Class UserLookupHelper


  • public class UserLookupHelper
    extends java.lang.Object
    Performs lookups on users based on username.

    If a search filter is not provided, the default search filter is used:

     (|(objectClass=ePerson)(objectClass=Person))


    This class will attempt to cache configurations, so shutdown does not need to be called per request. Init will not initialize a configuration which is already running. However, since it is a common cache, there can occasionally be a race condition in which the cache is not able to differentiate between different init search options. This means that if infomap1 does an init with search option 1, and then infomap2 does its init with search option 2, when infomap1 tries to use its cached infomap it will get search option 2 instead of the one it expected. The result is that if you have multiple infomaps running with multiple different inits, we cannot guarantee that the UserLookupHelper operation is 100% thread-safe. One option is to do the init, use the helper, and then call shutdown immediately after use, as a way to minimize the chance of this rare mix-up.

    The configuration for the LDAP client can be sourced from 3 different places:
    1. The Verify Access RTE. This is the Runtime configuration under the menu:
    Secure Web Settings -> Runtime Component. To use this configuration method, the [bind-credentials] stanza must be populated in the ldap.conf configuration file. If basic user support is enabled, then federated directories will be used.

    2. Username Password Authentication mechanism: the username password mechanism houses configuration for connecting to an LDAP server. This can also be used by this lookup util. Federated directories can be used with this method, depending on the module configuration. For details on how to configure this mechanism see: http://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2/com.ibm.isam.doc/config/task/configuringusernamepwd.html

    3. A server connection. The server connection can be retrieved with the ServerConnectionFactory class. Basic users / federated directories are not supported with this configuration.
    Since:
    9.0.2.1
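The init / use / shutdown sequence the class description recommends, as an added example rather than code from the Javadoc. It assumes the caller already holds an LdapServerConnection (the page says one is obtained from ServerConnectionFactory, but gives no method names, so the connection is passed in as a parameter), uses a constructed secure-domain name, and omits package imports for UserLookupHelper, User and LdapServerConnection because the page does not state their packages.

```java
import java.util.Objects;

// Added example, not from the Javadoc. Package imports for UserLookupHelper, User and
// LdapServerConnection are omitted because the page does not state their packages.
public final class UserLookupExample {

    // Constructed value: the Verify Access secure domain used in this example.
    private static final String MGMT_DOMAIN = "Default";

    // The default filter the class description documents, passed explicitly so the
    // filter this helper expects is visible next to its init call.
    private static final String SEARCH_FILTER = "(|(objectClass=ePerson)(objectClass=Person))";

    /**
     * Looks a user up and releases the helper straight afterwards. The class
     * description notes that helpers share a cache, so init-use-shutdown in one
     * scope keeps the window in which another InfoMap's init could be picked up small.
     *
     * @param conn     server connection the caller obtained via ServerConnectionFactory
     * @param username the account name to look up
     * @return true only if the registry returned a user object; false covers
     *         not-found, lookup error and a failed init alike
     */
    public static boolean userResolves(LdapServerConnection conn, String username) {
        Objects.requireNonNull(conn, "connection");
        Objects.requireNonNull(username, "username");

        UserLookupHelper helper = new UserLookupHelper();
        try {
            helper.init(conn, SEARCH_FILTER, MGMT_DOMAIN, false /* loginFailuresPersistent */);
            if (!helper.isReady()) {
                // init did not leave the helper usable; do not proceed to a lookup.
                return false;
            }
            // getUser returns null both when the user is not found and when an error
            // occurred, so a null must not be read as proof the account does not exist.
            User user = helper.getUser(username);
            return user != null;
        } finally {
            // Closes connections and evicts this helper from the shared cache.
            helper.shutdown();
        }
    }
}
```

Because getUser collapses "not found" and "error" into one null, callers that make an authorization decision on the result should treat false as "could not confirm" rather than "confirmed absent".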
    • Constructor Summary

      Constructors 
      Constructor Description
      UserLookupHelper()
      Create a lookup helper.
    • Method Summary

      Modifier and Type Method Description
      User createUser(java.lang.String username, java.lang.String dn, java.lang.String password, boolean bypassPasswordPolicy, java.lang.String firstName, java.lang.String lastName, boolean accountValid, boolean passwordValid)
      Create a user in the registry.
      boolean deleteUser(java.lang.String username, boolean removeNativeUser)
      Remove a user.
      User getUser(java.lang.String username)
      Retrieve a user from the registry.
      User getUserByNativeId(java.lang.String nativeId)
      Retrieve a user from the registry using their native id.
      void init()
      Using this initializer will use the configuration of this appliance's Verify Access RTE.
      void init(boolean useAuthService)
      Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
      void init(boolean useAuthService, java.util.Properties overrideProperties)
      Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
      void init(LdapServerConnection connection, java.lang.String mgmtDomain)
      Initialize this lookup with a server connection.
      void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain)
      Initialize this lookup util with a server connection.
      void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain, boolean loginFailuresPersistent)
      Initialize this lookup util with a server connection.
      void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain, boolean loginFailuresPersistent, java.util.Properties overrideProperties)
      Initialize this lookup util with a server connection.
      void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String mgmtDomain, int connectionTimeout)
      Basic initialize.
      void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String mgmtDomain, int connectionTimeout)
      Basic initialize with TLS.
      void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout)
      Full initialize with options for client cert authentication and custom search filter.
      void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent)
      void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent, java.util.Properties overrideProperties)
      void init(java.util.Properties overrideProperties)
      Using this initializer will use the configuration of this appliance's Verify Access RTE.
      boolean isReady()
      Check if this helper is ready and has had init() called.
      java.lang.String[] search(java.lang.String searchAttr, java.lang.String attrPattern, int maxReturned)
      Search users based on a given attribute pattern.
      java.lang.String[] search(java.lang.String searchAttr, java.lang.String attrPattern, int maxReturned, int pageSize)
      Search users based on a given attribute pattern.
      void shutdown()
      Close any connections held by this lookup helper.
      • Methods inherited from class java.lang.Object

        equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • UserLookupHelper_java_sourceCodeID

        public static final java.lang.String UserLookupHelper_java_sourceCodeID
        See Also:
        Constant Field Values
      • UserLookupHelper_java_copyright

        public static final java.lang.String UserLookupHelper_java_copyright
    • Constructor Detail

      • UserLookupHelper

        public UserLookupHelper()
        Create a lookup helper. The helper should not be used before init is called.
    • Method Detail

      • isReady

        public boolean isReady()
        Check if this helper is ready and has had init() called
      • init

        public void init()
        Using this initializer will use the configuration of this appliance's Verify Access RTE. The values in ldap.conf will be used. This call is equivalent to calling init(false, null).
      • init

        public void init(java.util.Properties overrideProperties)
        Using this initializer will use the configuration of this appliance's Verify Access RTE. The values in ldap.conf will be used. This call is equivalent to calling init(false, properties).
        Parameters:
        overrideProperties - properties to pass down to rgy. Will be applied after the usual properties are loaded, meaning they will override any configuration which the util attempts to populate. If null, will be ignored.
      • init

        public void init(boolean useAuthService)
        Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
        Parameters:
        useAuthService - if true then the username password configuration will be used, if false then the call is the same as using
      • init

        public void init(boolean useAuthService,
                         java.util.Properties overrideProperties)
        Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
        Parameters:
        useAuthService - if true then the username password configuration will be used, if false then the call is the same as using
        overrideProperties - properties to pass down to rgy. Will be applied after the usual properties are loaded, meaning they will override any configuration which the util attempts to populate. If null, will be ignored.
      • init

        public void init(LdapServerConnection connection,
                         java.lang.String mgmtDomain)
        Initialize this lookup with a server connection. Only uses the first host in the connection. loginFailuresPersistent will be defaulted to false.
        Parameters:
        connection - the server connection to use.
        mgmtDomain - secure domain to use.
      • init

        public void init(LdapServerConnection connection,
                         java.lang.String searchFilter,
                         java.lang.String mgmtDomain)
        Initialize this lookup util with a server connection. Only uses the first host in the connection. loginFailuresPersistent will be defaulted to false.
        Parameters:
        connection - the server connection to use.
        searchFilter - custom search filter to use.
        mgmtDomain - secure domain to use.
      • init

        public void init(LdapServerConnection connection,
                         java.lang.String searchFilter,
                         java.lang.String mgmtDomain,
                         boolean loginFailuresPersistent)
        Initialize this lookup util with a server connection. Only uses the first host in the connection.
        Parameters:
        connection - the server connection to use.
        searchFilter - custom search filter to use.
        mgmtDomain - secure domain to use.
        loginFailuresPersistent - whether failures to login will be persisted.
      • init

        public void init(LdapServerConnection connection,
                         java.lang.String searchFilter,
                         java.lang.String mgmtDomain,
                         boolean loginFailuresPersistent,
                         java.util.Properties overrideProperties)
        Initialize this lookup util with a server connection. Only uses the first host in the connection.
        Parameters:
        connection - the server connection to use.
        searchFilter - custom search filter to use.
        mgmtDomain - secure domain to use.
        loginFailuresPersistent - whether failures to login will be persisted.
        overrideProperties - properties to pass down to rgy. Will be applied after the usual properties are loaded, meaning they will override any configuration which the util attempts to populate. If null, will be ignored.
      • init

        public void init(java.lang.String hostname,
                         int port,
                         java.lang.String bindDn,
                         java.lang.String bindDnPwd,
                         java.lang.String mgmtDomain,
                         int connectionTimeout)
        Basic initialize. Uses the default search filter. Login failures will not be persisted.
        Parameters:
        hostname - host to connect to.
        port - port to connect to.
        bindDn - user to bind as.
        bindDnPwd - password used to bind.
        mgmtDomain - Verify Access domain to use.
        connectionTimeout - time in seconds that an inactive connection should be held.
      • init

        public void init(java.lang.String hostname,
                         int port,
                         java.lang.String bindDn,
                         java.lang.String bindDnPwd,
                         java.lang.String keystore,
                         java.lang.String mgmtDomain,
                         int connectionTimeout)
        Basic initialize with TLS. Uses the default search filter. Login failures will not be persisted.
        Parameters:
        hostname - host to connect to.
        port - port to connect to.
        bindDn - user to bind as.
        bindDnPwd - password used to bind.
        keystore - keystore to be used as the SSL trust store.
        mgmtDomain - Verify Access domain to use.
        connectionTimeout - time in seconds that an inactive connection should be held.
      • init

        public void init(java.lang.String hostname,
                         int port,
                         java.lang.String bindDn,
                         java.lang.String bindDnPwd,
                         java.lang.String keystore,
                         java.lang.String clientCertLabel,
                         java.lang.String searchFilter,
                         java.lang.String mgmtDomain,
                         int connectionTimeout)
        Full initialize with options for client cert authentication and custom search filter. Login failures will not be persisted.
        Parameters:
        hostname - host to connect to.
        port - port to connect to.
        bindDn - user to bind as.
        bindDnPwd - password used to bind.
        keystore - keystore to be used as the SSL trust store.
        clientCertLabel - certificate to use for client cert auth. Sourced from the specified keystore.
        searchFilter - search filter to use for user lookups.
        mgmtDomain - Verify Access domain to use.
        connectionTimeout - time in seconds that an inactive connection should be held.
        loginFailuresPersistent - should login failures be persisted. It is OK to pass null for keystore and clientCertLabel.
      • init

        public void init(java.lang.String hostname,
                         int port,
                         java.lang.String bindDn,
                         java.lang.String bindDnPwd,
                         java.lang.String keystore,
                         java.lang.String clientCertLabel,
                         java.lang.String searchFilter,
                         java.lang.String mgmtDomain,
                         int connectionTimeout,
                         boolean loginFailuresPersistent)
      • init

        public void init(java.lang.String hostname,
                         int port,
                         java.lang.String bindDn,
                         java.lang.String bindDnPwd,
                         java.lang.String keystore,
                         java.lang.String clientCertLabel,
                         java.lang.String searchFilter,
                         java.lang.String mgmtDomain,
                         int connectionTimeout,
                         boolean loginFailuresPersistent,
                         java.util.Properties overrideProperties)
      • shutdown

        public void shutdown()
        Close any connections held by this lookup helper. Will remove the helper from the cache. Does not need to be called per request.
      • getUser

        public User getUser(java.lang.String username)
        Retrieve a user from the registry.
        Parameters:
        username - username of the user to retrieve.
        Returns:
        the user found / null if the user was not found or an error occurred
      • getUserByNativeId

        public User getUserByNativeId(java.lang.String nativeId)
        Retrieve a user from the registry using their native id.
        Parameters:
        nativeId - native id of the user to retrieve.
        Returns:
        the user found / null if the user was not found or an error occurred
      • createUser

        public User createUser(java.lang.String username,
                               java.lang.String dn,
                               java.lang.String password,
                               boolean bypassPasswordPolicy,
                               java.lang.String firstName,
                               java.lang.String lastName,
                               boolean accountValid,
                               boolean passwordValid)
        Create a user in the registry. Only supported when using a Verify Access user registry.
        Parameters:
        username - userid for the user to create.
        dn - the registry id for the user to create.
        password - the password for the user.
        bypassPasswordPolicy - if password policy should be enforced when creating this user.
        accountValid - is this account valid.
        passwordValid - is the password valid.
        Returns:
        the created user object
      • deleteUser

        public boolean deleteUser(java.lang.String username,
                                  boolean removeNativeUser)
        Remove a user.
        Parameters:
        username - of the user to remove
        removeNativeUser - if the user should be removed from the directory instead of just the secure domain.
        Returns:
        true if the user was removed / false if the user was not removed.
      • search

        public java.lang.String[] search(java.lang.String searchAttr,
                                         java.lang.String attrPattern,
                                         int maxReturned)
        Search users based on a given attribute pattern. Returns an array of native ids which match the provided attribute pattern.
        Parameters:
        searchAttr - the attribute to search on
        attrPattern - the pattern the provided attribute must match. Wildcards('*') are allowed.
        maxReturned - Limit on search results
      • search

        public java.lang.String[] search(java.lang.String searchAttr,
                                         java.lang.String attrPattern,
                                         int maxReturned,
                                         int pageSize)
        Search users based on a given attribute pattern. Returns an array of native ids which match the provided attribute pattern.
        Parameters:
        searchAttr - the attribute to search on
        attrPattern - the pattern the provided attribute must match. Wildcards ('*') are allowed.
        maxReturned - limit on search results
        pageSize - indicates to the registry the page size to be used. Will be ignored if the value passed in is not a positive integer.
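Bounding a search driven by caller-supplied text, as an added example that is not part of the Javadoc. search() documents '*' as a wildcard in attrPattern and says nothing about escaping, so the example applies standard RFC 4515 filter-value escaping (a generic LDAP technique, not something UserLookupHelper is documented to provide) before appending its own wildcard, and passes explicit maxReturned and pageSize values. The attribute name "mail" and the limits are constructed; the helper is assumed to have had a successful init(), and package imports are omitted because the page does not give them.

```java
import java.util.Objects;

// Added example, not from the Javadoc. Package import for UserLookupHelper omitted
// because the page does not state its package.
public final class UserSearchExample {

    /**
     * Escape the RFC 4515 filter metacharacters in an attribute value. '*' is
     * escaped as well, so only this code, not the end user, decides where a
     * wildcard appears in the pattern handed to search().
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed limits: cap the result set and fetch it in pages from the registry.
    private static final int MAX_RETURNED = 50;
    private static final int PAGE_SIZE = 25;

    /**
     * Prefix search on the (constructed) "mail" attribute.
     *
     * @param helper          a UserLookupHelper on which init() has already succeeded
     * @param untrustedPrefix text that originated outside the mapping rule
     * @return native ids of matching users, never null
     */
    static String[] findByMailPrefix(UserLookupHelper helper, String untrustedPrefix) {
        Objects.requireNonNull(helper, "helper");
        if (!helper.isReady()) {
            throw new IllegalStateException("UserLookupHelper has not been initialised");
        }
        if (untrustedPrefix == null || untrustedPrefix.isEmpty()) {
            // An empty prefix would become a bare "*" and match every entry.
            return new String[0];
        }
        // Escaped user text plus one deliberate trailing wildcard: a "*" typed by the
        // user becomes "\2a" and cannot widen the match to the whole directory.
        String pattern = escapeFilterValue(untrustedPrefix) + "*";
        String[] nativeIds = helper.search("mail", pattern, MAX_RETURNED, PAGE_SIZE);
        // The page does not say what search() returns on error, so guard against null.
        return nativeIds == null ? new String[0] : nativeIds;
    }
}
```

The returned native ids can be resolved individually with getUserByNativeId(), which, like getUser(), returns null for both not-found and error cases.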