Package org.springframework.ldap.core.support

Class AbstractTlsDirContextAuthenticationStrategy

  • All Implemented Interfaces:
    DirContextAuthenticationStrategy
    Direct Known Subclasses:
    DefaultTlsDirContextAuthenticationStrategy, ExternalTlsDirContextAuthenticationStrategy
    public abstract class AbstractTlsDirContextAuthenticationStrategy
extends java.lang.Object
implements DirContextAuthenticationStrategy
    Abstract superclass for DirContextAuthenticationStrategy implementations that apply TLS security to the connections. The supported TLS behavior differs between servers. E.g., some servers expect the TLS connection be shut down gracefully before the actual target context is closed, whereas other servers do not support that. The shutdownTlsGracefully property controls this behavior; the property defaults to false.

    The SSLSocketFactory used for TLS negotiation can be customized using the sslSocketFactory property. This allows for example a socket factory that can load the keystore/truststore using the Spring Resource abstraction. This provides a much more Spring-like strategy for configuring PKI credentials for authentication, in addition to allowing application-specific keystores and truststores running in the same JVM.

    In some rare occasions there is a need to supply a HostnameVerifier to the TLS processing instructions in order to have the returned certificate properly validated. If a HostnameVerifier is supplied to setHostnameVerifier(HostnameVerifier), that will be applied to the processing.

    For further information regarding TLS, refer to this page.

    NB: TLS negotiation is an expensive process, which is why you will most likely want to use connection pooling, to make sure new connections are not created for each individual request. It is imperative however, that the built-in LDAP connection pooling is not used in combination with the TLS AuthenticationStrategy implementations - this will not work. You should use the Spring LDAP PoolingContextSource instead.

    • Method Summary

      All Methods Instance Methods Abstract Methods Concrete Methods 
      Modifier and Type Method Description
      protected abstract void applyAuthentication​(javax.naming.ldap.LdapContext ctx, java.lang.String userDn, java.lang.String password)
      Apply the actual authentication to the specified LdapContext .
      javax.naming.directory.DirContext processContextAfterCreation​(javax.naming.directory.DirContext ctx, java.lang.String userDn, java.lang.String password)
      This method is responsible for post-processing the DirContext instance after it has been created.
      void setHostnameVerifier​(javax.net.ssl.HostnameVerifier hostnameVerifier)
      Set the optional HostnameVerifier to use for verifying incoming certificates.
      void setShutdownTlsGracefully​(boolean shutdownTlsGracefully)
      Specify whether the TLS should be shut down gracefully before the target context is closed.
      void setSslSocketFactory​(javax.net.ssl.SSLSocketFactory sslSocketFactory)
      Sets the optional SSL socket factory used for startTLS negotiation.
      void setupEnvironment​(java.util.Hashtable<java.lang.String,​java.lang.Object> env, java.lang.String userDn, java.lang.String password)
      This method is responsible for preparing the environment to be used when creating the DirContext instance.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • AbstractTlsDirContextAuthenticationStrategy

        public AbstractTlsDirContextAuthenticationStrategy()

    • Method Detail

      • setShutdownTlsGracefully

        public void setShutdownTlsGracefully​(boolean shutdownTlsGracefully)
        Specify whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
        Parameters:
        shutdownTlsGracefully - true to shut down the TLS connection explicitly, false closes the target context immediately.

      • setHostnameVerifier

        public void setHostnameVerifier​(javax.net.ssl.HostnameVerifier hostnameVerifier)
        Set the optional HostnameVerifier to use for verifying incoming certificates. Defaults to null , meaning that the default hostname verification will take place.
        Parameters:
        hostnameVerifier - The HostnameVerifier to use, if any.

      • setSslSocketFactory

        public void setSslSocketFactory​(javax.net.ssl.SSLSocketFactory sslSocketFactory)
        Sets the optional SSL socket factory used for startTLS negotiation. Defaults to null to indicate that the default socket factory provided by the underlying JSSE provider should be used.
        Parameters:
        sslSocketFactory - SSL socket factory to use, if any.

      • setupEnvironment

        public final void setupEnvironment​(java.util.Hashtable<java.lang.String,​java.lang.Object> env,
                                   java.lang.String userDn,
                                   java.lang.String password)
        Description copied from interface: DirContextAuthenticationStrategy
        This method is responsible for preparing the environment to be used when creating the DirContext instance. The base environment (including URL, ContextFactory etc. will already be set, and this method is called just before the actual Context is to be created.
        Specified by:
        setupEnvironment in interface DirContextAuthenticationStrategy
        Parameters:
        env - The Hashtable to be sent to the DirContext instance on initialization. Pre-configured with the basic settings; the implementation of this method is responsible for manipulating the environment as appropriate for the particular authentication mechanism.
        userDn - the user DN to authenticate, as received from the AuthenticationSource of the ContextSource.
        password - the password to authenticate with, as received from the AuthenticationSource of the ContextSource.

      • processContextAfterCreation

        public final javax.naming.directory.DirContext processContextAfterCreation​(javax.naming.directory.DirContext ctx,
                                                                           java.lang.String userDn,
                                                                           java.lang.String password)
                                                                    throws javax.naming.NamingException
        Description copied from interface: DirContextAuthenticationStrategy
        This method is responsible for post-processing the DirContext instance after it has been created. It will be called immediately after the instance has been created. Some authentication mechanisms, e.g. TLS, require particular stuff to happen before the actual target Context is closed. This method provides the possibility to replace or wrap the actual DirContext with a proxy so that any calls on it may be intercepted.
        Specified by:
        processContextAfterCreation in interface DirContextAuthenticationStrategy
        Parameters:
        ctx - the freshly created DirContext instance. The actual implementation class (e.g. InitialLdapContext) depends on the ContextSource implementation.
        userDn - the user DN to authenticate, as received from the AuthenticationSource of the ContextSource.
        password - the password to authenticate with, as received from the AuthenticationSource of the ContextSource.
        Returns:
        the DirContext, possibly modified, replaced or wrapped.
        Throws:
        javax.naming.NamingException - if anything goes wrong. This will cause the DirContext creation to be aborted and the exception to be translated and rethrown.

      • applyAuthentication

        protected abstract void applyAuthentication​(javax.naming.ldap.LdapContext ctx,
                                            java.lang.String userDn,
                                            java.lang.String password)
                                     throws javax.naming.NamingException
        Apply the actual authentication to the specified LdapContext . Typically, this will involve adding stuff to the environment.
        Parameters:
        ctx - the LdapContext instance.
        userDn - the user dn of the user to authenticate.
        password - the password of the user to authenticate.
        Throws:
        javax.naming.NamingException - if any error occurs.