Package com.unboundid.ldap.listener

Class InMemoryPasswordEncoder

java.lang.Object
com.unboundid.ldap.listener.InMemoryPasswordEncoder
Direct Known Subclasses:
ClearInMemoryPasswordEncoder, SaltedMessageDigestInMemoryPasswordEncoder, UnsaltedMessageDigestInMemoryPasswordEncoder
@Extensible @ThreadSafety(level=INTERFACE_NOT_THREADSAFE) public abstract class InMemoryPasswordEncoder extends Object
This class defines an API that may be used to interact with clear-text passwords provided to the in-memory directory server. It can be used to ensure that clear-text passwords are encoded when storing them in the server, and to determine whether a provided clear-text password matches an encoded value.

  • Constructor Details

    • InMemoryPasswordEncoder

      protected InMemoryPasswordEncoder(@NotNull String prefix, @Nullable PasswordEncoderOutputFormatter outputFormatter)
      Creates a new instance of this in-memory directory server password encoder with the provided information.
      Parameters:
      prefix - The string that will appear at the beginning of encoded passwords. It must not be null or empty.
      outputFormatter - The output formatter that will be used to format the encoded representation of clear-text passwords. It may be null if no special formatting should be applied to the raw bytes.

  • Method Details

    • getPrefix

      @NotNull public final String getPrefix()
      Retrieves the string that will appear at the beginning of encoded passwords.
      Returns:
      The string that will appear at the beginning of encoded passwords.

    • getOutputFormatter

      @Nullable public final PasswordEncoderOutputFormatter getOutputFormatter()
      Retrieves the output formatter that will be used when generating the encoded representation of a password.
      Returns:
      The output formatter that will be used when generating the encoded representation of a password, or nulL if no output formatting will be applied.

    • encodePassword

      @NotNull public final ASN1OctetString encodePassword(@NotNull ASN1OctetString clearPassword, @NotNull ReadOnlyEntry userEntry, @NotNull List<Modification> modifications) throws LDAPException
      Encodes the provided clear-text password for storage in the in-memory directory server. The encoded password that is returned will include the prefix, and any appropriate output formatting will have been applied.

      This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations.
      Parameters:
      clearPassword - The clear-text password to be encoded. It must not be null or empty, and it must not be pre-encoded.
      userEntry - The entry in which the encoded password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
      modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
      Returns:
      The encoded representation of the provided clear-text password. It will include the prefix, and any appropriate output formatting will have been applied.
      Throws:
      LDAPException - If a problem is encountered while trying to encode the provided clear-text password.

    • encodePassword

      @NotNull protected abstract byte[] encodePassword(@NotNull byte[] clearPassword, @NotNull ReadOnlyEntry userEntry, @NotNull List<Modification> modifications) throws LDAPException
      Encodes the provided clear-text password for storage in the in-memory directory server. The encoded password that is returned must not include the prefix, and no output formatting should have been applied.

      This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations.
      Parameters:
      clearPassword - The bytes that comprise the clear-text password to be encoded. It must not be null or empty.
      userEntry - The entry in which the encoded password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
      modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
      Returns:
      The bytes that comprise encoded representation of the provided clear-text password, without the prefix, and without any output formatting applied.
      Throws:
      LDAPException - If a problem is encountered while trying to encode the provided clear-text password.

    • ensurePreEncodedPasswordAppearsValid

      public final void ensurePreEncodedPasswordAppearsValid(@NotNull ASN1OctetString prefixedFormattedEncodedPassword, @NotNull ReadOnlyEntry userEntry, @NotNull List<Modification> modifications) throws LDAPException
      Verifies that the provided pre-encoded password (including the prefix, and with any appropriate output formatting applied) is compatible with the validation performed by this password encoder.

      This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations. Any password included in any of these entries that starts with a prefix registered with the in-memory directory server will be validated with the encoder that corresponds to that password's prefix.
      Parameters:
      prefixedFormattedEncodedPassword - The pre-encoded password to validate. It must not be null, and it should include the prefix and any applicable output formatting.
      userEntry - The entry in which the password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
      modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
      Throws:
      LDAPException - If the provided encoded password is not compatible with the validation performed by this password encoder, or if a problem is encountered while making the determination.

    • ensurePreEncodedPasswordAppearsValid

      protected abstract void ensurePreEncodedPasswordAppearsValid(@NotNull byte[] unPrefixedUnFormattedEncodedPasswordBytes, @NotNull ReadOnlyEntry userEntry, @NotNull List<Modification> modifications) throws LDAPException
      Verifies that the provided pre-encoded password (with the prefix removed and any output formatting reverted) is compatible with the validation performed by this password encoder.

      Note that this method should return true if the provided unPrefixedUnFormattedEncodedPasswordBytes value could be used in conjunction with the passwordMatches(byte[], byte[], com.unboundid.ldap.sdk.ReadOnlyEntry) method, even if it does not exactly match the format of the output that would have been generated by the encodePassword(com.unboundid.asn1.ASN1OctetString, com.unboundid.ldap.sdk.ReadOnlyEntry, java.util.List<com.unboundid.ldap.sdk.Modification>) method. For example, if this password encoder uses a salt, then it may be desirable to accept passwords encoded with a salt that has a different length than the encodePassword method would use when encoding a clear-test password. This may allow the in-memory directory server to support pre-encoded passwords generated from other types of directory servers that may use different settings when encoding passwords, but still generates encoded passwords that are compatible with this password encoder.
      Parameters:
      unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the pre-encoded password to validate, with the prefix stripped off and the output formatting reverted.
      userEntry - The entry in which the password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
      modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
      Throws:
      LDAPException - If the provided encoded password is not compatible with the validation performed by this password encoder, or if a problem is encountered while making the determination.

    • clearPasswordMatchesEncodedPassword

      public final boolean clearPasswordMatchesEncodedPassword(@NotNull ASN1OctetString clearPassword, @NotNull ASN1OctetString prefixedFormattedEncodedPassword, @NotNull ReadOnlyEntry userEntry) throws LDAPException
      Indicates whether the provided clear-text password could have been used to generate the given encoded password. This method will be invoked when verifying a provided clear-text password during bind processing, or when removing an existing password in a modify operation.
      Parameters:
      clearPassword - The clear-text password to be compared against the encoded password. It must not be null or empty.
      prefixedFormattedEncodedPassword - The encoded password to compare against the clear-text password. It must not be null, it must include the prefix, and any appropriate output formatting must have been applied.
      userEntry - The entry in which the encoded password appears. It must not be null.
      Returns:
      true if the provided clear-text password could be used to generate the given encoded password, or false if not.
      Throws:
      LDAPException - If a problem is encountered while making the determination.

    • passwordMatches

      protected abstract boolean passwordMatches(@NotNull byte[] clearPasswordBytes, @NotNull byte[] unPrefixedUnFormattedEncodedPasswordBytes, @NotNull ReadOnlyEntry userEntry) throws LDAPException
      Indicates whether the provided clear-text password could have been used to generate the given encoded password. This method will be invoked when verifying a provided clear-text password during bind processing, or when removing an existing password in a modify operation.
      Parameters:
      clearPasswordBytes - The bytes that comprise the clear-text password to be compared against the encoded password. It must not be null or empty.
      unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the encoded password, with the prefix stripped off and the output formatting reverted.
      userEntry - The entry in which the encoded password appears. It must not be null.
      Returns:
      true if the provided clear-text password could have been used to generate the given encoded password, or false if not.
      Throws:
      LDAPException - If a problem is encountered while attempting to make the determination.

    • extractClearPasswordFromEncodedPassword

      @NotNull public final ASN1OctetString extractClearPasswordFromEncodedPassword(@NotNull ASN1OctetString prefixedFormattedEncodedPassword, @NotNull ReadOnlyEntry userEntry) throws LDAPException
      Attempts to extract the clear-text password used to generate the provided encoded representation, if possible. Many password encoder implementations may use one-way encoding mechanisms, so it will often not be possible to obtain the original clear-text password from its encoded representation.
      Parameters:
      prefixedFormattedEncodedPassword - The encoded password from which to extract the clear-text password. It must not be null, it must include the prefix, and any appropriate output formatting must have been applied.
      userEntry - The entry in which the encoded password appears. It must not be null.
      Returns:
      The clear-text password used to generate the provided encoded representation.
      Throws:
      LDAPException - If this password encoder is not reversible, or if a problem occurs while trying to extract the clear-text representation from the provided encoded password.

    • extractClearPassword

      @NotNull protected abstract byte[] extractClearPassword(@NotNull byte[] unPrefixedUnFormattedEncodedPasswordBytes, @NotNull ReadOnlyEntry userEntry) throws LDAPException
      Attempts to extract the clear-text password used to generate the provided encoded representation, if possible. Many password encoder implementations may use one-way encoding mechanisms, so it will often not be possible to obtain the original clear-text password from its encoded representation.
      Parameters:
      unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the encoded password, with the prefix stripped off and the output formatting reverted.
      userEntry - The entry in which the encoded password appears. It must not be null.
      Returns:
      The clear-text password used to generate the provided encoded representation.
      Throws:
      LDAPException - If this password encoder is not reversible, or if a problem occurs while trying to extract the clear-text representation from the provided encoded password.

    • passwordStartsWithPrefix

      public final boolean passwordStartsWithPrefix(@NotNull ASN1OctetString password)
      Indicates whether the provided password starts with the encoded password prefix.
      Parameters:
      password - The password for which to make the determination.
      Returns:
      true if the provided password starts with the encoded password prefix, or false if not.

    • toString

      @NotNull public final String toString()
      Retrieves a string representation of this password encoder.
      Overrides:
      toString in class Object
      Returns:
      A string representation of this password encoder.

    • toString

      public abstract void toString(@NotNull StringBuilder buffer)
      Appends a string representation of this password encoder to the provided buffer.
      Parameters:
      buffer - The buffer to which the information should be appended.