Package org.opends.server.api
Class PasswordStorageScheme<T extends PasswordStorageSchemeCfg>

java.lang.Object
  org.opends.server.api.PasswordStorageScheme<T>

Type Parameters:
  T - The type of configuration handled by this password storage scheme

Direct Known Subclasses:
  AESPasswordStorageScheme, Argon2PasswordStorageScheme, Base64PasswordStorageScheme,
  BcryptPasswordStorageScheme, BlowfishPasswordStorageScheme, ClearPasswordStorageScheme,
  CryptPasswordStorageScheme, MD5PasswordStorageScheme, PBKDF2HmacSHA256PasswordStorageScheme,
  PBKDF2HmacSHA512PasswordStorageScheme, PBKDF2PasswordStorageScheme, PKCS5S2PasswordStorageScheme,
  RC4PasswordStorageScheme, SaltedMD5PasswordStorageScheme, SaltedSHA1PasswordStorageScheme,
  SaltedSHA256PasswordStorageScheme, SaltedSHA384PasswordStorageScheme, SaltedSHA512PasswordStorageScheme,
  ScramSha256PasswordStorageScheme, ScramSha512PasswordStorageScheme, SHA1PasswordStorageScheme,
  TripleDESPasswordStorageScheme

@PublicAPI(stability=UNCOMMITTED, mayInstantiate=false, mayExtend=true, mayInvoke=false)
public abstract class PasswordStorageScheme<T extends PasswordStorageSchemeCfg> extends Object

This class defines the set of methods and structures that must be implemented by a Directory Server module that implements a password storage scheme. Each subclass may only implement a single password storage scheme type.

Constructor Summary

  PasswordStorageScheme()

Method Summary

  boolean authPasswordMatches(ByteString plaintextPassword, String authInfo, String authValue)
      Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.

  protected static void destroySilently(SecretKey secretKey)
      Invokes Destroyable.destroy(), ignoring any errors which occurred.

  ByteString encodeAuthPassword(ByteString plaintext)
      Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112.

  abstract ByteString encodePassword(ByteString plaintext)
      Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme.

  ByteString encodePasswordWithScheme(ByteString plaintext)
      Encodes the provided plaintext password for this storage scheme, prepending the name of the scheme in curly braces.

  void finalizePasswordStorageScheme()
      Performs any necessary finalization that might be required when this password storage scheme is no longer needed (e.g., the scheme is disabled or the server is shutting down).

  ByteString getAuthPasswordPlaintextValue(String authInfo, String authValue)
      Retrieves the original plaintext value for the provided password stored in the authPassword syntax.

  String getAuthPasswordSchemeName()
      Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.

  ByteString getPlaintextValue(ByteString storedPassword)
      Retrieves the original plaintext value for the provided stored password.

  abstract String getStorageSchemeName()
      Retrieves the name of the password storage scheme provided by this handler.

  abstract void initializePasswordStorageScheme(T configuration, ServerContext serverContext)
      Initializes this password storage scheme handler based on the information in the provided configuration entry.

  boolean isConfigurationAcceptable(T configuration, List<LocalizableMessage> unacceptableReasons)
      Indicates whether the provided configuration is acceptable for this password storage scheme.

  boolean isRehashNeeded(ByteString storedPassword)
      Indicates whether the encoded password needs to be rehashed because the password storage scheme configuration changed.

  boolean isReversible()
      Indicates whether this storage scheme is reversible (i.e., it is possible to obtain the original plaintext value from the stored password).

  abstract boolean isStorageSchemeSecure()
      Indicates whether this password storage scheme should be considered "secure".

  abstract boolean passwordMatches(ByteString plaintextPassword, ByteString storedPassword)
      Indicates whether the provided plaintext password included in a bind request matches the given stored value.

  boolean supportsAuthPasswordSyntax()
      Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.

Method Detail

initializePasswordStorageScheme

public abstract void initializePasswordStorageScheme(T configuration, ServerContext serverContext) throws ConfigException, InitializationException

Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.

Parameters:
  configuration - The configuration entry that contains the information to use to initialize this password storage scheme handler.
  serverContext - The server context.
Throws:
  ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
  InitializationException - If a problem occurs during initialization that is not related to the server configuration.

isConfigurationAcceptable

public boolean isConfigurationAcceptable(T configuration, List<LocalizableMessage> unacceptableReasons)

Indicates whether the provided configuration is acceptable for this password storage scheme. It should be possible to call this method on an uninitialized password storage scheme instance in order to determine whether the password storage scheme would be able to use the provided configuration.

Parameters:
  configuration - The password storage scheme configuration for which to make the determination.
  unacceptableReasons - A list that may be used to hold the reasons that the provided configuration is not acceptable.
Returns:
  true if the provided configuration is acceptable for this password storage scheme, or false if not.

finalizePasswordStorageScheme

public void finalizePasswordStorageScheme()

Performs any necessary finalization that might be required when this password storage scheme is no longer needed (e.g., the scheme is disabled or the server is shutting down).

getStorageSchemeName

public abstract String getStorageSchemeName()

Retrieves the name of the password storage scheme provided by this handler.

Returns:
  The name of the password storage scheme provided by this handler.

encodePassword

public abstract ByteString encodePassword(ByteString plaintext) throws LdapException

Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme. Note that the provided plaintext password should not be altered in any way.

Parameters:
  plaintext - The plaintext version of the password.
Returns:
  The password that has been encoded using this storage scheme.
Throws:
  LdapException - If a problem occurs while processing.

encodePasswordWithScheme

public ByteString encodePasswordWithScheme(ByteString plaintext) throws LdapException

Encodes the provided plaintext password for this storage scheme, prepending the name of the scheme in curly braces. Note that the provided plaintext password should not be altered in any way.

Parameters:
  plaintext - The plaintext version of the password.
Returns:
  The encoded password, including the name of the storage scheme.
Throws:
  LdapException - If a problem occurs while processing.

passwordMatches

public abstract boolean passwordMatches(ByteString plaintextPassword, ByteString storedPassword)

Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.

Parameters:
  plaintextPassword - The plaintext password provided by the user as part of a simple bind attempt.
  storedPassword - The stored password to compare against the provided plaintext password.
Returns:
  true if the provided plaintext password matches the provided stored password, or false if not.

supportsAuthPasswordSyntax

public boolean supportsAuthPasswordSyntax()

Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.

Returns:
  true if this password storage scheme supports the ability to interact with values using the authentication password syntax, or false if it does not.

getAuthPasswordSchemeName

public String getAuthPasswordSchemeName()

Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax. This default implementation will return the same value as the getStorageSchemeName method.

Returns:
  The scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.

encodeAuthPassword

public ByteString encodeAuthPassword(ByteString plaintext) throws LdapException

Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112. Note that the provided plaintext password should not be altered in any way.

Parameters:
  plaintext - The plaintext version of the password.
Returns:
  The password that has been encoded in the authentication password syntax.
Throws:
  LdapException - If a problem occurs while processing, or if this storage scheme does not support the authentication password syntax.

authPasswordMatches

public boolean authPasswordMatches(ByteString plaintextPassword, String authInfo, String authValue)

Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components. This is the historical method signature used by clients' custom password storage schemes. Be careful not to modify it.

Parameters:
  plaintextPassword - The plaintext password provided by the user.
  authInfo - The authInfo component of the password encoded in the authentication password syntax.
  authValue - The authValue component of the password encoded in the authentication password syntax.
Returns:
  true if the provided plaintext password matches the encoded password according to the authentication password info syntax, or false if it does not or this storage scheme does not support the authentication password syntax.

isReversible

public boolean isReversible()

Indicates whether this storage scheme is reversible (i.e., it is possible to obtain the original plaintext value from the stored password).

Returns:
  true if this is a reversible password storage scheme, or false if it is not.

getPlaintextValue

public ByteString getPlaintextValue(ByteString storedPassword) throws LdapException

Retrieves the original plaintext value for the provided stored password. Note that this should only be called if isReversible returns true.

Parameters:
  storedPassword - The password for which to obtain the plaintext value. It should not include the scheme name in curly braces.
Returns:
  The plaintext value for the provided stored password.
Throws:
  LdapException - If it is not possible to obtain the plaintext value for the provided stored password.

getAuthPasswordPlaintextValue

public ByteString getAuthPasswordPlaintextValue(String authInfo, String authValue) throws LdapException

Retrieves the original plaintext value for the provided password stored in the authPassword syntax. Note that this should only be called if isReversible returns true.

Parameters:
  authInfo - The authInfo component of the password encoded in the authentication password syntax.
  authValue - The authValue component of the password encoded in the authentication password syntax.
Returns:
  The plaintext value for the provided stored password.
Throws:
  LdapException - If it is not possible to obtain the plaintext value for the provided stored password, or if this storage scheme does not support the authPassword syntax.

isStorageSchemeSecure

public abstract boolean isStorageSchemeSecure()

Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.

This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.

Returns:
  false if it may be trivial to discover the original plain-text password from the encoded form, or true if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.

isRehashNeeded

public boolean isRehashNeeded(ByteString storedPassword)

Indicates whether the encoded password needs to be rehashed because the password storage scheme configuration changed. Only password storage schemes with specific configuration parameters, such as PBKDF2, need to override this method.

Parameters:
  storedPassword - An existing hashed password, including the name of the storage scheme.
Returns:
  Whether the stored password should be rehashed.

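As an added illustration of the contract described under encodePassword, passwordMatches, isStorageSchemeSecure and isRehashNeeded (example code, not part of OpenDJ), a minimal subclass that derives a salted PBKDF2-HMAC-SHA256 hash with the JDK, compares in constant time, and reports a rehash when a stored value was produced with fewer iterations than the current setting. The import paths, ByteString.valueOfUtf8 and LdapException.newLdapException are assumed from the OpenDJ SDK; the stored-value layout and the fixed iteration count are constructed for this example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.server.config.server.PasswordStorageSchemeCfg;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.core.ServerContext;

/** Example scheme; the stored form "iterations:base64(salt):base64(hash)" is a constructed layout. */
public final class ExamplePbkdf2Scheme extends PasswordStorageScheme<PasswordStorageSchemeCfg> {
    private static final int ITERATIONS = 100_000; // assumed constant; a real scheme reads it from its config
    private final SecureRandom random = new SecureRandom();

    @Override public void initializePasswordStorageScheme(PasswordStorageSchemeCfg cfg, ServerContext ctx) { }
    @Override public String getStorageSchemeName() { return "EXAMPLE-PBKDF2"; }
    @Override public boolean isStorageSchemeSecure() { return true; } // salted, iterated, one-way
    @Override public ByteString encodePassword(ByteString plaintext) throws LdapException {
        byte[] salt = new byte[16];
        random.nextBytes(salt); // fresh random salt for every password
        byte[] hash = derive(plaintext, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ByteString.valueOfUtf8(ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash));
    }
    @Override public boolean passwordMatches(ByteString plaintextPassword, ByteString storedPassword) {
        try {
            String[] p = storedPassword.toString().split(":", 3); // stored value carries no {SCHEME} prefix here
            byte[] candidate = derive(plaintextPassword, Base64.getDecoder().decode(p[1]), Integer.parseInt(p[0]));
            return MessageDigest.isEqual(Base64.getDecoder().decode(p[2]), candidate); // constant-time compare
        } catch (RuntimeException | LdapException e) {
            return false; // malformed stored value or derivation failure: never match
        }
    }
    @Override public boolean isRehashNeeded(ByteString storedPassword) {
        String s = storedPassword.toString(); // per the Javadoc, this value includes the "{SCHEME}" prefix
        try { return Integer.parseInt(s.substring(s.indexOf('}') + 1).split(":", 3)[0]) < ITERATIONS; }
        catch (RuntimeException e) { return true; } // unparsable: re-encode on the next successful bind
    }
    private static byte[] derive(ByteString plaintext, byte[] salt, int iterations) throws LdapException {
        PBEKeySpec spec = new PBEKeySpec(plaintext.toString().toCharArray(), salt, iterations, 256);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        catch (GeneralSecurityException e) { throw LdapException.newLdapException(ResultCode.OTHER, e); }
        finally { spec.clearPassword(); } // drop the plaintext copy held by the key spec
    }
}
```

Because the stored value embeds its own iteration count, passwordMatches keeps verifying old entries after the count is raised, and isRehashNeeded lets the server re-encode them once a bind succeeds with the plaintext in hand.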
destroySilently

protected static void destroySilently(SecretKey secretKey)

Invokes Destroyable.destroy(), ignoring any errors which occurred.

Parameters:
  secretKey - The secretKey to be destroyed, which may be null.