org.jasig.cas.authentication

Class LdapAuthenticationHandler

java.lang.Object

org.jasig.cas.authentication.AbstractAuthenticationHandler

org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.jasig.cas.authentication.LdapAuthenticationHandler

All Implemented Interfaces:

org.jasig.cas.authentication.AuthenticationHandler

public class LdapAuthenticationHandler
extends org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

LDAP authentication handler that uses the ldaptive Authenticator component underneath. This handler provides simple attribute resolution machinery by reading attributes from the entry corresponding to the DN of the bound user (in the bound security context) upon successful authentication. Principal resolution is controlled by the following properties:

• setPrincipalIdAttribute(String)
• setPrincipalAttributeMap(java.util.Map)

Since:

4.0.0

Field Summary

Fields

Modifier and Type	Field and Description
protected java.util.List<java.lang.String>	additionalAttributes List of additional attributes to be fetched but are not principal attributes.
protected java.util.Map<java.lang.String,java.lang.String>	principalAttributeMap Mapping of LDAP attribute name to principal attribute name.

Fields inherited from class org.jasig.cas.authentication.AbstractAuthenticationHandler

logger, principalFactory, servicesManager

Constructor Summary

Constructors

Constructor and Description
LdapAuthenticationHandler(org.ldaptive.auth.Authenticator authenticator) Creates a new authentication handler that delegates to the given authenticator.

Method Summary

Methods

Modifier and Type	Method and Description
protected org.jasig.cas.authentication.HandlerResult	authenticateUsernamePasswordInternal(org.jasig.cas.authentication.UsernamePasswordCredential upc)
protected org.jasig.cas.authentication.principal.Principal	createPrincipal(java.lang.String username, org.ldaptive.LdapEntry ldapEntry) Creates a CAS principal with attributes if the LDAP entry contains principal attributes.
java.lang.String	getName()
void	initialize() Initialize the handler, setup the authentication entry attributes.
void	setAdditionalAttributes(java.util.List<java.lang.String> additionalAttributes) Sets the list of additional attributes to be fetched from the user entry during authentication.
void	setAllowMultiplePrincipalAttributeValues(boolean allowed) Sets a flag that determines whether multiple values are allowed for the principalIdAttribute.
void	setName(java.lang.String name) Sets the component name.
void	setPrincipalAttributeList(java.util.List<java.lang.String> attributeList) Sets the mapping of additional principal attributes where the key and value is the LDAP attribute name.
void	setPrincipalAttributeMap(java.util.Map<java.lang.String,java.lang.String> attributeNameMap) Sets the mapping of additional principal attributes where the key is the LDAP attribute name and the value is the principal attribute name.
void	setPrincipalIdAttribute(java.lang.String attributeName) Sets the name of the LDAP principal attribute whose value should be used for the principal ID.
boolean	supports(org.jasig.cas.authentication.Credential credential) Handle post authentication processing.

Methods inherited from class org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

doAuthentication, getPasswordEncoder, getPasswordPolicyConfiguration, getPrincipalNameTransformer, setPasswordEncoder, setPasswordPolicyConfiguration, setPrincipalNameTransformer

Methods inherited from class org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult, postAuthenticate, preAuthenticate

Methods inherited from class org.jasig.cas.authentication.AbstractAuthenticationHandler

setPrincipalFactory

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

principalAttributeMap

@NotNull
protected java.util.Map<java.lang.String,java.lang.String> principalAttributeMap

Mapping of LDAP attribute name to principal attribute name.

additionalAttributes

@NotNull
protected java.util.List<java.lang.String> additionalAttributes

List of additional attributes to be fetched but are not principal attributes.

Constructor Detail

LdapAuthenticationHandler

public LdapAuthenticationHandler(@NotNull
                         org.ldaptive.auth.Authenticator authenticator)

Creates a new authentication handler that delegates to the given authenticator.

Parameters:

authenticator - Ldaptive authenticator component.

Method Detail

setName

public void setName(java.lang.String name)

Sets the component name. Defaults to simple class name.

Overrides:

setName in class org.jasig.cas.authentication.AbstractAuthenticationHandler

Parameters:

name - Authentication handler name.

setPrincipalIdAttribute

public void setPrincipalIdAttribute(java.lang.String attributeName)

Sets the name of the LDAP principal attribute whose value should be used for the principal ID.

Parameters:

attributeName - LDAP attribute name.

setAllowMultiplePrincipalAttributeValues

public void setAllowMultiplePrincipalAttributeValues(boolean allowed)

Sets a flag that determines whether multiple values are allowed for the principalIdAttribute. This flag only has an effect if principalIdAttribute is configured. If multiple values are detected when the flag is false, the first value is used and a warning is logged. If multiple values are detected when the flag is true, an exception is raised.

Parameters:

allowed - True to allow multiple principal ID attribute values, false otherwise.

setPrincipalAttributeMap

public void setPrincipalAttributeMap(java.util.Map<java.lang.String,java.lang.String> attributeNameMap)

Sets the mapping of additional principal attributes where the key is the LDAP attribute name and the value is the principal attribute name. The key set defines the set of attributes read from the LDAP entry at authentication time. Note that the principal ID attribute should not be listed among these attributes.

Parameters:

attributeNameMap - Map of LDAP attribute name to principal attribute name.

setPrincipalAttributeList

public void setPrincipalAttributeList(java.util.List<java.lang.String> attributeList)

Sets the mapping of additional principal attributes where the key and value is the LDAP attribute name. Note that the principal ID attribute should not be listed among these attributes.

Parameters:

attributeList - List of LDAP attribute names

setAdditionalAttributes

public void setAdditionalAttributes(java.util.List<java.lang.String> additionalAttributes)

Sets the list of additional attributes to be fetched from the user entry during authentication. These attributes are not bound to the principal.

A common use case for these attributes is to support password policy machinery.

Parameters:

additionalAttributes - List of operational attributes to fetch when resolving an entry.

authenticateUsernamePasswordInternal

protected org.jasig.cas.authentication.HandlerResult authenticateUsernamePasswordInternal(org.jasig.cas.authentication.UsernamePasswordCredential upc)
                                                                                   throws java.security.GeneralSecurityException,
                                                                                          org.jasig.cas.authentication.PreventedException

Specified by:

authenticateUsernamePasswordInternal in class org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

Throws:

java.security.GeneralSecurityException

org.jasig.cas.authentication.PreventedException

supports

public boolean supports(org.jasig.cas.authentication.Credential credential)

Handle post authentication processing.

Specified by:

supports in interface org.jasig.cas.authentication.AuthenticationHandler

Overrides:

supports in class org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

Parameters:

credential - the credential

Returns:

the handler result

getName

public java.lang.String getName()

Specified by:

getName in interface org.jasig.cas.authentication.AuthenticationHandler

Overrides:

getName in class org.jasig.cas.authentication.AbstractAuthenticationHandler

createPrincipal

protected org.jasig.cas.authentication.principal.Principal createPrincipal(java.lang.String username,
                                                               org.ldaptive.LdapEntry ldapEntry)
                                                                    throws javax.security.auth.login.LoginException

Creates a CAS principal with attributes if the LDAP entry contains principal attributes.

Parameters:

username - Username that was successfully authenticated which is used for principal ID when setPrincipalIdAttribute(String) is not specified.

ldapEntry - LDAP entry that may contain principal attributes.

Returns:

Principal if the LDAP entry contains at least a principal ID attribute value, null otherwise.

Throws:

javax.security.auth.login.LoginException - On security policy errors related to principal creation.

initialize

@PostConstruct
public void initialize()

Initialize the handler, setup the authentication entry attributes.