Class AbstractTlsDirContextAuthenticationStrategy
- java.lang.Object
  - org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy
- All Implemented Interfaces:
  DirContextAuthenticationStrategy
- Direct Known Subclasses:
  DefaultTlsDirContextAuthenticationStrategy, ExternalTlsDirContextAuthenticationStrategy
public abstract class AbstractTlsDirContextAuthenticationStrategy extends java.lang.Object implements DirContextAuthenticationStrategy

Abstract superclass for DirContextAuthenticationStrategy implementations that apply TLS security to the connections. The supported TLS behavior differs between servers. E.g., some servers expect the TLS connection to be shut down gracefully before the actual target context is closed, whereas other servers do not support that. The shutdownTlsGracefully property controls this behavior; the property defaults to false.

The SSLSocketFactory used for TLS negotiation can be customized using the sslSocketFactory property. This allows, for example, a socket factory that can load the keystore/truststore using the Spring Resource abstraction. This provides a much more Spring-like strategy for configuring PKI credentials for authentication, in addition to allowing application-specific keystores and truststores running in the same JVM.

In some rare occasions there is a need to supply a HostnameVerifier to the TLS processing instructions in order to have the returned certificate properly validated. If a HostnameVerifier is supplied to setHostnameVerifier(HostnameVerifier), it will be applied to the processing.

For further information regarding TLS, refer to this page.

NB: TLS negotiation is an expensive process, which is why you will most likely want to use connection pooling, to make sure new connections are not created for each individual request. It is imperative, however, that the built-in LDAP connection pooling is not used in combination with the TLS AuthenticationStrategy implementations - this will not work. You should use the Spring LDAP PoolingContextSource instead.
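A wiring example, added here and not taken from the Spring LDAP sources, that brings the three properties described above together with the pooling caveat: the truststore is loaded through a Spring Resource, built-in JNDI pooling is switched off and a PoolingContextSource wraps the TLS-enabled source. The host name, bind DN, resource path and environment variable names are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.pool.factory.PoolingContextSource;

public class TlsLdapContextSourceConfig {
    // Socket factory whose trust store is loaded via the Spring Resource abstraction, so the
    // StartTLS handshake only accepts server certificates chaining to our own CA.
    static SSLSocketFactory socketFactoryFor(Resource trustStore, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = trustStore.getInputStream()) {
            ks.load(in, storePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static ContextSource tlsContextSource() throws Exception {
        DefaultTlsDirContextAuthenticationStrategy tls = new DefaultTlsDirContextAuthenticationStrategy();
        tls.setShutdownTlsGracefully(true); // for servers that expect TLS closed before the context
        tls.setSslSocketFactory(socketFactoryFor(new ClassPathResource("ldap-truststore.p12"),
                System.getenv("LDAP_TRUSTSTORE_PASSWORD").toCharArray())); // assumed path/env var
        // Only reach for a HostnameVerifier when the default check cannot match the certificate;
        // restrict it to the expected host, never return true unconditionally.
        tls.setHostnameVerifier((hostname, session) -> "ldap.example.internal".equals(hostname));
        LdapContextSource base = new LdapContextSource();
        base.setUrl("ldap://ldap.example.internal:389"); // plain port; StartTLS upgrades it
        base.setUserDn("cn=svc-app,ou=services,dc=example,dc=internal"); // assumed bind DN
        base.setPassword(System.getenv("LDAP_BIND_PASSWORD"));
        base.setAuthenticationStrategy(tls);
        base.setPooled(false); // built-in JNDI pooling does not work with the TLS strategies
        base.afterPropertiesSet();

        // Pool at the Spring LDAP level instead, so StartTLS is not negotiated for every request.
        PoolingContextSource pooled = new PoolingContextSource();
        pooled.setContextSource(base);
        return pooled;
    }
}
```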
Constructor Summary
- AbstractTlsDirContextAuthenticationStrategy()

Method Summary
- protected abstract void applyAuthentication(javax.naming.ldap.LdapContext ctx, java.lang.String userDn, java.lang.String password)
  Apply the actual authentication to the specified LdapContext.
- javax.naming.directory.DirContext processContextAfterCreation(javax.naming.directory.DirContext ctx, java.lang.String userDn, java.lang.String password)
  This method is responsible for post-processing the DirContext instance after it has been created.
- void setHostnameVerifier(javax.net.ssl.HostnameVerifier hostnameVerifier)
  Set the optional HostnameVerifier to use for verifying incoming certificates.
- void setShutdownTlsGracefully(boolean shutdownTlsGracefully)
  Specify whether the TLS should be shut down gracefully before the target context is closed.
- void setSslSocketFactory(javax.net.ssl.SSLSocketFactory sslSocketFactory)
  Sets the optional SSL socket factory used for startTLS negotiation.
- void setupEnvironment(java.util.Hashtable<java.lang.String,java.lang.Object> env, java.lang.String userDn, java.lang.String password)
  This method is responsible for preparing the environment to be used when creating the DirContext instance.
Method Detail

setShutdownTlsGracefully
public void setShutdownTlsGracefully(boolean shutdownTlsGracefully)
Specify whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
- Parameters:
  shutdownTlsGracefully - true to shut down the TLS connection explicitly, false closes the target context immediately.
setHostnameVerifier
public void setHostnameVerifier(javax.net.ssl.HostnameVerifier hostnameVerifier)
Set the optional HostnameVerifier to use for verifying incoming certificates. Defaults to null, meaning that the default hostname verification will take place.
- Parameters:
  hostnameVerifier - The HostnameVerifier to use, if any.
setSslSocketFactory
public void setSslSocketFactory(javax.net.ssl.SSLSocketFactory sslSocketFactory)
Sets the optional SSL socket factory used for startTLS negotiation. Defaults to null to indicate that the default socket factory provided by the underlying JSSE provider should be used.
- Parameters:
  sslSocketFactory - SSL socket factory to use, if any.
setupEnvironment
public final void setupEnvironment(java.util.Hashtable<java.lang.String,java.lang.Object> env, java.lang.String userDn, java.lang.String password)
Description copied from interface: DirContextAuthenticationStrategy
This method is responsible for preparing the environment to be used when creating the DirContext instance. The base environment (including URL, ContextFactory etc.) will already be set, and this method is called just before the actual Context is to be created.
- Specified by:
  setupEnvironment in interface DirContextAuthenticationStrategy
- Parameters:
  env - The Hashtable to be sent to the DirContext instance on initialization. Pre-configured with the basic settings; the implementation of this method is responsible for manipulating the environment as appropriate for the particular authentication mechanism.
  userDn - the user DN to authenticate, as received from the AuthenticationSource of the ContextSource.
  password - the password to authenticate with, as received from the AuthenticationSource of the ContextSource.
processContextAfterCreation
public final javax.naming.directory.DirContext processContextAfterCreation(javax.naming.directory.DirContext ctx, java.lang.String userDn, java.lang.String password) throws javax.naming.NamingException
Description copied from interface: DirContextAuthenticationStrategy
This method is responsible for post-processing the DirContext instance after it has been created. It will be called immediately after the instance has been created. Some authentication mechanisms, e.g. TLS, require particular stuff to happen before the actual target Context is closed. This method provides the possibility to replace or wrap the actual DirContext with a proxy so that any calls on it may be intercepted.
- Specified by:
  processContextAfterCreation in interface DirContextAuthenticationStrategy
- Parameters:
  ctx - the freshly created DirContext instance. The actual implementation class (e.g. InitialLdapContext) depends on the ContextSource implementation.
  userDn - the user DN to authenticate, as received from the AuthenticationSource of the ContextSource.
  password - the password to authenticate with, as received from the AuthenticationSource of the ContextSource.
- Returns:
  the DirContext, possibly modified, replaced or wrapped.
- Throws:
  javax.naming.NamingException - if anything goes wrong. This will cause the DirContext creation to be aborted and the exception to be translated and rethrown.
applyAuthentication
protected abstract void applyAuthentication(javax.naming.ldap.LdapContext ctx, java.lang.String userDn, java.lang.String password) throws javax.naming.NamingException
Apply the actual authentication to the specified LdapContext. Typically, this will involve adding stuff to the environment.
- Parameters:
  ctx - the LdapContext instance.
  userDn - the user DN of the user to authenticate.
  password - the password of the user to authenticate.
- Throws:
  javax.naming.NamingException - if any error occurs.