Package com.ibm.security.access.user
Class UserLookupHelper

java.lang.Object
    com.ibm.security.access.user.UserLookupHelper

public class UserLookupHelper extends java.lang.Object
Performs lookups on users based on username.

If a search filter is not provided, the default search filter is used:

    (|(objectClass=ePerson)(objectClass=Person))

This class attempts to cache configurations, so shutdown() does not need to be called per request. init() will not initialize a configuration which is already running. However, since the cache is shared, there can occasionally be a race condition in which the cache cannot differentiate between different init search options. This means that if infomap1 does an init with search option 1, and then infomap2 does its init with search option 2, then when infomap1 tries to use its cached helper it will get search option 2 instead of the one it expected. As a result, if you have multiple infomaps running with multiple different inits, we cannot guarantee that the UserLookupHelper operations are 100% thread-safe. One option to minimize the chance of this rare mix-up is to do the init, use the helper, and then call shutdown() immediately after use.

The configuration for the LDAP client can be sourced from 3 different places:

1. The Verify Access RTE. This is the Runtime configuration under the menu Secure Web Settings -> Runtime Component. To use this configuration method, the [bind-credentials] stanza must be populated in the ldap.conf configuration file. If basic user support is enabled, then federated directories will be used.
2. Username Password Authentication mechanism: the username password mechanism houses configuration for connecting to an LDAP. This can also be used by this lookup util. Federated directories can be used with this method, depending on the module configuration. For details on how to configure this mechanism see: http://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2/com.ibm.isam.doc/config/task/configuringusernamepwd.html
3. A server connection. The server connection can be retrieved with the ServerConnectionFactory class. Basic users / federated directories are not supported with this configuration.

Since:
    9.0.2.1
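The init / use / shutdown pattern that the class description recommends for avoiding the shared-cache mix-up, written out as an added example (this is not code from the IBM Javadoc or the product). It assumes the User class lives in the same package as UserLookupHelper (the summary lists it unqualified), that the appliance's ldap.conf has a populated [bind-credentials] stanza for the RTE path, and that the Username Password mechanism is configured for the init(true) path; the username "jdoe" is a placeholder.

```java
// Added example: init, use, then shutdown in a finally block so the helper is
// evicted from the shared cache even when the lookup throws.
import com.ibm.security.access.user.User;               // assumed same package
import com.ibm.security.access.user.UserLookupHelper;

public class LookupExample {

    /**
     * Look up a user by username with the Verify Access RTE configuration
     * (configuration source 1 on the page; init() equals init(false, null)).
     * Returns null when the user is absent or the lookup failed, mirroring getUser().
     */
    public static User lookupWithRte(String username) {
        UserLookupHelper helper = new UserLookupHelper();
        try {
            helper.init();
            if (!helper.isReady()) {
                return null;            // init did not complete; do not continue
            }
            return helper.getUser(username);   // null if not found or on error
        } finally {
            // Closes connections and removes this helper from the cache, which
            // narrows the window in which another infomap's init with different
            // search options could be served to this caller.
            helper.shutdown();
        }
    }

    /**
     * Same lookup, but against the LDAP configuration of the Username Password
     * authentication mechanism (configuration source 2 on the page).
     */
    public static User lookupWithAuthService(String username) {
        UserLookupHelper helper = new UserLookupHelper();
        try {
            helper.init(true);          // true selects the Username Password config
            return helper.isReady() ? helper.getUser(username) : null;
        } finally {
            helper.shutdown();
        }
    }

    public static void main(String[] args) {
        User u = lookupWithRte("jdoe");   // "jdoe" is a placeholder username
        System.out.println(u == null ? "not found or lookup error" : "user found");
    }
}
```

Because getUser() returns null both when the user does not exist and when an error occurred, callers that need to distinguish the two cases should check isReady() before the lookup, as above, rather than inferring failure from the null alone.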
Field Summary

Modifier and Type          Field
static java.lang.String    UserLookupHelper_java_copyright
static java.lang.String    UserLookupHelper_java_sourceCodeID

Constructor Summary

Constructor                Description
UserLookupHelper()         Create a lookup helper.
Method Summary

All Methods | Instance Methods | Concrete Methods

User createUser(java.lang.String username, java.lang.String dn, java.lang.String password, boolean bypassPasswordPolicy, java.lang.String firstName, java.lang.String lastName, boolean accountValid, boolean passwordValid)
    Create a user in the registry.
boolean deleteUser(java.lang.String username, boolean removeNativeUser)
    Remove a user.
User getUser(java.lang.String username)
    Retrieve a user from the registry.
User getUserByNativeId(java.lang.String nativeId)
    Retrieve a user from the registry using their native Id.
User getUserWithDomain(java.lang.String username, java.lang.String domain)
    Retrieve a user from the registry.
void init()
    Using this initializer will use the configuration of this appliance's Verify Access RTE.
void init(boolean useAuthService)
    Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
void init(boolean useAuthService, java.util.Properties overrideProperties)
    Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
void init(LdapServerConnection connection, java.lang.String mgmtDomain)
    Initialize this lookup with a server connection.
void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain)
    Initialize this lookup util with a server connection.
void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain, boolean loginFailuresPersistent)
    Initialize this lookup util with a server connection.
void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain, boolean loginFailuresPersistent, java.util.Properties overrideProperties)
    Initialize this lookup util with a server connection.
void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String mgmtDomain, int connectionTimeout)
    Basic initialize.
void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String mgmtDomain, int connectionTimeout)
    Basic initialize with TLS.
void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout)
    Full initialize with options for client cert authentication and custom search filter.
void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent)
void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent, java.util.Properties overrideProperties)
void init(java.util.Properties overrideProperties)
    Using this initializer will use the configuration of this appliance's Verify Access RTE.
boolean isReady()
    Check if this helper is ready and has had init() called.
java.lang.String[] search(java.lang.String searchAttr, java.lang.String attrPattern, int maxReturned)
    Search users based on a given attribute pattern.
java.lang.String[] search(java.lang.String searchAttr, java.lang.String attrPattern, int maxReturned, int pageSize)
    Search users based on a given attribute pattern.
void shutdown()
    Close any connections held by this lookup helper.
Field Detail

UserLookupHelper_java_sourceCodeID
public static final java.lang.String UserLookupHelper_java_sourceCodeID
    See Also: Constant Field Values

UserLookupHelper_java_copyright
public static final java.lang.String UserLookupHelper_java_copyright
Method Detail

isReady
public boolean isReady()
    Check if this helper is ready and has had init() called.

init
public void init()
    Using this initializer will use the configuration of this appliance's Verify Access RTE. The values in ldap.conf will be used. This call is equivalent to calling init(false, null).

init
public void init(java.util.Properties overrideProperties)
    Using this initializer will use the configuration of this appliance's Verify Access RTE. The values in ldap.conf will be used. This call is equivalent to calling init(false, properties).
    Parameters:
        overrideProperties - properties to pass down to rgy. Applied after the usual properties are loaded, meaning they override any configuration which the util attempts to populate. Ignored if null.

init
public void init(boolean useAuthService)
    Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
    Parameters:
        useAuthService - if true then the username password configuration will be used, if false then the call is the same as using

init
public void init(boolean useAuthService, java.util.Properties overrideProperties)
    Initialize a UserLookupHelper which will use either the configuration in the Verify Access RTE, or the configuration in the Username Password authentication mechanism.
    Parameters:
        useAuthService - if true then the username password configuration will be used, if false then the call is the same as using
        overrideProperties - properties to pass down to rgy. Applied after the usual properties are loaded, meaning they override any configuration which the util attempts to populate. Ignored if null. If provided, the UserLookupHelper will cache the configuration based on the supplied properties.
init
public void init(LdapServerConnection connection, java.lang.String mgmtDomain)
    Initialize this lookup with a server connection. Only uses the first host in the connection. loginFailuresPersistent will default to false.
    Parameters:
        connection - the server connection to use
        mgmtDomain - secure domain to use

init
public void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain)
    Initialize this lookup util with a server connection. Only uses the first host in the connection. loginFailuresPersistent will default to false.
    Parameters:
        connection - the server connection to use.
        searchFilter - custom search filter to use.
        mgmtDomain - secure domain to use

init
public void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain, boolean loginFailuresPersistent)
    Initialize this lookup util with a server connection. Only uses the first host in the connection.
    Parameters:
        connection - the server connection to use.
        searchFilter - custom search filter to use.
        mgmtDomain - secure domain to use
        loginFailuresPersistent - whether failures to login will be persisted.

init
public void init(LdapServerConnection connection, java.lang.String searchFilter, java.lang.String mgmtDomain, boolean loginFailuresPersistent, java.util.Properties overrideProperties)
    Initialize this lookup util with a server connection. Only uses the first host in the connection.
    Parameters:
        connection - the server connection to use.
        searchFilter - custom search filter to use.
        mgmtDomain - secure domain to use
        loginFailuresPersistent - whether failures to login will be persisted.
        overrideProperties - properties to pass down to rgy. Applied after the usual properties are loaded, meaning they override any configuration which the util attempts to populate. Ignored if null.
init
public void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String mgmtDomain, int connectionTimeout)
    Basic initialize. Uses the default search filter. Login failures will not be persisted.
    Parameters:
        hostname - host to connect to.
        port - port to connect to.
        bindDn - user to bind as.
        bindDnPwd - password used to bind.
        mgmtDomain - Verify Access domain to use.
        connectionTimeout - time in seconds that an inactive connection should be held

init
public void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String mgmtDomain, int connectionTimeout)
    Basic initialize with TLS. Uses the default search filter. Login failures will not be persisted.
    Parameters:
        hostname - host to connect to
        port - port to connect to
        bindDn - user to bind as
        bindDnPwd - password used to bind
        keystore - keystore to be used as the SSL trust store
        mgmtDomain - Verify Access domain to use.
        connectionTimeout - time in seconds that an inactive connection should be held

init
public void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout)
    Full initialize with options for client cert authentication and custom search filter. Login failures will not be persisted. It is OK to pass null for keystore and clientCertLabel.
    Parameters:
        hostname - host to connect to
        port - port to connect to
        bindDn - user to bind as
        bindDnPwd - password used to bind
        keystore - keystore to be used as the SSL trust store
        clientCertLabel - certificate to use for client cert auth. Sourced from the specified keystore
        searchFilter - search filter to use for user lookups
        mgmtDomain - Verify Access domain to use.
        connectionTimeout - time in seconds that an inactive connection should be held
        loginFailuresPersistent - should login failures be persisted

init
public void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent)

init
public void init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent, java.util.Properties overrideProperties)
shutdown
public void shutdown()
    Close any connections held by this lookup helper. Will remove the helper from the cache. Does not need to be called per request.

getUser
public User getUser(java.lang.String username)
    Retrieve a user from the registry.
    Parameters:
        username - username of the user to retrieve
    Returns:
        the user found, or null if the user was not found or an error occurred

getUserWithDomain
public User getUserWithDomain(java.lang.String username, java.lang.String domain)
    Retrieve a user from the registry.
    Parameters:
        username - username of the user to retrieve
        domain - domain to retrieve from
    Returns:
        the user found, or null if the user was not found or an error occurred

getUserByNativeId
public User getUserByNativeId(java.lang.String nativeId)
    Retrieve a user from the registry using their native Id.
    Parameters:
        nativeId - native id of the user to retrieve
    Returns:
        the user found, or null if the user was not found or an error occurred
createUser
public User createUser(java.lang.String username, java.lang.String dn, java.lang.String password, boolean bypassPasswordPolicy, java.lang.String firstName, java.lang.String lastName, boolean accountValid, boolean passwordValid)
    Create a user in the registry. Only supported when using a Verify Access user registry.
    Parameters:
        username - userid for the user to create.
        dn - the registry id for the user to create.
        password - the password for the user.
        bypassPasswordPolicy - if password policy should be enforced when creating this user.
        accountValid - is this account valid.
        passwordValid - is the password valid.
    Returns:
        the created user object

deleteUser
public boolean deleteUser(java.lang.String username, boolean removeNativeUser)
    Remove a user.
    Parameters:
        username - username of the user to remove
        removeNativeUser - if the user should be removed from the directory instead of just the secure domain.
    Returns:
        true if the user was removed, false if the user was not removed.

search
public java.lang.String[] search(java.lang.String searchAttr, java.lang.String attrPattern, int maxReturned)
    Search users based on a given attribute pattern. Returns an array of native ids which match the provided attribute pattern.
    Parameters:
        searchAttr - the attribute to search on
        attrPattern - the pattern the provided attribute must match. Wildcards ('*') are allowed.
        maxReturned - limit on search results

search
public java.lang.String[] search(java.lang.String searchAttr, java.lang.String attrPattern, int maxReturned, int pageSize)
    Search users based on a given attribute pattern. Returns an array of native ids which match the provided attribute pattern.
    Parameters:
        searchAttr - the attribute to search on
        attrPattern - the pattern the provided attribute must match. Wildcards ('*') are allowed.
        maxReturned - limit on search results
        pageSize - indicates to the registry the page size to be used. Ignored if the value passed in is not a positive integer.
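A paged search against a single attribute, as an added example that is not part of the IBM Javadoc or the product code. The page documents only '*' as an accepted wildcard in attrPattern and says nothing about how other characters are treated, so this example restricts a caller-supplied pattern to a small character set before it reaches search(); the attribute name "mail", the character whitelist, the result limits and the sample pattern "*@example.com" are this example's own choices, and the RTE configuration is assumed to be in place for init().

```java
// Added example: validate the pattern, run a paged search, normalise the result.
import java.util.regex.Pattern;
import com.ibm.security.access.user.UserLookupHelper;

public class SearchExample {
    // Letters, digits, '.', '-', '_', '@' and the documented '*' wildcard only;
    // LDAP filter metacharacters such as '(' ')' '\' are not admitted because the
    // Javadoc does not state that search() escapes them.
    private static final Pattern SAFE_PATTERN = Pattern.compile("[A-Za-z0-9._@*-]{1,64}");
    private static final int MAX_RESULTS = 50;   // maxReturned
    private static final int PAGE_SIZE = 25;     // pageSize; ignored by the registry if <= 0

    /**
     * Returns the native ids whose "mail" attribute matches the pattern.
     * Returns an empty array (never null) when the pattern is rejected, the
     * helper is not initialised, or the registry returns nothing.
     */
    public static String[] findByMail(UserLookupHelper helper, String pattern) {
        if (pattern == null || !SAFE_PATTERN.matcher(pattern).matches()) {
            return new String[0];
        }
        if (!helper.isReady()) {
            return new String[0];
        }
        String[] ids = helper.search("mail", pattern, MAX_RESULTS, PAGE_SIZE);
        return ids == null ? new String[0] : ids;
    }

    public static void main(String[] args) {
        UserLookupHelper helper = new UserLookupHelper();
        try {
            helper.init();                            // RTE ldap.conf configuration
            for (String id : findByMail(helper, "*@example.com")) {
                System.out.println(id);
            }
        } finally {
            helper.shutdown();                        // release connections, leave the cache
        }
    }
}
```

Keeping maxReturned small and supplying a positive pageSize bounds the work a single call can push to the directory; rejecting rather than escaping unexpected characters keeps the pattern within what the page documents as supported.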