/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 */
package org.apache.directory.server.core.authn;


import javax.naming.Context;

import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.shared.partition.DefaultPartitionNexus;


/**
 * Authenticates users who access {@link DefaultPartitionNexus}.
 * <p>
 * {@link Authenticator}s are registered to and configured by the
 * {@link AuthenticationInterceptor} interceptor.
 * <p>
 * {@link AuthenticationInterceptor} authenticates users by calling
 * {@link #authenticate(BindOperationContext)}, and then the {@link Authenticator}
 * checks the JNDI {@link Context} environment properties
 * ({@link Context#SECURITY_PRINCIPAL} and {@link Context#SECURITY_CREDENTIALS})
 * of the current {@link Context}.
 * <p>
 * Each authenticator is scoped to a base DN ({@link #getBaseDn()} /
 * {@link #setBaseDn(Dn)}); {@link #isValid(Dn)} reports whether a given bind DN
 * falls within the DIT selection this authenticator is responsible for
 * (presumably the subtree under that base DN — confirm against
 * {@link AbstractAuthenticator}).
 *
 * @see AbstractAuthenticator
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 */
public interface Authenticator
{
    /**
     * Returns the type of this authenticator (e.g. {@code 'simple'},
     * {@code 'none'}, ...).
     *
     * @return The authentication level this authenticator handles
     */
    AuthenticationLevel getAuthenticatorType();


    /**
     * Called by {@link AuthenticationInterceptor} to indicate that this
     * authenticator is being placed into service.
     *
     * @param directoryService The DirectoryService instance
     * @throws LdapException If the initialization failed
     */
    void init( DirectoryService directoryService ) throws LdapException;


    /**
     * Called by {@link AuthenticationInterceptor} to indicate that this
     * authenticator is being removed from service.
     */
    void destroy();


    /**
     * Callback used to respond to password changes by invalidating a password
     * cache, if one is implemented. This is an additional feature of an
     * authenticator which need not be implemented: an empty implementation is
     * sufficient. This is called on every del, modify, and modifyRdn operation,
     * so that a stale cached credential cannot keep authenticating a principal
     * whose password has changed or whose entry has been removed.
     *
     * @param bindDn the already normalized distinguished name of the bind principal
     */
    void invalidateCache( Dn bindDn );


    /**
     * Performs authentication and returns the principal if it succeeded.
     * Failure is reported by throwing, not through the return value.
     * <p>
     * The bind credentials travel in the {@link BindOperationContext}; they are
     * secrets and should not be logged or echoed in the exception message.
     *
     * @param bindContext The Bind context
     * @return The authenticated {@link LdapPrincipal}
     * @exception LdapException If the authentication failed
     */
    LdapPrincipal authenticate( BindOperationContext bindContext ) throws LdapException;


    /**
     * Performs checks on the given entry based on the specified password policy
     * configuration.
     *
     * @param userEntry the user entry to be checked for authentication
     * @throws LdapException If the entry does not satisfy the password policy
     */
    void checkPwdPolicy( Entry userEntry ) throws LdapException;


    /**
     * Check that this selector is a valid one. The DN we want to authenticate has to be
     * part of the DIT selection associated with the Authenticator.
     *
     * @param bindDn The DN we want to authenticate
     * @return <code>true</code> if the Authenticator supports the DN
     */
    boolean isValid( Dn bindDn );


    /**
     * @return The Authenticator base DN
     */
    Dn getBaseDn();


    /**
     * Set the base DN into the Authenticator.
     *
     * @param baseDn The Base DN to set
     */
    void setBaseDn( Dn baseDn );
}