Package org.opends.server.api

Class PasswordStorageScheme<T extends PasswordStorageSchemeCfg>

    • Constructor Detail

      • PasswordStorageScheme

        public PasswordStorageScheme()

    • Method Detail

      • initializePasswordStorageScheme

        public abstract void initializePasswordStorageScheme​(T configuration,
                                                     ServerContext serverContext)
                                              throws ConfigException,
                                                     InitializationException
        Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.
        Parameters:
        configuration - The configuration entry that contains the information to use to initialize this password storage scheme handler.
        serverContext - The server context
        Throws:
        ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
        InitializationException - If a problem occurs during initialization that is not related to the server configuration.

      • isConfigurationAcceptable

        public boolean isConfigurationAcceptable​(T configuration,
                                         List<LocalizableMessage> unacceptableReasons)
        Indicates whether the provided configuration is acceptable for this password storage scheme. It should be possible to call this method on an uninitialized password storage scheme instance in order to determine whether the password storage scheme would be able to use the provided configuration.
        Parameters:
        configuration - The password storage scheme configuration for which to make the determination.
        unacceptableReasons - A list that may be used to hold the reasons that the provided configuration is not acceptable.
        Returns:
        true if the provided configuration is acceptable for this password storage scheme, or false if not.

      • finalizePasswordStorageScheme

        public void finalizePasswordStorageScheme()
        Performs any necessary finalization that might be required when this password storage scheme is no longer needed (e.g., the scheme is disabled or the server is shutting down).

      • getStorageSchemeName

        public abstract String getStorageSchemeName()
        Retrieves the name of the password storage scheme provided by this handler.
        Returns:
        The name of the password storage scheme provided by this handler.

      • encodePassword

        public abstract ByteString encodePassword​(ByteSequence plaintext)
                                   throws LdapException
        Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme. Note that the provided plaintext password should not be altered in any way.
        Parameters:
        plaintext - The plaintext version of the password.
        Returns:
        The password that has been encoded using this storage scheme.
        Throws:
        LdapException - If a problem occurs while processing.

      • encodePasswordWithScheme

        public ByteString encodePasswordWithScheme​(ByteSequence plaintext)
                                    throws LdapException
        Encodes the provided plaintext password for this storage scheme, prepending the name of the scheme in curly braces. Note that the provided plaintext password should not be altered in any way.
        Parameters:
        plaintext - The plaintext version of the password.
        Returns:
        The encoded password, including the name of the storage scheme.
        Throws:
        LdapException - If a problem occurs while processing.

      • passwordMatches

        public abstract boolean passwordMatches​(ByteSequence plaintextPassword,
                                        ByteSequence storedPassword)
        Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.
        Parameters:
        plaintextPassword - The plaintext password provided by the user as part of a simple bind attempt.
        storedPassword - The stored password to compare against the provided plaintext password.
        Returns:
        true if the provided plaintext password matches the provided stored password, or false if not.

      • supportsAuthPasswordSyntax

        public boolean supportsAuthPasswordSyntax()
        Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.
        Returns:
        true if this password storage scheme supports the ability to interact with values using the authentication password syntax, or false if it does not.

      • getAuthPasswordSchemeName

        public String getAuthPasswordSchemeName()
        Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax. This default implementation will return the same value as the getStorageSchemeName method.
        Returns:
        The scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.

      • encodeAuthPassword

        public ByteString encodeAuthPassword​(ByteSequence plaintext)
                              throws LdapException
        Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112. Note that the provided plaintext password should not be altered in any way.
        Parameters:
        plaintext - The plaintext version of the password.
        Returns:
        The password that has been encoded in the authentication password syntax.
        Throws:
        LdapException - If a problem occurs while processing of if this storage scheme does not support the authentication password syntax.

      • authPasswordMatches

        public boolean authPasswordMatches​(ByteSequence plaintextPassword,
                                   String authInfo,
                                   String authValue)
        Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.

        This is the historical method signature used by clients' custom password storage scheme. Be careful to not modify it.

        Parameters:
        plaintextPassword - The plaintext password provided by the user.
        authInfo - The authInfo component of the password encoded in the authentication password syntax.
        authValue - The authValue component of the password encoded in the authentication password syntax.
        Returns:
        true if the provided plaintext password matches the encoded password according to the authentication password info syntax, or false if it does not or this storage scheme does not support the authentication password syntax.

      • isReversible

        public boolean isReversible()
        Indicates whether this storage scheme is reversible (i.e., it is possible to obtain the original plaintext value from the stored password).
        Returns:
        true if this is a reversible password storage scheme, or false if it is not.

      • getPlaintextValue

        public ByteString getPlaintextValue​(ByteSequence storedPassword)
                             throws LdapException
        Retrieves the original plaintext value for the provided stored password. Note that this should only be called if isReversible returns true.
        Parameters:
        storedPassword - The password for which to obtain the plaintext value. It should not include the scheme name in curly braces.
        Returns:
        The plaintext value for the provided stored password.
        Throws:
        LdapException - If it is not possible to obtain the plaintext value for the provided stored password.

      • getAuthPasswordPlaintextValue

        public ByteString getAuthPasswordPlaintextValue​(String authInfo,
                                                String authValue)
                                         throws LdapException
        Retrieves the original plaintext value for the provided password stored in the authPassword syntax. Note that this should only be called if isReversible returns true.
        Parameters:
        authInfo - The authInfo component of the password encoded in the authentication password syntax.
        authValue - The authValue component of the password encoded in the authentication password syntax.
        Returns:
        The plaintext value for the provided stored password.
        Throws:
        LdapException - If it is not possible to obtain the plaintext value for the provided stored password, or if this storage scheme does not support the authPassword syntax..

      • isStorageSchemeSecure

        public abstract boolean isStorageSchemeSecure()
        Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.

        This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.
        Returns:
        false if it may be trivial to discover the original plain-text password from the encoded form, or true if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.

      • isRehashNeeded

        public boolean isRehashNeeded​(ByteSequence storedPassword)
        Indicates whether the encoded password needs to be rehashed because the password storage scheme configuration changed. Only password storage schemes with specific configuration parameters, such as PBKDF2, need to override this method.
        Parameters:
        storedPassword - An existing hashed password including the name of the storage scheme.
        Returns:
        whether the stored password should be rehashed.

      • destroySilently

        protected static void destroySilently​(SecretKey secretKey)
        Invokes Destroyable.destroy() ignoring any errors which occurred.
        Parameters:
        secretKey - The secretKey to be destroyed, which may be null.