Class ActiveDirectoryAuthenticator

java.lang.Object
io.inverno.mod.security.ldap.authentication.ActiveDirectoryAuthenticator
All Implemented Interfaces:
Authenticator<LoginCredentials,LDAPAuthentication>

public class ActiveDirectoryAuthenticator extends Object implements Authenticator<LoginCredentials,LDAPAuthentication>

Specialized LDAP authenticator that uses Active Directory semantics.

The domain is appended to the username before authentication unless the username already provides one. If no domain is specified, the username is assumed to provide it.

Since:
1.5
Author:
Jeremy Kuhn
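The following is an added usage example, not code from the Inverno project or this page. It shows how the three outcomes described by Authenticator.authenticate map onto the reactive result: an authenticated LDAPAuthentication, a denied one carrying an AuthenticationException (or an error mono), or an empty mono when the authenticator does not handle the credentials. Assumed, because the page does not show them: how the LDAPClient is obtained, that LoginCredentials.of(username, Password) and RawPassword exist with these signatures, and that LDAPAuthentication exposes isAuthenticated(), getUsername() and getCause().

```java
import io.inverno.mod.security.authentication.AuthenticationException;
import io.inverno.mod.security.authentication.LoginCredentials;
import io.inverno.mod.security.authentication.password.RawPassword;
import io.inverno.mod.security.ldap.LDAPClient;
import io.inverno.mod.security.ldap.authentication.ActiveDirectoryAuthenticator;
import io.inverno.mod.security.ldap.authentication.LDAPAuthentication;
import reactor.core.publisher.Mono;

public class AdLoginExample {

    /**
     * Builds an authenticator for the "example.com" domain that searches users under
     * "dc=example,dc=com" with the default search user filter. The LDAPClient is assumed
     * to be configured elsewhere; this page does not show how it is created.
     */
    static ActiveDirectoryAuthenticator newAuthenticator(LDAPClient ldapClient) {
        ActiveDirectoryAuthenticator authenticator =
            new ActiveDirectoryAuthenticator(ldapClient, "example.com", "dc=example,dc=com");
        // Left terminal (the constructor default): a failed authentication yields a denied
        // authentication. setTerminal(false) would make it yield an empty Mono instead, so
        // whatever authenticator runs next in a chain would get to see those credentials.
        authenticator.setTerminal(true);
        return authenticator;
    }

    /**
     * Authenticates a username/password pair and folds the three possible outcomes into a
     * single status string. LoginCredentials.of and RawPassword are assumed constructors.
     */
    static Mono<String> login(ActiveDirectoryAuthenticator authenticator, String username, String password) {
        LoginCredentials credentials = LoginCredentials.of(username, new RawPassword(password));
        return authenticator.authenticate(credentials)
            // Authenticated: the directory accepted the bind and the user search succeeded.
            // Denied: the authenticator handled the credentials but they were invalid.
            .map(auth -> auth.isAuthenticated()
                ? "authenticated: " + auth.getUsername()
                : "denied: " + auth.getCause().map(Throwable::getMessage).orElse("no cause"))
            // A denial may also arrive as an error mono rather than a denied instance.
            .onErrorResume(AuthenticationException.class, e -> Mono.just("denied: " + e.getMessage()))
            // Empty mono: this authenticator could not determine validity (non-terminal mode).
            .defaultIfEmpty("not handled by this authenticator");
    }
}
```

Note that a username which already contains a domain (for example "alice@corp.example.com") is bound as is, so the configured domain only acts as a default; if the username comes from an untrusted client and only one domain is meant to log in, reject or normalise foreign UPN suffixes before calling authenticate.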
  • Field Details

    • DEFAULT_SEARCH_USER_FILTER

      public static final String DEFAULT_SEARCH_USER_FILTER
      The default search user filter.
  • Constructor Details

    • ActiveDirectoryAuthenticator

      public ActiveDirectoryAuthenticator(LDAPClient ldapClient, String domain)

      Creates an Active Directory authenticator with the specified LDAP client and domain.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      domain - the domain
    • ActiveDirectoryAuthenticator

      public ActiveDirectoryAuthenticator(LDAPClient ldapClient, String domain, String base)

      Creates an Active Directory authenticator with the specified LDAP client, domain and base DN.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      domain - the domain
      base - the base DN
    • ActiveDirectoryAuthenticator

      public ActiveDirectoryAuthenticator(LDAPClient ldapClient, String domain, String base, String searchUserFilter)

      Creates an Active Directory authenticator with the specified LDAP client, domain, base DN and search user filter.

      The resulting authenticator is terminal and returns denied authentication on failed authentication.

      Parameters:
      ldapClient - the LDAP client
      domain - the domain
      base - the base DN
      searchUserFilter - the search user filter
  • Method Details

    • setTerminal

      public void setTerminal(boolean terminal)

      Sets whether the authenticator is terminal and should return denied authentication on failed authentication or no authentication to indicate it was not able to authenticate credentials.

      Parameters:
      terminal - true to terminate authentication, false otherwise
    • getDomain

      public String getDomain()

      Returns the domain.

      Returns:
      the domain
    • getBase

      public String getBase()

      Returns the base DN where to search for users.

      Returns:
      the base DN
    • getSearchUserFilter

      public String getSearchUserFilter()

      Returns the search user filter.

      Returns:
      a filter
    • authenticate

      public Mono<LDAPAuthentication> authenticate(LoginCredentials credentials)
      Description copied from interface: Authenticator

      Authenticates the specified credentials and returns an authentication.

      Implementations can return an empty mono to indicate that they were unable to authenticate the credentials. This does not mean the credentials are invalid; it simply means that this particular authenticator does not manage them and therefore cannot determine whether they are valid. For example, when considering login credentials composed of a username and a password, an authenticator which does not manage that particular user can return an empty mono.

      Implementations must return denied authentications carrying an AuthenticationException when they were able to authenticate credentials which turned out to be invalid. For example, a login credentials authenticator must return a denied authentication when it does manage a particular username but the provided password was invalid.

      A denied authentication can also be reported by throwing an AuthenticationException when returning an actual authentication instance is not practical.

      Specified by:
      authenticate in interface Authenticator<LoginCredentials,LDAPAuthentication>
      Parameters:
      credentials - the credentials to authenticate
      Returns:
      a mono emitting an authentication, an error mono or an empty mono if the authenticator could not authenticate the credentials
    • getBindDN

      protected String getBindDN(String username, String domain)

      Resolves the bind operation DN from the specified username and domain.

      This method basically appends the domain to the username, unless it already provides one, to obtain an Active Directory login name of the form <username>@<domain>.

      Parameters:
      username - the name of the user to authenticate
      domain - the domain
      Returns:
      bind operation DN
    • boundDNToBaseDN

      protected String boundDNToBaseDN(String boundDN) throws InvalidCredentialsException

      Extracts the base DN from bind operation DN.

      This basically converts the domain to a valid LDAP DN (e.g. example.com to dc=example,dc=com).

      Parameters:
      boundDN - the bind operation DN
      Returns:
      a base DN
      Throws:
      InvalidCredentialsException - if the bind operation DN is invalid (i.e. it does not provide a domain)
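      The two transformations documented for getBindDN and boundDNToBaseDN, written out as an added, self-contained illustration (this is not the library's code; it only reproduces the behaviour the descriptions above state). The exception class and the rule that "already provides a domain" means "contains an '@'" are assumptions; the page does not say how other name forms are handled.

```java
public final class AdNameResolution {

    /** Hypothetical stand-in for the library's InvalidCredentialsException. */
    public static final class InvalidCredentials extends Exception {
        InvalidCredentials(String message) {
            super(message);
        }
    }

    /**
     * Resolves the bind name: appends "@domain" unless the username already carries a
     * domain. A null domain means "the username is expected to provide it".
     */
    public static String bindDn(String username, String domain) {
        if (username.indexOf('@') >= 0 || domain == null) {
            return username;
        }
        return username + "@" + domain;
    }

    /**
     * Extracts the domain from a bind name of the form user@domain and converts it to a
     * base DN, e.g. "example.com" becomes "dc=example,dc=com". Rejects names without a
     * domain, which is the failure mode boundDNToBaseDN reports.
     */
    public static String baseDn(String boundDn) throws InvalidCredentials {
        int at = boundDn.lastIndexOf('@');
        if (at < 0 || at == boundDn.length() - 1) {
            throw new InvalidCredentials("bind DN does not provide a domain: " + boundDn);
        }
        String domain = boundDn.substring(at + 1);
        StringBuilder dn = new StringBuilder();
        for (String label : domain.split("\\.", -1)) {
            if (label.isEmpty()) {
                throw new InvalidCredentials("malformed domain in bind DN: " + boundDn);
            }
            if (dn.length() > 0) {
                dn.append(',');
            }
            dn.append("dc=").append(label);
        }
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidCredentials {
        // Plain username: the configured domain is appended.
        System.out.println(bindDn("alice", "example.com"));
        // Username already carrying a UPN suffix: used as is, configured domain ignored.
        System.out.println(bindDn("alice@corp.example.com", "example.com"));
        // Domain part of the bind name turned into the base DN used for the user search.
        System.out.println(baseDn("alice@corp.example.com"));
        // No domain anywhere: rejected as invalid credentials.
        try {
            baseDn(bindDn("alice", null));
        } catch (InvalidCredentials e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Because a username that already contains '@' wins over the configured domain, the base DN derived by boundDNToBaseDN also follows the username; in a forest with several domains this is what lets a user from a trusted domain log in with their full UPN, and it is the reason to constrain the accepted suffix upstream when only one domain is intended.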