Package org.opends.server.api

Class PasswordStorageScheme<T extends PasswordStorageSchemeCfg>

java.lang.Object
org.opends.server.api.PasswordStorageScheme<T>
Type Parameters:
T - The type of configuration handled by this password storage scheme
Direct Known Subclasses:
AESPasswordStorageScheme, Argon2PasswordStorageScheme, Base64PasswordStorageScheme, BcryptPasswordStorageScheme, BlowfishPasswordStorageScheme, ClearPasswordStorageScheme, CryptPasswordStorageScheme, MD5PasswordStorageScheme, PBKDF2HmacSHA256PasswordStorageScheme, PBKDF2HmacSHA512PasswordStorageScheme, PBKDF2PasswordStorageScheme, PKCS5S2PasswordStorageScheme, RC4PasswordStorageScheme, SaltedMD5PasswordStorageScheme, SaltedSHA1PasswordStorageScheme, SaltedSHA256PasswordStorageScheme, SaltedSHA384PasswordStorageScheme, SaltedSHA512PasswordStorageScheme, ScramSha256PasswordStorageScheme, ScramSha512PasswordStorageScheme, SHA1PasswordStorageScheme, TripleDESPasswordStorageScheme
public abstract class PasswordStorageScheme<T extends PasswordStorageSchemeCfg> extends Object
This class defines the set of methods and structures that must be implemented by a Directory Server module that implements a password storage scheme. Each subclass may only implement a single password storage scheme type.

  • Constructor Details

    • PasswordStorageScheme

      public PasswordStorageScheme()

  • Method Details

    • initializePasswordStorageScheme

      public abstract void initializePasswordStorageScheme(T configuration, ServerContext serverContext) throws ConfigException, InitializationException
      Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.
      Parameters:
      configuration - The configuration entry that contains the information to use to initialize this password storage scheme handler.
      serverContext - The server context
      Throws:
      ConfigException - If an unrecoverable problem arises in the process of performing the initialization.
      InitializationException - If a problem occurs during initialization that is not related to the server configuration.

    • isConfigurationAcceptable

      public boolean isConfigurationAcceptable(T configuration, List<LocalizableMessage> unacceptableReasons)
      Indicates whether the provided configuration is acceptable for this password storage scheme. It should be possible to call this method on an uninitialized password storage scheme instance in order to determine whether the password storage scheme would be able to use the provided configuration.
      Parameters:
      configuration - The password storage scheme configuration for which to make the determination.
      unacceptableReasons - A list that may be used to hold the reasons that the provided configuration is not acceptable.
      Returns:
      true if the provided configuration is acceptable for this password storage scheme, or false if not.

    • finalizePasswordStorageScheme

      public void finalizePasswordStorageScheme()
      Performs any necessary finalization that might be required when this password storage scheme is no longer needed (e.g., the scheme is disabled or the server is shutting down).

    • getStorageSchemeName

      public abstract String getStorageSchemeName()
      Retrieves the name of the password storage scheme provided by this handler.
      Returns:
      The name of the password storage scheme provided by this handler.

    • encodePassword

      public abstract ByteString encodePassword(ByteString plaintext) throws LdapException
      Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme. Note that the provided plaintext password should not be altered in any way.
      Parameters:
      plaintext - The plaintext version of the password.
      Returns:
      The password that has been encoded using this storage scheme.
      Throws:
      LdapException - If a problem occurs while processing.

    • encodePasswordWithScheme

      public ByteString encodePasswordWithScheme(ByteString plaintext) throws LdapException
      Encodes the provided plaintext password for this storage scheme, prepending the name of the scheme in curly braces. Note that the provided plaintext password should not be altered in any way.
      Parameters:
      plaintext - The plaintext version of the password.
      Returns:
      The encoded password, including the name of the storage scheme.
      Throws:
      LdapException - If a problem occurs while processing.

    • passwordMatches

      public abstract boolean passwordMatches(ByteString plaintextPassword, ByteString storedPassword)
      Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.
      Parameters:
      plaintextPassword - The plaintext password provided by the user as part of a simple bind attempt.
      storedPassword - The stored password to compare against the provided plaintext password.
      Returns:
      true if the provided plaintext password matches the provided stored password, or false if not.

    • supportsAuthPasswordSyntax

      public boolean supportsAuthPasswordSyntax()
      Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.
      Returns:
      true if this password storage scheme supports the ability to interact with values using the authentication password syntax, or false if it does not.

    • getAuthPasswordSchemeName

      public String getAuthPasswordSchemeName()
      Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax. This default implementation will return the same value as the getStorageSchemeName method.
      Returns:
      The scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.

    • encodeAuthPassword

      public ByteString encodeAuthPassword(ByteString plaintext) throws LdapException
      Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112. Note that the provided plaintext password should not be altered in any way.
      Parameters:
      plaintext - The plaintext version of the password.
      Returns:
      The password that has been encoded in the authentication password syntax.
      Throws:
      LdapException - If a problem occurs while processing of if this storage scheme does not support the authentication password syntax.

    • authPasswordMatches

      public boolean authPasswordMatches(ByteString plaintextPassword, String authInfo, String authValue)
      Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.

      This is the historical method signature used by clients' custom password storage scheme. Be careful to not modify it.

      Parameters:
      plaintextPassword - The plaintext password provided by the user.
      authInfo - The authInfo component of the password encoded in the authentication password syntax.
      authValue - The authValue component of the password encoded in the authentication password syntax.
      Returns:
      true if the provided plaintext password matches the encoded password according to the authentication password info syntax, or false if it does not or this storage scheme does not support the authentication password syntax.

    • isReversible

      public boolean isReversible()
      Indicates whether this storage scheme is reversible (i.e., it is possible to obtain the original plaintext value from the stored password).
      Returns:
      true if this is a reversible password storage scheme, or false if it is not.

    • getPlaintextValue

      public ByteString getPlaintextValue(ByteString storedPassword) throws LdapException
      Retrieves the original plaintext value for the provided stored password. Note that this should only be called if isReversible returns true.
      Parameters:
      storedPassword - The password for which to obtain the plaintext value. It should not include the scheme name in curly braces.
      Returns:
      The plaintext value for the provided stored password.
      Throws:
      LdapException - If it is not possible to obtain the plaintext value for the provided stored password.

    • getAuthPasswordPlaintextValue

      public ByteString getAuthPasswordPlaintextValue(String authInfo, String authValue) throws LdapException
      Retrieves the original plaintext value for the provided password stored in the authPassword syntax. Note that this should only be called if isReversible returns true.
      Parameters:
      authInfo - The authInfo component of the password encoded in the authentication password syntax.
      authValue - The authValue component of the password encoded in the authentication password syntax.
      Returns:
      The plaintext value for the provided stored password.
      Throws:
      LdapException - If it is not possible to obtain the plaintext value for the provided stored password, or if this storage scheme does not support the authPassword syntax..

    • isStorageSchemeSecure

      public abstract boolean isStorageSchemeSecure()
      Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.

      This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.
      Returns:
      false if it may be trivial to discover the original plain-text password from the encoded form, or true if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.

    • isRehashNeeded

      public boolean isRehashNeeded(ByteString storedPassword)
      Indicates whether the encoded password needs to be rehashed because the password storage scheme configuration changed. Only password storage schemes with specific configuration parameters, such as PBKDF2, need to override this method.
      Parameters:
      storedPassword - An existing hashed password including the name of the storage scheme.
      Returns:
      whether the stored password should be rehashed.

    • destroySilently

      protected static void destroySilently(SecretKey secretKey)
      Invokes Destroyable.destroy() ignoring any errors which occurred.
      Parameters:
      secretKey - The secretKey to be destroyed, which may be null.