com.atlassian.crowd.directory

Class DelegatedAuthenticationDirectory

java.lang.Object

com.atlassian.crowd.directory.AbstractForwardingDirectory

com.atlassian.crowd.directory.DelegatedAuthenticationDirectory

All Implemented Interfaces:

RemoteDirectory, Attributes

public class DelegatedAuthenticationDirectory
extends AbstractForwardingDirectory
implements RemoteDirectory

This implementation of a RemoteDirectory provides delegated authentication to an underlying remote LDAP implementation.

In essence this means that a User's groups and roles are managed internally to Crowd and only authentication is delegated to the LDAP directory.

Users, group and memberships exist in an internal directory and all query and mutation operations execute on the internal directory.

For a user to successfully authenticate, they must exist in LDAP and must authenticate against LDAP. Passwords are not stored internally.

If the ATTRIBUTE_CREATE_USER_ON_AUTH attribute is enabled, the delegated authentication directory will automatically create the user in the internal portion of this directory, once they successfully authenticate against LDAP. The initial user details, in this case, will be obtained from LDAP.

If the ATTRIBUTE_UPDATE_USER_ON_AUTH attribute is enabled, the delegated authentication directory will also update the user's details from LDAP automatically whenever they authenticate. The same behaviour will happen if the attribute is not enabled and the user is deleted internally and then re-authenticates.

If the create-on-auth option is not enabled, then users must always be manually created in this directory, before they can authenticate against LDAP. In this scenario, the user details will never be retrieved from LDAP. This is OSUser's default LDAP behaviour.

Field Summary

Fields

Modifier and Type	Field and Description
static String	ATTRIBUTE_CREATE_USER_ON_AUTH
static String	ATTRIBUTE_KEY_IMPORT_GROUPS
static String	ATTRIBUTE_LDAP_DIRECTORY_CLASS
static String	ATTRIBUTE_UPDATE_USER_ON_AUTH

Constructor Summary

Constructors

Constructor and Description
DelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory, InternalRemoteDirectory internalDirectory, com.atlassian.event.api.EventPublisher eventPublisher, DirectoryDao directoryDao)

Method Summary

Modifier and Type	Method and Description
Group	addGroup(GroupTemplate group) Adds a group to the directory store.
User	addOrUpdateLdapUser(String name) Copies or updates a user in the internal directory from their counterpart in the LDAP directory.
User	authenticate(String name, PasswordCredential credential) In addition to the normal authentication behaviour, following a successful authentication the following may occur: If the user does not exist in the internal directory and ATTRIBUTE_CREATE_USER_ON_AUTH is enabled, the user's details will be added to the internal directory. If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled, the user's details will be updated in the internal directory. If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled and the username was changed in remote directory, the user's name will be updated in the internal directory. A user marked as inactive locally will not be authenticated, retrieved, renamed or updated from the LDAP server.
RemoteDirectory	getAuthoritativeDirectory()
protected InternalRemoteDirectory	getDelegate()
String	getDescriptiveName() Returns a descriptive name for the type of directory.
boolean	isRolesDisabled() Expose whether the directory has roles disabled.
void	setAttributes(Map<String,String> attributes) When a directory store is loaded, the attributes map will be set by the Crowd framework.
void	setDirectoryId(long directoryId) When a directory store is loaded, the directoryId will be set by the crowd framework.
boolean	supportsNestedGroups() Allows us to only display nested-group related UI for directories that support it.
boolean	supportsPasswordExpiration() Return true if this directory supports manually expiring passwords.
boolean	supportsSettingEncryptedCredential() Delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.
void	testConnection() Test if a connection to the directory server can be established.
void	updateUserCredential(String username, PasswordCredential credential) Updates the password for a user.
User	updateUserFromRemoteDirectory(User ldapUser)
User	userAuthenticated(String username)

Methods inherited from class com.atlassian.crowd.directory.AbstractForwardingDirectory

addGroupToGroup, addUser, addUser, addUserToGroup, countDirectMembersOfGroup, expireAllPasswords, findGroupByName, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getDirectoryId, getKeys, getMemberships, getUserAvatarByName, getValue, getValues, isEmpty, isGroupDirectGroupMember, isUserDirectGroupMember, removeGroup, removeGroupAttributes, removeGroupFromGroup, removeUser, removeUserAttributes, removeUserFromGroup, renameGroup, renameUser, searchGroupRelationships, searchGroups, searchUsers, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, updateGroup, updateUser

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.atlassian.crowd.directory.RemoteDirectory

addGroupToGroup, addUser, addUser, addUserToGroup, countDirectMembersOfGroup, expireAllPasswords, findGroupByName, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getDirectoryId, getMemberships, getUserAvatarByName, isGroupDirectGroupMember, isUserDirectGroupMember, removeGroup, removeGroupAttributes, removeGroupFromGroup, removeUser, removeUserAttributes, removeUserFromGroup, renameGroup, renameUser, searchGroupRelationships, searchGroups, searchUsers, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, updateGroup, updateUser

Methods inherited from interface com.atlassian.crowd.embedded.api.Attributes

getKeys, getValue, getValues, isEmpty

Field Detail

ATTRIBUTE_CREATE_USER_ON_AUTH

public static final String ATTRIBUTE_CREATE_USER_ON_AUTH

See Also:

Constant Field Values

ATTRIBUTE_UPDATE_USER_ON_AUTH

public static final String ATTRIBUTE_UPDATE_USER_ON_AUTH

See Also:

Constant Field Values

ATTRIBUTE_LDAP_DIRECTORY_CLASS

public static final String ATTRIBUTE_LDAP_DIRECTORY_CLASS

See Also:

Constant Field Values

ATTRIBUTE_KEY_IMPORT_GROUPS

public static final String ATTRIBUTE_KEY_IMPORT_GROUPS

See Also:

Constant Field Values

Constructor Detail

DelegatedAuthenticationDirectory

public DelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory,
                                        InternalRemoteDirectory internalDirectory,
                                        com.atlassian.event.api.EventPublisher eventPublisher,
                                        DirectoryDao directoryDao)

Method Detail

setDirectoryId

public void setDirectoryId(long directoryId)

Description copied from interface: RemoteDirectory

When a directory store is loaded, the directoryId will be set by the crowd framework.

Specified by:

setDirectoryId in interface RemoteDirectory

Overrides:

setDirectoryId in class AbstractForwardingDirectory

Parameters:

directoryId - The unique directoryId of the DirectoryImpl stored in the database.

getDescriptiveName

public String getDescriptiveName()

Description copied from interface: RemoteDirectory

Returns a descriptive name for the type of directory.

Specified by:

getDescriptiveName in interface RemoteDirectory

Overrides:

getDescriptiveName in class AbstractForwardingDirectory

Returns:

descriptive name.

setAttributes

public void setAttributes(Map<String,String> attributes)

Description copied from interface: RemoteDirectory

When a directory store is loaded, the attributes map will be set by the Crowd framework. Implementations may store a reference to this map in order to implement the Attributes

The Map is immutable and implementations are required to maintain immutability.

Specified by:

setAttributes in interface RemoteDirectory

Overrides:

setAttributes in class AbstractForwardingDirectory

Parameters:

attributes - attributes map.

authenticate

public User authenticate(String name,
                         PasswordCredential credential)
                  throws UserNotFoundException,
                         InactiveAccountException,
                         InvalidAuthenticationException,
                         ExpiredCredentialException,
                         OperationFailedException

In addition to the normal authentication behaviour, following a successful authentication the following may occur:

• If the user does not exist in the internal directory and ATTRIBUTE_CREATE_USER_ON_AUTH is enabled, the user's details will be added to the internal directory.
• If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled, the user's details will be updated in the internal directory.
• If the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled and the username was changed in remote directory, the user's name will be updated in the internal directory.

A user marked as inactive locally will not be authenticated, retrieved, renamed or updated from the LDAP server.

Specified by:

authenticate in interface RemoteDirectory

Overrides:

authenticate in class AbstractForwardingDirectory

Parameters:

name - The name of the user (username).

credential - The supplied credentials (password).

Returns:

The populated user if the authentication is valid.

Throws:

OperationFailedException - when user rename is not possible

UserNotFoundException - The user with the supplied name does not exist.

InactiveAccountException - The supplied user is inactive.

InvalidAuthenticationException - Authentication with the provided credentials failed.

ExpiredCredentialException - The user's credentials have expired. The user must change their credentials in order to successfully authenticate.

See Also:

RemoteDirectory.authenticate(String, PasswordCredential)

userAuthenticated

public User userAuthenticated(String username)
                       throws OperationFailedException,
                              UserNotFoundException,
                              InactiveAccountException

Specified by:

userAuthenticated in interface RemoteDirectory

Throws:

OperationFailedException

UserNotFoundException

InactiveAccountException

updateUserFromRemoteDirectory

public User updateUserFromRemoteDirectory(@Nonnull
                                          User ldapUser)
                                   throws OperationFailedException,
                                          UserNotFoundException

Specified by:

updateUserFromRemoteDirectory in interface RemoteDirectory

Overrides:

updateUserFromRemoteDirectory in class AbstractForwardingDirectory

Throws:

OperationFailedException

UserNotFoundException

addOrUpdateLdapUser

public User addOrUpdateLdapUser(String name)
                         throws UserNotFoundException,
                                OperationFailedException

Copies or updates a user in the internal directory from their counterpart in the LDAP directory. Used by custom authenticators to ensure users exist when external authentication mechanisms just provide us with just a username.

Parameters:

name - the username of the user to copy

Returns:

the newly updated internal user

Throws:

UserNotFoundException - if no user with the given username exists in LDAP

OperationFailedException - if there was a problem communicating with the LDAP server or the user could not be cloned to the internal directory

updateUserCredential

public void updateUserCredential(String username,
                                 PasswordCredential credential)
                          throws UserNotFoundException,
                                 InvalidCredentialException,
                                 OperationFailedException

Description copied from interface: RemoteDirectory

Updates the password for a user.

Specified by:

updateUserCredential in interface RemoteDirectory

Overrides:

updateUserCredential in class AbstractForwardingDirectory

Parameters:

username - The name of the user (username).

credential - The new credential (password).

Throws:

UserNotFoundException - The user does not exist.

InvalidCredentialException - The supplied credential is invalid.

OperationFailedException - underlying directory implementation failed to execute the operation.

See Also:

RemoteDirectory.supportsSettingEncryptedCredential()

addGroup

public Group addGroup(GroupTemplate group)
               throws InvalidGroupException,
                      OperationFailedException

Description copied from interface: RemoteDirectory

Adds a group to the directory store.

Specified by:

addGroup in interface RemoteDirectory

Overrides:

addGroup in class AbstractForwardingDirectory

Parameters:

group - template of the group to add.

Returns:

the added group retrieved from the underlying store.

Throws:

InvalidGroupException - The supplied group is invalid or it already exists in the directory.

OperationFailedException - underlying directory implementation failed to execute the operation.

testConnection

public void testConnection()
                    throws OperationFailedException

Description copied from interface: RemoteDirectory

Test if a connection to the directory server can be established.

Specified by:

testConnection in interface RemoteDirectory

Overrides:

testConnection in class AbstractForwardingDirectory

Throws:

OperationFailedException - underlying directory implementation failed to execute the operation.

supportsNestedGroups

public boolean supportsNestedGroups()

Description copied from interface: RemoteDirectory

Allows us to only display nested-group related UI for directories that support it.

Specified by:

supportsNestedGroups in interface RemoteDirectory

Overrides:

supportsNestedGroups in class AbstractForwardingDirectory

Returns:

true if the directory can handle having a group added to a group.

supportsPasswordExpiration

public boolean supportsPasswordExpiration()

Description copied from interface: RemoteDirectory

Return true if this directory supports manually expiring passwords.

Specified by:

supportsPasswordExpiration in interface RemoteDirectory

Overrides:

supportsPasswordExpiration in class AbstractForwardingDirectory

Returns:

true if this directory supports manually expiring passwords

supportsSettingEncryptedCredential

public boolean supportsSettingEncryptedCredential()

Delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.

Specified by:

supportsSettingEncryptedCredential in interface RemoteDirectory

Overrides:

supportsSettingEncryptedCredential in class AbstractForwardingDirectory

Returns:

false, always.

isRolesDisabled

public boolean isRolesDisabled()

Description copied from interface: RemoteDirectory

Expose whether the directory has roles disabled. Always true.

Specified by:

isRolesDisabled in interface RemoteDirectory

Overrides:

isRolesDisabled in class AbstractForwardingDirectory

Returns:

true

getAuthoritativeDirectory

public RemoteDirectory getAuthoritativeDirectory()

Specified by:

getAuthoritativeDirectory in interface RemoteDirectory

Overrides:

getAuthoritativeDirectory in class AbstractForwardingDirectory

Returns:

the directory that is the authoritative source of data for this directory, possibly itself.

getDelegate

protected InternalRemoteDirectory getDelegate()

Specified by:

getDelegate in class AbstractForwardingDirectory

Returns:

the directory to delegate method calls to