Class AbstractTlsDirContextAuthenticationStrategy
- All Implemented Interfaces:
  DirContextAuthenticationStrategy
- Direct Known Subclasses:
  DefaultTlsDirContextAuthenticationStrategy, ExternalTlsDirContextAuthenticationStrategy
DirContextAuthenticationStrategy implementations that apply TLS security to the connections. The supported TLS behavior differs between servers. E.g., some servers expect the TLS connection to be shut down gracefully before the actual target context is closed, whereas other servers do not support that. The shutdownTlsGracefully property controls this behavior; the property defaults to false.

The SSLSocketFactory used for TLS negotiation can be customized using the sslSocketFactory property. This allows, for example, a socket factory that can load the keystore/truststore using the Spring Resource abstraction. This provides a much more Spring-like strategy for configuring PKI credentials for authentication, in addition to allowing application-specific keystores and truststores running in the same JVM.

In some rare occasions there is a need to supply a HostnameVerifier to the TLS processing instructions in order to have the returned certificate properly validated. If a HostnameVerifier is supplied to setHostnameVerifier(HostnameVerifier), it will be applied to the processing.

For further information regarding TLS, refer to this page.

NB: TLS negotiation is an expensive process, which is why you will most likely want to use connection pooling, to make sure new connections are not created for each individual request. It is imperative, however, that the built-in LDAP connection pooling is not used in combination with the TLS AuthenticationStrategy implementations - this will not work. You should use the Spring LDAP PoolingContextSource instead.
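The following is an added example, not code from this page or from the Spring LDAP project, showing how the properties described above fit together: an SSLSocketFactory whose trust is limited to a truststore loaded through the Spring Resource abstraction, the TLS strategy applied to an LdapContextSource with the built-in JNDI pooling switched off, and the Spring LDAP PoolingContextSource layered on top so that the expensive StartTLS negotiation is not repeated for every request. The truststore file name, the environment variable holding the bind password, the URL and the DNs are placeholders; the pool classes are assumed to live in the org.springframework.ldap.pool package.

```java
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.pool.factory.PoolingContextSource;
import org.springframework.ldap.pool.validation.DefaultDirContextValidator;

public class TlsLdapConfig {

    // Build an SSLSocketFactory that trusts only the CA certificates in the
    // given truststore. Loading through a Spring Resource means the store can
    // live on the classpath, on disk or behind any other Resource implementation.
    static SSLSocketFactory sslSocketFactoryFrom(Resource truststore, char[] storePassword) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = truststore.getInputStream()) {
            trust.load(in, storePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // No key managers: this configuration authenticates with a simple bind over
        // TLS, not with a client certificate (that would be ExternalTlsDirContextAuthenticationStrategy).
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }

    public static LdapTemplate ldapTemplate() throws Exception {
        DefaultTlsDirContextAuthenticationStrategy tls = new DefaultTlsDirContextAuthenticationStrategy();
        // Placeholder truststore name and password source (example assumptions).
        tls.setSslSocketFactory(sslSocketFactoryFrom(
                new ClassPathResource("ldap-truststore.p12"),
                System.getenv("LDAP_TRUSTSTORE_PASSWORD").toCharArray()));
        // Server-dependent: some directories need the TLS layer closed before the
        // context, others reject that. false is the documented default.
        tls.setShutdownTlsGracefully(false);
        // No HostnameVerifier is set, so the default hostname verification
        // against the server certificate stays in force.

        LdapContextSource contextSource = new LdapContextSource();
        // StartTLS upgrades a plain ldap:// connection; the URL is therefore not ldaps://.
        contextSource.setUrl("ldap://ldap.example.internal:389");
        contextSource.setBase("dc=example,dc=internal");
        contextSource.setUserDn("cn=app,ou=services,dc=example,dc=internal");
        contextSource.setPassword(System.getenv("LDAP_BIND_PASSWORD"));
        contextSource.setAuthenticationStrategy(tls);
        // The built-in JNDI connection pooling does not work with the TLS
        // strategies; keep it off and pool at the Spring LDAP level instead.
        contextSource.setPooled(false);
        contextSource.afterPropertiesSet();

        PoolingContextSource pooled = new PoolingContextSource();
        pooled.setContextSource(contextSource);
        // Validate a pooled context before handing it out, so a connection the
        // server has dropped is discarded rather than returned to the caller.
        pooled.setDirContextValidator(new DefaultDirContextValidator());
        pooled.setTestOnBorrow(true);

        return new LdapTemplate(pooled);
    }
}
```

The bind credentials and truststore password are read from the environment here only to keep them out of source; in a real deployment they would come from whatever secret store the application already uses.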
- Constructor Summary
  AbstractTlsDirContextAuthenticationStrategy()
- Method Summary
  protected abstract void applyAuthentication(LdapContext ctx, String userDn, String password)
    Apply the actual authentication to the specified LdapContext.
  final DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
    This method is responsible for post-processing the DirContext instance after it has been created.
  void setHostnameVerifier(HostnameVerifier hostnameVerifier)
    Set the optional HostnameVerifier to use for verifying incoming certificates.
  void setShutdownTlsGracefully(boolean shutdownTlsGracefully)
    Specify whether the TLS should be shut down gracefully before the target context is closed.
  void setSslSocketFactory(SSLSocketFactory sslSocketFactory)
    Sets the optional SSL socket factory used for startTLS negotiation.
  final void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
    This method is responsible for preparing the environment to be used when creating the DirContext instance.
- Constructor Details
- AbstractTlsDirContextAuthenticationStrategy
  public AbstractTlsDirContextAuthenticationStrategy()
- Method Details
- setShutdownTlsGracefully
  public void setShutdownTlsGracefully(boolean shutdownTlsGracefully)
  Specify whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
  - Parameters:
    shutdownTlsGracefully - true to shut down the TLS connection explicitly, false closes the target context immediately.
- setHostnameVerifier
  public void setHostnameVerifier(HostnameVerifier hostnameVerifier)
  Set the optional HostnameVerifier to use for verifying incoming certificates. Defaults to null, meaning that the default hostname verification will take place.
  - Parameters:
    hostnameVerifier - The HostnameVerifier to use, if any.
- setSslSocketFactory
  public void setSslSocketFactory(SSLSocketFactory sslSocketFactory)
  Sets the optional SSL socket factory used for startTLS negotiation. Defaults to null to indicate that the default socket factory provided by the underlying JSSE provider should be used.
  - Parameters:
    sslSocketFactory - SSL socket factory to use, if any.
- setupEnvironment
  public final void setupEnvironment(Hashtable<String, Object> env, String userDn, String password) throws NamingException
  Description copied from interface: DirContextAuthenticationStrategy
  This method is responsible for preparing the environment to be used when creating the DirContext instance. The base environment (including URL, ContextFactory etc.) will already be set, and this method is called just before the actual Context is to be created.
  - Specified by:
    setupEnvironment in interface DirContextAuthenticationStrategy
  - Parameters:
    env - The Hashtable to be sent to the DirContext instance on initialization. Pre-configured with the basic settings; the implementation of this method is responsible for manipulating the environment as appropriate for the particular authentication mechanism.
    userDn - the user DN to authenticate, as received from the AuthenticationSource of the ContextSource.
    password - the password to authenticate with, as received from the AuthenticationSource of the ContextSource.
- processContextAfterCreation
  public final DirContext processContextAfterCreation(DirContext ctx, String userDn, String password) throws NamingException
  Description copied from interface: DirContextAuthenticationStrategy
  This method is responsible for post-processing the DirContext instance after it has been created. It will be called immediately after the instance has been created. Some authentication mechanisms, e.g. TLS, require particular stuff to happen before the actual target Context is closed. This method provides the possibility to replace or wrap the actual DirContext with a proxy so that any calls on it may be intercepted.
  - Specified by:
    processContextAfterCreation in interface DirContextAuthenticationStrategy
  - Parameters:
    ctx - the freshly created DirContext instance. The actual implementation class (e.g. InitialLdapContext) depends on the ContextSource implementation.
    userDn - the user DN to authenticate, as received from the AuthenticationSource of the ContextSource.
    password - the password to authenticate with, as received from the AuthenticationSource of the ContextSource.
  - Returns:
    the DirContext, possibly modified, replaced or wrapped.
  - Throws:
    NamingException - if anything goes wrong. This will cause the DirContext creation to be aborted and the exception to be translated and rethrown.
- applyAuthentication
  protected abstract void applyAuthentication(LdapContext ctx, String userDn, String password) throws NamingException
  Apply the actual authentication to the specified LdapContext. Typically, this will involve adding stuff to the environment.
  - Parameters:
    ctx - the LdapContext instance.
    userDn - the user DN of the user to authenticate.
    password - the password of the user to authenticate.
  - Throws:
    NamingException - if any error occurs.
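As an added example of the extension point just described (not code from this page or from the Spring LDAP project), the hypothetical subclass below implements applyAuthentication by putting the JNDI simple-bind properties into the environment of the LdapContext that the superclass has already upgraded with StartTLS, and then forcing the bind. The empty-credential check is an assumption of this example: an LDAP simple bind with a DN but no password is treated by many servers as an unauthenticated bind that succeeds without proving anything, so a strategy that exists to authenticate a user should refuse it rather than let an empty password through.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy;

// Hypothetical subclass (example code, not part of Spring LDAP).
public class SimpleBindOverTlsStrategy extends AbstractTlsDirContextAuthenticationStrategy {

    @Override
    protected void applyAuthentication(LdapContext ctx, String userDn, String password) throws NamingException {
        // Guard against an unauthenticated bind: a DN with an empty password is
        // accepted by many directories without checking anything.
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            throw new NamingException("simple bind requires both a user DN and a non-empty password");
        }

        // The superclass has negotiated StartTLS on ctx before calling this
        // method, so the credentials below travel over the encrypted channel.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

        // JNDI applies new security properties lazily; reconnect forces the bind
        // now, so a wrong password surfaces here as a NamingException instead of
        // on the caller's first search.
        ctx.reconnect(null);
    }
}
```

Wiring this class in place of DefaultTlsDirContextAuthenticationStrategy is a matter of passing an instance to the ContextSource's setAuthenticationStrategy; the shutdownTlsGracefully, sslSocketFactory and hostnameVerifier properties are inherited unchanged.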