Class AuthenticationPolicyState

  • Direct Known Subclasses:
    PasswordPolicyState

    public abstract class AuthenticationPolicyState
    extends Object
    The authentication policy context associated with a user's entry, which is responsible for managing the user's account, their password, as well as authenticating the user.
    • Field Detail

      • isDisabled

        protected ConditionResult isDisabled
        A boolean indicating whether the account associated with this authentication state has been administratively disabled.
      • userEntry

        protected final Entry userEntry
        The user entry associated with this authentication policy state.
    • Constructor Detail

      • AuthenticationPolicyState

        protected AuthenticationPolicyState(Entry userEntry)
        Creates a new abstract authentication policy context.
        Parameters:
        userEntry - The user's entry.
    • Method Detail

      • forUser

        public static AuthenticationPolicyState forUser(Entry userEntry,
                                                        boolean useDefaultOnError)
                                                 throws LdapException
        Returns the authentication policy state for the provided user. This method is equivalent to the following:
         AuthenticationPolicy policy = AuthenticationPolicy.forUser(userEntry, useDefaultOnError);
         AuthenticationPolicyState state = policy.createAuthenticationPolicyState(userEntry);
         
        See the documentation of AuthenticationPolicy.forUser(org.forgerock.opendj.ldap.Entry, boolean) for a description of the algorithm used to find a user's authentication policy.
        Parameters:
        userEntry - The user entry.
        useDefaultOnError - Indicates whether the server should fall back to using the default password policy if there is a problem with the configured policy for the user.
        Returns:
        The password policy for the user.
        Throws:
        LdapException - If a problem occurs while attempting to determine the password policy for the user.
        See Also:
        AuthenticationPolicy.forUser(Entry, boolean)
      • forUser

        public static AuthenticationPolicyState forUser(Entry userEntry,
                                                        boolean useDefaultOnError,
                                                        Consumer<LocalizableMessage> onMultiplePasswordPolicies)
                                                 throws LdapException
        Returns the authentication policy state for the provided user. This method is equivalent to the following:
         AuthenticationPolicy policy = AuthenticationPolicy.forUser(userEntry, useDefaultOnError,
                                                                    onMultiplePasswordPolicies);
         AuthenticationPolicyState state = policy.createAuthenticationPolicyState(userEntry);
         
        See the documentation of AuthenticationPolicy.forUser(org.forgerock.opendj.ldap.Entry, boolean) for a description of the algorithm used to find a user's authentication policy.
        Parameters:
        userEntry - The user entry.
        useDefaultOnError - Indicates whether the server should fall back to using the default password policy if there is a problem with the configured policy for the user.
        onMultiplePasswordPolicies - Invoked when multiple password policy subentries are detected for the entry.
        Returns:
        The password policy for the user.
        Throws:
        LdapException - If a problem occurs while attempting to determine the password policy for the user.
        See Also:
        AuthenticationPolicy.forUser(Entry, boolean, java.util.function.Consumer)
      • getBoolean

        protected static ConditionResult getBoolean(Entry entry,
                                                    String attributeName)
                                             throws LdapException
        A utility method which may be used by implementations in order to obtain the value of the specified attribute from the provided entry as a boolean.
        Parameters:
        entry - The entry whose attribute is to be parsed as a boolean.
        attributeName - The attribute name whose value should be parsed as a boolean.
        Returns:
        The attribute's value represented as a ConditionResult value, or ConditionResult.UNDEFINED if the specified attribute does not exist in the entry.
        Throws:
        LdapException - If the value cannot be decoded as a boolean.
      • getGeneralizedTime

        protected static long getGeneralizedTime(Entry entry,
                                                 AttributeDescription attrDesc)
                                          throws LdapException
        A utility method which may be used by implementations in order to obtain the value of the specified attribute from the provided entry as a time in generalized time format.
        Parameters:
        entry - The entry whose attribute is to be parsed as a generalized time value.
        attrDesc - The attribute description whose value should be parsed as a generalized time value.
        Returns:
        The requested time, or -1 if it could not be determined.
        Throws:
        LdapException - If a problem occurs while attempting to decode the value as a generalized time.
      • finalizeStateAfterBind

        public void finalizeStateAfterBind()
                                    throws LdapException
        Performs any finalization required after a bind operation has completed. Implementations may perform internal operations in order to persist internal state to the user's entry if needed.
        Throws:
        LdapException - If a problem occurs during finalization.
      • getAuthenticationPolicy

        public abstract AuthenticationPolicy getAuthenticationPolicy()
        Returns the authentication policy associated with this state.
        Returns:
        The authentication policy associated with this state.
      • isDisabled

        public boolean isDisabled()
        Returns true if this authentication policy state is associated with a user whose account has been administratively disabled.

        The default implementation uses the value of the "ds-pwp-account-disable" attribute in the user's entry.

        Returns:
        true if this authentication policy state is associated with a user whose account has been administratively disabled.
      • passwordMatches

        public abstract boolean passwordMatches(ByteString password,
                                                AtomicReference<ByteString> matchedEncodedPassword)
                                         throws LdapException
        Returns true if the provided password value matches any of the user's passwords.
        Parameters:
        password - The user-provided password to verify.
        matchedEncodedPassword - If true is returned, the reference may be set to the stored encoded password that matched.
        Returns:
        true if the provided password value matches any of the user's passwords.
        Throws:
        LdapException - If verification unexpectedly failed.
      • passwordMatches

        public boolean passwordMatches(ByteString password)
                                throws LdapException
        Returns true if the provided password value matches any of the user's passwords.
        Parameters:
        password - The user-provided password to verify.
        Returns:
        true if the provided password value matches any of the user's passwords.
        Throws:
        LdapException - If verification unexpectedly failed.
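As an added illustration, not code from the OpenDJ project or from this Javadoc, the sequence a server-side extension would run against this class at bind time: obtain the state with forUser, refuse disabled accounts before any password is examined, verify the password while capturing the matched stored value, and finalize the state once the attempt completes. It assumes AuthenticationPolicyState lives in org.opends.server.api and that ByteString, Entry and LdapException come from org.forgerock.opendj.ldap; the SimpleBindCheck and Result names are this example's own.

```java
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.Entry;
import org.forgerock.opendj.ldap.LdapException;
import org.opends.server.api.AuthenticationPolicyState; // assumed package

public final class SimpleBindCheck {
    public enum Outcome { SUCCESS, ACCOUNT_DISABLED, INVALID_CREDENTIALS }

    /** Outcome plus the stored encoded password that matched (null unless SUCCESS). */
    public static final class Result {
        public final Outcome outcome;
        public final ByteString matchedEncodedPassword;
        Result(Outcome outcome, ByteString matched) {
            this.outcome = outcome;
            this.matchedEncodedPassword = matched;
        }
    }

    /** Passed as onMultiplePasswordPolicies: an entry with several policy subentries is a misconfiguration worth surfacing. */
    private static final Consumer<LocalizableMessage> WARN_ON_MULTIPLE =
        msg -> System.err.println("WARNING: " + msg);

    public static Result check(Entry userEntry, ByteString password) throws LdapException {
        // useDefaultOnError=true: if the configured policy is broken, fall back to the
        // default password policy instead of failing every bind for this user.
        AuthenticationPolicyState state =
            AuthenticationPolicyState.forUser(userEntry, true, WARN_ON_MULTIPLE);
        try {
            // ds-pwp-account-disable is consulted first, so a disabled account never
            // reaches password verification at all.
            if (state.isDisabled()) {
                return new Result(Outcome.ACCOUNT_DISABLED, null);
            }
            // The two-argument variant hands back the stored encoded password that
            // matched; the one-argument passwordMatches(password) skips that.
            AtomicReference<ByteString> matched = new AtomicReference<>();
            if (state.passwordMatches(password, matched)) {
                return new Result(Outcome.SUCCESS, matched.get());
            }
            return new Result(Outcome.INVALID_CREDENTIALS, null);
        } finally {
            // Run after success and failure alike, so a subclass such as
            // PasswordPolicyState can persist whatever it tracked for this attempt.
            state.finalizeStateAfterBind();
        }
    }
}
```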