Package org.opends.server.extensions
Class ScramSha256PasswordStorageScheme
java.lang.Object
org.opends.server.api.PasswordStorageScheme<C>
org.opends.server.extensions.ScramSha256PasswordStorageScheme
- All Implemented Interfaces:
ConfigurationChangeListener<ScramSha256PasswordStorageSchemeCfg>
This class defines a Directory Server password storage scheme based on the SCRAM-SHA-256 SASL mechanism defined in
RFCs 5802, 5803 and 7677.
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionfinal ConfigChangeResult
applyConfigurationChange
(ScramSha256PasswordStorageSchemeCfg configuration) Applies the configuration changes to this change listener.final boolean
authPasswordMatches
(ByteString plaintextPassword, String authInfo, String authValue) Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.final ByteString
encodeAuthPassword
(ByteString plaintext) Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112.final ByteString
encodePassword
(ByteString plaintext) Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme.final void
Performs any necessary finalization that might be required when this password storage scheme is no longer needed (e.g., the scheme is disabled or the server is shutting down).final String
Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.Retrieves the name of the password storage scheme provided by this handler.final void
initializePasswordStorageScheme
(ScramSha256PasswordStorageSchemeCfg configuration, ServerContext serverContext) Initializes this password storage scheme handler based on the information in the provided configuration entry.final boolean
isConfigurationChangeAcceptable
(ScramSha256PasswordStorageSchemeCfg configuration, List<LocalizableMessage> unacceptableReasons) Indicates whether the proposed change to the configuration is acceptable to this change listener.final boolean
Indicates whether this password storage scheme should be considered "secure".final boolean
passwordMatches
(ByteString plaintextPassword, ByteString storedPassword) Indicates whether the provided plaintext password included in a bind request matches the given stored value.final boolean
Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.Methods inherited from class org.opends.server.api.PasswordStorageScheme
destroySilently, encodePasswordWithScheme, getAuthPasswordPlaintextValue, getPlaintextValue, isConfigurationAcceptable, isRehashNeeded, isReversible
-
Constructor Details
-
ScramSha256PasswordStorageScheme
public ScramSha256PasswordStorageScheme()
-
-
Method Details
-
getStorageSchemeName
Description copied from class:PasswordStorageScheme
Retrieves the name of the password storage scheme provided by this handler.- Specified by:
getStorageSchemeName
in classPasswordStorageScheme<ScramSha256PasswordStorageSchemeCfg>
- Returns:
- The name of the password storage scheme provided by this handler.
-
initializePasswordStorageScheme
public final void initializePasswordStorageScheme(ScramSha256PasswordStorageSchemeCfg configuration, ServerContext serverContext) throws ConfigException Description copied from class:PasswordStorageScheme
Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.- Specified by:
initializePasswordStorageScheme
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Parameters:
configuration
- The configuration entry that contains the information to use to initialize this password storage scheme handler.serverContext
- The server context- Throws:
ConfigException
- If an unrecoverable problem arises in the process of performing the initialization.
-
finalizePasswordStorageScheme
public final void finalizePasswordStorageScheme()Description copied from class:PasswordStorageScheme
Performs any necessary finalization that might be required when this password storage scheme is no longer needed (e.g., the scheme is disabled or the server is shutting down).- Overrides:
finalizePasswordStorageScheme
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
-
isConfigurationChangeAcceptable
public final boolean isConfigurationChangeAcceptable(ScramSha256PasswordStorageSchemeCfg configuration, List<LocalizableMessage> unacceptableReasons) Description copied from interface:ConfigurationChangeListener
Indicates whether the proposed change to the configuration is acceptable to this change listener.- Specified by:
isConfigurationChangeAcceptable
in interfaceConfigurationChangeListener<C extends PasswordStorageSchemeCfg>
- Parameters:
configuration
- The new configuration containing the changes.unacceptableReasons
- A list that can be used to hold messages about why the provided configuration is not acceptable.- Returns:
- Returns
true
if the proposed change is acceptable, orfalse
if it is not.
-
applyConfigurationChange
public final ConfigChangeResult applyConfigurationChange(ScramSha256PasswordStorageSchemeCfg configuration) Description copied from interface:ConfigurationChangeListener
Applies the configuration changes to this change listener.- Specified by:
applyConfigurationChange
in interfaceConfigurationChangeListener<C extends PasswordStorageSchemeCfg>
- Parameters:
configuration
- The new configuration containing the changes.- Returns:
- Returns information about the result of changing the configuration.
-
encodePassword
Description copied from class:PasswordStorageScheme
Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme. Note that the provided plaintext password should not be altered in any way.- Specified by:
encodePassword
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Parameters:
plaintext
- The plaintext version of the password.- Returns:
- The password that has been encoded using this storage scheme.
-
passwordMatches
Description copied from class:PasswordStorageScheme
Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.- Specified by:
passwordMatches
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Parameters:
plaintextPassword
- The plaintext password provided by the user as part of a simple bind attempt.storedPassword
- The stored password to compare against the provided plaintext password.- Returns:
true
if the provided plaintext password matches the provided stored password, orfalse
if not.
-
supportsAuthPasswordSyntax
public final boolean supportsAuthPasswordSyntax()Description copied from class:PasswordStorageScheme
Indicates whether this password storage scheme supports the ability to interact with values using the authentication password syntax defined in RFC 3112.- Overrides:
supportsAuthPasswordSyntax
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Returns:
true
if this password storage scheme supports the ability to interact with values using the authentication password syntax, orfalse
if it does not.
-
getAuthPasswordSchemeName
Description copied from class:PasswordStorageScheme
Retrieves the scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax. This default implementation will return the same value as thegetStorageSchemeName
method.- Overrides:
getAuthPasswordSchemeName
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Returns:
- The scheme name that should be used with this password storage scheme when it is used in the context of the authentication password syntax.
-
encodeAuthPassword
Description copied from class:PasswordStorageScheme
Encodes the provided plaintext password for this storage scheme using the authentication password syntax defined in RFC 3112. Note that the provided plaintext password should not be altered in any way.- Overrides:
encodeAuthPassword
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Parameters:
plaintext
- The plaintext version of the password.- Returns:
- The password that has been encoded in the authentication password syntax.
-
authPasswordMatches
public final boolean authPasswordMatches(ByteString plaintextPassword, String authInfo, String authValue) Description copied from class:PasswordStorageScheme
Indicates whether the provided plaintext password matches the encoded password using the authentication password syntax with the given authInfo and authValue components.This is the historical method signature used by clients' custom password storage scheme. Be careful to not modify it.
- Overrides:
authPasswordMatches
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Parameters:
plaintextPassword
- The plaintext password provided by the user.authInfo
- The authInfo component of the password encoded in the authentication password syntax.authValue
- The authValue component of the password encoded in the authentication password syntax.- Returns:
true
if the provided plaintext password matches the encoded password according to the authentication password info syntax, orfalse
if it does not or this storage scheme does not support the authentication password syntax.
-
isStorageSchemeSecure
public final boolean isStorageSchemeSecure()Description copied from class:PasswordStorageScheme
Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.
This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.- Specified by:
isStorageSchemeSecure
in classPasswordStorageScheme<C extends PasswordStorageSchemeCfg>
- Returns:
false
if it may be trivial to discover the original plain-text password from the encoded form, ortrue
if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.
-