1 /*
2 * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /**
25 * @test
26 * @author Vincent Ryan
27 * @bug 4814522
28 * @summary Check that an LdapLoginModule can be initialized using various
29 * JAAS configurations.
30 * (LdapLoginModule replaces the JndiLoginModule for LDAP access)
31 *
32 * Run this test twice, once using the default security manager:
33 *
34 * @run main/othervm CheckConfigs
35 * @run main/othervm/policy=CheckConfigs.policy CheckConfigs
36 */
37
38 import java.io.IOException;
39 import java.util.Collections;
40 import java.util.Map;
41 import java.util.HashMap;
42
43 import javax.naming.CommunicationException;
44 import javax.security.auth.*;
45 import javax.security.auth.login.*;
46 import javax.security.auth.callback.*;
47 import com.sun.security.auth.module.LdapLoginModule;
48
49 public class CheckConfigs {
50
51 public static void main(String[] args) throws Exception {
52 SecurityManager securityManager = System.getSecurityManager();
53 System.out.println(securityManager == null
54 ? "[security manager is not running]"
55 : "[security manager is running: " +
56 securityManager.getClass().getName() + "]");
57 init();
58 checkConfigModes();
59 }
60
61 private static void init() throws Exception {
62 }
63
64 private static void checkConfigModes() throws Exception {
65
66 LoginContext ldapLogin;
67
68 // search-first mode
69 System.out.println("Testing search-first mode...");
70 try {
71 ldapLogin = new LoginContext(LdapConfiguration.LOGIN_CONFIG_NAME,
72 null, new TestCallbackHandler(), new SearchFirstMode());
73 ldapLogin.login();
74 throw new SecurityException("expected a LoginException");
75
76 } catch (LoginException le) {
77 // expected behaviour (because no LDAP server is available)
78 if (!(le.getCause() instanceof CommunicationException)) {
79 throw le;
80 }
81 }
82
83 // authentication-first mode
84 System.out.println("\nTesting authentication-first mode...");
85 try {
86 ldapLogin = new LoginContext(LdapConfiguration.LOGIN_CONFIG_NAME,
87 null, new TestCallbackHandler(), new AuthFirstMode());
88 ldapLogin.login();
89 throw new SecurityException("expected a LoginException");
90
91 } catch (LoginException le) {
92 // expected behaviour (because no LDAP server is available)
93 if (!(le.getCause() instanceof CommunicationException)) {
94 throw le;
95 }
96 }
97
98 // authentication-only mode
99 System.out.println("\nTesting authentication-only mode...");
100 try {
101 ldapLogin = new LoginContext(LdapConfiguration.LOGIN_CONFIG_NAME,
102 null, new TestCallbackHandler(), new AuthOnlyMode());
103 ldapLogin.login();
104 throw new SecurityException("expected a LoginException");
105
106 } catch (LoginException le) {
107 // expected behaviour (because no LDAP server is available)
108 if (!(le.getCause() instanceof CommunicationException)) {
109 throw le;
110 }
111 }
112 }
113
114 private static class TestCallbackHandler implements CallbackHandler {
115
116 public void handle(Callback[] callbacks)
117 throws IOException, UnsupportedCallbackException {
118
119 for (int i = 0; i < callbacks.length; i++) {
120 if (callbacks[i] instanceof NameCallback) {
121 ((NameCallback)callbacks[i]).setName("myname");
122
123 } else if (callbacks[i] instanceof PasswordCallback) {
124 ((PasswordCallback)callbacks[i])
125 .setPassword("mypassword".toCharArray());
126
127 } else {
128 throw new UnsupportedCallbackException
129 (callbacks[i], "Unrecognized callback");
130 }
131 }
132 }
133 }
134 }
135
136 class LdapConfiguration extends Configuration {
137
138 // The JAAS configuration name for ldap-based authentication
139 public static final String LOGIN_CONFIG_NAME = "TestAuth";
140
141 // The JAAS configuration for ldap-based authentication
142 protected static AppConfigurationEntry[] entries;
143
144 // The classname of the login module for ldap-based authentication
145 protected static final String LDAP_LOGIN_MODULE =
146 LdapLoginModule.class.getName();
147
148 /**
149 * Gets the JAAS configuration for ldap-based authentication
150 */
151 public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
152 return name.equals(LOGIN_CONFIG_NAME) ? entries : null;
153 }
154
155 /**
156 * Refreshes the configuration.
157 */
158 public void refresh() {
159 // the configuration is fixed
160 }
161 }
162
163 /**
164 * This class defines the JAAS configuration for ldap-based authentication.
165 * It is equivalent to the following textual configuration entry:
166 * <pre>
167 * TestAuth {
168 * com.sun.security.auth.module.LdapLoginModule REQUIRED
169 * userProvider="ldap://localhost:23456/dc=example,dc=com"
170 * userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
171 * authzIdentity="{EMPLOYEENUMBER}"
172 * debug=true;
173 * };
174 * </pre>
175 */
176 class SearchFirstMode extends LdapConfiguration {
177
178 public SearchFirstMode() {
179 super();
180
181 Map<String, String> options = new HashMap<>(4);
182 options.put("userProvider", "ldap://localhost:23456/dc=example,dc=com");
183 options.put("userFilter",
184 "(&(uid={USERNAME})(objectClass=inetOrgPerson))");
185 options.put("authzIdentity", "{EMPLOYEENUMBER}");
186 options.put("debug", "true");
187
188 entries = new AppConfigurationEntry[] {
189 new AppConfigurationEntry(LDAP_LOGIN_MODULE,
190 AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
191 options)
192 };
193 }
194
195 }
196
197 /**
198 * This class defines the JAAS configuration for ldap-based authentication.
199 * It is equivalent to the following textual configuration entry:
200 * <pre>
201 * TestAuth {
202 * com.sun.security.auth.module.LdapLoginModule REQUIRED
203 * userProvider="ldap://localhost:23456/dc=example,dc=com"
204 * authIdentity="{USERNAME}"
205 * userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
206 * useSSL=false
207 * debug=true;
208 * };
209 * </pre>
210 */
211 class AuthFirstMode extends LdapConfiguration {
212
213 public AuthFirstMode() {
214 super();
215
216 Map<String, String> options = new HashMap<>(5);
217 options.put("userProvider", "ldap://localhost:23456/dc=example,dc=com");
218 options.put("authIdentity", "{USERNAME}");
219 options.put("userFilter",
220 "(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})" +
221 "(cn={USERNAME}))(objectClass=user))");
222 options.put("useSSL", "false");
223 options.put("debug", "true");
224
225 entries = new AppConfigurationEntry[] {
226 new AppConfigurationEntry(LDAP_LOGIN_MODULE,
227 AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
228 options)
229 };
230 }
231 }
232
233 /**
234 * This class defines the JAAS configuration for ldap-based authentication.
235 * It is equivalent to the following textual configuration entry:
236 * <pre>
237 * TestAuth {
238 * com.sun.security.auth.module.LdapLoginModule REQUIRED
239 * userProvider="ldap://localhost:23456 ldap://localhost:23457"
240 * authIdentity="cn={USERNAME},ou=people,dc=example,dc=com"
241 * authzIdentity="staff"
242 * debug=true;
243 * };
244 * </pre>
245 */
246 class AuthOnlyMode extends LdapConfiguration {
247
248 public AuthOnlyMode() {
249 super();
250
251 Map<String, String> options = new HashMap<>(4);
252 options.put("userProvider",
253 "ldap://localhost:23456 ldap://localhost:23457");
254 options.put("authIdentity",
255 "cn={USERNAME},ou=people,dc=example,dc=com");
256 options.put("authzIdentity", "staff");
257 options.put("debug", "true");
258
259 entries = new AppConfigurationEntry[] {
260 new AppConfigurationEntry(LDAP_LOGIN_MODULE,
261 AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
262 options)
263 };
264 }
265
266 }