/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* docs/licenses/cddl.txt
* or http://www.opensource.org/licenses/cddl1.php.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* docs/licenses/cddl.txt. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Portions Copyright 2019-2024 Ping Identity Corporation
*/
package com.unboundid.directory.sdk.examples;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.directory.sdk.common.operation.SASLBindRequest;
import com.unboundid.directory.sdk.common.operation.UpdatableSASLBindRequest;
import com.unboundid.directory.sdk.common.operation.UpdatableSimpleBindRequest;
import com.unboundid.directory.sdk.common.types.LogSeverity;
import com.unboundid.directory.sdk.common.types.OperationContext;
import com.unboundid.directory.sdk.common.types.ServerContext;
import com.unboundid.directory.sdk.ds.api.SASLMechanismHandler;
import com.unboundid.directory.sdk.ds.config.SASLMechanismHandlerConfig;
import com.unboundid.directory.sdk.ds.types.DirectoryServerContext;
import com.unboundid.directory.sdk.ds.types.SASLBindResult;
import com.unboundid.directory.sdk.ds.types.SASLBindResultFactory;
import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.ByteString;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.Validator;
import com.unboundid.util.args.ArgumentParser;
/**
* This class provides a Server SDK SASL mechanism handler implementation that
* uses attachments on the associated bind operation to specify the behavior
* that the server should exhibit when processing the bind operation. This is
* only intended to be used internally within the server and should not be
* directly requested by an external client. It is primarily expected to be
* used in conjunction with a pre-parse bind plugin that performs all of the
* authentication processing itself, but then converts the bind request to this
* mechanism to use the information provided in attachments to define the result
* of the operation processing.
* <BR><BR>
* This SASL mechanism handler actually implements support for four related SASL
* mechanisms:
* <BR>
* <UL>
* <LI>
* PING-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT: Indicates
* that the authentication used a password provided by the client, and that
* the password and any other associated credentials were provided in a
* secure manner (that is, in a manner that is not vulnerable to
* eavesdropping, replay, or alteration attacks).
* </LI>
* <LI>
* PING-NON-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT: Indicates
* that the authentication used a password provided by the client, and that
* the password or any other associated credentials were provided in a
* non-secure manner (that is, in a manner that may be vulnerable to
* eavesdropping, replay, or alteration attacks).
* </LI>
* <LI>
* PING-SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT: Indicates
* that the authentication did not use a password provided by the client,
* and that any credentials used were provided in a secure manner (that is,
* in a manner that is not vulnerable to eavesdropping, replay, or
* alteration attacks).
* </LI>
* <LI>
* PING-NON-SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT:
* Indicates that the authentication did not use a password provided by the
* client, but that it did use credentials that were provided in a
* non-secure manner (that is, in a manner that may be vulnerable to
* eavesdropping, replay, or alteration attacks).
* </LI>
* </UL>
* <BR><BR>
* All four SASL mechanisms implemented by this handler implement support for
* the same set of operation attachments. Supported attachments include:
* <BR>
* <UL>
* <LI>
* {@code internal-op-sasl-handler-authentication-succeeded} -- indicates
* whether the authentication attempt was successful. This attachment is
* required, and its value must be a {@code java.lang.Boolean}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-diagnostic-message} -- a diagnostic
* message that should be included in the bind response to the client. This
* attachment is optional and may be included regardless of whether the
* authentication attempt succeeded or failed. If it is provided, then its
* value must be an instance of {@code java.lang.CharSequence}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-matched-dn} -- the matched DN value that
* should be included in the bind response to the client to indicate that a
* provided bind DN did not refer to an entry that exists in the server, and
* to provide the DN of its closest ancestor that does exist. This
* attachment is optional and should only be used if the authentication
* attempt failed. If it is provided, then its value must be an instance of
* {@code com.unboundid.ldap.sdk.DN}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-server-sasl-credentials} -- an encoded
* set of server SASL credentials that should be included in the bind
* response to the client. This attachment is optional and should only be
* set if the original bind request was itself a SASL bind request and
* server SASL credentials are appropriate for that request. If provided,
* the value of the attachment must be an instance of
* {@code com.unboundid.asn1.ASN1OctetString}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-response-controls} -- a set of controls
* that should be included in the bind response to the client. This
* attachment is optional, and if it is not set, then the SASL mechanism
* handler will not add any controls to the response (although other
* components of the server may add response controls if appropriate for the
* operation). If provided, the value of the attachment must be an instance
* of {@code com.unboundid.ldap.sdk.Control[]}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-bind-dn} -- the DN of the user
* attempting to authenticate. This attachment must be set if the
* authentication is successful, and it will be set as the authentication
* identity for the associated connection (unless the bind request also
* included the retain identity request control). Even if the bind attempt
* failed, this attachment should be set if it is possible to determine the
* identity of the user that was trying to authenticate so that any
* appropriate password policy state updates can be applied to that account.
* If provided, the value of the attachment must be an instance of
* {@code com.unboundid.ldap.sdk.DN}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-authentication-failure-reason} -- a
* message that will not appear in the bind response to the client, but will
* be included in the server's access log to provide additional information
* about the reason that the authentication attempt failed. This attachment
* is optional and should only be used if the authentication attempt failed.
* If it is provided, then its value must be an instance of
* {@code java.lang.CharSequence}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-authorization-dn} -- the DN of the user
* that is the alternate authorization identity for the bind operation.
* This should only be set if the bind attempt succeeded and requested an
* alternate authorization identity. If provided, the value of the
* attachment must be an instance of {@code com.unboundid.ldap.sdk.DN}.
* </LI>
* <LI>
* {@code internal-op-sasl-handler-password-used} -- the password that the
* client provided during the authentication attempt. This attachment is
* optional and should only be used if the authentication attempt was
* successful and used a password. If provided, the value of the attachment
* must be an instance of {@code com.unboundid.asn1.ASN1OctetString}.
* </LI>
* </UL>
*/
public final class InternalOperationAttachmentSASLMechanismHandler
extends SASLMechanismHandler
{
/**
* The name for the SASL mechanism that indicates that the authentication used
* a password provided by the client, and that the password and any other
* associated credentials were provided in a secure manner (that is, in a
* manner that is not vulnerable to eavesdropping, replay, or alteration
* attacks).
*/
public static final String SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME =
"PING-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";
/**
* The name for the SASL mechanism that indicates that the authentication used
* a password provided by the client, and that the password or any other
* associated credentials were provided in a non-secure manner (that is, in a
* manner that may be vulnerable to eavesdropping, replay, or alteration
* attacks).
*/
public static final String NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME =
"PING-NON-SECURE-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";
/**
* The name for the SASL mechanism that indicates that the authentication did
* not use a password provided by the client, and that any credentials used
* were provided in a secure manner (that is, in a manner that is not
* vulnerable to eavesdropping, replay, or alteration attacks).
*/
public static final String SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME =
"PING-SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";
/**
* The name for the SASL mechanism that indicates that the authentication did
* not use a password provided by the client, but that it did use credentials
* that were provided in a non-secure manner (that is, in a manner that may be
* vulnerable to eavesdropping, replay, or alteration attacks).
*/
public static final String NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME =
"PING-NON_SECURE-NON-PASSWORD-BASED-INTERNAL-OPERATION-ATTACHMENT";
/**
* The name of the attachment used to indicate whether the authentication
* attempt was successful. This attachment is required, and its value must be
* a {@code java.lang.Boolean}.
*/
public static final String ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED =
"internal-op-sasl-handler-authentication-succeeded";
/**
* The name of the attachment used to hold a diagnostic message that should be
* included in the bind response to the client. This attachment is optional
* and may be included regardless of whether the authentication attempt
* succeeded or failed. If it is provided, then its value must be an instance
* of {@code java.lang.CharSequence}.
*/
public static final String ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE =
"internal-op-sasl-handler-diagnostic-message";
/**
* The name of the attachment used to hold the matched DN value that should be
* included in the bind response to the client to indicate that a provided
* bind DN did not refer to an entry that exists in the server, and to provide
* the DN of its closest ancestor that does exist. This attachment is
* optional and should only be used if the authentication attempt failed. If
* it is provided, then its value must be an instance of
* {@code com.unboundid.ldap.sdk.DN}.
*/
public static final String ATTACHMENT_NAME_MATCHED_DN =
"internal-op-sasl-handler-matched-dn";
/**
* The name of the attachment used to hold an encoded set of server SASL
* credentials that should be included in the bind response to the client.
* This attachment is optional and should only be set if the original bind
* request was itself a SASL bind request and server SASL credentials are
* appropriate for that request. If provided, the value of the attachment
* must be an instance of {@code com.unboundid.asn1.ASN1OctetString}.
*/
public static final String ATTACHMENT_NAME_SERVER_SASL_CREDENTIALS =
"internal-op-sasl-handler-server-sasl-credentials";
/**
* The name of the attachment used to hold a set of controls that should be
* included in the bind response to the client. This attachment is optional,
* and if it is not set, then the SASL mechanism handler will not add any
* controls to the response (although other components of the server may add
* response controls if appropriate for the operation). If provided, the
* value of the attachment must be an instance of
* {@code com.unboundid.ldap.sdk.Control[]}.
*/
public static final String ATTACHMENT_NAME_RESPONSE_CONTROLS =
"internal-op-sasl-handler-response-controls";
/**
* The name of the attachment used to hold the DN of the user attempting to
* authenticate. This attachment must be set if the authentication is
* successful, and it will be set as the authentication identity for the
* associated connection (unless the bind request also included the retain
* identity request control). Even if the bind attempt failed, this
* attachment should be set if it is possible to determine the identity of the
* user that was trying to authenticate so that any appropriate password
* policy state updates can be applied to that account. If provided, the
* value of the attachment must be an instance of
* {@code com.unboundid.ldap.sdk.DN}.
*/
public static final String ATTACHMENT_NAME_BIND_DN =
"internal-op-sasl-handler-bind-dn";
/**
* The name of the attachment used to hold a message that will not appear in
* the bind response to the client, but will be included in the server's
* access log to provide additional information about the reason that the
* authentication attempt failed. This attachment is optional and should only
* be used if the authentication attempt failed. If it is provided, then its
* value must be an instance of {@code java.lang.CharSequence}.
*/
public static final String ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON =
"internal-op-sasl-handler-authentication-failure-reason";
/**
* The name of the attachment used to hold the DN of the user that is the
* alternate authorization identity for the bind operation. This should only
* be set if the bind attempt succeeded and requested an alternate
* authorization identity. If provided, the value of the attachment must be
* an instance of {@code com.unboundid.ldap.sdk.DN}.
*/
public static final String ATTACHMENT_NAME_AUTHORIZATION_DN =
"internal-op-sasl-handler-authorization-dn";
/**
* The name of the attachment used to hold the password that the client
* provided during the authentication attempt. This attachment is optional
* and should only be used if the authentication attempt was successful and
* used a password. If provided, the value of the attachment must be an
* instance of {@code com.unboundid.asn1.ASN1OctetString}.
*/
public static final String ATTACHMENT_NAME_PASSWORD_USED =
"internal-op-sasl-handler-password-used";
// A handle to the server context in which this extension is running.
private volatile DirectoryServerContext serverContext = null;
/**
* Creates a new instance of this SASL mechanism handler. All SASL
* mechanism handler implementations must include a default constructor, but
* any initialization
* should generally be done in the {@code initializeSASLMechanismHandler}
* method.
*/
public InternalOperationAttachmentSASLMechanismHandler()
{
// No implementation is required.
}
/**
* Retrieves a human-readable name for this extension.
*
* @return A human-readable name for this extension.
*/
@Override()
public String getExtensionName()
{
return "Internal Operation Attachment SASL Mechanism Handler";
}
/**
* Retrieves a human-readable description for this extension. Each element
* of the array that is returned will be considered a separate paragraph in
* generated documentation.
*
* @return A human-readable description for this extension, or {@code null}
* or an empty array if no description should be available.
*/
@Override()
public String[] getExtensionDescription()
{
return new String[]
{
"Implements support for a number of related SASL mechanisms that use " +
"operation attachments to define the behavior the server should " +
"exhibit when processing the bind operation. This is only " +
"intended to be used internally within the server and should not " +
"be directly requested by an external client. It is primarily " +
"expected to be used in conjunction with a pre-parse bind plugin " +
"that performs all of the authentication processing itself, but " +
"then converts the bind request to this mechanism to use the " +
"information provided in attachments to define the result of the " +
"operation processing.",
"The " + SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME + " mechanism " +
"should be used if the authentication used a password provided by " +
"the client, and that the password and any other associated " +
"credentials were provided in a secure manner (that is, in a " +
"manner that is not vulnerable to eavesdropping, replay, or " +
"alteration attacks).",
"The " + NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME + " mechanism " +
"should be used if the authentication used a password provided by " +
"the client, and that the password or any other associated " +
"credentials were provided in a non-secure manner (that is, in a " +
"manner that may be vulnerable to eavesdropping, replay, or " +
"alteration attacks).",
"The " + SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME + " mechanism " +
"should be used if the authentication did not use a password " +
"provided by the client, and that any credentials used were " +
"provided in a secure manner (that is, in a manner that is not " +
"vulnerable to eavesdropping, replay, or alteration attacks).",
"The " + NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME +
" mechanism should be used if the authentication did not use a " +
"password provided by the client, but that it did use credentials " +
"that were provided in a non-secure manner (that is, in a manner " +
"that may be vulnerable to eavesdropping, replay, or alteration " +
"attacks).",
"All four SASL mechanisms implemented by this handler implement " +
"support for the same set of operation attachments. Supported " +
"attachments include:",
"internal-op-sasl-handler-authentication-succeeded -- indicates " +
"whether the authentication attempt was successful. This " +
"attachment is required, and its value must be an instance of " +
Boolean.class.getName() + '.',
"internal-op-sasl-handler-diagnostic-message -- a diagnostic message " +
"that should be included in the bind response to the client. " +
"This attachment is optional and may be included regardless of " +
"whether the authentication attempt succeeded or failed. If it " +
"is provided, then its value must be an instance of " +
CharSequence.class.getName() + '.',
"internal-op-sasl-handler-matched-dn -- the matched DN value that " +
"should be included in the bind response to the client to " +
"indicate that a provided bind DN did not refer to an entry that " +
"exists in the server, and to provide the DN of its closest " +
"ancestor that does exist. This attachment is optional and " +
"should only be used if the authentication attempt failed. If it " +
"is provided, then its value must be an instance of " +
DN.class.getName() + '.',
"internal-op-sasl-handler-server-sasl-credentials -- an encoded set " +
"of server SASL credentials that should be included in the bind " +
"response to the client. This attachment is optional and should " +
"only be set if the original bind request was itself a SASL bind " +
"request and server SASL credentials are appropriate for that " +
"request. If provided, the value of the attachment must be an " +
"instance of " + ASN1OctetString.class.getName() + '.',
"internal-op-sasl-handler-response-controls -- a set of controls that " +
"should be included in the bind response to the client. This " +
"attachment is optional, and if it is not set, then the SASL " +
"mechanism handler will not add any controls to the response " +
"(although other components of the server may add response " +
"controls if appropriate for the operation). If provided, the " +
"value of the attachment must be an instance of " +
Control.class.getName() + "[].",
"internal-op-sasl-handler-bind-dn -- the DN of the user attempting to " +
"authenticate. This attachment must be set if the " +
"authentication is successful, and it will be set as the " +
"authentication identity for the associated connection (unless " +
"the bind request also included the retain identity request " +
"control). Even if the bind attempt failed, this attachment " +
"should be set if it is possible to determine the identity of the " +
"user that was trying to authenticate so that any appropriate " +
"password policy state updates can be applied to that account. " +
"If provided, the value of the attachment must be an instance of " +
DN.class.getName() + '.',
"internal-op-sasl-handler-authentication-failure-reason -- a message " +
"that will not appear in the bind response to the client, but " +
"will be included in the server's access log to provide " +
"additional information about the reason that the authentication " +
"attempt failed. This attachment is optional and should only be " +
"used if the authentication attempt failed. If it is provided, " +
"then its value must be an instance of " +
CharSequence.class.getName() + '.',
"internal-op-sasl-handler-authorization-dn -- the DN of the user that " +
"is the alternate authorization identity for the bind operation. " +
"This should only be set if the bind attempt succeeded and " +
"requested an alternate authorization identity. If provided, the " +
"value of the attachment must be an instance of " +
DN.class.getName() + '.',
"internal-op-sasl-handler-password-used -- the password that the " +
"client provided during the authentication attempt. This " +
"attachment is optional and should only be used if the " +
"authentication attempt was successful and used a password. If " +
"provided, the value of the attachment must be an instance of " +
ASN1OctetString.class.getName() + '.',
};
}
/**
* Updates the provided argument parser to define any configuration arguments
* which may be used by this extension. The argument parser may also be
* updated to define relationships between arguments (e.g., to specify
* required, exclusive, or dependent argument sets).
*
* @param parser The argument parser to be updated with the configuration
* arguments which may be used by this extension.
*/
@Override()
public void defineConfigArguments(final ArgumentParser parser)
{
// No arguments will be allowed by default.
}
/**
* Initializes this SASL mechanism handler.
*
* @param serverContext A handle to the server context for the server in
* which this extension is running.
* @param config The general configuration for this SASL mechanism
* handler.
* @param parser The argument parser which has been initialized from
* the configuration for this SASL mechanism handler.
*/
@Override()
public void initializeSASLMechanismHandler(
final DirectoryServerContext serverContext,
final SASLMechanismHandlerConfig config,
final ArgumentParser parser)
{
if (this.serverContext == null)
{
this.serverContext = serverContext;
}
}
/**
* Indicates whether the configuration represented by the provided argument
* parser is acceptable for use by this extension. The parser will have been
* used to parse any configuration available for this extension, and any
* automatic validation will have been performed. This method may be used to
* perform any more complex validation which cannot be performed automatically
* by the argument parser.
*
* @param config The general configuration for this extension.
* @param parser The argument parser that has been used to
* parse the proposed configuration for this
* extension.
* @param unacceptableReasons A list to which messages may be added to
* provide additional information about why the
* provided configuration is not acceptable.
*
* @return {@code true} if the configuration in the provided argument parser
* appears to be acceptable, or {@code false} if not.
*/
@Override()
public boolean isConfigurationAcceptable(
final SASLMechanismHandlerConfig config,
final ArgumentParser parser,
final List<String> unacceptableReasons)
{
if (serverContext == null)
{
serverContext = config.getServerContext();
}
// No validation is needed.
return true;
}
/**
* Attempts to apply the configuration from the provided argument parser to
* this extension.
*
* @param config The general configuration for this extension.
* @param parser The argument parser that has been used to
* parse the new configuration for this
* extension.
* @param adminActionsRequired A list to which messages may be added to
* provide additional information about any
* additional administrative actions that may
* be required to apply some of the
* configuration changes.
* @param messages A list to which messages may be added to
* provide additional information about the
* processing performed by this method.
*
* @return A result code providing information about the result of applying
* the configuration change. A result of {@code SUCCESS} should be
* used to indicate that all processing completed successfully. Any
* other result will indicate that a problem occurred during
* processing.
*/
@Override()
public ResultCode applyConfiguration(final SASLMechanismHandlerConfig config,
final ArgumentParser parser,
final List<String> adminActionsRequired,
final List<String> messages)
{
if (serverContext == null)
{
serverContext = config.getServerContext();
}
// There is no configuration to apply.
return ResultCode.SUCCESS;
}
/**
* Performs any cleanup which may be necessary when this SASL mechanism
* handler is to be taken out of service.
*/
@Override()
public void finalizeSASLMechanismHandler()
{
// No finalization is needed.
}
/**
* Retrieves a list of the names of the SASL mechanisms supported by this
* SASL mechanism handler. This method will be invoked only immediately after
* the {@link #initializeSASLMechanismHandler} method is called.
*
* @return A list of the names of the SASL mechanisms supported by this SASL
* mechanism handler.
*/
@Override()
public List<String> getSASLMechanismNames()
{
return Collections.unmodifiableList(Arrays.asList(
SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME,
NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME,
SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME,
NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME));
}
/**
* Indicates whether the SASL authentication process using the specified
* mechanism may be considered secure (i.e., that a third party able to
* observe the communication, potentially over an insecure communication
* channel, would not be able to reproduce the authentication process).
*
* @param mechanism The name of the mechanism for which to make the
* determination. This will only be invoked with names of
* mechanisms returned by the
* {@link #getSASLMechanismNames} method.
*
* @return {@code true} if the specified SASL mechanism should be considered
* secure, or {@code false} if not.
*/
@Override()
public boolean isSecure(final String mechanism)
{
switch (mechanism)
{
case SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
case SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
// These mechanisms are considered secure.
return true;
case NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
case NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
// These mechanisms are considered non-secure.
return false;
default:
// This should never happen. Throw a RuntimeException to ensure that
// this is more visible than other types of non-successful operations.
final String message = getClass().getName() +
".isSecure called with an unsupported SASL mechanism of '" +
mechanism + "'.";
if (serverContext != null)
{
serverContext.logMessage(LogSeverity.SEVERE_WARNING, message);
}
throw new RuntimeException(message);
}
}
/**
* Indicates whether the SASL authentication process using the specified
* mechanism involves the use of a password stored locally in the server
* (optionally in combination with other forms of credentials).
*
* @param mechanism The name of the mechanism for which to make the
* determination. This will only be invoked with names of
* mechanisms returned by the
* {@link #getSASLMechanismNames} method.
*
* @return {@code true} if the specified SASL mechanism makes use of a local
* password, or {@code false} if not.
*/
@Override()
public boolean isPasswordBased(final String mechanism)
{
switch (mechanism)
{
case SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
case NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
// These mechanisms are password-based.
return true;
case SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
case NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
// These mechanisms are not password-based.
return false;
default:
// This should never happen. Throw a RuntimeException to ensure that
// this is more visible than other types of non-successful operations.
final String message = getClass().getName() +
".isPasswordBased called with an unsupported SASL mechanism " +
"of '" + mechanism + "'.";
if (serverContext != null)
{
serverContext.logMessage(LogSeverity.SEVERE_WARNING, message);
}
throw new RuntimeException(message);
}
}
/**
* Performs the appropriate processing for the provided SASL bind request.
*
* @param operationContext The context for the bind operation.
* @param bindRequest The SASL bind request to be processed.
* @param resultFactory A factory object that will be used to construct
* the result to return.
*
* @return An object with information about the result of the SASL bind
* processing.
*/
@Override()
public SASLBindResult processSASLBind(final OperationContext operationContext,
final SASLBindRequest bindRequest,
final SASLBindResultFactory resultFactory)
{
final String mechanism = bindRequest.getSASLMechanism();
boolean authenticationSucceeded;
final Object authenticationSucceededObject = operationContext.getAttachment(
ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED);
if (authenticationSucceededObject == null)
{
authenticationSucceeded = false;
operationContext.appendAdditionalLogMessage("Indicating that the " +
"authentication was unsuccessful because the operation was " +
"missing the " + ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED +
" attachment required for use with the " + mechanism +
" mechanism.");
}
else if (authenticationSucceededObject instanceof Boolean)
{
authenticationSucceeded =
((Boolean) authenticationSucceededObject).booleanValue();
}
else
{
authenticationSucceeded = false;
operationContext.appendAdditionalLogMessage("Indicating that the " +
"authentication was unsuccessful because the " +
ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED +
" attachment was an instance of " +
authenticationSucceededObject.getClass().getName() +
" instead of the required " + Boolean.class.getName() + '.');
}
final String diagnosticMessage;
final Object diagnosticMessageObject =
operationContext.getAttachment(ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE);
if (diagnosticMessageObject == null)
{
diagnosticMessage = null;
}
else if (diagnosticMessageObject instanceof CharSequence)
{
diagnosticMessage = String.valueOf(diagnosticMessageObject);
}
else
{
diagnosticMessage = null;
operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE +
" attachment because it was an instance of " +
diagnosticMessageObject.getClass().getName() +
" instead of the required " + CharSequence.class.getName() + '.');
}
final String matchedDN;
final Object matchedDNObject =
operationContext.getAttachment(ATTACHMENT_NAME_MATCHED_DN);
if (matchedDNObject == null)
{
matchedDN = null;
}
else if (matchedDNObject instanceof DN)
{
matchedDN = ((DN) matchedDNObject).toString();
}
else
{
matchedDN = null;
operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
ATTACHMENT_NAME_MATCHED_DN +
" attachment because it was an instance of " +
matchedDNObject.getClass().getName() +
" instead of the required " + DN.class.getName() + '.');
}
final ASN1OctetString serverSASLCredentials;
final Object serverSASLCredentialsObject = operationContext.getAttachment(
ATTACHMENT_NAME_SERVER_SASL_CREDENTIALS);
if (serverSASLCredentialsObject == null)
{
serverSASLCredentials = null;
}
else if (serverSASLCredentialsObject instanceof ASN1OctetString)
{
serverSASLCredentials = (ASN1OctetString) serverSASLCredentialsObject;
}
else
{
serverSASLCredentials = null;
operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
ATTACHMENT_NAME_SERVER_SASL_CREDENTIALS +
" attachment because it was an instance of " +
serverSASLCredentialsObject.getClass().getName() +
" instead of the required " + ASN1OctetString.class.getName() + '.');
}
final List<Control> responseControls;
final Object responseControlsObject =
operationContext.getAttachment(ATTACHMENT_NAME_RESPONSE_CONTROLS);
if (responseControlsObject == null)
{
responseControls = null;
}
else if (responseControlsObject instanceof Control[])
{
final Control[] responseControlArray = (Control[]) responseControlsObject;
responseControls =
Collections.unmodifiableList(Arrays.asList(responseControlArray));
}
else
{
responseControls = null;
operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
ATTACHMENT_NAME_RESPONSE_CONTROLS +
" attachment because it was an instance of " +
responseControlsObject.getClass().getName() +
" instead of the required " + Control.class.getName() + "[].");
}
String authenticationFailureReason;
final Object authenticationFailureReasonObject =
operationContext.getAttachment(
ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON);
if (authenticationFailureReasonObject == null)
{
authenticationFailureReason = null;
}
else if (authenticationFailureReasonObject instanceof CharSequence)
{
authenticationFailureReason =
String.valueOf(authenticationFailureReasonObject);
}
else
{
authenticationFailureReason = null;
operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON +
" attachment because it was an instance of " +
authenticationFailureReasonObject.getClass().getName() +
" instead of the required " + CharSequence.class.getName() + '.');
}
final String bindDN;
final Object bindDNObject =
operationContext.getAttachment(ATTACHMENT_NAME_BIND_DN);
if (bindDNObject == null)
{
if (authenticationSucceeded)
{
bindDN = null;
authenticationSucceeded = false;
authenticationFailureReason = "The " + mechanism +
" bind operation did not have the " +
ATTACHMENT_NAME_BIND_DN + " attachment set, which is required " +
"for a successful authentication.";
}
else
{
bindDN = null;
}
}
else if (bindDNObject instanceof DN)
{
bindDN = ((DN) bindDNObject).toString();
}
else
{
bindDN = null;
if (authenticationSucceeded)
{
authenticationSucceeded = false;
authenticationFailureReason = "The " + ATTACHMENT_NAME_BIND_DN +
" attachment was set in the " + mechanism +
" bind operation, but its value was of type " +
bindDNObject.getClass().getName() + " instead of the required " +
"type of " + DN.class.getName() + '.';
}
else
{
operationContext.appendAdditionalLogMessage("Ignoring the value of " +
"the " + ATTACHMENT_NAME_BIND_DN +
" attachment because it was an instance of " +
bindDNObject.getClass().getName() +
" instead of the required " + DN.class.getName() + '.');
}
}
final String authorizationDN;
final Object authorizationDNObject =
operationContext.getAttachment(ATTACHMENT_NAME_AUTHORIZATION_DN);
if (authorizationDNObject == null)
{
authorizationDN = bindDN;
}
else if (authorizationDNObject instanceof DN)
{
authorizationDN = ((DN) authorizationDNObject).toString();
}
else
{
authorizationDN = null;
if (authenticationSucceeded)
{
authenticationSucceeded = false;
authenticationFailureReason = "The " +
ATTACHMENT_NAME_AUTHORIZATION_DN + " attachment was set in the " +
mechanism + " bind operation, but its value was of type " +
bindDNObject.getClass().getName() + " instead of the required " +
"type of " + DN.class.getName() + '.';
}
else
{
operationContext.appendAdditionalLogMessage("Ignoring the value of " +
"the " + ATTACHMENT_NAME_AUTHORIZATION_DN +
" attachment because it was an instance of " +
authorizationDNObject.getClass().getName() +
" instead of the required " + DN.class.getName() + '.');
}
}
final ASN1OctetString passwordUsed;
final Object passwordUsedObject =
operationContext.getAttachment(ATTACHMENT_NAME_PASSWORD_USED);
if (passwordUsedObject == null)
{
passwordUsed = null;
}
else if (passwordUsedObject instanceof ASN1OctetString)
{
passwordUsed = (ASN1OctetString) passwordUsedObject;
}
else
{
passwordUsed = null;
operationContext.appendAdditionalLogMessage("Ignoring the value of the " +
ATTACHMENT_NAME_PASSWORD_USED +
" attachment because it was an instance of " +
passwordUsedObject.getClass().getName() +
" instead of the required " + ASN1OctetString.class.getName() + '.');
}
if (authenticationSucceeded)
{
return resultFactory.createSuccessResult(bindDN, authorizationDN,
diagnosticMessage, responseControls, serverSASLCredentials,
passwordUsed);
}
else
{
return resultFactory.createFailureResult(authenticationFailureReason,
diagnosticMessage, matchedDN, responseControls,
serverSASLCredentials, bindDN);
}
}
/**
* Indicates whether the specified SASL mechanism may require multiple stages
* to process.
*
* @param mechanism The mechanism for which to make the determination.
*
* @return {@code true} if the specified SASL mechanism may require multiple
* stages to process, {@code false} if not, or {@code null} if the
* answer is not known for the specified mechanism.
*/
@Override()
public Boolean isMultiStageMechanism(final String mechanism)
{
switch (mechanism)
{
case SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
case NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME:
case SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
case NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME:
// None of these mechanisms involve multiple stages of authentication
// processing.
return false;
default:
// This should never happen. Throw a RuntimeException to ensure that
// this is more visible than other types of non-successful operations.
final String message = getClass().getName() +
".isMultiStageMechanism called with an unsupported SASL " +
"mechanism of '" + mechanism + "'.";
if (serverContext != null)
{
serverContext.logMessage(LogSeverity.SEVERE_WARNING, message);
}
throw new RuntimeException(message);
}
}
/**
* Retrieves a map containing examples of configurations that may be used for
* this extension. The map key should be a list of sample arguments, and the
* corresponding value should be a description of the behavior that will be
* exhibited by the extension when used with that configuration.
*
* @return A map containing examples of configurations that may be used for
* this extension. It may be {@code null} or empty if there should
* not be any example argument sets.
*/
@Override()
public Map<List<String>,String> getExamplesArgumentSets()
{
return Collections.singletonMap(
Collections.emptyList(),
"This SASL mechanism handler does not take any arguments.");
}
/**
* Converts the provided simple bind request to an
* {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
* mechanism handler to process a successful authentication as the specified
* user. All of the appropriate attachments for this SASL mechanism handler
* will be set on the associated operation. It will use the following
* settings:
* <UL>
* <LI>
* The authentication attempt will be considered successful.
* </LI>
* <LI>
* There will not be any diagnostic message, matched DN, response
* controls, or server SASL credentials.
* </LI>
* <LI>
* The bind DN from the simple bind request will be used as both the
* authentication and authorization identity for the SASL bind.
* </LI>
* <LI>
* The password used will be the password from the simple bind request.
* </LI>
* <LI>
* The SASL bind will be considered password-based.
* </LI>
* <LI>
* The SASL bind will be considered secure if and only if the simple bind
* request was received over a secure connection.
* </LI>
* </UL>
*
* @param simpleBindRequest The simple bind request to use to create the
* corresponding SASL bind request. It must not
* be {@code null}.
* @param operationContext The operation context with which the provided
* simple bind request is associated. It must not
* be {@code null}.
*
* @return The {@code UpdatableSASLBindRequest} object created from the
* provided {@code UpdatableSimpleBindRequest} object.
*
* @throws LDAPException If a problem is encountered while trying to create
* the SASL bind request.
*/
public static UpdatableSASLBindRequest convertToSuccessfulSASLBindRequest(
final UpdatableSimpleBindRequest simpleBindRequest,
final OperationContext operationContext)
throws LDAPException
{
Validator.ensureNotNullWithMessage(simpleBindRequest,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.simpleBindRequest must not " +
"be null.");
Validator.ensureNotNullWithMessage(operationContext,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.operationContext must not be " +
"null.");
final String diagnosticMessage = null;
final List<Control> responseControls = Collections.emptyList();
return convertToSuccessfulSASLBindRequest(simpleBindRequest,
operationContext, diagnosticMessage, responseControls);
}
/**
* Converts the provided simple bind request to an
* {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
* mechanism handler to process a successful authentication as the specified
* user. All of the appropriate attachments for this SASL mechanism handler
* will be set on the associated operation. It will use the following
* settings:
* <UL>
* <LI>
* The authentication attempt will be considered successful.
* </LI>
* <LI>
* There will not be any matched DN or server SASL credentials.
* </LI>
* <LI>
* The bind DN from the simple bind request will be used as both the
* authentication and authorization identity for the SASL bind.
* </LI>
* <LI>
* The password used will be the password from the simple bind request.
* </LI>
* <LI>
* The SASL bind will be considered password-based.
* </LI>
* <LI>
* The SASL bind will be considered secure if and only if the simple bind
* request was received over a secure connection.
* </LI>
* </UL>
*
* @param simpleBindRequest The simple bind request to use to create the
* corresponding SASL bind request. It must not
* be {@code null}.
* @param operationContext The operation context with which the provided
* simple bind request is associated. It must not
* be {@code null}.
* @param diagnosticMessage A diagnostic message to include in the response
* to the client. It may be {@code null} if no
* diagnostic message should be returned.
* @param responseControls A set of controls to include in the response to
* the client. It may be {@code null} or empty if
* no response controls should be returned.
*
* @return The {@code UpdatableSASLBindRequest} object created from the
* provided information.
*
* @throws LDAPException If a problem is encountered while trying to create
* the SASL bind request.
*/
public static UpdatableSASLBindRequest convertToSuccessfulSASLBindRequest(
final UpdatableSimpleBindRequest simpleBindRequest,
final OperationContext operationContext,
final String diagnosticMessage,
final List<Control> responseControls)
throws LDAPException
{
Validator.ensureNotNullWithMessage(simpleBindRequest,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.simpleBindRequest must not " +
"be null.");
Validator.ensureNotNullWithMessage(operationContext,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.operationContext must not be " +
"null.");
final ServerContext serverContext = operationContext.getServerContext();
final boolean isPasswordBased = true;
final boolean isSecure = operationContext.isSecure();
final DN authenticationDN;
try
{
authenticationDN = new DN(simpleBindRequest.getDN());
}
catch (final LDAPException e)
{
serverContext.debugCaught(e);
throw new LDAPException(ResultCode.INVALID_DN_SYNTAX,
"Unable to parse the bind DN from the provided simple bind " +
"request: " + StaticUtils.getExceptionMessage(e),
e);
}
final DN authorizationDN = authenticationDN;
final ByteString passwordUsed = simpleBindRequest.getPassword();
return convertToSuccessfulSASLBindRequest(simpleBindRequest,
operationContext, isPasswordBased, isSecure, authenticationDN,
authorizationDN, diagnosticMessage, responseControls, passwordUsed);
}
/**
* Converts the provided simple bind request to an
* {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
* mechanism handler to process a successful authentication using the provided
* information. All of the appropriate attachments for this SASL mechanism
* will be set on the associated operation.
*
* @param simpleBindRequest The simple bind request to use to create the
* corresponding SASL bind request. It must not
* be {@code null}.
* @param operationContext The operation context with which the provided
* simple bind request is associated. It must not
* be {@code null}.
* @param isPasswordBased Indicates whether the resulting SASL bind should
* be considered password based.
* @param isSecure Indicates whether the resulting SASL bind should
* be considered secure.
* @param authenticationDN The DN of the authentication identity for the
* resulting SASL bind operation. It must not be
* {@code null}, but may be {@code DN.NULL_DN} to
* indicate an anonymous authentication identity.
* @param authorizationDN The DN of the authorization identity for the
* resulting SASL bind operation. It must not be
* {@code null}, but may be {@code DN.NULL_DN} to
* indicate an anonymous authentication identity.
* In most cases, this will be the same as the
* authentication DN, but they may differ if
* operations should be processed under the
* authority of a different user than the
* authentication identity.
* @param diagnosticMessage A diagnostic message to include in the response
* to the client. It may be {@code null} if no
* diagnostic message should be returned.
* @param responseControls A set of controls to include in the response to
* the client. It may be {@code null} or empty if
* no response controls should be returned.
* @param passwordUsed The password used to authenticate the client.
* It may be {@code null} if the authentication
* was not password-based, or if the password used
* is not known.
*
* @return The {@code UpdatableSASLBindRequest} object created from the
* provided information.
*/
public static UpdatableSASLBindRequest convertToSuccessfulSASLBindRequest(
final UpdatableSimpleBindRequest simpleBindRequest,
final OperationContext operationContext,
final boolean isPasswordBased, final boolean isSecure,
final DN authenticationDN, final DN authorizationDN,
final String diagnosticMessage,
final List<Control> responseControls,
final ByteString passwordUsed)
{
Validator.ensureNotNullWithMessage(simpleBindRequest,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.simpleBindRequest must not " +
"be null.");
Validator.ensureNotNullWithMessage(operationContext,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.operationContext must not be " +
"null.");
Validator.ensureNotNullWithMessage(authenticationDN,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.authenticationDN must not be " +
"null.");
Validator.ensureNotNullWithMessage(authorizationDN,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createSuccessfulSASLBindRequest.authorizationDN must not be " +
"null.");
final String saslMechanism;
if (isPasswordBased)
{
if (isSecure)
{
saslMechanism = SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
else
{
saslMechanism = NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
}
else
{
if (isSecure)
{
saslMechanism = SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
else
{
saslMechanism = NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
}
operationContext.setAttachment(ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED,
Boolean.TRUE);
operationContext.setAttachment(ATTACHMENT_NAME_BIND_DN, authenticationDN);
if (! authenticationDN.equals(authorizationDN))
{
operationContext.setAttachment(ATTACHMENT_NAME_AUTHORIZATION_DN,
authorizationDN);
}
if (diagnosticMessage != null)
{
operationContext.setAttachment(ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE,
diagnosticMessage);
}
if ((responseControls != null) && (! responseControls.isEmpty()))
{
final Control[] responseControlArray =
new Control[responseControls.size()];
responseControls.toArray(responseControlArray);
operationContext.setAttachment(ATTACHMENT_NAME_RESPONSE_CONTROLS,
responseControlArray);
}
if (passwordUsed != null)
{
operationContext.setAttachment(ATTACHMENT_NAME_PASSWORD_USED,
passwordUsed);
}
return simpleBindRequest.convertToSASLBindRequest(saslMechanism, null);
}
/**
* Converts the provided simple bind request to an
* {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
* mechanism handler to process a failed authentication attempt . All of the
* appropriate attachments for this SASL mechanism handler will be set on the
* associated operation. It will use the following settings:
* <UL>
* <LI>
* The authentication attempt will be considered a failure.
* </LI>
* <LI>
* There will not be any diagnostic message, authentication failure
* reason, matched DN, response controls, or server SASL credentials.
* </LI>
* <LI>
* The bind DN from the simple bind request will be used as both the
* target user DN for the SASL bind.
* </LI>
* <LI>
* The SASL bind will be considered password-based.
* </LI>
* <LI>
* The SASL bind will be considered secure if and only if the simple bind
* request was received over a secure connection.
* </LI>
* </UL>
*
* @param simpleBindRequest The simple bind request to use to create the
* corresponding SASL bind request. It must not
* be {@code null}.
* @param operationContext The operation context with which the provided
* simple bind request is associated. It must not
* be {@code null}.
*
* @return The {@code UpdatableSASLBindRequest} object created from the
* provided information.
*
* @throws LDAPException If a problem is encountered while trying to create
* the SASL bind request.
*/
public static UpdatableSASLBindRequest convertToFailedSASLBindRequest(
final UpdatableSimpleBindRequest simpleBindRequest,
final OperationContext operationContext)
throws LDAPException
{
Validator.ensureNotNullWithMessage(simpleBindRequest,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createFailedSASLBindRequest.simpleBindRequest must not " +
"be null.");
Validator.ensureNotNullWithMessage(operationContext,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createFailedSASLBindRequest.operationContext must not be " +
"null.");
final boolean isPasswordBased = true;
final boolean isSecure = operationContext.isSecure();
final String diagnosticMessage = null;
final String authenticationFailureReason = null;
final DN matchedDN = null;
final DN targetUserDN = null;
final List<Control> responseControls = Collections.emptyList();
return convertToFailedSASLBindRequest(simpleBindRequest, operationContext,
isPasswordBased, isSecure, diagnosticMessage,
authenticationFailureReason, matchedDN, targetUserDN,
responseControls);
}
/**
* Converts the provided simple bind request to an
* {@code UpdatableSASLBindRequest} object that can be used to cause this SASL
* mechanism handler to process a failed authentication attempt using the
* provided information. All of the appropriate attachments for this SASL
* mechanism will be set on the associated operation.
*
* @param simpleBindRequest The simple bind request to use to
* create the corresponding SASL bind
* request. It must not be {@code null}.
* @param operationContext The operation context with which the
* provided simple bind request is
* associated. It must not be
* {@code null}.
* @param isPasswordBased Indicates whether the resulting SASL
* bind should be considered password
* based.
* @param isSecure Indicates whether the resulting SASL
* bind should be considered secure.
* @param diagnosticMessage A diagnostic message to include in the
* response to the client. It may be
* {@code null} if no diagnostic message
* should be returned.
* @param authenticationFailureReason A message that describes the reason
* for the authentication failure. This
* message will not be returned to the
* client, but will be included in the
* access log message for the operation
* so that administrators may better
* diagnose the failure. It may be
* {@code null} if no authentication
* failure reason is available.
* @param matchedDN The matched DN to include in the
* response to the client. It may be
* {@code null} if no matched DN should
* be included.
* @param targetUserDN The DN of the user that attempted to
* authenticate. It may be {@code null}
* if the target user DN is not known.
* @param responseControls A set of controls to include in the
* response to the client. It may be
* {@code null} or empty if no response
* controls should be returned.
*
* @return The {@code UpdatableSASLBindRequest} object created from the
* provided information.
*/
public static UpdatableSASLBindRequest convertToFailedSASLBindRequest(
final UpdatableSimpleBindRequest simpleBindRequest,
final OperationContext operationContext,
final boolean isPasswordBased, final boolean isSecure,
final String diagnosticMessage,
final String authenticationFailureReason,
final DN matchedDN, final DN targetUserDN,
final List<Control> responseControls)
{
Validator.ensureNotNullWithMessage(simpleBindRequest,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createFailedSASLBindRequest.simpleBindRequest must not " +
"be null.");
Validator.ensureNotNullWithMessage(operationContext,
InternalOperationAttachmentSASLMechanismHandler.class.getName() +
".createFailedSASLBindRequest.operationContext must not be " +
"null.");
final String saslMechanism;
if (isPasswordBased)
{
if (isSecure)
{
saslMechanism = SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
else
{
saslMechanism = NON_SECURE_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
}
else
{
if (isSecure)
{
saslMechanism = SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
else
{
saslMechanism = NON_SECURE_NON_PASSWORD_BASED_SASL_MECHANISM_NAME;
}
}
operationContext.setAttachment(ATTACHMENT_NAME_AUTHENTICATION_SUCCEEDED,
Boolean.FALSE);
if (diagnosticMessage != null)
{
operationContext.setAttachment(ATTACHMENT_NAME_DIAGNOSTIC_MESSAGE,
diagnosticMessage);
}
if (authenticationFailureReason != null)
{
operationContext.setAttachment(
ATTACHMENT_NAME_AUTHENTICATION_FAILURE_REASON,
authenticationFailureReason);
}
if (matchedDN != null)
{
operationContext.setAttachment(ATTACHMENT_NAME_MATCHED_DN, matchedDN);
}
if (targetUserDN != null)
{
operationContext.setAttachment(ATTACHMENT_NAME_BIND_DN, targetUserDN);
}
if ((responseControls != null) && (! responseControls.isEmpty()))
{
final Control[] responseControlArray =
new Control[responseControls.size()];
responseControls.toArray(responseControlArray);
operationContext.setAttachment(ATTACHMENT_NAME_RESPONSE_CONTROLS,
responseControlArray);
}
return simpleBindRequest.convertToSASLBindRequest(saslMechanism, null);
}
}
