/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2014-2015 ForgeRock AS
*/
package org.opends.server.protocols.jmx;
import static org.opends.messages.ProtocolMessages.*;
import java.util.ArrayList;
import javax.management.remote.JMXAuthenticator;
import javax.security.auth.Subject;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.messages.CoreMessages;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.core.BindOperationBasis;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PluginConfigManager;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DisconnectReason;
import org.opends.server.types.LDAPException;
import org.opends.server.types.Privilege;
/**
* A <code>RMIAuthenticator</code> manages authentication for the secure
* RMI connectors. It receives authentication requests from clients as a
* SASL/PLAIN challenge and relies on a SASL server plus the local LDAP
* authentication accept or reject the user being connected.
*/
public class RmiAuthenticator implements JMXAuthenticator
{
private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
/**
* Indicate if the we are in the finalized phase.
*
* @see JmxConnectionHandler
*/
private boolean finalizedPhase;
/** The JMX Client connection to be used to perform the bind (auth) call. */
private JmxConnectionHandler jmxConnectionHandler;
/**
* Constructs a <code>RmiAuthenticator</code>.
*
* @param jmxConnectionHandler
* The jmxConnectionHandler associated to this RmiAuthenticator
*/
public RmiAuthenticator(JmxConnectionHandler jmxConnectionHandler)
{
this.jmxConnectionHandler = jmxConnectionHandler;
}
/**
* Set that we are in the finalized phase.
*
* @param finalizedPhase Set to true, it indicates that we are in
* the finalized phase that that we other connection should be accepted.
*
* @see JmxConnectionHandler
*/
public synchronized void setFinalizedPhase(boolean finalizedPhase)
{
this.finalizedPhase = finalizedPhase;
}
/**
* Authenticates a RMI client. The credentials received are composed of
* a SASL/PLAIN authentication id and a password.
*
* @param credentials
* the SASL/PLAIN credentials to validate
* @return a <code>Subject</code> holding the principal(s)
* authenticated
*/
@Override
public Subject authenticate(Object credentials)
{
// If we are in the finalized phase, we should not accept new connection
if (finalizedPhase
|| credentials == null)
{
throw new SecurityException();
}
Object c[] = (Object[]) credentials;
String authcID = (String) c[0];
String password = (String) c[1];
// The authcID is used at forwarder level to identify the calling client
if (authcID == null)
{
logger.trace("User name is Null");
throw new SecurityException();
}
if (password == null)
{
logger.trace("User password is Null ");
throw new SecurityException();
}
logger.trace("UserName = %s", authcID);
// Try to see if we have an Ldap Authentication
// Which should be the case in the current implementation
JmxClientConnection jmxClientConnection;
try
{
jmxClientConnection = bind(authcID, password);
}
catch (Exception e)
{
logger.traceException(e);
SecurityException se = new SecurityException(e.getMessage());
throw se;
}
// If we've gotten here, then the authentication was successful.
// We'll take the connection so invoke the post-connect plugins.
PluginConfigManager pluginManager = DirectoryServer.getPluginConfigManager();
PluginResult.PostConnect pluginResult = pluginManager.invokePostConnectPlugins(jmxClientConnection);
if (!pluginResult.continueProcessing())
{
jmxClientConnection.disconnect(pluginResult.getDisconnectReason(),
pluginResult.sendDisconnectNotification(),
pluginResult.getErrorMessage());
if (logger.isTraceEnabled())
{
logger.trace("Disconnect result from post connect plugins: " +
"%s: %s ", pluginResult.getDisconnectReason(),
pluginResult.getErrorMessage());
}
throw new SecurityException();
}
// initialize a subject
Subject s = new Subject();
// Add the Principal. The current implementation doesn't use it
s.getPrincipals().add(new OpendsJmxPrincipal(authcID));
// add the connection client object
// this connection client is used at forwarder level to identify the calling client
s.getPrivateCredentials().add(new Credential(jmxClientConnection));
return s;
}
/**
* Process bind operation.
*
* @param authcID
* The LDAP user.
* @param password
* The Ldap password associated to the user.
*/
private JmxClientConnection bind(String authcID, String password)
{
try
{
DN.valueOf(authcID);
}
catch (Exception e)
{
LDAPException ldapEx = new LDAPException(
LDAPResultCode.INVALID_CREDENTIALS,
CoreMessages.INFO_RESULT_INVALID_CREDENTIALS.get());
throw new SecurityException(ldapEx);
}
ArrayList<Control> requestControls = new ArrayList<>();
ByteString bindPW = password != null ? ByteString.valueOfUtf8(password) : null;
AuthenticationInfo authInfo = new AuthenticationInfo();
JmxClientConnection jmxClientConnection = new JmxClientConnection(
jmxConnectionHandler, authInfo);
BindOperationBasis bindOp = new BindOperationBasis(jmxClientConnection,
jmxClientConnection.nextOperationID(),
jmxClientConnection.nextMessageID(), requestControls,
jmxConnectionHandler.getRMIConnector().getProtocolVersion(),
ByteString.valueOfUtf8(authcID), bindPW);
bindOp.run();
if (bindOp.getResultCode() == ResultCode.SUCCESS)
{
logger.trace("User is authenticated");
authInfo = bindOp.getAuthenticationInfo();
jmxClientConnection.setAuthenticationInfo(authInfo);
// Check JMX_READ privilege.
if (! jmxClientConnection.hasPrivilege(Privilege.JMX_READ, null))
{
LocalizableMessage message = ERR_JMX_INSUFFICIENT_PRIVILEGES.get();
jmxClientConnection.disconnect(DisconnectReason.CONNECTION_REJECTED,
false, message);
throw new SecurityException(message.toString());
}
return jmxClientConnection;
}
else
{
// Set the initcause.
LDAPException ldapEx = new LDAPException(
LDAPResultCode.INVALID_CREDENTIALS,
CoreMessages.INFO_RESULT_INVALID_CREDENTIALS.get());
SecurityException se = new SecurityException("return code: " + bindOp.getResultCode());
se.initCause(ldapEx);
throw se;
}
}
}