com.nitido.nimx.services.authentication.dirpool
Class AuthenticationServiceImpl

java.lang.Object
  com.nitido.nim.NiMKernelService
      com.nitido.nim.AuthenticationService
          com.nitido.nimx.services.authentication.dirpool.AuthenticationServiceImpl

All Implemented Interfaces:

CredentialConstants, NiMConstants

public class AuthenticationServiceImpl
extends AuthenticationService
implements CredentialConstants

This implementation of the AuthenticaitonService utilizes the DirPoolService to authenticate against the backend directory server.

This implementation of AuthenticationService requires the following settings:

• com.nitido.nimx.services.authentication.dirpool.readpool
  • The directory connection pool name for read access.
  • The constant of the key is CONF_KEY_READ_POOL.
  • This is a required configuration. The valid value is a directory pool name that has been configured for the DirPoolService.
• com.nitido.nimx.services.authentication.dirpool.writepool
  • The directory connection pool name for write access.
  • The constant of the key is CONF_KEY_WRITE_POOL
  • This is a required configuration. The valid value is a directory pool name that has been configured for the DirPoolService.
• com.nitido.nimx.services.authentication.sleep.changepwd
  • The time to sleep after changing the authentication credential.
  • The constant of the key is CONF_KEY_SLEEP_CHANGEPWD
  • This is an optional configuration. The valid value is an integer in milliseconds. If no value is specified, 0 will be used, which implies no wait at all. Negative value will be treated as if it is 0 (i.e. no wait).
  • This configuration is useful if the underlying LDAP data store are configured in master-slave architecture. It usually takes some time before a password changes got replicated on all server. During this replication, the application should sleep for a while. Otherwise, we will fail to re-authenticate the new credential.

For each credential type that this AuthenticationService support, you must also provide the following settings, (where <CredType> is the credential type name):

• com.nitido.nimx.services.authentication.dirpool.cred.dnprefix.<CredType>
  • This configuration defined the DN's prefix to be used for credential type <CredType>l;. This class build the user entry's DN in the format of <prefix><uid><postfix>, where <prefix> is defined by this configuration, and <uid> is the credential's entity ID.
  • The constant of the key prefix is CONF_KEY_PREFIX_DN_PREFIX.
  • If this configuration is defined, the credential type <CredType> is regarded as "declared to be supported". This implementation will expect the configurations "com.nitido.nimx.services.authentication.dirpool.cred.postfix.<CredType>" and "com.nitido.nimx.services.authentication.dirpool.cred.passwordmap.<CredType>" are also defined.
  • This is a required configuration.
  • If the specified credential has no DN prefix, you can passs an empty string as this configuration.
  • The LDAP special characters must be escaped as specified in RFC 2251 and RFC 2253. This implementation will not perform further character escaping.
• com.nitido.nimx.services.authentication.dirpool.cred.postfix.<CredType>
  • This configuration defined the DN's postfix to be used for credential type <CredType>l;. This class build the user entry's DN in the format of <prefix><uid><postfix>, where <postfix> is defined by this configuration, and <uid> is the credential's entity ID.
  • The constant of the key prefix is CONF_KEY_PREFIX_DN_POSTFIX.
  • This configuration is required if the credential type is declared
  • If the specified credential has no DN postfix, you can passs an empty string as this configuration.
  • The LDAP special characters must be escaped as specified in RFC 2251 and RFC 2253. This implementation will not perform further character escaping.
• com.nitido.nimx.services.authentication.dirpool.cred.passwordmap.<CredType>
  • The mapping between the credential token key to the LDAP attribute name.
  • The constant of the key prefix is CONF_KEY_PREFIX_PASSWORD_MAP.
  • This configuration value should have the format of "pwdTokenKey:pwdLdapName", where pwdTokenKey is the key of the password to be stored in the credential token, pwdLdapName is the actual LDAP attribute name of the password field. If the underlying schema extends from the standard inetOrgPerson family, the password LDAP name is usually "userPassword".
  • For example, if the credential stores the password under the token "PWD" and the underlying LDAP attribute is "userPassword", this configuration should have the value "PWD:userPassword".
  • This configuration is required if the credential type is declared to be supported.
• com.nitido.nimx.services.authentication.dirpool.cred.alwaysgood.<CredType>
  • This is an optional configuration. If it is not set, the default is false.
  • It is a boolean flag. If it is set to true, the authentication service will not bind to the backend. Instead, it will authenticate all credential belonging to this credential type.

Field Summary

protected java.util.HashMap	_credMapSettingHash
protected java.lang.String	_readPoolName
protected int	_sleepForChangePwd
protected java.lang.String	_writePoolName
static java.lang.String	CONF_KEY_PREFIX_ALWAYS_GOOD Configuration key prefix for the "always good" boolean flag for a credential type.
static java.lang.String	CONF_KEY_PREFIX_DN_POSTFIX Configuration key prefix for the DN postfix to be generated from the credential.
static java.lang.String	CONF_KEY_PREFIX_DN_PREFIX Configuration key prefix for the DN prefix to be generated from the credential.
static java.lang.String	CONF_KEY_PREFIX_PASSWORD_MAP Configuration key prefix for the password mapping to be used for the specified credential.
static java.lang.String	CONF_KEY_READ_POOL Constant for the configuration key for the directory pool name for read access.
static java.lang.String	CONF_KEY_SLEEP_CHANGE_PWD Constant for the configuration key that specifies the time to sleep after changing the password.
static java.lang.String	CONF_KEY_WRITE_POOL Constant for the configuration key for the directory pool name for write access.

Fields inherited from interface com.nitido.nim.CredentialConstants

CRED_ADMIN, CRED_CONTAINER, CRED_HELPDESK, CRED_SYSTEM, CRED_USER, KEY_PASSWORD

Fields inherited from interface com.nitido.nim.NiMConstants

ACTION_CREATE_NUGGET, ACTION_CREATE_NUGGET_BY_NAME, ACTION_CRED_SPACE_ADD, ACTION_CRED_SPACE_GET_KEYS, ACTION_CRED_SPACE_GET_KEYS_START_WITH, ACTION_CRED_SPACE_GET_VALUE, ACTION_CRED_SPACE_GET_VALUES, ACTION_CRED_SPACE_MODIFY, ACTION_CRED_SPACE_REMOVE_VALUE, ACTION_CRED_SPACE_REMOVE_VALUES, ACTION_CRED_SPACE_REPLACE, ACTION_DEPROVISION_ENTITY, ACTION_ENTITY_CHANGE_CRED, ACTION_LOG_EVENT, ACTION_PROVISION_ENTITY, ACTION_USER_SPACE_ADD, ACTION_USER_SPACE_GET_KEYS, ACTION_USER_SPACE_GET_KEYS_START_WITH, ACTION_USER_SPACE_GET_VALUE, ACTION_USER_SPACE_GET_VALUES, ACTION_USER_SPACE_MODIFY, ACTION_USER_SPACE_REMOVE_VALUE, ACTION_USER_SPACE_REMOVE_VALUES, ACTION_USER_SPACE_REPLACE, CONF_PREFIX_SECURITY_ACCESS, CONF_PREFIX_SECURITY_ALLOW, CONF_PREFIX_SECURITY_ASSIGN, CONF_PREFIX_SECURITY_RESOURCE, PARAM_CHANGE_CRED, PARAM_DEPROVISION_CREDENTIAL, PARAM_EVENT_NAME, PARAM_MODIFIER_CONTAINER, PARAM_NUGGET_CREATE_CRED, PARAM_NUGGET_NAME, PARAM_NUGGET_SETTINGS, PARAM_NUGGET_TYPE, PARAM_PROVISION_DESCRIPTOR, PARAM_SPACE_KEY, PARAM_SPACE_KEYS_START_WITH, PARAM_SPACE_VALUE, PREFIX_ACCESS_CLASS_IN_PACKAGE

Constructor Summary

AuthenticationServiceImpl(NiMKernelServiceVisa visa)
This class constructor is used by NiMKernel to instantiate a new directory AuthenticationService.

Method Summary

protected Credential	authenticateImpl(Credential cred) This method is used to authenticate the given credential against a directory server.
void	changeAuthenticationCredential(Credential oldCred, Credential newCred) This method is used to change the identifying credentials on an entity.
protected Directory	connectForRead(java.lang.String dn, java.lang.String pwd) This method returns a connected directory object to the backend server obtained from the read access directory pool.
protected Directory	connectForWrite(java.lang.String dn, java.lang.String pwd) This method returns a connected directory object to the backend server obtained from the write access directory pool.
protected void	init(NiMKernel kernel, ConfigurationService confService) This method is called by the NiMKernel to initialize the AuthenticationService.
protected void	postAuthenticate(Directory dir, Credential inCred, java.lang.String dn) This method performs additional check on an entry's user profile after binding to the backend LDAP server with the credential sucessfully.

Methods inherited from class com.nitido.nim.AuthenticationService

authenticate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CONF_KEY_READ_POOL

public static final java.lang.String CONF_KEY_READ_POOL

Constant for the configuration key for the directory pool name for read access.

See Also:

Constant Field Values

CONF_KEY_WRITE_POOL

public static final java.lang.String CONF_KEY_WRITE_POOL

Constant for the configuration key for the directory pool name for write access.

See Also:

Constant Field Values

CONF_KEY_SLEEP_CHANGE_PWD

public static final java.lang.String CONF_KEY_SLEEP_CHANGE_PWD

Constant for the configuration key that specifies the time to sleep after changing the password.

See Also:

Constant Field Values

CONF_KEY_PREFIX_DN_PREFIX

public static final java.lang.String CONF_KEY_PREFIX_DN_PREFIX

Configuration key prefix for the DN prefix to be generated from the credential.

See Also:

Constant Field Values

CONF_KEY_PREFIX_DN_POSTFIX

public static final java.lang.String CONF_KEY_PREFIX_DN_POSTFIX

Configuration key prefix for the DN postfix to be generated from the credential.

See Also:

Constant Field Values

CONF_KEY_PREFIX_PASSWORD_MAP

public static final java.lang.String CONF_KEY_PREFIX_PASSWORD_MAP

Configuration key prefix for the password mapping to be used for the specified credential.

See Also:

Constant Field Values

CONF_KEY_PREFIX_ALWAYS_GOOD

public static final java.lang.String CONF_KEY_PREFIX_ALWAYS_GOOD

Configuration key prefix for the "always good" boolean flag for a credential type.

See Also:

Constant Field Values

_credMapSettingHash

protected final java.util.HashMap _credMapSettingHash

_readPoolName

protected java.lang.String _readPoolName

_writePoolName

protected java.lang.String _writePoolName

_sleepForChangePwd

protected int _sleepForChangePwd

Constructor Detail

AuthenticationServiceImpl

public AuthenticationServiceImpl(NiMKernelServiceVisa visa)

This class constructor is used by NiMKernel to instantiate a new directory AuthenticationService.

Parameters:

visa - Reference to the NiMKernelServiceVisa object required to instantiate the service. This parameter is required to ensure that only the NiMkernel can instantiate a reference to this service.

Method Detail

init

protected void init(NiMKernel kernel,
                    ConfigurationService confService)
             throws InitializationFailedException,
                    NiMException

This method is called by the NiMKernel to initialize the AuthenticationService.

Specified by:

init in class AuthenticationService

Parameters:

kernel - Reference to the Kernel that instantiated and initialized this service.

confService - Reference to the ConfigurationService. The ConfigurationService must provide all of the following settings in order to initialize this service successfully. The detail of the required configuration can be found in the class description JavaDoc of this object.

Throws:

InitializationFailedException - If unable to initialize the kernel service.

NiMException - If service initialization can not be done due to failure in establish a connection to the back-end service.

authenticateImpl

protected Credential authenticateImpl(Credential cred)
                               throws AuthenticationFailedException,
                                      IllegalCredentialException,
                                      NiMException

This method is used to authenticate the given credential against a directory server. This method retrieves the following settings from the configuration service:

• The distinguish name prefix for the entity type being authenticated.
• The distinguish name postfix for the entity type being authenticated.
• The name of the token key in the credential object that holds the entity's authentication password.

Specified by:

authenticateImpl in class AuthenticationService

Parameters:

cred - The credential to authenticate against the directory

Returns:

The Entity's authenticated Credential. NOTE: even if the credential tokens are not changed during the authentication process, this method should always return a clone of the original Credential. It should never return the original credential.

Throws:

IllegalCredentialException - If the credential is invalid or the configuration settings do not support the given entity type.

AuthenticationFailedException - If unable to authenticate the given credential because of incorrect user id/password combination.

NiMException - If unable to establish connection to the directory server.

postAuthenticate

protected void postAuthenticate(Directory dir,
                                Credential inCred,
                                java.lang.String dn)
                         throws AuthenticationFailedException,
                                IllegalCredentialException,
                                NiMException

This method performs additional check on an entry's user profile after binding to the backend LDAP server with the credential sucessfully. This method is usually overrided by extended implementation to provide application specific authentication checks, e.g. check the user's active status or account validity before allowing the user to authenticate.

Throws:

AuthenticationFailedException

IllegalCredentialException

NiMException

connectForRead

protected Directory connectForRead(java.lang.String dn,
                                   java.lang.String pwd)
                            throws DirAuthenticationFailedException,
                                   DirectoryException,
                                   NiMException

This method returns a connected directory object to the backend server obtained from the read access directory pool.

Throws:

DirAuthenticationFailedException

DirectoryException

NiMException

connectForWrite

protected Directory connectForWrite(java.lang.String dn,
                                    java.lang.String pwd)
                             throws DirAuthenticationFailedException,
                                    DirectoryException,
                                    NiMException

This method returns a connected directory object to the backend server obtained from the write access directory pool.

Throws:

DirAuthenticationFailedException

DirectoryException

NiMException

changeAuthenticationCredential

public void changeAuthenticationCredential(Credential oldCred,
                                           Credential newCred)
                                    throws AuthenticationFailedException,
                                           IllegalCredentialException,
                                           NiMException

Description copied from class: AuthenticationService

This method is used to change the identifying credentials on an entity.

Specified by:

changeAuthenticationCredential in class AuthenticationService

Parameters:

oldCred - The original credential

newCred - The new credential

Throws:

AuthenticationFailedException - If unable to authenticate the given credential

IllegalCredentialException - If the credential is invalid or belongs to a type that is not supported by this AuthenticationService.

NiMException - If the kernel service fails to connect to back-end authentication system.