KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > com > sun > security > auth > module > JndiLoginModule


1 /*
2  * @(#)JndiLoginModule.java 1.11 04/05/05
3  *
4  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
5  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
6  */
7
8 package com.sun.security.auth.module;
9
10 import javax.security.auth.*;
11 import javax.security.auth.callback.*;
12 import javax.security.auth.login.*;
13 import javax.security.auth.spi.*;
14 import javax.naming.*;
15 import javax.naming.directory.*;
16
17 import java.io.IOException JavaDoc;
18 import java.util.Map JavaDoc;
19 import java.util.LinkedList JavaDoc;
20 import java.util.ResourceBundle JavaDoc;
21
22 import com.sun.security.auth.UnixPrincipal;
23 import com.sun.security.auth.UnixNumericUserPrincipal;
24 import com.sun.security.auth.UnixNumericGroupPrincipal;
25
26 import sun.security.util.AuthResources;
27
28 /**
29  * <p> The module prompts for a username and password
30  * and then verifies the password against the password stored in
31  * a directory service configured under JNDI.
32  *
33  * <p> This <code>LoginModule</code> interoperates with
34  * any conformant JNDI service provider. To direct this
35  * <code>LoginModule</code> to use a specific JNDI service provider,
36  * two options must be specified in the login <code>Configuration</code>
37  * for this <code>LoginModule</code>.
38  * <pre>
39  * user.provider.url=<b>name_service_url</b>
40  * group.provider.url=<b>name_service_url</b>
41  * </pre>
42  *
43  * <b>name_service_url</b> specifies
44  * the directory service and path where this <code>LoginModule</code>
45  * can access the relevant user and group information. Because this
46  * <code>LoginModule</code> only performs one-level searches to
47  * find the relevant user information, the <code>URL</code>
48  * must point to a directory one level above where the user and group
49  * information is stored in the directory service.
50  * For example, to instruct this <code>LoginModule</code>
51  * to contact a NIS server, the following URLs must be specified:
52  * <pre>
53  * user.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/user"
54  * group.provider.url="nis://<b>NISServerHostName</b>/<b>NISDomain</b>/system/group"
55  * </pre>
56  *
57  * <b>NISServerHostName</b> specifies the server host name of the
58  * NIS server (for example, <i>nis.sun.com</i>, and <b>NISDomain</b>
59  * specifies the domain for that NIS server (for example, <i>jaas.sun.com</i>.
60  * To contact an LDAP server, the following URLs must be specified:
61  * <pre>
62  * user.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
63  * group.provider.url="ldap://<b>LDAPServerHostName</b>/<b>LDAPName</b>"
64  * </pre>
65  *
66  * <b>LDAPServerHostName</b> specifies the server host name of the
67  * LDAP server, which may include a port number
68  * (for example, <i>ldap.sun.com:389</i>),
69  * and <b>LDAPName</b> specifies the entry name in the LDAP directory
70  * (for example, <i>ou=People,o=Sun,c=US</i> and <i>ou=Groups,o=Sun,c=US</i>
71  * for user and group information, respectively).
72  *
73  * <p> The format in which the user's information must be stored in
74  * the directory service is specified in RFC 2307. Specifically,
75  * this <code>LoginModule</code> will search for the user's entry in the
76  * directory service using the user's <i>uid</i> attribute,
77  * where <i>uid=<b>username</b></i>. If the search succeeds,
78  * this <code>LoginModule</code> will then
79  * obtain the user's encrypted password from the retrieved entry
80  * using the <i>userPassword</i> attribute.
81  * This <code>LoginModule</code> assumes that the password is stored
82  * as a byte array, which when converted to a <code>String</code>,
83  * has the following format:
84  * <pre>
85  * "{crypt}<b>encrypted_password</b>"
86  * </pre>
87  *
88  * The LDAP directory server must be configured
89  * to permit read access to the userPassword attribute.
90  * If the user entered a valid username and password,
91  * this <code>LoginModule</code> associates a
92  * <code>UnixPrincipal</code>, <code>UnixNumericUserPrincipal</code>,
93  * and the relevant UnixNumericGroupPrincipals with the
94  * <code>Subject</code>.
95  *
96  * <p> This LoginModule also recognizes the following <code>Configuration</code>
97  * options:
98  * <pre>
99  * debug if, true, debug messages are output to System.out.
100  *
101  * useFirstPass if, true, this LoginModule retrieves the
102  * username and password from the module's shared state,
103  * using "javax.security.auth.login.name" and
104  * "javax.security.auth.login.password" as the respective
105  * keys. The retrieved values are used for authentication.
106  * If authentication fails, no attempt for a retry is made,
107  * and the failure is reported back to the calling
108  * application.
109  *
110  * tryFirstPass if, true, this LoginModule retrieves the
111  * the username and password from the module's shared state,
112  * using "javax.security.auth.login.name" and
113  * "javax.security.auth.login.password" as the respective
114  * keys. The retrieved values are used for authentication.
115  * If authentication fails, the module uses the
116  * CallbackHandler to retrieve a new username and password,
117  * and another attempt to authenticate is made.
118  * If the authentication fails, the failure is reported
119  * back to the calling application.
120  *
121  * storePass if, true, this LoginModule stores the username and password
122  * obtained from the CallbackHandler in the module's
123  * shared state, using "javax.security.auth.login.name" and
124  * "javax.security.auth.login.password" as the respective
125  * keys. This is not performed if existing values already
126  * exist for the username and password in the shared state,
127  * or if authentication fails.
128  *
129  * clearPass if, true, this <code>LoginModule</code> clears the
130  * username and password stored in the module's shared state
131  * after both phases of authentication (login and commit)
132  * have completed.
133  * </pre>
134  *
135  * @version 1.11, 05/05/04
136  */
137 public class JndiLoginModule implements LoginModule {
138
139     static final java.util.ResourceBundle JavaDoc rb =
140         java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");
141
142     /** JNDI Provider */
143     public final String JavaDoc USER_PROVIDER = "user.provider.url";
144     public final String JavaDoc GROUP_PROVIDER = "group.provider.url";
145
146     // configurable options
147 private boolean debug = false;
148     private boolean strongDebug = false;
149     private String JavaDoc userProvider;
150     private String JavaDoc groupProvider;
151     private boolean useFirstPass = false;
152     private boolean tryFirstPass = false;
153     private boolean storePass = false;
154     private boolean clearPass = false;
155
156     // the authentication status
157 private boolean succeeded = false;
158     private boolean commitSucceeded = false;
159
160     // username, password, and JNDI context
161 private String JavaDoc username;
162     private char[] password;
163     DirContext ctx;
164
165     // the user (assume it is a UnixPrincipal)
166 private UnixPrincipal userPrincipal;
167     private UnixNumericUserPrincipal UIDPrincipal;
168     private UnixNumericGroupPrincipal GIDPrincipal;
169     private LinkedList JavaDoc supplementaryGroups = new LinkedList JavaDoc();
170
171     // initial state
172 private Subject subject;
173     private CallbackHandler callbackHandler;
174     private Map JavaDoc sharedState;
175     private Map JavaDoc options;
176
177     private static final String JavaDoc CRYPT = "{crypt}";
178     private static final String JavaDoc USER_PWD = "userPassword";
179     private static final String JavaDoc USER_UID = "uidNumber";
180     private static final String JavaDoc USER_GID = "gidNumber";
181     private static final String JavaDoc GROUP_ID = "gidNumber";
182     private static final String JavaDoc NAME = "javax.security.auth.login.name";
183     private static final String JavaDoc PWD = "javax.security.auth.login.password";
184
185     /**
186      * Initialize this <code>LoginModule</code>.
187      *
188      * <p>
189      *
190      * @param subject the <code>Subject</code> to be authenticated. <p>
191      *
192      * @param callbackHandler a <code>CallbackHandler</code> for communicating
193      * with the end user (prompting for usernames and
194      * passwords, for example). <p>
195      *
196      * @param sharedState shared <code>LoginModule</code> state. <p>
197      *
198      * @param options options specified in the login
199      * <code>Configuration</code> for this particular
200      * <code>LoginModule</code>.
201      */
202     public void initialize(Subject subject, CallbackHandler callbackHandler,
203                Map JavaDoc<String JavaDoc,?> sharedState,
204                Map JavaDoc<String JavaDoc,?> options) {
205
206     this.subject = subject;
207     this.callbackHandler = callbackHandler;
208     this.sharedState = sharedState;
209     this.options = options;
210
211     // initialize any configured options
212 debug = "true".equalsIgnoreCase((String JavaDoc)options.get("debug"));
213     strongDebug =
214         "true".equalsIgnoreCase((String JavaDoc)options.get("strongDebug"));
215     userProvider = (String JavaDoc)options.get(USER_PROVIDER);
216     groupProvider = (String JavaDoc)options.get(GROUP_PROVIDER);
217     tryFirstPass =
218         "true".equalsIgnoreCase((String JavaDoc)options.get("tryFirstPass"));
219     useFirstPass =
220         "true".equalsIgnoreCase((String JavaDoc)options.get("useFirstPass"));
221     storePass =
222         "true".equalsIgnoreCase((String JavaDoc)options.get("storePass"));
223     clearPass =
224         "true".equalsIgnoreCase((String JavaDoc)options.get("clearPass"));
225     }
226
227     /**
228      * <p> Prompt for username and password.
229      * Verify the password against the relevant name service.
230      *
231      * <p>
232      *
233      * @return true always, since this <code>LoginModule</code>
234      * should not be ignored.
235      *
236      * @exception FailedLoginException if the authentication fails. <p>
237      *
238      * @exception LoginException if this <code>LoginModule</code>
239      * is unable to perform the authentication.
240      */
241     public boolean login() throws LoginException {
242
243     if (userProvider == null) {
244         throw new LoginException
245         ("Error: Unable to locate JNDI user provider");
246     }
247     if (groupProvider == null) {
248         throw new LoginException
249         ("Error: Unable to locate JNDI group provider");
250     }
251
252     if (debug) {
253         System.out.println("\t\t[JndiLoginModule] user provider: " +
254                 userProvider);
255         System.out.println("\t\t[JndiLoginModule] group provider: " +
256                 groupProvider);
257     }
258
259     // attempt the authentication
260 if (tryFirstPass) {
261
262         try {
263         // attempt the authentication by getting the
264 // username and password from shared state
265 attemptAuthentication(true);
266
267         // authentication succeeded
268 succeeded = true;
269         if (debug) {
270             System.out.println("\t\t[JndiLoginModule] " +
271                 "tryFirstPass succeeded");
272         }
273         return true;
274         } catch (LoginException le) {
275         // authentication failed -- try again below by prompting
276 cleanState();
277         if (debug) {
278             System.out.println("\t\t[JndiLoginModule] " +
279                 "tryFirstPass failed with:" +
280                 le.toString());
281         }
282         }
283
284     } else if (useFirstPass) {
285
286         try {
287         // attempt the authentication by getting the
288 // username and password from shared state
289 attemptAuthentication(true);
290
291         // authentication succeeded
292 succeeded = true;
293         if (debug) {
294             System.out.println("\t\t[JndiLoginModule] " +
295                 "useFirstPass succeeded");
296         }
297         return true;
298         } catch (LoginException le) {
299         // authentication failed
300 cleanState();
301         if (debug) {
302             System.out.println("\t\t[JndiLoginModule] " +
303                 "useFirstPass failed");
304         }
305         throw le;
306         }
307     }
308
309     // attempt the authentication by prompting for the username and pwd
310 try {
311         attemptAuthentication(false);
312
313         // authentication succeeded
314 succeeded = true;
315         if (debug) {
316         System.out.println("\t\t[JndiLoginModule] " +
317                 "regular authentication succeeded");
318         }
319         return true;
320     } catch (LoginException le) {
321         cleanState();
322         if (debug) {
323         System.out.println("\t\t[JndiLoginModule] " +
324                 "regular authentication failed");
325         }
326         throw le;
327     }
328     }
329
330     /**
331      * Abstract method to commit the authentication process (phase 2).
332      *
333      * <p> This method is called if the LoginContext's
334      * overall authentication succeeded
335      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
336      * succeeded).
337      *
338      * <p> If this LoginModule's own authentication attempt
339      * succeeded (checked by retrieving the private state saved by the
340      * <code>login</code> method), then this method associates a
341      * <code>UnixPrincipal</code>
342      * with the <code>Subject</code> located in the
343      * <code>LoginModule</code>. If this LoginModule's own
344      * authentication attempted failed, then this method removes
345      * any state that was originally saved.
346      *
347      * <p>
348      *
349      * @exception LoginException if the commit fails
350      *
351      * @return true if this LoginModule's own login and commit
352      * attempts succeeded, or false otherwise.
353      */
354     public boolean commit() throws LoginException {
355
356     if (succeeded == false) {
357         return false;
358     } else {
359         if (subject.isReadOnly()) {
360         cleanState();
361         throw new LoginException ("Subject is Readonly");
362         }
363         // add Principals to the Subject
364 if (!subject.getPrincipals().contains(userPrincipal))
365         subject.getPrincipals().add(userPrincipal);
366         if (!subject.getPrincipals().contains(UIDPrincipal))
367         subject.getPrincipals().add(UIDPrincipal);
368         if (!subject.getPrincipals().contains(GIDPrincipal))
369         subject.getPrincipals().add(GIDPrincipal);
370         for (int i = 0; i < supplementaryGroups.size(); i++) {
371         if (!subject.getPrincipals().contains
372             ((UnixNumericGroupPrincipal)supplementaryGroups.get(i)))
373             subject.getPrincipals().add((UnixNumericGroupPrincipal)
374                         supplementaryGroups.get(i));
375         }
376         
377         if (debug) {
378         System.out.println("\t\t[JndiLoginModule]: " +
379                    "added UnixPrincipal,");
380         System.out.println("\t\t\t\tUnixNumericUserPrincipal,");
381         System.out.println("\t\t\t\tUnixNumericGroupPrincipal(s),");
382         System.out.println("\t\t\t to Subject");
383         }
384     }
385     // in any case, clean out state
386 cleanState();
387     commitSucceeded = true;
388     return true;
389     }
390
391     /**
392      * <p> This method is called if the LoginContext's
393      * overall authentication failed.
394      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
395      * did not succeed).
396      *
397      * <p> If this LoginModule's own authentication attempt
398      * succeeded (checked by retrieving the private state saved by the
399      * <code>login</code> and <code>commit</code> methods),
400      * then this method cleans up any state that was originally saved.
401      *
402      * <p>
403      *
404      * @exception LoginException if the abort fails.
405      *
406      * @return false if this LoginModule's own login and/or commit attempts
407      * failed, and true otherwise.
408      */
409     public boolean abort() throws LoginException {
410     if (debug)
411         System.out.println("\t\t[JndiLoginModule]: " +
412         "aborted authentication failed");
413
414     if (succeeded == false) {
415         return false;
416     } else if (succeeded == true && commitSucceeded == false) {
417
418         // Clean out state
419 succeeded = false;
420         cleanState();
421
422         userPrincipal = null;
423         UIDPrincipal = null;
424         GIDPrincipal = null;
425         supplementaryGroups = new LinkedList JavaDoc();
426     } else {
427         // overall authentication succeeded and commit succeeded,
428 // but someone else's commit failed
429 logout();
430     }
431     return true;
432     }
433
434     /**
435      * Logout a user.
436      *
437      * <p> This method removes the Principals
438      * that were added by the <code>commit</code> method.
439      *
440      * <p>
441      *
442      * @exception LoginException if the logout fails.
443      *
444      * @return true in all cases since this <code>LoginModule</code>
445      * should not be ignored.
446      */
447     public boolean logout() throws LoginException {
448     if (subject.isReadOnly()) {
449         cleanState();
450         throw new LoginException ("Subject is Readonly");
451     }
452     subject.getPrincipals().remove(userPrincipal);
453     subject.getPrincipals().remove(UIDPrincipal);
454     subject.getPrincipals().remove(GIDPrincipal);
455     for (int i = 0; i < supplementaryGroups.size(); i++) {
456         subject.getPrincipals().remove
457         ((UnixNumericGroupPrincipal)supplementaryGroups.get(i));
458     }
459     
460     
461     // clean out state
462 cleanState();
463     succeeded = false;
464     commitSucceeded = false;
465
466     userPrincipal = null;
467     UIDPrincipal = null;
468     GIDPrincipal = null;
469     supplementaryGroups = new LinkedList JavaDoc();
470
471     if (debug) {
472         System.out.println("\t\t[JndiLoginModule]: " +
473         "logged out Subject");
474     }
475     return true;
476     }
477
478     /**
479      * Attempt authentication
480      *
481      * <p>
482      *
483      * @param getPasswdFromSharedState boolean that tells this method whether
484      * to retrieve the password from the sharedState.
485      */
486     private void attemptAuthentication(boolean getPasswdFromSharedState)
487     throws LoginException {
488
489     String JavaDoc encryptedPassword = null;
490
491     // first get the username and password
492 getUsernamePassword(getPasswdFromSharedState);
493     
494     try {
495
496         // get the user's passwd entry from the user provider URL
497 InitialContext iCtx = new InitialContext();
498         ctx = (DirContext)iCtx.lookup(userProvider);
499
500         /*
501         SearchControls controls = new SearchControls
502                     (SearchControls.ONELEVEL_SCOPE,
503                     0,
504                     5000,
505                     new String[] { USER_PWD },
506                     false,
507                     false);
508         */
509
510         SearchControls controls = new SearchControls();
511         NamingEnumeration ne = ctx.search("",
512                     "(uid=" + username + ")",
513                     controls);
514         if (ne.hasMore()) {
515         SearchResult result = (SearchResult)ne.next();
516         Attributes attributes = result.getAttributes();
517
518         // get the password
519
520         // this module works only if the LDAP directory server
521 // is configured to permit read access to the userPassword
522 // attribute. The directory administrator need to grant
523 // this access.
524 //
525 // A workaround would be to make the server do authentication
526 // by setting the Context.SECURITY_PRINCIPAL
527 // and Context.SECURITY_CREDENTIALS property.
528 // However, this would make it not work with systems that
529 // don't do authentication at the server (like NIS).
530 //
531 // Setting the SECURITY_* properties and using "simple"
532 // authentication for LDAP is recommended only for secure
533 // channels. For nonsecure channels, SSL is recommended.
534
535         Attribute pwd = attributes.get(USER_PWD);
536         String JavaDoc encryptedPwd = new String JavaDoc((byte[])pwd.get(), "UTF8");
537         encryptedPassword = encryptedPwd.substring(CRYPT.length());
538
539         // check the password
540 if (verifyPassword
541             (encryptedPassword, new String JavaDoc(password)) == true) {
542
543             // authentication succeeded
544 if (debug)
545             System.out.println("\t\t[JndiLoginModule] " +
546                 "attemptAuthentication() succeeded");
547
548         } else {
549             // authentication failed
550 if (debug)
551             System.out.println("\t\t[JndiLoginModule] " +
552                 "attemptAuthentication() failed");
553             throw new FailedLoginException("Login incorrect");
554         }
555
556         // save input as shared state only if
557 // authentication succeeded
558 if (storePass &&
559             !sharedState.containsKey(NAME) &&
560             !sharedState.containsKey(PWD)) {
561             sharedState.put(NAME, username);
562             sharedState.put(PWD, password);
563         }
564
565         // create the user principal
566 userPrincipal = new UnixPrincipal(username);
567
568         // get the UID
569 Attribute uid = attributes.get(USER_UID);
570         String JavaDoc uidNumber = (String JavaDoc)uid.get();
571         UIDPrincipal = new UnixNumericUserPrincipal(uidNumber);
572         if (debug && uidNumber != null) {
573             System.out.println("\t\t[JndiLoginModule] " +
574                 "user: '" + username + "' has UID: " +
575                 uidNumber);
576         }
577
578         // get the GID
579 Attribute gid = attributes.get(USER_GID);
580         String JavaDoc gidNumber = (String JavaDoc)gid.get();
581         GIDPrincipal = new UnixNumericGroupPrincipal
582                 (gidNumber, true);
583         if (debug && gidNumber != null) {
584             System.out.println("\t\t[JndiLoginModule] " +
585                 "user: '" + username + "' has GID: " +
586                 gidNumber);
587         }
588
589         // get the supplementary groups from the group provider URL
590 ctx = (DirContext)iCtx.lookup(groupProvider);
591         ne = ctx.search("", new BasicAttributes("memberUid", username));
592
593         while (ne.hasMore()) {
594             result = (SearchResult)ne.next();
595             attributes = result.getAttributes();
596
597             gid = attributes.get(GROUP_ID);
598             String JavaDoc suppGid = (String JavaDoc)gid.get();
599             if (!gidNumber.equals(suppGid)) {
600             UnixNumericGroupPrincipal suppPrincipal =
601                 new UnixNumericGroupPrincipal(suppGid, false);
602             supplementaryGroups.add(suppPrincipal);
603             if (debug && suppGid != null) {
604                 System.out.println("\t\t[JndiLoginModule] " +
605                 "user: '" + username +
606                 "' has Supplementary Group: " +
607                 suppGid);
608             }
609             }
610         }
611
612         } else {
613         // bad username
614 if (debug) {
615             System.out.println("\t\t[JndiLoginModule]: User not found");
616         }
617         throw new FailedLoginException("User not found");
618         }
619     } catch (NamingException ne) {
620         // bad username
621 if (debug) {
622         System.out.println("\t\t[JndiLoginModule]: User not found");
623         ne.printStackTrace();
624         }
625         throw new FailedLoginException("User not found");
626     } catch (java.io.UnsupportedEncodingException JavaDoc uee) {
627         // password stored in incorrect format
628 if (debug) {
629         System.out.println("\t\t[JndiLoginModule]: " +
630                 "password incorrectly encoded");
631         uee.printStackTrace();
632         }
633         throw new LoginException("Login failure due to incorrect " +
634                 "password encoding in the password database");
635     }
636
637     // authentication succeeded
638 }
639  
640     /**
641      * Get the username and password.
642      * This method does not return any value.
643      * Instead, it sets global name and password variables.
644      *
645      * <p> Also note that this method will set the username and password
646      * values in the shared state in case subsequent LoginModules
647      * want to use them via use/tryFirstPass.
648      *
649      * <p>
650      *
651      * @param getPasswdFromSharedState boolean that tells this method whether
652      * to retrieve the password from the sharedState.
653      */
654     private void getUsernamePassword(boolean getPasswdFromSharedState)
655     throws LoginException {
656
657     if (getPasswdFromSharedState) {
658         // use the password saved by the first module in the stack
659 username = (String JavaDoc)sharedState.get(NAME);
660         password = (char[])sharedState.get(PWD);
661         return;
662     }
663
664     // prompt for a username and password
665 if (callbackHandler == null)
666         throw new LoginException("Error: no CallbackHandler available " +
667         "to garner authentication information from the user");
668
669     String JavaDoc protocol = userProvider.substring(0, userProvider.indexOf(":"));
670
671     Callback[] callbacks = new Callback[2];
672     callbacks[0] = new NameCallback(protocol + " "
673                         + rb.getString("username: "));
674     callbacks[1] = new PasswordCallback(protocol + " " +
675                             rb.getString("password: "),
676                         false);
677
678     try {
679         callbackHandler.handle(callbacks);
680         username = ((NameCallback)callbacks[0]).getName();
681         char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
682         password = new char[tmpPassword.length];
683         System.arraycopy(tmpPassword, 0,
684                 password, 0, tmpPassword.length);
685         ((PasswordCallback)callbacks[1]).clearPassword();
686
687     } catch (java.io.IOException JavaDoc ioe) {
688         throw new LoginException(ioe.toString());
689     } catch (UnsupportedCallbackException uce) {
690         throw new LoginException("Error: " + uce.getCallback().toString() +
691             " not available to garner authentication information " +
692             "from the user");
693     }
694
695     // print debugging information
696 if (strongDebug) {
697         System.out.println("\t\t[JndiLoginModule] " +
698                 "user entered username: " +
699                 username);
700         System.out.print("\t\t[JndiLoginModule] " +
701                 "user entered password: ");
702         for (int i = 0; i < password.length; i++)
703         System.out.print(password[i]);
704         System.out.println();
705     }
706     }
707
708     /**
709      * Verify a password against the encrypted passwd from /etc/shadow
710      */
711     private boolean verifyPassword(String JavaDoc encryptedPassword, String JavaDoc password) {
712
713     if (encryptedPassword == null)
714         return false;
715
716     Crypt c = new Crypt();
717     try {
718         byte oldCrypt[] = encryptedPassword.getBytes("UTF8");
719         byte newCrypt[] = c.crypt(password.getBytes("UTF8"),
720                       oldCrypt);
721         if (newCrypt.length != oldCrypt.length)
722             return false;
723         for (int i = 0; i < newCrypt.length; i++) {
724             if (oldCrypt[i] != newCrypt[i])
725             return false;
726         }
727     } catch (java.io.UnsupportedEncodingException JavaDoc uee) {
728         // cannot happen, but return false just to be safe
729 return false;
730     }
731     return true;
732     }
733
734     /**
735      * Clean out state because of a failed authentication attempt
736      */
737     private void cleanState() {
738     username = null;
739     if (password != null) {
740         for (int i = 0; i < password.length; i++)
741         password[i] = ' ';
742         password = null;
743     }
744     ctx = null;
745
746     if (clearPass) {
747         sharedState.remove(NAME);
748         sharedState.remove(PWD);
749     }
750     }
751 }
752
Popular Tags