Package com.atlassian.crowd.directory
Class DelegatedAuthenticationDirectory
java.lang.Object
com.atlassian.crowd.directory.AbstractForwardingDirectory
com.atlassian.crowd.directory.DelegatedAuthenticationDirectory
- All Implemented Interfaces:
MultiValuesQueriesSupport,RemoteDirectory,Attributes
public class DelegatedAuthenticationDirectory
extends AbstractForwardingDirectory
implements RemoteDirectory, MultiValuesQueriesSupport
This implementation of a
RemoteDirectory provides delegated
authentication to an underlying remote LDAP implementation.
In essence this means that a User's groups and roles are managed internally to Crowd and only authentication is delegated to the LDAP directory.
Users, group and memberships exist in an internal directory and all query and mutation operations execute on the internal directory.
For a user to successfully authenticate, they must exist in LDAP and must authenticate against LDAP. Passwords are not stored internally.
If the ATTRIBUTE_CREATE_USER_ON_AUTH attribute is
enabled, the delegated authentication directory will automatically
create the user in the internal portion of this directory, once they
successfully authenticate against LDAP. The initial user details, in
this case, will be obtained from LDAP.
If the ATTRIBUTE_UPDATE_USER_ON_AUTH attribute is
enabled, the delegated authentication directory will also update
the user's details from LDAP automatically whenever they
authenticate. The same behaviour will happen if the attribute is not
enabled and the user is deleted internally and then re-authenticates.
If the create-on-auth option is not enabled, then users must always be manually created in this directory, before they can authenticate against LDAP. In this scenario, the user details will never be retrieved from LDAP. This is OSUser's default LDAP behaviour.
-
Field Summary
Fields -
Constructor Summary
ConstructorsConstructorDescriptionDelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory, InternalRemoteDirectory internalDirectory, com.atlassian.event.api.EventPublisher eventPublisher, DirectoryDao directoryDao) -
Method Summary
Modifier and TypeMethodDescriptionaddGroup(GroupTemplate group) Adds agroupto the directory store.addOrUpdateLdapUser(String name) Copies or updates a user in the internal directory from their counterpart in the LDAP directory.authenticate(String name, PasswordCredential credential) In addition to the normal authentication behaviour, following a successful authentication the following may occur: If the user does not exist in the internal directory andATTRIBUTE_CREATE_USER_ON_AUTHis enabled, the user's details will be added to the internal directory. If the user exists in the internal directory andATTRIBUTE_UPDATE_USER_ON_AUTHis enabled, the user's details will be updated in the internal directory. If the user exists in the internal directory andATTRIBUTE_UPDATE_USER_ON_AUTHis enabled and the username was changed in remote directory, the user's name will be updated in the internal directory. A user marked as inactive locally will not be authenticated, retrieved, renamed or updated from the LDAP server.protected InternalRemoteDirectoryReturns a descriptive name for the type of directory.booleanExpose whether the directory has roles disabled.Searches forgroupsthat match the supplied query criteria.voidsetAttributes(Map<String, String> attributes) When a directory store is loaded, the attributes map will be set by the Crowd framework.voidsetDirectoryId(long directoryId) When a directory store is loaded, thedirectoryIdwill be set by the crowd framework.booleanAllows us to only display nested-group related UI for directories that support it.booleanReturn true if this directory supports manually expiring passwords.booleanDelegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.voidTest if a connection to the directory server can be established.voidupdateUserCredential(String username, PasswordCredential credential) updateUserFromRemoteDirectory(User ldapUser) userAuthenticated(String username) Methods inherited from class com.atlassian.crowd.directory.AbstractForwardingDirectory
addGroupToGroup, addUser, addUser, addUserToGroup, countDirectMembersOfGroup, expireAllPasswords, findGroupByName, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getDirectoryId, getKeys, getMemberships, getUserAvatarByName, getValue, getValues, isEmpty, isGroupDirectGroupMember, isUserDirectGroupMember, removeGroup, removeGroupAttributes, removeGroupFromGroup, removeUser, removeUserAttributes, removeUserFromGroup, renameGroup, renameUser, searchGroupRelationships, searchGroups, searchUsers, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, updateGroup, updateUserMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface com.atlassian.crowd.embedded.api.Attributes
getKeys, getValue, getValues, isEmptyMethods inherited from interface com.atlassian.crowd.directory.MultiValuesQueriesSupport
searchGroupRelationshipsMethods inherited from interface com.atlassian.crowd.directory.RemoteDirectory
addGroupToGroup, addUser, addUser, addUserToGroup, countDirectMembersOfGroup, expireAllPasswords, findGroupByName, findGroupWithAttributesByName, findUserByExternalId, findUserByName, findUserWithAttributesByName, getDirectoryId, getLocallyFilteredGroupNames, getMemberships, getUserAvatarByName, isGroupDirectGroupMember, isUserDirectGroupMember, removeGroup, removeGroupAttributes, removeGroupFromGroup, removeUser, removeUserAttributes, removeUserFromGroup, renameGroup, renameUser, searchGroupRelationships, searchGroups, searchUsers, storeGroupAttributes, storeUserAttributes, supportsInactiveAccounts, updateGroup, updateUser
-
Field Details
-
ATTRIBUTE_CREATE_USER_ON_AUTH
- See Also:
-
ATTRIBUTE_UPDATE_USER_ON_AUTH
- See Also:
-
ATTRIBUTE_LDAP_DIRECTORY_CLASS
- See Also:
-
ATTRIBUTE_KEY_IMPORT_GROUPS
- See Also:
-
-
Constructor Details
-
DelegatedAuthenticationDirectory
public DelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory, InternalRemoteDirectory internalDirectory, com.atlassian.event.api.EventPublisher eventPublisher, DirectoryDao directoryDao)
-
-
Method Details
-
setDirectoryId
public void setDirectoryId(long directoryId) Description copied from interface:RemoteDirectoryWhen a directory store is loaded, thedirectoryIdwill be set by the crowd framework.- Specified by:
setDirectoryIdin interfaceRemoteDirectory- Overrides:
setDirectoryIdin classAbstractForwardingDirectory- Parameters:
directoryId- The uniquedirectoryIdof theDirectoryImplstored in the database.
-
getDescriptiveName
Description copied from interface:RemoteDirectoryReturns a descriptive name for the type of directory.- Specified by:
getDescriptiveNamein interfaceRemoteDirectory- Overrides:
getDescriptiveNamein classAbstractForwardingDirectory- Returns:
- descriptive name.
-
setAttributes
Description copied from interface:RemoteDirectoryWhen a directory store is loaded, the attributes map will be set by the Crowd framework. Implementations may store a reference to this map in order to implement the AttributesThe Map is immutable and implementations are required to maintain immutability.
- Specified by:
setAttributesin interfaceRemoteDirectory- Overrides:
setAttributesin classAbstractForwardingDirectory- Parameters:
attributes- attributes map.
-
authenticate
public User authenticate(String name, PasswordCredential credential) throws UserNotFoundException, InactiveAccountException, InvalidAuthenticationException, ExpiredCredentialException, OperationFailedException In addition to the normal authentication behaviour, following a successful authentication the following may occur:- If the user does not exist in the internal directory and
ATTRIBUTE_CREATE_USER_ON_AUTHis enabled, the user's details will be added to the internal directory. - If the user exists in the internal directory and
ATTRIBUTE_UPDATE_USER_ON_AUTHis enabled, the user's details will be updated in the internal directory. - If the user exists in the internal directory and
ATTRIBUTE_UPDATE_USER_ON_AUTHis enabled and the username was changed in remote directory, the user's name will be updated in the internal directory.
- Specified by:
authenticatein interfaceRemoteDirectory- Overrides:
authenticatein classAbstractForwardingDirectory- Parameters:
name- The name of the user (username).credential- The supplied credentials (password).- Returns:
- The populated user if the authentication is valid.
- Throws:
OperationFailedException- when user rename is not possibleUserNotFoundException- The user with the supplied name does not exist.InactiveAccountException- The supplied user is inactive.InvalidAuthenticationException- Authentication with the provided credentials failed.ExpiredCredentialException- The user's credentials have expired. The user must change their credentials in order to successfully authenticate.- See Also:
- If the user does not exist in the internal directory and
-
userAuthenticated
public User userAuthenticated(String username) throws OperationFailedException, UserNotFoundException, InactiveAccountException - Specified by:
userAuthenticatedin interfaceRemoteDirectory- Throws:
OperationFailedExceptionUserNotFoundExceptionInactiveAccountException
-
updateUserFromRemoteDirectory
public User updateUserFromRemoteDirectory(@Nonnull User ldapUser) throws OperationFailedException, UserNotFoundException - Specified by:
updateUserFromRemoteDirectoryin interfaceRemoteDirectory- Overrides:
updateUserFromRemoteDirectoryin classAbstractForwardingDirectory- Throws:
OperationFailedExceptionUserNotFoundException
-
addOrUpdateLdapUser
Copies or updates a user in the internal directory from their counterpart in the LDAP directory. Used by custom authenticators to ensure users exist when external authentication mechanisms just provide us with just a username.- Parameters:
name- the username of the user to copy- Returns:
- the newly updated internal user
- Throws:
UserNotFoundException- if no user with the given username exists in LDAPOperationFailedException- if there was a problem communicating with the LDAP server or the user could not be cloned to the internal directory
-
updateUserCredential
public void updateUserCredential(String username, PasswordCredential credential) throws UserNotFoundException, InvalidCredentialException, OperationFailedException Description copied from interface:RemoteDirectory- Specified by:
updateUserCredentialin interfaceRemoteDirectory- Overrides:
updateUserCredentialin classAbstractForwardingDirectory- Parameters:
username- The name of the user (username).credential- The new credential (password).- Throws:
UserNotFoundException- The user does not exist.InvalidCredentialException- The supplied credential is invalid.OperationFailedException- underlying directory implementation failed to execute the operation.- See Also:
-
addGroup
Description copied from interface:RemoteDirectoryAdds agroupto the directory store.- Specified by:
addGroupin interfaceRemoteDirectory- Overrides:
addGroupin classAbstractForwardingDirectory- Parameters:
group- template of the group to add.- Returns:
- the added group retrieved from the underlying store.
- Throws:
InvalidGroupException- The supplied group is invalid or it already exists in the directory.OperationFailedException- underlying directory implementation failed to execute the operation.
-
testConnection
Description copied from interface:RemoteDirectoryTest if a connection to the directory server can be established. When executed for a directory already persisted in the database (ie with a non-null id) the connection will be taken using the same semantics as during regular directory operations, which means that the connection may be sourced from a connection pool and be subject to additional validation if applicable. This gives a good indicator as to the RemoteDirectory's status but can be problematic when used to verify correctness during a directory update. If absolute certainty about the RemoteDirectory's status is not needed or the RemoteDirectory's lifecycle will be limited strictly to the connection test,CrowdDirectoryService.testConnection(Directory)should be used instead.- Specified by:
testConnectionin interfaceRemoteDirectory- Overrides:
testConnectionin classAbstractForwardingDirectory- Throws:
OperationFailedException- underlying directory implementation failed to execute the operation.
-
supportsNestedGroups
public boolean supportsNestedGroups()Description copied from interface:RemoteDirectoryAllows us to only display nested-group related UI for directories that support it.- Specified by:
supportsNestedGroupsin interfaceRemoteDirectory- Overrides:
supportsNestedGroupsin classAbstractForwardingDirectory- Returns:
- true if the directory can handle having a group added to a group.
-
supportsPasswordExpiration
public boolean supportsPasswordExpiration()Description copied from interface:RemoteDirectoryReturn true if this directory supports manually expiring passwords.- Specified by:
supportsPasswordExpirationin interfaceRemoteDirectory- Overrides:
supportsPasswordExpirationin classAbstractForwardingDirectory- Returns:
- true if this directory supports manually expiring passwords
-
supportsSettingEncryptedCredential
public boolean supportsSettingEncryptedCredential()Delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.- Specified by:
supportsSettingEncryptedCredentialin interfaceRemoteDirectory- Overrides:
supportsSettingEncryptedCredentialin classAbstractForwardingDirectory- Returns:
false, always.
-
isRolesDisabled
public boolean isRolesDisabled()Description copied from interface:RemoteDirectoryExpose whether the directory has roles disabled. Always true.- Specified by:
isRolesDisabledin interfaceRemoteDirectory- Overrides:
isRolesDisabledin classAbstractForwardingDirectory- Returns:
- true
-
getAuthoritativeDirectory
- Specified by:
getAuthoritativeDirectoryin interfaceRemoteDirectory- Overrides:
getAuthoritativeDirectoryin classAbstractForwardingDirectory- Returns:
- the directory that is the authoritative source of data for this directory, possibly itself.
-
getDelegate
- Specified by:
getDelegatein classAbstractForwardingDirectory- Returns:
- the directory to delegate method calls to
-
searchGroupRelationshipsGroupedByName
Description copied from interface:MultiValuesQueriesSupportSearches forgroupsthat match the supplied query criteria. This method is similar toMultiValuesQueriesSupport.searchGroupRelationships(MembershipQuery), but it additionally groups results by elements ofMembershipQuery.getEntityNamesToMatch().- Specified by:
searchGroupRelationshipsGroupedByNamein interfaceMultiValuesQueriesSupport- Parameters:
query- EntityQuery for Entity.GROUP.- Returns:
Map<String, List<T>>of groups/groupnames matching the search criteria, grouped byMembershipQuery.getEntityNamesToMatch(). Results are ordered by entity name, case-insensitive. An emptyMap
-