LDAP Authentication
diff --git a/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java b/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java
index 66c89b5..b30a915 100644
--- a/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java
+++ b/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java
@@ -27,6 +27,13 @@
public static final int NOT_SUPPORTED = 108;
/**
+ * 300 status codes for query language and serialization
+ */
+
+ public static final int NO_QUERY = 301;
+
+
+ /**
* 400 status codes for authorization and rewrite functions
*/
@@ -72,15 +79,18 @@
public static final int ARGUMENT_VALIDATION_FAILURE = 700;
// public static final int ARGUMENT_VALIDATION_FAILURE = 701;
+ // service status codes
+ public static final int CREATE_ACCOUNT_SUCCESSFUL = 700;
+ public static final int CREATE_ACCOUNT_FAILED = 701;
+ public static final int DELETE_ACCOUNT_SUCCESSFUL = 702;
+ public static final int DELETE_ACCOUNT_FAILED = 703;
+ public static final int UPDATE_ACCOUNT_SUCCESSFUL = 704;
+ public static final int UPDATE_ACCOUNT_FAILED = 705;
- /**
- * 300 status codes for query language and serialization
- */
-
- public static final int NO_QUERY = 301;
-
-
-
+ public static final int GET_ACCOUNT_SUCCESSFUL = 706;
+ public static final int GET_ACCOUNT_FAILED = 707;
+
+
public static final int STATUS_OK = 1000;
public static final int NOTHING_CHANGED = 1001;
public static final int REQUEST_INVALID = 1002;
@@ -90,7 +100,6 @@
* 2000 status and error codes for service level messages and callbacks
*/
-
public static final int ACCOUNT_DEACTIVATED = 2000;
public static final int ACCOUNT_CONFIRMATION_FAILED = 2001;
public static final int ALREADY_LOGGED_IN = 2002;
@@ -110,20 +119,10 @@
public static final int CLIENT_REMOVAL_FAILURE = 2012;
public static final int CLIENT_AUTHORIZATION_FAILURE = 2013;
-
-
- // service status codes
- public static final int CREATE_ACCOUNT_SUCCESSFUL = 700;
- public static final int CREATE_ACCOUNT_FAILED = 701;
- public static final int DELETE_ACCOUNT_SUCCESSFUL = 702;
- public static final int DELETE_ACCOUNT_FAILED = 703;
- public static final int UPDATE_ACCOUNT_SUCCESSFUL = 704;
- public static final int UPDATE_ACCOUNT_FAILED = 705;
-
- public static final int GET_ACCOUNT_SUCCESSFUL = 706;
- public static final int GET_ACCOUNT_FAILED = 707;
-
-
+ // 2020 - 2029 reserviert für LDAP-Fehlercodes - 21.04.17/FB
+ public static final int LDAP_BASE_ERRCODE = 2020;
+
+ /**/
private static StatusCodes codes;
private final Properties props;
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java b/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java
index a13eeeb..16279bc 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/EntityDao.java
@@ -29,6 +29,11 @@
import java.util.List;
import java.util.Map;
+/* WKP: In computer software, a data access object (DAO) is an object that provides an abstract interface to some type
+ * of database or other persistence mechanism. By mapping application calls to the persistence layer, the DAO provides
+ * some specific data operations without exposing details of the database.
+ */
+
/**
* @author hanl
* @date 13/01/2014
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java b/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java
index 8ddeb33..28e848b 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java
@@ -35,8 +35,8 @@
}
- public void authorize (AuthCodeInfo info, User user)
- throws KustvaktException {
+ public void authorize (AuthCodeInfo info, User user) throws KustvaktException {
+
info.setUserId(user.getId());
this.storeInCache(info.getCode(), info);
}
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java b/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
index f72140a..0be7418 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
@@ -171,8 +171,7 @@
@Override
public ClientInfo mapRow (ResultSet rs, int rowNum)
throws SQLException {
- ClientInfo info = new ClientInfo(rs.getString("client_id"),
- "*****");
+ ClientInfo info = new ClientInfo(rs.getString("client_id"), "*****");
info.setConfidential(rs.getBoolean("is_confidential"));
info.setUrl(rs.getString("url"));
info.setId(rs.getInt("id"));
diff --git a/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java b/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java
index 4f18a76..3f04e5b 100644
--- a/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java
+++ b/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java
@@ -18,8 +18,13 @@
import de.ids_mannheim.korap.user.*;
import de.ids_mannheim.korap.utils.StringUtils;
import de.ids_mannheim.korap.utils.TimeUtils;
+import de.ids_mannheim.korap.security.auth.LdapAuth3;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+// import com.novell.ldap.*; search() funktioniert nicht korrekt, ausgewechselt gegen unboundID's Bibliothek 20.04.17/FB
+//Using JAR from unboundID:
+import com.unboundid.ldap.sdk.LDAPException;
+
import java.io.IOException;
import java.io.UnsupportedEncodingException;
@@ -167,6 +172,10 @@
// todo:
user = authenticateShib(attributes);
break;
+ case 2:
+ // IdM/LDAP: (09.02.17/FB)
+ user = authenticateIdM(username, password, attributes);
+ break;
default:
user = authenticate(username, password, attributes);
break;
@@ -228,8 +237,8 @@
//todo: what if attributes null?
- private User authenticate (String username, String password,
- Map<String, Object> attr) throws KustvaktException {
+ private User authenticate (String username, String password, Map<String, Object> attr) throws KustvaktException {
+
Map<String, Object> attributes = validator.validateMap(attr);
User unknown;
// just to make sure that the plain password does not appear anywhere in the logs!
@@ -246,7 +255,8 @@
else {
try {
unknown = entHandler.getAccount(username);
- } catch (EmptyResultException e) {
+ }
+ catch (EmptyResultException e) {
// mask exception to disable user guessing in possible attacks
throw new WrappedException(new KustvaktException(username,
StatusCodes.BAD_CREDENTIALS), StatusCodes.LOGIN_FAILED,
@@ -277,7 +287,7 @@
username);
}
- // bad credentials error has presedence over account locked or unconfirmed codes
+ // bad credentials error has precedence over account locked or unconfirmed codes
// since latter can lead to account guessing of third parties
if (user.isAccountLocked()) {
URIParam param = (URIParam) user.getField(URIParam.class);
@@ -316,6 +326,152 @@
}
+ /**
+ * authenticate using IdM (Identitätsmanagement) accessed by LDAP.
+ * @param username
+ * @param password
+ * @param attr
+ * @return
+ * @throws KustvaktException
+ * @date 09.02.17/FB
+ */
+ //todo: what if attributes null?
+
+ private User authenticateIdM (String username, String password, Map<String, Object> attr) throws KustvaktException {
+
+ Map<String, Object> attributes = validator.validateMap(attr);
+ User unknown = null;
+ // just to make sure that the plain password does not appear anywhere in the logs!
+
+ System.out.printf("Debug: authenticateIdM: entering for '%s'...\n", username);
+
+ /** wozu Apache Validatoren für User/Passwort für IdM/LDAP?
+ * siehe validation.properties. Abgeschaltet 21.04.17/FB
+ try {
+ validator.validateEntry(username, Attributes.USERNAME);
+ }
+ catch (KustvaktException e) {
+ throw new WrappedException(e, StatusCodes.LOGIN_FAILED, username);
+ }
+ */
+ if (username == null || username.isEmpty() || password == null || password.isEmpty() )
+ throw new WrappedException(new KustvaktException(username,
+ StatusCodes.BAD_CREDENTIALS), StatusCodes.LOGIN_FAILED);
+
+ // LDAP Access:
+ try {
+ // todo: unknown = ...
+ int ret = LdapAuth3.login(username, password);
+ System.out.printf("Debug: autenticationIdM: Ldap.login(%s) returns: %d.\n", username, ret);
+ if( ret != LdapAuth3.LDAP_AUTH_ROK )
+ {
+ jlog.error("LdapAuth3.login(username='{}') returns '{}'='{}'!", username, ret,
+ LdapAuth3.getErrMessage(ret));
+
+ // mask exception to disable user guessing in possible attacks
+ /* by Hanl
+ throw new WrappedException(new KustvaktException(username,
+ StatusCodes.BAD_CREDENTIALS), StatusCodes.LOGIN_FAILED,
+ username);
+ */
+ throw new WrappedException(
+ new KustvaktException(
+ username,
+ StatusCodes.LDAP_BASE_ERRCODE+ret,
+ LdapAuth3.getErrMessage(ret),
+ null),
+ StatusCodes.LOGIN_FAILED,
+ username);
+ }
+ }
+ catch ( LDAPException e ) {
+
+ jlog.error("Error: username='{}' -> '{}'!", username, e);
+ // mask exception to disable user guessing in possible attacks
+ /* by Hanl:
+ throw new WrappedException(new KustvaktException(username,
+ StatusCodes.BAD_CREDENTIALS), StatusCodes.LOGIN_FAILED,
+ username);
+ */
+ throw new WrappedException(
+ new KustvaktException(
+ username,
+ StatusCodes.LDAP_BASE_ERRCODE+LdapAuth3.LDAP_AUTH_RINTERR,
+ LdapAuth3.getErrMessage(LdapAuth3.LDAP_AUTH_RINTERR),
+ null),
+ StatusCodes.LOGIN_FAILED,
+ username);
+ }
+
+ // Create a User
+ User user = new KorAPUser();
+ user.setUsername(username);
+ unknown = user;
+
+ jlog.trace("Authentication: found username " + unknown.getUsername());
+
+ if (unknown instanceof KorAPUser) {
+ /* password already checked using LDAP:
+ if (password == null || password.isEmpty())
+ throw new WrappedException(new KustvaktException(
+ unknown.getId(), StatusCodes.BAD_CREDENTIALS),
+ StatusCodes.LOGIN_FAILED, username);
+
+ KorAPUser user = (KorAPUser) unknown;
+ boolean check = crypto.checkHash(password, user.getPassword());
+
+ if (!check) {
+ // the fail counter only applies for wrong password
+ jlog.warn("Wrong Password!");
+ processLoginFail(unknown);
+ throw new WrappedException(new KustvaktException(user.getId(),
+ StatusCodes.BAD_CREDENTIALS), StatusCodes.LOGIN_FAILED,
+ username);
+ }
+ */
+ // bad credentials error has precedence over account locked or unconfirmed codes
+ // since latter can lead to account guessing of third parties
+ /*
+ if (user.isAccountLocked()) {
+
+ URIParam param = (URIParam) user.getField(URIParam.class);
+
+ if (param.hasValues()) {
+ jlog.debug("Account is not yet activated for user '{}'",
+ user.getUsername());
+ if (TimeUtils.getNow().isAfter(param.getUriExpiration())) {
+ jlog.error(
+ "URI token is expired. Deleting account for user {}",
+ user.getUsername());
+ deleteAccount(user);
+ throw new WrappedException(new KustvaktException(
+ unknown.getId(), StatusCodes.EXPIRED,
+ "account confirmation uri has expired!",
+ param.getUriFragment()),
+ StatusCodes.LOGIN_FAILED, username);
+ }
+ throw new WrappedException(new KustvaktException(
+ unknown.getId(), StatusCodes.ACCOUNT_NOT_CONFIRMED),
+ StatusCodes.LOGIN_FAILED, username);
+ }
+ jlog.error("ACCESS DENIED: account not active for '{}'",
+ unknown.getUsername());
+ throw new WrappedException(new KustvaktException(
+ unknown.getId(), StatusCodes.ACCOUNT_DEACTIVATED),
+ StatusCodes.LOGIN_FAILED, username);
+ }
+ */
+
+ }
+ else if (unknown instanceof ShibUser) {
+ //todo
+ }
+
+ jlog.debug("Authentication done: " + username);
+ return unknown;
+
+ } // authenticateIdM
+
public boolean isRegistered (String username) {
User user;
if (username == null || username.isEmpty())
diff --git a/src/main/java/de/ids_mannheim/korap/security/auth/LdapAuth3.java b/src/main/java/de/ids_mannheim/korap/security/auth/LdapAuth3.java
new file mode 100644
index 0000000..c7f69fd
--- /dev/null
+++ b/src/main/java/de/ids_mannheim/korap/security/auth/LdapAuth3.java
@@ -0,0 +1,355 @@
+/* - Klasse zum Implementieren einer Benutzer-Authentifikation mittels LDAP
+ * in der IDM-Datenbank (Identit�tsmanagement) von Eric Seubert, IDS.
+ * - externe Bibliothek ist Novel JLDAP.
+ * 27.01.17/FB
+ *
+ * Sourcen:
+ * - https://www.novell.com/documentation/developer/samplecode/jldap_sample/VerifyPassword.java.html
+ * - https://www.novell.com/documentation/developer/samplecode/jldap_sample/LDAPOIDs.java.html
+ * - https://www.novell.com/documentation/developer/jldap/jldapenu/data/a90352e.html
+ * WICHTIG:
+ * - Novell-Bibliothek liefert 0 Treffer, wenn man nacheinander sucht!
+ * Grund daf�r nicht gefunden.
+ *
+ * Version von unboundID - 19.04.17/FB
+ *
+ * UnboundID LDAP SDK For Java � 3.2.1
+ * The UnboundID LDAP SDK for Java is a fast, comprehensive, and easy-to-use Java API for
+ * communicating with LDAP directory servers and performing related tasks like reading and writing LDIF,
+ * encoding and decoding data using base64 and ASN.1 BER, and performing secure communication. This package
+ * contains the Standard Edition of the LDAP SDK, which is a complete, general-purpose library for
+ * communicating with LDAPv3 directory servers.
+ * TODO:
+ * - gesichertes Login mit gesch�tztem Passwort.
+ * - Passwort des Admin verschl�sseln.
+ */
+
+package de.ids_mannheim.korap.security.auth;
+
+import com.unboundid.ldap.sdk.*;
+
+import java.io.*;
+import java.util.*;
+
+
+/**
+ * LDAP Login Tests
+ *
+ */
+public class LdapAuth3
+
+{
+ /* For SSL Connection to LDAP, see: https://www.novell.com/documentation/developer/jldap/jldapenu/data/cchcbejj.html.
+ * and use DEFAULT_SSL_PORT.
+ * For now, plain text connection is used.
+ * FB
+ */
+ final static Boolean DEBUGLOG = false; // log debug output.
+ final static String attC2 = "idsC2"; // if value == TRUE: registered for COSMAS II (KorAP) Service.
+ final static String attStatus = "idsStatus"; // value must be 0..2, 3 = locked account.
+ final static int ldapPort = 389; //LDAPConnection.DEFAULT_PORT;
+ // final static int ldapVersion = LDAPConnection.LDAP_V3;
+ final static String ldapHost = "ldap.ids-mannheim.de";
+ final static String ldapBase = "dc=ids-mannheim,dc=de";
+ final static String sLoginDN = "cn=casaling,dc=ids-mannheim,dc=de";
+ static String sPwd = null;
+
+ /**
+ * return : 0 = OK, User Account + Pwd are OK, no restrictions;
+ * 1 = internal error: cannot verify User+Pwd;
+ * 2 = User Account or Pwd unknown;
+ * 3 = User Account locked;
+ * 4 = User known, but has not registered to KorAP/C2 Service yet;
+ */
+
+ public static final int LDAP_AUTH_ROK = 0;
+ public static final int LDAP_AUTH_RINTERR = 1;
+ public static final int LDAP_AUTH_RUNKNOWN = 2;
+ public static final int LDAP_AUTH_RLOCKED = 3;
+ public static final int LDAP_AUTH_RNOTREG = 4;
+
+ /**
+ * getErrMessage:
+ * returns String Message for LDAP_AUTH_Rxxx code.
+ * @date 20.04.17/FB
+ * @param code
+ * @return Message in string form.
+ */
+ static String getErrMessage(int code)
+
+ {
+ switch(code)
+ {
+ case LDAP_AUTH_ROK:
+ return "LDAP Authentication successfull.";
+ case LDAP_AUTH_RINTERR:
+ return "LDAP Authentication failed due to an internal error!";
+ case LDAP_AUTH_RUNKNOWN:
+ return "LDAP Authentication failed due to unknown user or password!";
+ case LDAP_AUTH_RLOCKED:
+ return "LDAP Authentication: known user is locked!";
+ case LDAP_AUTH_RNOTREG:
+ return "LDAP Authentication: known user has not registered yet for COSMAS II/KorAP!";
+ default:
+ return "LDAP Authentication failed with unknown error code!";
+ }
+ } // getErrMessage
+
+ /**
+ * ldapCode2StatusCode:
+ * - converts a LDAP_AUTH_xxx Error Code to an Error Code of StatusCode.java.
+ * @param base : Base value inside of StatusCode.java reserved for LDAP_AUTH Error Codes.
+ * @param ldapErrCode : the LDAP_AUTH Error code
+ * @return the StatusCode in the range reserved for LDAP_AUTH Errors.
+ * @date 21.04.17/FB
+ */
+ public int ldapCode2StatusCode(int base, int ldapErrCode)
+
+ {
+ return base + ldapErrCode;
+ } // ldapCode2StatusCode
+
+ /*
+ * load properties for LDAP Handling.
+ * 17.02.17/FB
+ */
+
+ static String loadProp() throws IOException
+
+ {
+ String sPwd = null;
+ String sConfFile = System.getProperty("user.home") + "/.config/ldap.conf";
+ FileInputStream in;
+ Properties prop;
+
+ try {
+ in = new FileInputStream(sConfFile);
+ }
+ catch( IOException ex )
+ {
+ System.err.printf("Error: LDAP.loadProp: cannot load Property file '%s'!\n", sConfFile);
+ ex.printStackTrace();
+ return null;
+ }
+
+ if( in == null )
+ {
+ System.err.printf("Error: LDAP.loadProp: cannot load Property file '%s'!\n", sConfFile);
+ return null;
+ }
+ else
+ {
+ if( DEBUGLOG ) System.out.println("Debug: loaded: " + sConfFile);
+ }
+
+ prop = new Properties();
+ Enumeration<?> e;
+
+ try {
+ prop.load(in);
+ e = prop.propertyNames();
+
+ while( e.hasMoreElements() )
+ {
+ String key = (String)e.nextElement();
+ String val = prop.getProperty(key);
+ if( key.compareTo("pwd") == 0 )
+ return val;
+
+ //System.out.println("Property '" + key + "' = '" + val + "'.");
+ }
+ }
+ catch( IOException ex )
+ {
+ ex.printStackTrace();
+ }
+
+ return sPwd;
+
+ } // loadProp
+
+ /**
+ * ldapLogin
+ * Arguments:
+ * sUserDN : either COSMAS II specific Account Name or IDS wide (IDM) account name;
+ * sUserPwd : either COSMAS II specific Password or IDS wide (IDM) password;
+ * return : 0 = OK, User Account + Pwd are OK, no restrictions;
+ * 1 = internal error: cannot verify User+Pwd;
+ * 2 = User Account or Pwd unknown;
+ * 3 = User Account locked;
+ * 4 = User known, but has not registered to KorAP/C2 Service yet;
+ * LDAP Attributes that are checked (definition by Eric Seubert, 02.02.17):
+ * idsC2 = TRUE -> Zugang zu C2 (registriert und zugelassen)
+ * idsC2 = FALSE (bzw Attribut nicht vorhanden)
+ * -> kein Zugang zu C2 (nicht zugelassen, egal ob registriert oder nicht)
+ *
+ * idsStatus = 0 -> Nutzerkennung OK;
+ * idsStatus = 1 -> Nutzer ist kein aktiver IDS-Mitarbeiter
+ * idsStatus = 3 -> Nutzer ist LDAP-weit gesperrt
+ */
+
+ public static int login(String sUserDN, String sUserPwd) throws LDAPException
+
+ {
+
+ String sUserC2DN = sUserDN;
+ String sUserC2Pwd = sUserPwd;
+
+ String ldapFilter = String.format("(|(&(uid=%s)(userPassword=%s))(&(idsC2Profile=%s)(idsC2Password=%s)))",
+ sUserDN, sUserPwd, sUserC2DN, sUserC2Pwd);
+ SearchResult srchRes = null;
+
+ try{
+ sPwd = loadProp();
+ }
+ catch( IOException e )
+ {
+ System.out.println("Error: LDAPAuth.login: cannot load Property file!");
+ return LDAP_AUTH_RINTERR;
+ }
+
+ if( DEBUGLOG )
+ {
+ //System.out.printf("LDAP Version = %d.\n", LDAPConnection.LDAP_V3);
+ System.out.printf("LDAP Host & Port = '%s':%d.\n", ldapHost, ldapPort);
+ System.out.printf("Login User & Pwd = '%s' + '%s'\n", sUserDN, sUserPwd);
+ }
+
+ // LDAP Connection:
+ if( DEBUGLOG ) System.out.println("");
+
+ LDAPConnection lc = new LDAPConnection();
+ try {
+ // connect to LDAP Server:
+ lc.connect(ldapHost, ldapPort);
+ if( DEBUGLOG ) System.out.println("LDAP Connection = OK\n");
+ }
+ catch( LDAPException e)
+ {
+ System.out.printf("Connecting to LDAP Server: failed: '%s'!\n", e.toString());
+ return LDAP_AUTH_RINTERR;
+ }
+
+ if( DEBUGLOG )
+ System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
+
+ try {
+ // bind to server:
+ if( DEBUGLOG ) System.out.printf("Binding with '%s' + '%s'...\n", sLoginDN, sPwd);
+ lc.bind(sLoginDN, sPwd);
+ if( DEBUGLOG ) System.out.printf("Binding: OK.\n");
+ }
+ catch( LDAPException e )
+ {
+ System.out.printf("Binding failed: '%s'!\n", e.toString());
+ return ldapTerminate(lc, LDAP_AUTH_RINTERR);
+ }
+
+ if( DEBUGLOG )
+ System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
+
+ if( DEBUGLOG ) System.out.printf("Finding user '%s'...\n", sUserDN);
+ try{
+ // SCOPE_SUB = Scope Subtree.
+ if( DEBUGLOG ) System.out.printf("Finding Filter: '%s'.\n", ldapFilter);
+
+ // hier werden alle Attribute abgefragt:
+ //srchRes = lc.search(ldapBase, SearchScope.SUB, ldapFilter, null);
+ // wir fragen nur diese Attribute ab:
+ srchRes = lc.search(ldapBase, SearchScope.SUB, ldapFilter, attStatus, attC2);
+
+ if( DEBUGLOG ) System.out.printf("Finding '%s': %d entries.\n", sUserDN, srchRes.getEntryCount());
+ }
+ catch( LDAPSearchException e )
+ {
+ System.out.printf("Search for User failed: '%s'!\n", e.toString());
+ return ldapTerminate(lc, LDAP_AUTH_RUNKNOWN);
+ }
+
+ if( srchRes.getEntryCount() == 0 )
+ {
+ if( DEBUGLOG ) System.out.printf("Finding '%s': no entry found!\n", sUserDN);
+ return ldapTerminate(lc, LDAP_AUTH_RUNKNOWN);
+ }
+
+ if( DEBUGLOG ) System.out.println("Display results:");
+
+ Boolean
+ bStatus = false,
+ bC2 = false;
+
+ // Attribute pr�fen:
+ for (SearchResultEntry e : srchRes.getSearchEntries())
+ {
+ for( Attribute attr : e.getAttributes() )
+ {
+ Integer val;
+
+ if( DEBUGLOG )
+ System.out.printf(" att: '%s'='%s'.\n", attr.getName(), attr.getValue());
+
+ // checking pertinent attribut/value pairs:
+ // "idsStatus": values 0=OK, 1-3 = locked account.
+ if( attr.getName().equals(attStatus) )
+ {
+ if( (val = attr.getValueAsInteger()) == null || val != 0 )
+ {
+ if( DEBUGLOG ) System.out.printf("idsStatus = '%s' -> User locked!\n", attr.getValue());
+ return ldapTerminate(lc, LDAP_AUTH_RLOCKED);
+ }
+ if( DEBUGLOG ) System.out.printf(" att: '%s'='%s': OK.\n", attr.getName(), attr.getValue());
+ bStatus = true;
+ }
+
+ // "c2IDS" must be set to "TRUE" = User known, but has not yet registered to C2 Service -> KorAP Service.
+ if( attr.getName().equals(attC2) )
+ {
+ if( attr.getValue().equals("FALSE") )
+ {
+ if( DEBUGLOG )
+ System.out.printf("idsC2 = '%s'-> User known, but has not registered C2/KorAP Service yet!\n",
+ attr.getValue());
+ return ldapTerminate(lc, LDAP_AUTH_RNOTREG);
+ }
+ if( DEBUGLOG )
+ System.out.printf(" att: idsC2 = '%s'-> registered User: OK.\n", attr.getValue());
+ bC2 = true;
+ }
+ }
+
+ if( DEBUGLOG ) System.out.println();
+ }
+
+ if( bStatus == true && bC2 == true )
+ return ldapTerminate(lc, LDAP_AUTH_ROK); // OK.
+ else
+ return ldapTerminate(lc, LDAP_AUTH_RNOTREG); // Attribute konnten nicht gepr�ft werden.
+
+ } // ldapLogin
+
+/**
+ * ldapTerminate
+ */
+
+public static int ldapTerminate(LDAPConnection lc, int ret)
+
+ {
+ if( DEBUGLOG ) System.out.println("Terminating...");
+ /*
+ try{
+ lc.finalize();
+ if( DEBUGLOG ) System.out.println("Debug: finalize: OK.");
+ }
+ catch( LDAPException e )
+ {
+ System.out.printf("finalize failed: '%s'!\n", e.toString());
+ }
+ */
+
+ lc.close(null);
+ if( DEBUGLOG ) System.out.println("closing connection: done.\n");
+ return ret;
+ } // ldapTerminate
+
+}
+
diff --git a/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java b/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java
index 2939a2a..85e4bc5 100644
--- a/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java
+++ b/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java
@@ -105,7 +105,7 @@
contextHandler.addServlet(new ServletHolder(
new ServletContainer(rc)), "/api/*");
- server.setHandler(contextHandler);
+ server.setHandler(contextHandler);
if (kargs.sslContext != null) {
SslSocketConnector sslConnector = new SslSocketConnector(
diff --git a/src/main/java/de/ids_mannheim/korap/web/SearchKrill.java b/src/main/java/de/ids_mannheim/korap/web/SearchKrill.java
index aac0f2f..16f4506 100644
--- a/src/main/java/de/ids_mannheim/korap/web/SearchKrill.java
+++ b/src/main/java/de/ids_mannheim/korap/web/SearchKrill.java
@@ -40,6 +40,8 @@
*/
// todo: use korap.config to get index location
public SearchKrill (String path) {
+
+ System.out.println("Debug: SearchKrill: path='" + path + "'.");
try {
if (path.equals(":temp:")) {
this.index = new KrillIndex();
@@ -48,7 +50,7 @@
File f = new File(path);
jlog.info("Loading index from " + path);
if (!f.exists()) {
- jlog.error("Index not found!");
+ jlog.error("Index not found: " + path + "!");
System.exit(-1);
}
this.index = new KrillIndex(new MMapDirectory(Paths.get(path)));
diff --git a/src/main/java/de/ids_mannheim/korap/web/service/full/AuthService.java b/src/main/java/de/ids_mannheim/korap/web/service/full/AuthService.java
index 8a7515a..ee63565 100644
--- a/src/main/java/de/ids_mannheim/korap/web/service/full/AuthService.java
+++ b/src/main/java/de/ids_mannheim/korap/web/service/full/AuthService.java
@@ -2,6 +2,7 @@
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ResourceFilters;
+
import de.ids_mannheim.korap.config.Attributes;
import de.ids_mannheim.korap.config.BeansFactory;
import de.ids_mannheim.korap.exceptions.KustvaktException;
@@ -15,14 +16,21 @@
import de.ids_mannheim.korap.web.KustvaktServer;
import de.ids_mannheim.korap.web.filter.*;
import de.ids_mannheim.korap.web.utils.KustvaktResponseHandler;
+
import org.slf4j.Logger;
+import javax.servlet.http.HttpServletRequest; // FB
import javax.ws.rs.*;
import javax.ws.rs.core.*;
+import javax.xml.ws.WebServiceContext; // FB
+import javax.xml.ws.handler.MessageContext; // FB
+import javax.annotation.Resource; // FB
+
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.Iterator; // 07.02.17/FB
//import com.sun.xml.internal.messaging.saaj.util.Base64;
@@ -35,13 +43,14 @@
@Produces(MediaType.TEXT_HTML + ";charset=utf-8")
public class AuthService {
+ private static Boolean DEBUG_LOG = false;
+
//todo: bootstrap function to transmit certain default configuration settings and examples (example user queries,
// default usersettings, etc.)
private static Logger jlog = KustvaktLogger.getLogger(AuthService.class);
private AuthenticationManagerIface controller;
-
// private SendMail mail;
public AuthService () {
@@ -51,7 +60,7 @@
// this.mail = new SendMail(ExtConfiguration.getMailProperties());
}
-
+
/**
* represents json string with data. All GUI clients can access
* this method to get certain default values
@@ -90,17 +99,56 @@
@GET
@Path("apiToken")
//@ResourceFilters({HeaderFilter.class})
- public Response requestAPIToken (@Context HttpHeaders headers,
+ public Response requestAPIToken (
+ @Context HttpHeaders headers,
@Context Locale locale,
@HeaderParam(ContainerRequest.USER_AGENT) String agent,
@HeaderParam(ContainerRequest.HOST) String host,
@HeaderParam("referer-url") String referer,
- @QueryParam("scope") String scopes) {
+ @QueryParam("scope") String scopes,
+ // @Context WebServiceContext wsContext, // FB
+ @Context SecurityContext secCtx) {
+
List<String> auth = headers
.getRequestHeader(ContainerRequest.AUTHORIZATION);
String[] values = BasicHttpAuth.decode(auth.get(0));
+ if( DEBUG_LOG == true )
+ {
+ System.out.printf("Debug: AuthService.requestAPIToken...:\n");
+ System.out.printf("Debug: auth.size=%d\n", auth.size());
+ System.out.printf("auth.get(0)='%s'\n", auth.get(0));
+ System.out.printf("Debug: values.length=%d\n", values.length);
+ if( auth.size() > 0 )
+ {
+ Iterator it = auth.iterator();
+ while( it.hasNext() )
+ System.out.printf(" header '%s'\n", it.next());
+ }
+ if( values.length > 0 )
+ {
+ for(int i=0; i< values.length; i++)
+ {
+ System.out.printf(" values[%d]='%s'\n", i, values[i]);
+ }
+ }
+
+ MultivaluedMap<String,String> headerMap = headers.getRequestHeaders();
+ if( headerMap != null && headerMap.size() > 0 )
+ {
+ Iterator<String> it = headerMap.keySet().iterator();
+ while( it.hasNext() )
+ {
+ String key = (String)it.next();
+ List<String> vals= headerMap.get(key);
+ System.out.printf("Debug: requestAPIToken: '%s' = '%s'\n", key, vals);
+ }
+
+ }
+ System.out.printf("Debug: requestAPIToken: isSecure = %s.\n", secCtx.isSecure() ? "yes" : "no");
+ } // DEBUG_LOG
+
// "Invalid syntax for username and password"
if (values == null)
throw KustvaktResponseHandler
@@ -118,13 +166,12 @@
attr.put(Attributes.USER_AGENT, agent);
TokenContext context;
try {
- User user = controller.authenticate(0, values[0], values[1], attr);
- Userdata data = this.controller
- .getUserData(user, UserDetails.class);
+ // User user = controller.authenticate(0, values[0], values[1], attr); Implementation by Hanl
+ User user = controller.authenticate(2, values[0], values[1], attr); // Implementation with IdM/LDAP
+ // Userdata data = this.controller.getUserData(user, UserDetails.class); // Implem. by Hanl
// todo: is this necessary?
// attr.putAll(data.fields());
- context = controller.createTokenContext(user, attr,
- Attributes.API_AUTHENTICATION);
+ context = controller.createTokenContext(user, attr, Attributes.API_AUTHENTICATION);
}
catch (KustvaktException e) {
throw KustvaktResponseHandler.throwit(e);
@@ -175,8 +222,11 @@
throw KustvaktResponseHandler
.throwit(StatusCodes.BAD_CREDENTIALS);
+ // Implementation Hanl mit '|'. 16.02.17/FB
+ //if (values[0].equalsIgnoreCase("null")
+ // | values[1].equalsIgnoreCase("null"))
if (values[0].equalsIgnoreCase("null")
- | values[1].equalsIgnoreCase("null"))
+ || values[1].equalsIgnoreCase("null"))
throw KustvaktResponseHandler.throwit(StatusCodes.REQUEST_INVALID);
Map<String, Object> attr = new HashMap<>();
diff --git a/src/main/resources/validation.properties b/src/main/resources/validation.properties
index 22f27c5..a38ae80 100644
--- a/src/main/resources/validation.properties
+++ b/src/main/resources/validation.properties
@@ -32,5 +32,6 @@
# as used by apache commons validator for strings
# Validator.string=^[\\.;:,\\=&\\*\\/\\/_()\\[\\]@\\|\\-0-9\\p{L}\\p{Space}]{0,1024}$
-Validator.username=^[A-Za-z_.\\d]{6,15}$
+#Validator.username=^[A-Za-z_.\\d]{6,15}$ by Hanl
+Validator.username=^[A-Za-z_.\\d]{3,20}$ # 21.04.17/FB
Validator.password=^((?=.*\\d)(?=.*[A-Za-z])(?!.*[\\(\\)-]).{8,20})$
\ No newline at end of file