public class LdapSecurityProvider extends AbstractSecurityProvider implements SecurityProvider
SecurityProvider implementation that relies on LDAP to authenticate.SecurityProvider.SecurityProviderDeniedAuthentication| Modifier and Type | Field and Description |
|---|---|
static java.lang.String |
LDAP_CONTEXT_FACTORY |
static org.slf4j.Logger |
LOG |
| Constructor and Description |
|---|
LdapSecurityProvider(ManagementContext mgmt) |
LdapSecurityProvider(java.lang.String ldapUrl,
java.lang.String ldapRealm,
java.lang.String organizationUnit) |
| Modifier and Type | Method and Description |
|---|---|
boolean |
authenticate(javax.servlet.http.HttpServletRequest request,
java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess,
java.lang.String user,
java.lang.String pass)
Perform the authentication.
|
static void |
checkCanLoad() |
boolean |
requiresUserPass()
whether this provider requires a user/pass; if this returns false, the framework can
send null/null as the user/pass to
#authenticate(HttpSession, String, String),
and should do that if user/pass info is not immediately available
(ie for things like oauth, the framework should not require basic auth if this method returns false) |
isAuthenticated, logoutequals, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitisAuthenticated, logoutpublic static final org.slf4j.Logger LOG
public static final java.lang.String LDAP_CONTEXT_FACTORY
public LdapSecurityProvider(ManagementContext mgmt)
public LdapSecurityProvider(java.lang.String ldapUrl,
java.lang.String ldapRealm,
java.lang.String organizationUnit)
public boolean authenticate(javax.servlet.http.HttpServletRequest request,
java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess,
java.lang.String user,
java.lang.String pass)
throws SecurityProvider.SecurityProviderDeniedAuthentication
SecurityProviderSecurityProvider.requiresUserPass() returns false, user/pass may be null;
otherwise the framework will guarantee the basic auth is in effect and these values are set.
The provider should not send a response but should throw SecurityProvider.SecurityProviderDeniedAuthentication
if a custom response is required. It can include a response in that exception,
e.g. to provide more information or supply a redirect.
It should not create a session via HttpServletRequest.getSession(), especially if
auth is not successful (easy for DOS attack to chew up memory), and even on auth it should use
the Supplier given here to get a session (that will create a session) to install.
(Note that this will return the MultiSessionAttributeAdapter.getPreferredSession(),
not the request's local session.)
On successful auth this method may HttpSession.setAttribute(String, Object) so that
SecurityProvider.isAuthenticated(HttpSession) can return quickly on subsequent requests.
If so, see SecurityProvider.logout(HttpSession) about clearing those values.
authenticate in interface SecurityProviderSecurityProvider.SecurityProviderDeniedAuthenticationpublic static void checkCanLoad()
public boolean requiresUserPass()
SecurityProvider#authenticate(HttpSession, String, String),
and should do that if user/pass info is not immediately available
(ie for things like oauth, the framework should not require basic auth if this method returns false)requiresUserPass in interface SecurityProvider