


/*

   Derby - Class org.apache.derby.impl.jdbc.authentication.BasicAuthenticationServiceImpl

   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements. See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to you under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

 */

22 package org.apache.derby.impl.jdbc.authentication;
24 import org.apache.derby.iapi.reference.MessageId;
25 import org.apache.derby.iapi.reference.Attribute;
26 import org.apache.derby.authentication.UserAuthenticator;
27 import org.apache.derby.iapi.services.property.PropertyUtil;
28 import org.apache.derby.iapi.services.daemon.Serviceable;
29 import org.apache.derby.iapi.services.monitor.ModuleFactory;
30 import org.apache.derby.iapi.services.monitor.Monitor;
31 import org.apache.derby.iapi.services.sanity.SanityManager;
32 import org.apache.derby.iapi.error.StandardException;
33 import org.apache.derby.iapi.services.i18n.MessageService;
34 import org.apache.derby.iapi.store.access.TransactionController;
35 import org.apache.derby.iapi.jdbc.AuthenticationService;
36 import org.apache.derby.iapi.util.StringUtil;
38 import java.util.Properties JavaDoc;
39 // security imports - for SHA-1 digest
import java.security.MessageDigest JavaDoc;
41 import java.security.NoSuchAlgorithmException JavaDoc;
42 import java.io.Serializable JavaDoc;
43 import java.util.Dictionary JavaDoc;
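/**
 * This authentication service is the basic Cloudscape User authentication
 * level support.
 *
 * It is activated upon setting derby.authentication.provider database
 * or system property to 'BUILTIN'.
 * <p>
 * It instantiates & calls the basic User authentication scheme at runtime.
 * <p>
 * In 2.0, users can now be defined as database properties.
 * If derby.database.propertiesOnly is set to true, then in this
 * case, only users defined as database properties for the current database
 * will be considered.
 *
 * @author Francois
 */
public final class BasicAuthenticationServiceImpl
    extends AuthenticationServiceBase implements UserAuthenticator {

    //
    // ModuleControl implementation (overriden)
    //

    /**
     * Check if we should activate this authentication service.
     *
     * We are the service to run when authentication is required and
     * derby.authentication.provider is either unset, empty, or set to
     * 'BUILTIN' (compared case-insensitively, SQL style).
     *
     * @param properties the System/Database property set to inspect
     * @return true if this BUILTIN service should handle authentication
     */
    public boolean canSupport(Properties properties) {

        if (!requireAuthentication(properties))
            return false;

        String authenticationProvider = PropertyUtil.getPropertyFromSet(
                    properties,
                    org.apache.derby.iapi.reference.Property.AUTHENTICATION_PROVIDER_PARAMETER);

        // An absent or empty provider means BUILTIN by default.
        if ((authenticationProvider == null) ||
            (authenticationProvider.length() == 0))
            return true; // Yep, we're on!

        // Any other value names a different provider and we step aside.
        return StringUtil.SQLEqualsIgnoreCase(authenticationProvider,
                  org.apache.derby.iapi.reference.Property.AUTHENTICATION_PROVIDER_BUILTIN);
    }

    /**
     * @see org.apache.derby.iapi.services.monitor.ModuleControl#boot
     * @exception StandardException upon failure to load/boot the expected
     * authentication service.
     */
    public void boot(boolean create, Properties properties)
      throws StandardException {

        // we call the super in case there is anything to get initialized.
        super.boot(create, properties);

        // Warm up the MessageDigest engine here. We don't strictly need to,
        // but the first instantiation carries some overhead, and a missing
        // "SHA-1" provider is better reported at boot than at the first
        // authentication attempt.
        // SHA-1 is a standard algorithm name: check
        // http://java.sun.com/products/jdk/1.{1,2}/docs/guide/security/CryptoSpec.html#AppA
        // NOTE(review): the digest actually used by encryptPassword() lives
        // in AuthenticationServiceBase and is not visible here - confirm it
        // still matches the algorithm warmed up below.
        try {
            MessageDigest digestAlgorithm = MessageDigest.getInstance("SHA-1");
            digestAlgorithm.reset();
        } catch (NoSuchAlgorithmException nsae) {
            throw Monitor.exceptionStartingModule(nsae);
        }

        // Set ourselves as being ready and loading the proper
        // authentication scheme for this service
        this.setAuthenticationService(this);
    }

    /*
    ** UserAuthenticator methods.
    */

    /**
     * Authenticate the passed-in user's credentials.
     *
     * The user is looked up first as a database property, then as a
     * system property, under Property.USER_PROPERTY_PREFIX + userName.
     * If the connection info carries Attribute.CLIENT_SECURITY_MECHANISM
     * equal to SECMEC_USRSSBPWD, the stored password is turned into a
     * substitute (see substitutePassword) and compared against the
     * substitute the client already computed; otherwise the presented
     * password is run through encryptPassword (database-level users) or
     * compared as-is (system-level users).
     *
     * @param userName The user's name used to connect to JBMS system
     * @param userPassword The user's password used to connect to JBMS system
     * @param databaseName The database which the user wants to connect to.
     *        (not consulted here - see the note at the end of the method)
     * @param info Additional jdbc connection info; may be null.
     * @return true if the user is defined and the presented password
     *         matches; false for an unknown user, a missing user name,
     *         a malformed security mechanism id, or a password mismatch.
     */
    public boolean authenticateUser(String userName,
                                 String userPassword,
                                 String databaseName,
                                 Properties info
                                    )
    {
        // We don't tolerate 'guest' user for now.
        if (userName == null)
            return false;

        // Client security mechanism if any specified (short representation,
        // default value is none).
        // Note: Right now it is only used to handle clients authenticating
        // via DRDA SECMEC_USRSSBPWD mechanism.
        int secMec = 0;
        String clientSecurityMechanism = (info == null) ? null :
            info.getProperty(Attribute.CLIENT_SECURITY_MECHANISM);

        // If a security mechanism is specified as part of the connection
        // properties, it indicates that we've to account as far as how the
        // password is presented to us - in the case of SECMEC_USRSSBPWD
        // (only expected one at the moment), the password is a substitute
        // one which has already been hashed differently than what we store
        // at the database level (for instance) - this will influence how we
        // assess the substitute password to be legitimate for Derby's
        // BUILTIN authentication scheme/provider.
        if (clientSecurityMechanism != null)
        {
            try {
                secMec = Integer.parseInt(clientSecurityMechanism);
            } catch (NumberFormatException nfe) {
                // The mechanism id is supplied by the connecting client; a
                // value that is not a number is an authentication failure,
                // not an internal error to propagate out of the login path.
                return false;
            }
        }

        //
        // Check if user has been defined at the database or/and
        // system level. The user (administrator) can configure it the
        // way he/she wants (as well as forcing users properties to
        // be retrieved at the database level only).
        //
        String userNameProperty =
          org.apache.derby.iapi.reference.Property.USER_PROPERTY_PREFIX.concat(
                        userName);

        String definedUserPassword = null, passedUserPassword = null;

        // check if user defined at the database level
        definedUserPassword = getDatabaseProperty(userNameProperty);

        if (definedUserPassword != null)
        {
            if (secMec != SECMEC_USRSSBPWD)
            {
                // encrypt passed-in password
                passedUserPassword = encryptPassword(userPassword);
            }
            else
            {
                // Dealing with a client SECMEC - password checking is
                // slightly different and we need to generate a
                // password substitute to compare with the substitute
                // generated one from the client.
                definedUserPassword = substitutePassword(userName,
                                                         definedUserPassword,
                                                         info, true);
                // As SecMec is SECMEC_USRSSBPWD, expected passed-in password
                // to be HexString'ified already
                passedUserPassword = userPassword;
            }
        }
        else
        {
            // check if user defined at the system level
            definedUserPassword = getSystemProperty(userNameProperty);
            passedUserPassword = userPassword;

            if ((definedUserPassword != null) &&
                (secMec == SECMEC_USRSSBPWD))
            {
                // Dealing with a client SECMEC - see above comments
                definedUserPassword = substitutePassword(userName,
                                                         definedUserPassword,
                                                         info, false);
            }
        }

        // no such user found
        if (definedUserPassword == null)
            return false;

        // NOTE: We do not look at the passed-in database name value as
        // we rely on the authorization service that was put in
        // in 2.0 . (if a database name was passed-in)

        // check if the passwords match. The comparison does not stop at the
        // first differing character, so response timing does not reveal how
        // much of the credential was correct.
        return constantTimeEquals(definedUserPassword, passedUserPassword);
    }

    /**
     * Compare two credential strings without short-circuiting on the first
     * mismatching character.
     *
     * Equivalent to {@code expected.equals(actual)} for a non-null
     * {@code expected}: returns false when either side is null, when the
     * lengths differ, or when any character differs.
     *
     * @param expected the stored (possibly hashed) credential
     * @param actual the credential presented by the client
     * @return true if both are non-null and character-for-character equal
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if ((expected == null) || (actual == null))
            return false;

        // Fold the length difference and every character difference into
        // one accumulator instead of returning early.
        int difference = expected.length() ^ actual.length();
        int common = Math.min(expected.length(), actual.length());
        for (int i = 0; i < common; i++) {
            difference |= expected.charAt(i) ^ actual.charAt(i);
        }
        return difference == 0;
    }
}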