com.unboundid.ldap.listener

Class InMemoryPasswordEncoder

java.lang.Object

com.unboundid.ldap.listener.InMemoryPasswordEncoder

Direct Known Subclasses:

ClearInMemoryPasswordEncoder, SaltedMessageDigestInMemoryPasswordEncoder, UnsaltedMessageDigestInMemoryPasswordEncoder

@Extensible
 @ThreadSafety(level=INTERFACE_NOT_THREADSAFE)
public abstract class InMemoryPasswordEncoder
extends java.lang.Object

This class defines an API that may be used to interact with clear-text passwords provided to the in-memory directory server. It can be used to ensure that clear-text passwords are encoded when storing them in the server, and to determine whether a provided clear-text password matches an encoded value.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	InMemoryPasswordEncoder(java.lang.String prefix, PasswordEncoderOutputFormatter outputFormatter) Creates a new instance of this in-memory directory server password encoder with the provided information.

Method Summary

Modifier and Type	Method and Description
boolean	clearPasswordMatchesEncodedPassword(ASN1OctetString clearPassword, ASN1OctetString prefixedFormattedEncodedPassword, ReadOnlyEntry userEntry) Indicates whether the provided clear-text password could have been used to generate the given encoded password.
ASN1OctetString	encodePassword(ASN1OctetString clearPassword, ReadOnlyEntry userEntry, java.util.List<Modification> modifications) Encodes the provided clear-text password for storage in the in-memory directory server.
protected abstract byte[]	encodePassword(byte[] clearPassword, ReadOnlyEntry userEntry, java.util.List<Modification> modifications) Encodes the provided clear-text password for storage in the in-memory directory server.
void	ensurePreEncodedPasswordAppearsValid(ASN1OctetString prefixedFormattedEncodedPassword, ReadOnlyEntry userEntry, java.util.List<Modification> modifications) Verifies that the provided pre-encoded password (including the prefix, and with any appropriate output formatting applied) is compatible with the validation performed by this password encoder.
protected abstract void	ensurePreEncodedPasswordAppearsValid(byte[] unPrefixedUnFormattedEncodedPasswordBytes, ReadOnlyEntry userEntry, java.util.List<Modification> modifications) Verifies that the provided pre-encoded password (with the prefix removed and any output formatting reverted) is compatible with the validation performed by this password encoder.
protected abstract byte[]	extractClearPassword(byte[] unPrefixedUnFormattedEncodedPasswordBytes, ReadOnlyEntry userEntry) Attempts to extract the clear-text password used to generate the provided encoded representation, if possible.
ASN1OctetString	extractClearPasswordFromEncodedPassword(ASN1OctetString prefixedFormattedEncodedPassword, ReadOnlyEntry userEntry) Attempts to extract the clear-text password used to generate the provided encoded representation, if possible.
PasswordEncoderOutputFormatter	getOutputFormatter() Retrieves the output formatter that will be used when generating the encoded representation of a password.
java.lang.String	getPrefix() Retrieves the string that will appear at the beginning of encoded passwords.
protected abstract boolean	passwordMatches(byte[] clearPasswordBytes, byte[] unPrefixedUnFormattedEncodedPasswordBytes, ReadOnlyEntry userEntry) Indicates whether the provided clear-text password could have been used to generate the given encoded password.
boolean	passwordStartsWithPrefix(ASN1OctetString password) Indicates whether the provided password starts with the encoded password prefix.
java.lang.String	toString() Retrieves a string representation of this password encoder.
abstract void	toString(java.lang.StringBuilder buffer) Appends a string representation of this password encoder to the provided buffer.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

InMemoryPasswordEncoder

protected InMemoryPasswordEncoder(@NotNull
                                  java.lang.String prefix,
                                  @Nullable
                                  PasswordEncoderOutputFormatter outputFormatter)

Creates a new instance of this in-memory directory server password encoder with the provided information.

Parameters:

prefix - The string that will appear at the beginning of encoded passwords. It must not be null or empty.

outputFormatter - The output formatter that will be used to format the encoded representation of clear-text passwords. It may be null if no special formatting should be applied to the raw bytes.

Method Detail

getPrefix

@NotNull
public final java.lang.String getPrefix()

Retrieves the string that will appear at the beginning of encoded passwords.

Returns:

The string that will appear at the beginning of encoded passwords.

getOutputFormatter

@Nullable
public final PasswordEncoderOutputFormatter getOutputFormatter()

Retrieves the output formatter that will be used when generating the encoded representation of a password.

Returns:

The output formatter that will be used when generating the encoded representation of a password, or nulL if no output formatting will be applied.

encodePassword

@NotNull
public final ASN1OctetString encodePassword(@NotNull
                                                     ASN1OctetString clearPassword,
                                                     @NotNull
                                                     ReadOnlyEntry userEntry,
                                                     @NotNull
                                                     java.util.List<Modification> modifications)
                                              throws LDAPException

Encodes the provided clear-text password for storage in the in-memory directory server. The encoded password that is returned will include the prefix, and any appropriate output formatting will have been applied.

This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations.

Parameters:

clearPassword - The clear-text password to be encoded. It must not be null or empty, and it must not be pre-encoded.

userEntry - The entry in which the encoded password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.

modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.

Returns:

The encoded representation of the provided clear-text password. It will include the prefix, and any appropriate output formatting will have been applied.

Throws:

LDAPException - If a problem is encountered while trying to encode the provided clear-text password.

encodePassword

@NotNull
protected abstract byte[] encodePassword(@NotNull
                                                  byte[] clearPassword,
                                                  @NotNull
                                                  ReadOnlyEntry userEntry,
                                                  @NotNull
                                                  java.util.List<Modification> modifications)
                                           throws LDAPException

Encodes the provided clear-text password for storage in the in-memory directory server. The encoded password that is returned must not include the prefix, and no output formatting should have been applied.

This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations.

Parameters:

clearPassword - The bytes that comprise the clear-text password to be encoded. It must not be null or empty.

userEntry - The entry in which the encoded password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.

modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.

Returns:

The bytes that comprise encoded representation of the provided clear-text password, without the prefix, and without any output formatting applied.

Throws:

LDAPException - If a problem is encountered while trying to encode the provided clear-text password.

ensurePreEncodedPasswordAppearsValid

public final void ensurePreEncodedPasswordAppearsValid(@NotNull
                                                       ASN1OctetString prefixedFormattedEncodedPassword,
                                                       @NotNull
                                                       ReadOnlyEntry userEntry,
                                                       @NotNull
                                                       java.util.List<Modification> modifications)
                                                throws LDAPException

Verifies that the provided pre-encoded password (including the prefix, and with any appropriate output formatting applied) is compatible with the validation performed by this password encoder.

This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations. Any password included in any of these entries that starts with a prefix registered with the in-memory directory server will be validated with the encoder that corresponds to that password's prefix.

Parameters:

prefixedFormattedEncodedPassword - The pre-encoded password to validate. It must not be null, and it should include the prefix and any applicable output formatting.

userEntry - The entry in which the password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.

modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.

Throws:

LDAPException - If the provided encoded password is not compatible with the validation performed by this password encoder, or if a problem is encountered while making the determination.

ensurePreEncodedPasswordAppearsValid

protected abstract void ensurePreEncodedPasswordAppearsValid(@NotNull
                                                             byte[] unPrefixedUnFormattedEncodedPasswordBytes,
                                                             @NotNull
                                                             ReadOnlyEntry userEntry,
                                                             @NotNull
                                                             java.util.List<Modification> modifications)
                                                      throws LDAPException

Verifies that the provided pre-encoded password (with the prefix removed and any output formatting reverted) is compatible with the validation performed by this password encoder.

Note that this method should return true if the provided unPrefixedUnFormattedEncodedPasswordBytes value could be used in conjunction with the passwordMatches(byte[], byte[], com.unboundid.ldap.sdk.ReadOnlyEntry) method, even if it does not exactly match the format of the output that would have been generated by the encodePassword(com.unboundid.asn1.ASN1OctetString, com.unboundid.ldap.sdk.ReadOnlyEntry, java.util.List<com.unboundid.ldap.sdk.Modification>) method. For example, if this password encoder uses a salt, then it may be desirable to accept passwords encoded with a salt that has a different length than the encodePassword method would use when encoding a clear-test password. This may allow the in-memory directory server to support pre-encoded passwords generated from other types of directory servers that may use different settings when encoding passwords, but still generates encoded passwords that are compatible with this password encoder.

Parameters:

unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the pre-encoded password to validate, with the prefix stripped off and the output formatting reverted.

userEntry - The entry in which the password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.

modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.

Throws:

LDAPException - If the provided encoded password is not compatible with the validation performed by this password encoder, or if a problem is encountered while making the determination.

clearPasswordMatchesEncodedPassword

public final boolean clearPasswordMatchesEncodedPassword(@NotNull
                                                         ASN1OctetString clearPassword,
                                                         @NotNull
                                                         ASN1OctetString prefixedFormattedEncodedPassword,
                                                         @NotNull
                                                         ReadOnlyEntry userEntry)
                                                  throws LDAPException

Indicates whether the provided clear-text password could have been used to generate the given encoded password. This method will be invoked when verifying a provided clear-text password during bind processing, or when removing an existing password in a modify operation.

Parameters:

clearPassword - The clear-text password to be compared against the encoded password. It must not be null or empty.

prefixedFormattedEncodedPassword - The encoded password to compare against the clear-text password. It must not be null, it must include the prefix, and any appropriate output formatting must have been applied.

userEntry - The entry in which the encoded password appears. It must not be null.

Returns:

true if the provided clear-text password could be used to generate the given encoded password, or false if not.

Throws:

LDAPException - If a problem is encountered while making the determination.

passwordMatches

protected abstract boolean passwordMatches(@NotNull
                                           byte[] clearPasswordBytes,
                                           @NotNull
                                           byte[] unPrefixedUnFormattedEncodedPasswordBytes,
                                           @NotNull
                                           ReadOnlyEntry userEntry)
                                    throws LDAPException

Indicates whether the provided clear-text password could have been used to generate the given encoded password. This method will be invoked when verifying a provided clear-text password during bind processing, or when removing an existing password in a modify operation.

Parameters:

clearPasswordBytes - The bytes that comprise the clear-text password to be compared against the encoded password. It must not be null or empty.

unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the encoded password, with the prefix stripped off and the output formatting reverted.

userEntry - The entry in which the encoded password appears. It must not be null.

Returns:

true if the provided clear-text password could have been used to generate the given encoded password, or false if not.

Throws:

LDAPException - If a problem is encountered while attempting to make the determination.

extractClearPasswordFromEncodedPassword

@NotNull
public final ASN1OctetString extractClearPasswordFromEncodedPassword(@NotNull
                                                                              ASN1OctetString prefixedFormattedEncodedPassword,
                                                                              @NotNull
                                                                              ReadOnlyEntry userEntry)
                                                                       throws LDAPException

Attempts to extract the clear-text password used to generate the provided encoded representation, if possible. Many password encoder implementations may use one-way encoding mechanisms, so it will often not be possible to obtain the original clear-text password from its encoded representation.

Parameters:

prefixedFormattedEncodedPassword - The encoded password from which to extract the clear-text password. It must not be null, it must include the prefix, and any appropriate output formatting must have been applied.

userEntry - The entry in which the encoded password appears. It must not be null.

Returns:

The clear-text password used to generate the provided encoded representation.

Throws:

LDAPException - If this password encoder is not reversible, or if a problem occurs while trying to extract the clear-text representation from the provided encoded password.

extractClearPassword

@NotNull
protected abstract byte[] extractClearPassword(@NotNull
                                                        byte[] unPrefixedUnFormattedEncodedPasswordBytes,
                                                        @NotNull
                                                        ReadOnlyEntry userEntry)
                                                 throws LDAPException

Attempts to extract the clear-text password used to generate the provided encoded representation, if possible. Many password encoder implementations may use one-way encoding mechanisms, so it will often not be possible to obtain the original clear-text password from its encoded representation.

Parameters:

unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the encoded password, with the prefix stripped off and the output formatting reverted.

userEntry - The entry in which the encoded password appears. It must not be null.

Returns:

The clear-text password used to generate the provided encoded representation.

Throws:

LDAPException - If this password encoder is not reversible, or if a problem occurs while trying to extract the clear-text representation from the provided encoded password.

passwordStartsWithPrefix

public final boolean passwordStartsWithPrefix(@NotNull
                                              ASN1OctetString password)

Indicates whether the provided password starts with the encoded password prefix.

Parameters:

password - The password for which to make the determination.

Returns:

true if the provided password starts with the encoded password prefix, or false if not.

toString

@NotNull
public final java.lang.String toString()

Retrieves a string representation of this password encoder.

Overrides:

toString in class java.lang.Object

Returns:

A string representation of this password encoder.

toString

public abstract void toString(@NotNull
                              java.lang.StringBuilder buffer)

Appends a string representation of this password encoder to the provided buffer.

Parameters:

buffer - The buffer to which the information should be appended.