org.apereo.cas.authentication

Class LdapAuthenticationHandler

java.lang.Object

org.apereo.cas.authentication.AbstractAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.apereo.cas.authentication.LdapAuthenticationHandler

All Implemented Interfaces:

org.apereo.cas.authentication.AuthenticationHandler, org.apereo.cas.authentication.PrePostAuthenticationHandler, org.springframework.core.Ordered

public class LdapAuthenticationHandler
extends org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

LDAP authentication handler that uses the ldaptive Authenticator component underneath. This handler provides simple attribute resolution machinery by reading attributes from the entry corresponding to the DN of the bound user (in the bound security context) upon successful authentication. Principal resolution is controlled by the following properties:

• setPrincipalIdAttribute(String)
• setPrincipalAttributeMap(java.util.Map)

Since:

4.0.0

Field Summary

Fields

Modifier and Type	Field and Description
protected java.util.Map<java.lang.String,java.lang.String>	principalAttributeMap Mapping of LDAP attribute name to principal attribute name.

Fields inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

principalFactory, servicesManager

Fields inherited from interface org.apereo.cas.authentication.AuthenticationHandler

SUCCESSFUL_AUTHENTICATION_HANDLERS

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor and Description
LdapAuthenticationHandler(java.lang.String name, org.apereo.cas.services.ServicesManager servicesManager, org.apereo.cas.authentication.principal.PrincipalFactory principalFactory, java.lang.Integer order, org.ldaptive.auth.Authenticator authenticator) Creates a new authentication handler that delegates to the given authenticator.

Method Summary

Modifier and Type	Method and Description
protected org.apereo.cas.authentication.HandlerResult	authenticateUsernamePasswordInternal(org.apereo.cas.authentication.UsernamePasswordCredential upc, java.lang.String originalPassword)
protected org.apereo.cas.authentication.principal.Principal	createPrincipal(java.lang.String username, org.ldaptive.LdapEntry ldapEntry) Creates a CAS principal with attributes if the LDAP entry contains principal attributes.
protected java.lang.String	getLdapPrincipalIdentifier(java.lang.String username, org.ldaptive.LdapEntry ldapEntry) Gets ldap principal identifier.
void	initialize() Initialize the handler, setup the authentication entry attributes.
void	setAllowMissingPrincipalAttributeValue(boolean allowMissingPrincipalAttributeValue)
void	setAllowMultiplePrincipalAttributeValues(boolean allowed) Sets a flag that determines whether multiple values are allowed for the principalIdAttribute.
void	setCollectDnAttribute(boolean collectDnAttribute)
void	setPrincipalAttributeList(java.util.List<java.lang.String> attributeList) Sets the mapping of additional principal attributes where the key and value is the LDAP attribute name.
void	setPrincipalAttributeMap(java.util.Map<java.lang.String,java.lang.String> attributeNameMap) Sets the mapping of additional principal attributes where the key is the LDAP attribute name and the value is the principal attribute name.
void	setPrincipalDnAttributeName(java.lang.String principalDnAttributeName) Sets the name of the principal's dn attribute.
void	setPrincipalIdAttribute(java.lang.String attributeName) Sets the name of the LDAP principal attribute whose value should be used for the principal ID.

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

doAuthentication, getPasswordPolicyConfiguration, matches, setCredentialSelectionPredicate, setPasswordEncoder, setPasswordPolicyConfiguration, setPrincipalNameTransformer, supports

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult

Methods inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

getName, getOrder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apereo.cas.authentication.PrePostAuthenticationHandler

postAuthenticate, preAuthenticate

Methods inherited from interface org.apereo.cas.authentication.AuthenticationHandler

getName

Methods inherited from interface org.springframework.core.Ordered

getOrder

Field Detail

principalAttributeMap

protected java.util.Map<java.lang.String,java.lang.String> principalAttributeMap

Mapping of LDAP attribute name to principal attribute name.

Constructor Detail

LdapAuthenticationHandler

public LdapAuthenticationHandler(java.lang.String name,
                                 org.apereo.cas.services.ServicesManager servicesManager,
                                 org.apereo.cas.authentication.principal.PrincipalFactory principalFactory,
                                 java.lang.Integer order,
                                 org.ldaptive.auth.Authenticator authenticator)

Creates a new authentication handler that delegates to the given authenticator.

Parameters:

name - the name

servicesManager - the services manager

principalFactory - the principal factory

order - the order

authenticator - Ldaptive authenticator component.

Method Detail

setPrincipalIdAttribute

public void setPrincipalIdAttribute(java.lang.String attributeName)

Sets the name of the LDAP principal attribute whose value should be used for the principal ID.

Parameters:

attributeName - LDAP attribute name.

setCollectDnAttribute

public void setCollectDnAttribute(boolean collectDnAttribute)

setPrincipalDnAttributeName

public void setPrincipalDnAttributeName(java.lang.String principalDnAttributeName)

Sets the name of the principal's dn attribute.

Parameters:

principalDnAttributeName - principal's DN attribute name.

setAllowMultiplePrincipalAttributeValues

public void setAllowMultiplePrincipalAttributeValues(boolean allowed)

Sets a flag that determines whether multiple values are allowed for the principalIdAttribute. This flag only has an effect if principalIdAttribute is configured. If multiple values are detected when the flag is false, the first value is used and a warning is logged. If multiple values are detected when the flag is true, an exception is raised.

Parameters:

allowed - True to allow multiple principal ID attribute values, false otherwise.

setPrincipalAttributeMap

public void setPrincipalAttributeMap(java.util.Map<java.lang.String,java.lang.String> attributeNameMap)

Sets the mapping of additional principal attributes where the key is the LDAP attribute name and the value is the principal attribute name. The key set defines the set of attributes read from the LDAP entry at authentication time. Note that the principal ID attribute should not be listed among these attributes.

Parameters:

attributeNameMap - Map of LDAP attribute name to principal attribute name.

setPrincipalAttributeList

public void setPrincipalAttributeList(java.util.List<java.lang.String> attributeList)

Sets the mapping of additional principal attributes where the key and value is the LDAP attribute name. Note that the principal ID attribute should not be listed among these attributes.

Parameters:

attributeList - List of LDAP attribute names

authenticateUsernamePasswordInternal

protected org.apereo.cas.authentication.HandlerResult authenticateUsernamePasswordInternal(org.apereo.cas.authentication.UsernamePasswordCredential upc,
                                                                                           java.lang.String originalPassword)
                                                                                    throws java.security.GeneralSecurityException,
                                                                                           org.apereo.cas.authentication.PreventedException

Specified by:

authenticateUsernamePasswordInternal in class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

Throws:

java.security.GeneralSecurityException

org.apereo.cas.authentication.PreventedException

createPrincipal

protected org.apereo.cas.authentication.principal.Principal createPrincipal(java.lang.String username,
                                                                            org.ldaptive.LdapEntry ldapEntry)
                                                                     throws javax.security.auth.login.LoginException

Creates a CAS principal with attributes if the LDAP entry contains principal attributes.

Parameters:

username - Username that was successfully authenticated which is used for principal ID when setPrincipalIdAttribute(String) is not specified.

ldapEntry - LDAP entry that may contain principal attributes.

Returns:

Principal if the LDAP entry contains at least a principal ID attribute value, null otherwise.

Throws:

javax.security.auth.login.LoginException - On security policy errors related to principal creation.

getLdapPrincipalIdentifier

protected java.lang.String getLdapPrincipalIdentifier(java.lang.String username,
                                                      org.ldaptive.LdapEntry ldapEntry)
                                               throws javax.security.auth.login.LoginException

Gets ldap principal identifier. If the principal id attribute is defined, it's retrieved. If no attribute value is found, a warning is generated and the provided username is used instead. If no attribute is defined, username is used instead.

Parameters:

username - the username

ldapEntry - the ldap entry

Returns:

the ldap principal identifier

Throws:

javax.security.auth.login.LoginException - in case the principal id cannot be determined.

setAllowMissingPrincipalAttributeValue

public void setAllowMissingPrincipalAttributeValue(boolean allowMissingPrincipalAttributeValue)

initialize

@PostConstruct
public void initialize()

Initialize the handler, setup the authentication entry attributes.