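/*
 *  Licensed to the Apache Software Foundation (ASF) under one
 *  or more contributor license agreements.  See the NOTICE file
 *  distributed with this work for additional information
 *  regarding copyright ownership.  The ASF licenses this file
 *  to you under the Apache License, Version 2.0 (the
 *  "License"); you may not use this file except in compliance
 *  with the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing,
 *  software distributed under the License is distributed on an
 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 *  KIND, either express or implied.  See the License for the
 *  specific language governing permissions and limitations
 *  under the License.
 *
 */
package org.apache.directory.server.core.authn;


import javax.naming.Context;

import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.shared.partition.DefaultPartitionNexus;


/**
 * Authenticates users who access {@link DefaultPartitionNexus}.
 * <p>
 * {@link Authenticator}s are registered to and configured by the
 * {@link AuthenticationInterceptor} interceptor. Each authenticator is scoped
 * to a selection of the DIT by its base DN ({@link #getBaseDn()}): only bind
 * DNs for which {@link #isValid(Dn)} returns {@code true} are handled by it.
 * <p>
 * {@link AuthenticationInterceptor} authenticates users by calling
 * {@link #authenticate(BindOperationContext)}. This contract was historically
 * described in terms of the JNDI {@link Context} environment properties
 * ({@link Context#SECURITY_PRINCIPAL} and {@link Context#SECURITY_CREDENTIALS});
 * the only input the method receives here is the {@link BindOperationContext},
 * so implementers take the bind DN and credentials from it (confirm against
 * {@link AuthenticationInterceptor}).
 * <p>
 * NOTE(review): implementations are expected to fail closed -- return a
 * principal only once the credentials have been verified and throw
 * {@link LdapException} in every other case. Implementers should also avoid
 * letting the exception reveal whether the DN exists or only the credentials
 * were wrong.
 *
 * @see AbstractAuthenticator
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 */
public interface Authenticator
{
    /**
     * Returns the type of this authenticator (e.g. {@code 'simple'},
     * {@code 'none'}, ...).
     *
     * @return The authentication level this authenticator implements
     */
    AuthenticationLevel getAuthenticatorType();


    /**
     * Called by {@link AuthenticationInterceptor} to indicate that this
     * authenticator is being placed into service.
     *
     * @param directoryService The DirectoryService instance
     * @throws LdapException If the initialization failed
     */
    void init( DirectoryService directoryService ) throws LdapException;


    /**
     * Called by {@link AuthenticationInterceptor} to indicate that this
     * authenticator is being removed from service.
     */
    void destroy();


    /**
     * Callback used to respond to password changes by invalidating a password
     * cache, if the implementation keeps one. This is an optional feature of an
     * authenticator: an empty implementation is sufficient when nothing is
     * cached. It is called on every del, modify, and modifyRdn operation.
     * <p>
     * Security: an authenticator that caches verified credentials but ignores
     * this callback will keep accepting the old password after it has been
     * changed, and keep authenticating a DN after its entry has been deleted
     * or renamed. Implementations that cache must evict {@code bindDn} here.
     *
     * @param bindDn the already normalized distinguished name of the bind principal
     */
    void invalidateCache( Dn bindDn );


    /**
     * Performs authentication and returns the principal if it succeeded.
     * Failure is signalled by the exception, not by the return value.
     *
     * @param bindContext The Bind context
     * @return The authenticated {@link LdapPrincipal}
     * @throws LdapException If the authentication failed
     */
    LdapPrincipal authenticate( BindOperationContext bindContext ) throws LdapException;


    /**
     * Performs checks on the given entry based on the configured password
     * policy.
     *
     * @param userEntry the user entry to be checked for authentication
     * @throws LdapException If the entry fails a password-policy check
     */
    void checkPwdPolicy( Entry userEntry ) throws LdapException;


    /**
     * Checks whether this authenticator applies to the given DN. The DN we want
     * to authenticate has to be part of the DIT selection (see
     * {@link #getBaseDn()}) associated with the Authenticator.
     *
     * @param bindDn The DN we want to authenticate
     * @return {@code true} if the Authenticator supports the DN
     */
    boolean isValid( Dn bindDn );


    /**
     * @return The Authenticator base DN, i.e. the root of the DIT selection
     *         this authenticator is responsible for
     */
    Dn getBaseDn();


    /**
     * Sets the base DN of the Authenticator. Changing it changes which bind DNs
     * {@link #isValid(Dn)} accepts; presumably this is only called at
     * configuration time -- verify against {@link AuthenticationInterceptor}.
     *
     * @param baseDn The Base DN to set
     */
    void setBaseDn( Dn baseDn );
}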