com.atlassian.crowd.directory
Class DelegatedAuthenticationDirectory
java.lang.Object
com.atlassian.crowd.directory.DelegatedAuthenticationDirectory
- All Implemented Interfaces:
- RemoteDirectory, Attributes
public class DelegatedAuthenticationDirectory
- extends Object
- implements RemoteDirectory
This implementation of a RemoteDirectory provides delegated
authentication to an underlying remote LDAP implementation.
In essence this means that a user's groups and roles are managed
internally to Crowd and only authentication is delegated to the
LDAP directory.
Users, groups and memberships exist in an internal directory, and all
query and mutation operations execute on the internal directory.
For a user to successfully authenticate, they must exist in LDAP
and must authenticate against LDAP. Passwords are not stored
internally.
If the ATTRIBUTE_CREATE_USER_ON_AUTH attribute is
enabled, the delegated authentication directory will automatically
create the user in the internal portion of this directory once they
successfully authenticate against LDAP. The initial user details, in
this case, will be obtained from LDAP.
If the ATTRIBUTE_UPDATE_USER_ON_AUTH attribute is
enabled, the delegated authentication directory will also update
the user's details from LDAP automatically whenever they
authenticate. The details are likewise refreshed from LDAP if this
attribute is not enabled but the user is deleted internally and then
re-authenticates, since the user is then re-created from LDAP.
If the create-on-auth option is not enabled, then users must always
be manually created in this directory before they can authenticate
against LDAP. In this scenario, the user details will never be retrieved
from LDAP. This is OSUser's default LDAP behaviour.
Method Summary
- Group addGroup(GroupTemplate group)
- void addGroupToGroup(String childGroup, String parentGroup)
- User addOrUpdateLdapUser(String name): copies or updates a user in the internal directory from their counterpart in the LDAP directory.
- User addUser(UserTemplate user, PasswordCredential credential)
- void addUserToGroup(String username, String groupName)
- User authenticate(String name, PasswordCredential credential): in addition to the normal authentication behaviour, following a successful authentication the following may occur: if the user does not exist in the internal directory and ATTRIBUTE_CREATE_USER_ON_AUTH is enabled, the user's details will be added to the internal directory; if the user exists in the internal directory and ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled, the user's details will be updated in the internal directory; if the user exists in the internal directory, ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled and the username was changed in the remote directory, the user's name will be updated in the internal directory. A user marked as inactive locally will not be authenticated, retrieved, renamed or updated from the LDAP server.
- BoundedCount countDirectMembersOfGroup(String groupName, int querySizeHint)
- void expireAllPasswords()
- Group findGroupByName(String name)
- GroupWithAttributes findGroupWithAttributesByName(String name)
- User findUserByExternalId(String externalId)
- User findUserByName(String name)
- UserWithAttributes findUserWithAttributesByName(String name)
- RemoteDirectory getAuthoritativeDirectory()
- String getDescriptiveName()
- long getDirectoryId()
- Set<String> getKeys()
- Iterable<Membership> getMemberships()
- String getValue(String key)
- Set<String> getValues(String key)
- boolean isEmpty()
- boolean isGroupDirectGroupMember(String childGroup, String parentGroup)
- boolean isRolesDisabled()
- boolean isUserDirectGroupMember(String username, String groupName)
- void removeGroup(String name)
- void removeGroupAttributes(String groupName, String attributeName)
- void removeGroupFromGroup(String childGroup, String parentGroup)
- void removeUser(String name)
- void removeUserAttributes(String username, String attributeName)
- void removeUserFromGroup(String username, String groupName)
- Group renameGroup(String oldName, String newName)
- User renameUser(String oldName, String newName)
- <T> List<T> searchGroupRelationships(MembershipQuery<T> query)
- <T> List<T> searchGroups(EntityQuery<T> query)
- <T> List<T> searchUsers(EntityQuery<T> query)
- void setAttributes(Map<String,String> attributes)
- void setDirectoryId(long directoryId)
- void storeGroupAttributes(String groupName, Map<String,Set<String>> attributes)
- void storeUserAttributes(String username, Map<String,Set<String>> attributes)
- boolean supportsInactiveAccounts()
- boolean supportsNestedGroups()
- boolean supportsPasswordExpiration()
- boolean supportsSettingEncryptedCredential(): delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.
- void testConnection()
- Group updateGroup(GroupTemplate group)
- User updateUser(UserTemplate user)
- void updateUserCredential(String username, PasswordCredential credential)
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
ATTRIBUTE_CREATE_USER_ON_AUTH
public static final String ATTRIBUTE_CREATE_USER_ON_AUTH
- See Also:
- Constant Field Values
ATTRIBUTE_UPDATE_USER_ON_AUTH
public static final String ATTRIBUTE_UPDATE_USER_ON_AUTH
- See Also:
- Constant Field Values
ATTRIBUTE_LDAP_DIRECTORY_CLASS
public static final String ATTRIBUTE_LDAP_DIRECTORY_CLASS
- See Also:
- Constant Field Values
ATTRIBUTE_KEY_IMPORT_GROUPS
public static final String ATTRIBUTE_KEY_IMPORT_GROUPS
- See Also:
- Constant Field Values
DelegatedAuthenticationDirectory
public DelegatedAuthenticationDirectory(RemoteDirectory ldapDirectory,
InternalRemoteDirectory internalDirectory,
com.atlassian.event.api.EventPublisher eventPublisher,
DirectoryDao directoryDao)
getDirectoryId
public long getDirectoryId()
- Specified by:
getDirectoryId in interface RemoteDirectory
setDirectoryId
public void setDirectoryId(long directoryId)
- Specified by:
setDirectoryId in interface RemoteDirectory
getDescriptiveName
public String getDescriptiveName()
- Specified by:
getDescriptiveName in interface RemoteDirectory
setAttributes
public void setAttributes(Map<String,String> attributes)
- Specified by:
setAttributes in interface RemoteDirectory
findUserByName
public User findUserByName(String name)
throws UserNotFoundException,
OperationFailedException
- Specified by:
findUserByName in interface RemoteDirectory
- Throws:
UserNotFoundException
OperationFailedException
findUserWithAttributesByName
public UserWithAttributes findUserWithAttributesByName(String name)
throws UserNotFoundException,
OperationFailedException
- Specified by:
findUserWithAttributesByName in interface RemoteDirectory
- Throws:
UserNotFoundException
OperationFailedException
findUserByExternalId
public User findUserByExternalId(String externalId)
throws UserNotFoundException
- Specified by:
findUserByExternalId in interface RemoteDirectory
- Throws:
UserNotFoundException
authenticate
public User authenticate(String name,
PasswordCredential credential)
throws UserNotFoundException,
InactiveAccountException,
InvalidAuthenticationException,
ExpiredCredentialException,
OperationFailedException
- In addition to the normal authentication behaviour, following a successful
authentication the following may occur:
- If the user does not exist in the internal directory and
ATTRIBUTE_CREATE_USER_ON_AUTH is enabled, the user's details
will be added to the internal directory.
- If the user exists in the internal directory and
ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled, the user's details
will be updated in the internal directory.
- If the user exists in the internal directory,
ATTRIBUTE_UPDATE_USER_ON_AUTH is enabled and
the username was changed in the remote directory, the user's name
will be updated in the internal directory.
A user marked as inactive locally will not be authenticated, retrieved,
renamed or updated from the LDAP server.
- Specified by:
authenticate in interface RemoteDirectory
- Throws:
OperationFailedException - when the user rename is not possible
UserNotFoundException
InactiveAccountException
InvalidAuthenticationException
ExpiredCredentialException
- See Also:
RemoteDirectory.authenticate(String, PasswordCredential)
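The authenticate() contract above, together with the create-on-auth and update-on-auth behaviour from the class description, as an added example: a constructed Python model of the create, update, rename and locally-inactive cases, not Crowd's code. The FakeLdap stand-in and the use of the external id to detect a remote rename are assumptions; the real class works against a RemoteDirectory LDAP implementation.

```python
from dataclasses import dataclass, field
# Constructed model of the authenticate() contract in this Javadoc, not Crowd's code;
# FakeLdap and the external-id rename detection below are assumptions.
class UserNotFoundException(Exception): pass
class InactiveAccountException(Exception): pass
class InvalidAuthenticationException(Exception): pass

@dataclass
class User:
    name: str
    external_id: str
    display_name: str
    active: bool = True

@dataclass
class FakeLdap:
    """Stand-in for the remote LDAP directory; it holds the only passwords."""
    users: dict
    passwords: dict

    def bind(self, name: str, password: str) -> User:
        if name not in self.users:
            raise UserNotFoundException(name)
        if self.passwords.get(name) != password:
            raise InvalidAuthenticationException(name)
        return self.users[name]

@dataclass
class DelegatedDirectory:
    ldap: FakeLdap
    create_on_auth: bool    # ATTRIBUTE_CREATE_USER_ON_AUTH
    update_on_auth: bool    # ATTRIBUTE_UPDATE_USER_ON_AUTH
    internal: dict = field(default_factory=dict)   # users only, never credentials

    def authenticate(self, name: str, password: str) -> User:
        local = self.internal.get(name)
        if local is not None and not local.active:
            raise InactiveAccountException(name)   # LDAP is never consulted
        remote = self.ldap.bind(name, password)    # the only password check
        if local is None and self.update_on_auth:
            # Assumption: same external id under another name means a remote rename.
            local = next((u for u in self.internal.values()
                          if u.external_id == remote.external_id), None)
            if local is not None:
                if not local.active:
                    raise InactiveAccountException(local.name)
                self.internal[name] = self.internal.pop(local.name)
                local.name = name
        if local is None:
            if not self.create_on_auth:
                raise UserNotFoundException(name)  # must be created manually first
            local = self.internal[name] = User(name, remote.external_id, remote.display_name)
        elif self.update_on_auth:
            local.display_name = remote.display_name   # refresh details from LDAP
        return local
```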
addOrUpdateLdapUser
public User addOrUpdateLdapUser(String name)
throws UserNotFoundException,
OperationFailedException
- Copies or updates a user in the internal directory from their counterpart in the LDAP directory.
Used by custom authenticators to ensure users exist when external authentication mechanisms
provide only a username.
- Parameters:
name - the username of the user to copy
- Returns:
- the newly updated internal user
- Throws:
UserNotFoundException - if no user with the given username exists in LDAP
OperationFailedException - if there was a problem communicating with the LDAP server or the user
could not be cloned to the internal directory
addUser
public User addUser(UserTemplate user,
PasswordCredential credential)
throws InvalidUserException,
InvalidCredentialException,
UserAlreadyExistsException,
OperationFailedException
- Specified by:
addUser in interface RemoteDirectory
- Throws:
InvalidUserException
InvalidCredentialException
UserAlreadyExistsException
OperationFailedException
updateUser
public User updateUser(UserTemplate user)
throws InvalidUserException,
UserNotFoundException,
OperationFailedException
- Specified by:
updateUser in interface RemoteDirectory
- Throws:
InvalidUserException
UserNotFoundException
OperationFailedException
updateUserCredential
public void updateUserCredential(String username,
PasswordCredential credential)
throws UserNotFoundException,
InvalidCredentialException,
OperationFailedException
- Specified by:
updateUserCredential in interface RemoteDirectory
- Throws:
UserNotFoundException
InvalidCredentialException
OperationFailedException
renameUser
public User renameUser(String oldName,
String newName)
throws UserNotFoundException,
InvalidUserException,
UserAlreadyExistsException,
OperationFailedException
- Specified by:
renameUser in interface RemoteDirectory
- Throws:
UserNotFoundException
InvalidUserException
UserAlreadyExistsException
OperationFailedException
storeUserAttributes
public void storeUserAttributes(String username,
Map<String,Set<String>> attributes)
throws UserNotFoundException,
OperationFailedException
- Specified by:
storeUserAttributes in interface RemoteDirectory
- Throws:
UserNotFoundException
OperationFailedException
removeUserAttributes
public void removeUserAttributes(String username,
String attributeName)
throws UserNotFoundException,
OperationFailedException
- Specified by:
removeUserAttributes in interface RemoteDirectory
- Throws:
UserNotFoundException
OperationFailedException
removeUser
public void removeUser(String name)
throws UserNotFoundException,
OperationFailedException
- Specified by:
removeUser in interface RemoteDirectory
- Throws:
UserNotFoundException
OperationFailedException
searchUsers
public <T> List<T> searchUsers(EntityQuery<T> query)
throws OperationFailedException
- Specified by:
searchUsers in interface RemoteDirectory
- Throws:
OperationFailedException
findGroupByName
public Group findGroupByName(String name)
throws GroupNotFoundException,
OperationFailedException
- Specified by:
findGroupByName in interface RemoteDirectory
- Throws:
GroupNotFoundException
OperationFailedException
findGroupWithAttributesByName
public GroupWithAttributes findGroupWithAttributesByName(String name)
throws GroupNotFoundException,
OperationFailedException
- Specified by:
findGroupWithAttributesByName in interface RemoteDirectory
- Throws:
GroupNotFoundException
OperationFailedException
addGroup
public Group addGroup(GroupTemplate group)
throws InvalidGroupException,
OperationFailedException
- Specified by:
addGroup in interface RemoteDirectory
- Throws:
InvalidGroupException
OperationFailedException
updateGroup
public Group updateGroup(GroupTemplate group)
throws InvalidGroupException,
GroupNotFoundException,
OperationFailedException,
ReadOnlyGroupException
- Specified by:
updateGroup in interface RemoteDirectory
- Throws:
InvalidGroupException
GroupNotFoundException
OperationFailedException
ReadOnlyGroupException
renameGroup
public Group renameGroup(String oldName,
String newName)
throws GroupNotFoundException,
InvalidGroupException,
OperationFailedException
- Specified by:
renameGroup in interface RemoteDirectory
- Throws:
GroupNotFoundException
InvalidGroupException
OperationFailedException
storeGroupAttributes
public void storeGroupAttributes(String groupName,
Map<String,Set<String>> attributes)
throws GroupNotFoundException,
OperationFailedException
- Specified by:
storeGroupAttributes in interface RemoteDirectory
- Throws:
GroupNotFoundException
OperationFailedException
removeGroupAttributes
public void removeGroupAttributes(String groupName,
String attributeName)
throws GroupNotFoundException,
OperationFailedException
- Specified by:
removeGroupAttributes in interface RemoteDirectory
- Throws:
GroupNotFoundException
OperationFailedException
removeGroup
public void removeGroup(String name)
throws GroupNotFoundException,
OperationFailedException,
ReadOnlyGroupException
- Specified by:
removeGroup in interface RemoteDirectory
- Throws:
GroupNotFoundException
OperationFailedException
ReadOnlyGroupException
searchGroups
public <T> List<T> searchGroups(EntityQuery<T> query)
throws OperationFailedException
- Specified by:
searchGroups in interface RemoteDirectory
- Throws:
OperationFailedException
isUserDirectGroupMember
public boolean isUserDirectGroupMember(String username,
String groupName)
throws OperationFailedException
- Specified by:
isUserDirectGroupMember in interface RemoteDirectory
- Throws:
OperationFailedException
isGroupDirectGroupMember
public boolean isGroupDirectGroupMember(String childGroup,
String parentGroup)
throws OperationFailedException
- Specified by:
isGroupDirectGroupMember in interface RemoteDirectory
- Throws:
OperationFailedException
countDirectMembersOfGroup
public BoundedCount countDirectMembersOfGroup(String groupName,
int querySizeHint)
throws OperationFailedException
- Specified by:
countDirectMembersOfGroup in interface RemoteDirectory
- Throws:
OperationFailedException
addUserToGroup
public void addUserToGroup(String username,
String groupName)
throws GroupNotFoundException,
UserNotFoundException,
OperationFailedException,
ReadOnlyGroupException,
MembershipAlreadyExistsException
- Specified by:
addUserToGroup in interface RemoteDirectory
- Throws:
GroupNotFoundException
UserNotFoundException
OperationFailedException
ReadOnlyGroupException
MembershipAlreadyExistsException
addGroupToGroup
public void addGroupToGroup(String childGroup,
String parentGroup)
throws GroupNotFoundException,
InvalidMembershipException,
OperationFailedException,
ReadOnlyGroupException,
MembershipAlreadyExistsException
- Specified by:
addGroupToGroup in interface RemoteDirectory
- Throws:
GroupNotFoundException
InvalidMembershipException
OperationFailedException
ReadOnlyGroupException
MembershipAlreadyExistsException
removeUserFromGroup
public void removeUserFromGroup(String username,
String groupName)
throws GroupNotFoundException,
UserNotFoundException,
MembershipNotFoundException,
OperationFailedException,
ReadOnlyGroupException
- Specified by:
removeUserFromGroup in interface RemoteDirectory
- Throws:
GroupNotFoundException
UserNotFoundException
MembershipNotFoundException
OperationFailedException
ReadOnlyGroupException
removeGroupFromGroup
public void removeGroupFromGroup(String childGroup,
String parentGroup)
throws GroupNotFoundException,
InvalidMembershipException,
MembershipNotFoundException,
OperationFailedException,
ReadOnlyGroupException
- Specified by:
removeGroupFromGroup in interface RemoteDirectory
- Throws:
GroupNotFoundException
InvalidMembershipException
MembershipNotFoundException
OperationFailedException
ReadOnlyGroupException
searchGroupRelationships
public <T> List<T> searchGroupRelationships(MembershipQuery<T> query)
throws OperationFailedException
- Specified by:
searchGroupRelationships in interface RemoteDirectory
- Throws:
OperationFailedException
testConnection
public void testConnection()
throws OperationFailedException
- Specified by:
testConnection in interface RemoteDirectory
- Throws:
OperationFailedException
supportsInactiveAccounts
public boolean supportsInactiveAccounts()
- Specified by:
supportsInactiveAccounts in interface RemoteDirectory
supportsNestedGroups
public boolean supportsNestedGroups()
- Specified by:
supportsNestedGroups in interface RemoteDirectory
supportsPasswordExpiration
public boolean supportsPasswordExpiration()
- Specified by:
supportsPasswordExpiration in interface RemoteDirectory
supportsSettingEncryptedCredential
public boolean supportsSettingEncryptedCredential()
- Delegated authentication directories don't support setting non-hashed credentials, let alone hashed credentials.
- Specified by:
supportsSettingEncryptedCredential in interface RemoteDirectory
- Returns:
false, always.
isRolesDisabled
public boolean isRolesDisabled()
- Specified by:
isRolesDisabled in interface RemoteDirectory
getValues
public Set<String> getValues(String key)
- Specified by:
getValues in interface Attributes
getValue
public String getValue(String key)
- Specified by:
getValue in interface Attributes
getKeys
public Set<String> getKeys()
- Specified by:
getKeys in interface Attributes
isEmpty
public boolean isEmpty()
- Specified by:
isEmpty in interface Attributes
getAuthoritativeDirectory
public RemoteDirectory getAuthoritativeDirectory()
- Specified by:
getAuthoritativeDirectory in interface RemoteDirectory
getMemberships
public Iterable<Membership> getMemberships()
throws OperationFailedException
- Specified by:
getMemberships in interface RemoteDirectory
- Throws:
OperationFailedException
expireAllPasswords
public void expireAllPasswords()
throws OperationFailedException
- Specified by:
expireAllPasswords in interface RemoteDirectory
- Throws:
OperationFailedException
Copyright © 2016 Atlassian. All Rights Reserved.