/java/org/apache/directory/server/core/annotations/
core-annotations/src/main/java/org/apache/directory/server/core/factory/
interceptors/authn/src/main/java/org/apache/direc...
Author: elecharny
Date: Wed May 15 15:06:39 2013
New Revision: 1482887
URL: http://svn.apache.org/r1482887
Log:
Made delegated authentication work over SSL and StartTLS (defaults to NoVerificationTrustManager for now)
Added:
directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
Modified:
directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java
directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
Modified: directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java?rev=1482887&r1=1482886&r2=1482887&view=diff
==============================================================================
--- directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java (original)
+++ directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java Wed May 15 15:06:39 2013
@@ -57,6 +57,22 @@ public @interface CreateAuthenticator
int delegatePort() default -1;
+ /** The base DN from which we will delegate authentication */
+ String delegateBaseDn() default "";
+
+
/** Tells if we use SSL to connect */
- boolean delegateSsl() default true;
+ boolean delegateSsl() default false;
+
+
+ /** Tells if we use startTls to connect */
+ boolean delegateTls() default true;
+
+
+ /** The SSL TrustManager FQCN */
+ String delegateSslTrustManagerFQCN() default "org.apache.directory.ldap.client.api.NoVerificationTrustManager";
+
+
+ /** The startTls TrustManager FQCN */
+ String delegateTlsTrustManagerFQCN() default "org.apache.directory.ldap.client.api.NoVerificationTrustManager";
}
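Review bot: The defaults of `delegateSslTrustManagerFQCN` and `delegateTlsTrustManagerFQCN` name `NoVerificationTrustManager`, which as its name says performs no server-certificate verification, so an authenticator configured with the defaults forwards the user's bind credentials to whatever answers on the delegate host and port; the one-line Javadoc should say so instead of just "The SSL TrustManager FQCN", e.g. `/** FQCN of the TrustManager used for the SSL connection to the delegate. Defaults to NoVerificationTrustManager, which accepts any server certificate; configure a verifying TrustManager outside test setups. */` on both members. The hunk also flips `delegateSsl` from `true` to `false` while `delegateTls` defaults to `true`, so an existing annotation that sets neither silently switches from LDAPS to StartTLS; the Javadoc of `delegateTls` should state that it takes precedence over `delegateSsl` when both are set, since the authenticator checks it first.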
Modified: directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java?rev=1482887&r1=1482886&r2=1482887&view=diff
==============================================================================
--- directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java (original)
+++ directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java Wed May 15 15:06:39 2013
@@ -125,6 +125,10 @@ public class DSAnnotationProcessor
dauth.setDelegateHost( createAuthenticator.delegateHost() );
dauth.setDelegatePort( createAuthenticator.delegatePort() );
dauth.setDelegateSsl( createAuthenticator.delegateSsl() );
+ dauth.setDelegateTls( createAuthenticator.delegateTls() );
+ dauth.setDelegateBaseDn( createAuthenticator.delegateBaseDn() );
+ dauth.setDelegateSslTrustManagerFQCN( createAuthenticator.delegateSslTrustManagerFQCN() );
+ dauth.setDelegateTlsTrustManagerFQCN( createAuthenticator.delegateTlsTrustManagerFQCN() );
}
authenticators.add( auth );
Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java?rev=1482887&r1=1482886&r2=1482887&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java (original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java Wed May 15 15:06:39 2013
@@ -28,8 +28,9 @@ import org.apache.directory.api.ldap.mod
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.util.Strings;
-import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.i18n.I18n;
@@ -55,9 +56,18 @@ public class DelegatingAuthenticator ext
/** Tells if we use SSL to connect */
private boolean delegateSsl;
+ /** Tells if we use StartTLS to connect */
+ private boolean delegateTls;
+
/** The base DN which will be the starting point from which we use the delegator authenticator */
private String delegateBaseDn;
+ /** The SSL TrustManager FQCN to use */
+ private String delegateSslTrustManagerFQCN;
+
+ /** The startTLS TrustManager FQCN to use */
+ private String delegateTlsTrustManagerFQCN;
+
/**
* Creates a new instance.
@@ -153,6 +163,60 @@ public class DelegatingAuthenticator ext
/**
+ * @return the delegateTls
+ */
+ public boolean isDelegateTls()
+ {
+ return delegateTls;
+ }
+
+
+ /**
+ * @param delegateTls the delegateTls to set
+ */
+ public void setDelegateTls( boolean delegateTls )
+ {
+ this.delegateTls = delegateTls;
+ }
+
+
+ /**
+ * @return the delegateSslTrustManagerFQCN
+ */
+ public String getDelegateSslTrustManagerFQCN()
+ {
+ return delegateSslTrustManagerFQCN;
+ }
+
+
+ /**
+ * @param delegateSslTrustManagerFQCN the delegateSslTrustManagerFQCN to set
+ */
+ public void setDelegateSslTrustManagerFQCN( String delegateSslTrustManagerFQCN )
+ {
+ this.delegateSslTrustManagerFQCN = delegateSslTrustManagerFQCN;
+ }
+
+
+ /**
+ * @return the delegateTlsTrustManagerFQCN
+ */
+ public String getDelegateTlsTrustManagerFQCN()
+ {
+ return delegateTlsTrustManagerFQCN;
+ }
+
+
+ /**
+ * @param delegateTlsTrustManagerFQCN the delegateTlsTrustManagerFQCN to set
+ */
+ public void setDelegateTlsTrustManagerFQCN( String delegateTlsTrustManagerFQCN )
+ {
+ this.delegateTlsTrustManagerFQCN = delegateTlsTrustManagerFQCN;
+ }
+
+
+ /**
* {@inheritDoc}
*/
public LdapPrincipal authenticate( BindOperationContext bindContext )
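Review bot: The Javadoc on the new accessors is generated filler (`@return the delegateTls`, `@param delegateSslTrustManagerFQCN the delegateSslTrustManagerFQCN to set`) that repeats the signature, and the two FQCN setters in particular should say what the string must be and what an empty or null value means, which nothing in this hunk shows. A line such as `/** Sets the fully qualified name of the javax.net.ssl.TrustManager implementation used for the LDAPS connection to the delegate; it must have a public no-arg constructor. */` on `setDelegateSslTrustManagerFQCN`, and the StartTLS counterpart on `setDelegateTlsTrustManagerFQCN`, would tell a reader configuring the authenticator by hand what to supply. `authenticate` starts on the last line of this hunk and its body lies outside it.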
@@ -165,8 +229,44 @@ public class DelegatingAuthenticator ext
LOG.debug( "Authenticating {}", bindContext.getDn() );
}
+ LdapConnectionConfig connectionConfig;
+ LdapNetworkConnection ldapConnection;
+
// Create a connection on the remote host
- LdapConnection ldapConnection = new LdapNetworkConnection( delegateHost, delegatePort, delegateSsl );
+ if ( delegateTls )
+ {
+ connectionConfig = new LdapConnectionConfig();
+ connectionConfig.setLdapHost( delegateHost );
+ connectionConfig.setLdapPort( delegatePort );
+ connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+ ldapConnection = new LdapNetworkConnection( connectionConfig );
+ ldapConnection.connect();
+ ldapConnection.startTls();
+ }
+ else if ( delegateSsl )
+ {
+ connectionConfig = new LdapConnectionConfig();
+ connectionConfig.setLdapHost( delegateHost );
+ connectionConfig.setUseSsl( true );
+ connectionConfig.setLdapPort( delegatePort );
+ connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+ ldapConnection = new LdapNetworkConnection( connectionConfig );
+ ldapConnection.connect();
+ }
+ else
+ {
+ connectionConfig = new LdapConnectionConfig();
+ connectionConfig.setLdapHost( delegateHost );
+ connectionConfig.setLdapPort( delegatePort );
+ connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+ ldapConnection = new LdapNetworkConnection( delegateHost, delegatePort );
+ ldapConnection.connect();
+ }
+
+ ldapConnection.setTimeOut( 0L );
try
{
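Review bot: All three branches hardcode `connectionConfig.setTrustManagers( new NoVerificationTrustManager() )`, so the `delegateSslTrustManagerFQCN` and `delegateTlsTrustManagerFQCN` values this same commit adds to the annotation, `DSAnnotationProcessor` and the setters above are never read, and every delegated bind accepts any certificate the delegate presents; the plain branch additionally builds a `connectionConfig` it then discards by calling `new LdapNetworkConnection( delegateHost, delegatePort )`. The connection is also opened (`connect()`, `startTls()`) before the `try` whose `finally` closes it, so a failure in either call leaves the connection un-closed. `setTimeOut( 0L )` presumably means no client-side timeout in this API, in which case a slow delegate can hold the authenticating thread indefinitely — worth confirming. The rewrite below instantiates the configured TrustManager by FQCN (needs an import of `javax.net.ssl.TrustManager`; a null or empty FQCN just skips `setTrustManagers`) and moves `connect()`/`startTls()` inside the existing try; the rest of `authenticate`, including its catch and finally blocks, lies outside this hunk.
```java
        // Create a connection on the remote host, using the configured TrustManager
        LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
        connectionConfig.setLdapHost( delegateHost );
        connectionConfig.setLdapPort( delegatePort );

        if ( delegateTls )
        {
            setTrustManager( connectionConfig, delegateTlsTrustManagerFQCN );
        }
        else if ( delegateSsl )
        {
            connectionConfig.setUseSsl( true );
            setTrustManager( connectionConfig, delegateSslTrustManagerFQCN );
        }

        LdapNetworkConnection ldapConnection = new LdapNetworkConnection( connectionConfig );
        ldapConnection.setTimeOut( 0L );

        try
        {
            // Opened inside the try so that the finally block always closes it
            ldapConnection.connect();

            if ( delegateTls )
            {
                ldapConnection.startTls();
            }

            // … unchanged: bind against the delegate and build the LdapPrincipal …
        }
        // … unchanged: catch and finally blocks …
```
```java
    /**
     * Installs the TrustManager named by the configured FQCN on the connection config.
     * An empty or null FQCN leaves the config's default trust handling untouched.
     */
    private static void setTrustManager( LdapConnectionConfig config, String fqcn ) throws LdapException
    {
        if ( Strings.isEmpty( fqcn ) )
        {
            return;
        }

        try
        {
            config.setTrustManagers( ( TrustManager ) Class.forName( fqcn ).newInstance() );
        }
        catch ( Exception e )
        {
            throw new LdapException( "Cannot instantiate TrustManager " + fqcn, e );
        }
    }
```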
@@ -211,6 +311,10 @@ public class DelegatingAuthenticator ext
LOG.info( message );
throw new LdapAuthenticationException( message );
}
+ finally
+ {
+ ldapConnection.close();
+ }
}
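Review bot: If `LdapNetworkConnection.close()` can throw (in this API it declares `IOException` as far as I recall — please confirm), an exception from the new `finally` replaces the `LdapAuthenticationException` thrown just above it, so the caller sees a closing error instead of the authentication failure. Wrapping the close in its own try/catch that logs and drops the close error, e.g. `try { ldapConnection.close(); } catch ( IOException ioe ) { LOG.debug( "Error closing delegate connection", ioe ); }`, keeps the original exception. The `try` this block belongs to begins in the previous hunk.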
Added: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java?rev=1482887&view=auto
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java (added)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java Wed May 15 15:06:39 2013
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.operations.bind;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
+import org.apache.directory.junit.tools.MultiThreadedMultiInvoker;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.CreateAuthenticator;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.authn.DelegatingAuthenticator;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Tests the Delegated authenticator using SSL
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateDS(
+ allowAnonAccess = true,
+ name = "DelegatedAuthIT-class",
+ authenticators =
+ {
+ @CreateAuthenticator(
+ type = DelegatingAuthenticator.class,
+ delegateHost = "localhost",
+ delegatePort = 10201,
+ delegateSsl = true,
+ delegateTls = false) })
+@ApplyLdifs(
+ {
+ // Entry # 1
+ "dn: uid=emmanuel,ou=users,ou=system",
+ "objectClass: uidObject",
+ "objectClass: person",
+ "objectClass: top",
+ "uid: emmanuel",
+ "cn: Emmanuel Lecharny",
+ "sn: Lecharny",
+ "userPassword: sesame" })
+@CreateLdapServer(
+ transports =
+ {
+ @CreateTransport(protocol = "LDAP", port = 10200)
+ },
+ allowAnonymousAccess = true)
+public class DelegatedAuthOverSslIT extends AbstractLdapTestUnit
+{
+ @Rule
+ public MultiThreadedMultiInvoker i = new MultiThreadedMultiInvoker( MultiThreadedMultiInvoker.NOT_THREADSAFE );
+
+
+ /**
+ * Test with bindDn which is not even found under any namingContext of the
+ * server.
+ *
+ * @throws Exception
+ */
+ @CreateDS(
+ allowAnonAccess = true,
+ name = "DelegatedAuthIT-method")
+ @ApplyLdifs(
+ {
+ // Entry # 1
+ "dn: uid=antoine,ou=users,ou=system",
+ "objectClass: uidObject",
+ "objectClass: person",
+ "objectClass: top",
+ "uid: antoine",
+ "cn: Antoine Levy-Lambert",
+ "sn: Levy-Lambert",
+ "userPassword: secret" })
+ @CreateLdapServer(
+ transports =
+ {
+ @CreateTransport(protocol = "LDAPS", port = 10201)
+ },
+ extendedOpHandlers =
+ {
+ StartTlsHandler.class
+ }
+ )
+ @Test
+ public void testDelegatedSSLAuthentication() throws Exception
+ {
+ assertTrue( getService().isStarted() );
+ assertEquals( "DelegatedAuthIT-method", getService().getInstanceId() );
+ LdapConnection ldapConnection = new LdapNetworkConnection( "localhost", 10200 );
+
+ ldapConnection.setTimeOut( 0L );
+ ldapConnection.bind( "uid=antoine,ou=users,ou=system", "secret" );
+
+ assertTrue( ldapConnection.isAuthenticated() );
+
+ ldapConnection.unBind();
+
+ try
+ {
+ ldapConnection.bind( "uid=antoine,ou=users,ou=system", "sesame" );
+ fail();
+ }
+ catch ( LdapAuthenticationException lae )
+ {
+ assertTrue( true );
+ }
+
+ ldapConnection.unBind();
+ ldapConnection.close();
+ }
+}
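Review bot: The method Javadoc "Test with bindDn which is not even found under any namingContext of the server" is copied from another test and does not describe this one, which binds an existing user of the delegate server with the correct and then a wrong password; replace it with `/** Binds through the front server on port 10200, whose DelegatingAuthenticator forwards the bind over LDAPS to the method-level server on port 10201: the correct password must succeed and a wrong one must fail with LdapAuthenticationException. */`. The `catch ( LdapAuthenticationException lae ) { assertTrue( true ); }` is a no-op assertion and can be an empty catch with a comment such as `// expected`. `ldapConnection.close()` is not reached when a bind or an assertion fails, so the body after the connection is created belongs in a try/finally that closes it. The same three points apply to DelegatedAuthOverTlsIT in the next hunk.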
Added: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java?rev=1482887&view=auto
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java (added)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java Wed May 15 15:06:39 2013
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.operations.bind;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
+import org.apache.directory.junit.tools.MultiThreadedMultiInvoker;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.CreateAuthenticator;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.authn.DelegatingAuthenticator;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Tests the Delegated authenticator using SSL
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateDS(
+ allowAnonAccess = true,
+ name = "DelegatedAuthIT-class",
+ authenticators =
+ {
+ @CreateAuthenticator(
+ type = DelegatingAuthenticator.class,
+ delegateHost = "localhost",
+ delegatePort = 10201,
+ delegateSsl = false,
+ delegateTls = true) })
+@ApplyLdifs(
+ {
+ // Entry # 1
+ "dn: uid=emmanuel,ou=users,ou=system",
+ "objectClass: uidObject",
+ "objectClass: person",
+ "objectClass: top",
+ "uid: emmanuel",
+ "cn: Emmanuel Lecharny",
+ "sn: Lecharny",
+ "userPassword: sesame" })
+@CreateLdapServer(
+ transports =
+ {
+ @CreateTransport(protocol = "LDAP", port = 10200)
+ },
+ allowAnonymousAccess = true)
+public class DelegatedAuthOverTlsIT extends AbstractLdapTestUnit
+{
+ @Rule
+ public MultiThreadedMultiInvoker i = new MultiThreadedMultiInvoker( MultiThreadedMultiInvoker.NOT_THREADSAFE );
+
+
+ /**
+ * Test with bindDn which is not even found under any namingContext of the
+ * server.
+ *
+ * @throws Exception
+ */
+ @CreateDS(
+ allowAnonAccess = true,
+ name = "DelegatedAuthIT-method")
+ @ApplyLdifs(
+ {
+ // Entry # 1
+ "dn: uid=antoine,ou=users,ou=system",
+ "objectClass: uidObject",
+ "objectClass: person",
+ "objectClass: top",
+ "uid: antoine",
+ "cn: Antoine Levy-Lambert",
+ "sn: Levy-Lambert",
+ "userPassword: secret" })
+ @CreateLdapServer(
+ transports =
+ {
+ @CreateTransport(protocol = "LDAP", port = 10201)
+ },
+ extendedOpHandlers =
+ {
+ StartTlsHandler.class
+ }
+ )
+ @Test
+ public void testDelegatedTlsAuthentication() throws Exception
+ {
+ assertTrue( getService().isStarted() );
+ assertEquals( "DelegatedAuthIT-method", getService().getInstanceId() );
+ LdapConnection ldapConnection = new LdapNetworkConnection( "localhost", 10200 );
+
+ ldapConnection.setTimeOut( 0L );
+ ldapConnection.bind( "uid=antoine,ou=users,ou=system", "secret" );
+
+ assertTrue( ldapConnection.isAuthenticated() );
+
+ ldapConnection.unBind();
+
+ try
+ {
+ ldapConnection.bind( "uid=antoine,ou=users,ou=system", "sesame" );
+ fail();
+ }
+ catch ( LdapAuthenticationException lae )
+ {
+ assertTrue( true );
+ }
+
+ ldapConnection.unBind();
+ ldapConnection.close();
+ }
+}
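Review bot: As far as the test shows, it does not verify that StartTLS was actually negotiated on the delegate connection: the method-level server exposes plain LDAP on port 10201, so an authenticator that fell through to the plain branch (or never called `startTls()`) would pass this test just the same, whereas the SSL variant at least fails on a plain bind to an LDAPS port. Asserting on the delegate side that the bind arrived over TLS, or running the delegate with a transport that only accepts StartTLS-upgraded sessions if the test framework supports it, would make the test meaningful; at minimum the Javadoc should say the coverage is limited to "delegation still works with delegateTls = true". The class Javadoc "Tests the Delegated authenticator using SSL" is copied from the SSL test and should read `Tests the Delegated authenticator using StartTLS`.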