org.jasig.cas.authentication

Class LdapAuthenticationHandler

java.lang.Object

org.jasig.cas.authentication.AbstractAuthenticationHandler

org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.jasig.cas.authentication.LdapAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

public class LdapAuthenticationHandler
extends AbstractUsernamePasswordAuthenticationHandler

LDAP authentication handler that uses the ldaptive Authenticator component underneath. This handler provides simple attribute resolution machinery by reading attributes from the entry corresponding to the DN of the bound user (in the bound security context) upon successful authentication. Principal resolution is controlled by the following properties:

setPrincipalIdAttribute(String)
setPrincipalAttributeMap(java.util.Map)

Since:

4.0

Author:

Marvin S. Addison

Field Summary

Fields

Modifier and Type	Field and Description
protected List<String>	additionalAttributes List of additional attributes to be fetched but are not principal attributes.
protected Map<String,String>	principalAttributeMap Mapping of LDAP attribute name to principal attribute name.

Fields inherited from class org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

logger

Constructor Summary

Constructors

Constructor and Description
LdapAuthenticationHandler(org.ldaptive.auth.Authenticator authenticator) Creates a new authentication handler that delegates to the given authenticator.

Method Summary

Methods

Modifier and Type	Method and Description
protected HandlerResult	authenticateUsernamePasswordInternal(UsernamePasswordCredential upc)
protected Principal	createPrincipal(String username, org.ldaptive.LdapEntry ldapEntry) Creates a CAS principal with attributes if the LDAP entry contains principal attributes.
String	getName()
void	initialize()
void	setAdditionalAttributes(List<String> additionalAttributes) Sets the list of additional attributes to be fetched from the user entry during authentication.
void	setAllowMultiplePrincipalAttributeValues(boolean allowed) Sets a flag that determines whether multiple values are allowed for the principalIdAttribute.
void	setName(String name) Sets the component name.
void	setPrincipalAttributeMap(Map<String,String> attributeNameMap) Sets the mapping of additional principal attributes where the key is the LDAP attribute name and the value is the principal attribute name.
void	setPrincipalIdAttribute(String attributeName) Sets the name of the LDAP principal attribute whose value should be used for the principal ID.
boolean	supports(Credential credential)

Methods inherited from class org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

createHandlerResult, doAuthentication, getPasswordEncoder, getPasswordPolicyConfiguration, getPrincipalNameTransformer, setPasswordEncoder, setPasswordPolicyConfiguration, setPrincipalNameTransformer

Methods inherited from class org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, postAuthenticate, preAuthenticate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

principalAttributeMap

@NotNull
protected Map<String,String> principalAttributeMap

Mapping of LDAP attribute name to principal attribute name.

additionalAttributes

@NotNull
protected List<String> additionalAttributes

List of additional attributes to be fetched but are not principal attributes.

Constructor Detail

LdapAuthenticationHandler

public LdapAuthenticationHandler(@NotNull
                         org.ldaptive.auth.Authenticator authenticator)

Creates a new authentication handler that delegates to the given authenticator.

Parameters:

authenticator - Ldaptive authenticator component.

Method Detail

setName

public void setName(String name)

Sets the component name. Defaults to simple class name.

Overrides:

setName in class AbstractAuthenticationHandler

Parameters:

name - Authentication handler name.

setPrincipalIdAttribute

public void setPrincipalIdAttribute(String attributeName)

Sets the name of the LDAP principal attribute whose value should be used for the principal ID.

Parameters:

attributeName - LDAP attribute name.

setAllowMultiplePrincipalAttributeValues

public void setAllowMultiplePrincipalAttributeValues(boolean allowed)

Sets a flag that determines whether multiple values are allowed for the principalIdAttribute. This flag only has an effect if principalIdAttribute is configured. If multiple values are detected when the flag is false, the first value is used and a warning is logged. If multiple values are detected when the flag is true, an exception is raised.

Parameters:

allowed - True to allow multiple principal ID attribute values, false otherwise.

setPrincipalAttributeMap

public void setPrincipalAttributeMap(Map<String,String> attributeNameMap)

Sets the mapping of additional principal attributes where the key is the LDAP attribute name and the value is the principal attribute name. The key set defines the set of attributes read from the LDAP entry at authentication time. Note that the principal ID attribute should not be listed among these attributes.

Parameters:

attributeNameMap - Map of LDAP attribute name to principal attribute name.

setAdditionalAttributes

public void setAdditionalAttributes(List<String> additionalAttributes)

Sets the list of additional attributes to be fetched from the user entry during authentication. These attributes are not bound to the principal.

A common use case for these attributes is to support password policy machinery.

Parameters:

additionalAttributes - List of operational attributes to fetch when resolving an entry.

authenticateUsernamePasswordInternal

protected HandlerResult authenticateUsernamePasswordInternal(UsernamePasswordCredential upc)
                                                      throws GeneralSecurityException,
                                                             PreventedException

Specified by:

authenticateUsernamePasswordInternal in class AbstractUsernamePasswordAuthenticationHandler

Throws:

GeneralSecurityException

PreventedException

supports

public boolean supports(Credential credential)

Specified by:

supports in interface AuthenticationHandler

Overrides:

supports in class AbstractUsernamePasswordAuthenticationHandler

getName

public String getName()

Specified by:

getName in interface AuthenticationHandler

Overrides:

getName in class AbstractAuthenticationHandler

createPrincipal

protected Principal createPrincipal(String username,
                        org.ldaptive.LdapEntry ldapEntry)
                             throws LoginException

Creates a CAS principal with attributes if the LDAP entry contains principal attributes.

Parameters:

username - Username that was successfully authenticated which is used for principal ID when setPrincipalIdAttribute(String) is not specified.

ldapEntry - LDAP entry that may contain principal attributes.

Returns:

Principal if the LDAP entry contains at least a principal ID attribute value, null otherwise.

Throws:

LoginException - On security policy errors related to principal creation.

initialize

@PostConstruct
public void initialize()