Class InMemoryPasswordEncoder

    • Constructor Detail

      • InMemoryPasswordEncoder

        protected InMemoryPasswordEncoder​(java.lang.String prefix,
                                          PasswordEncoderOutputFormatter outputFormatter)
        Creates a new instance of this in-memory directory server password encoder with the provided information.
        Parameters:
        prefix - The string that will appear at the beginning of encoded passwords. It must not be null or empty.
        outputFormatter - The output formatter that will be used to format the encoded representation of clear-text passwords. It may be null if no special formatting should be applied to the raw bytes.
    • Method Detail

      • getPrefix

        public final java.lang.String getPrefix()
        Retrieves the string that will appear at the beginning of encoded passwords.
        Returns:
        The string that will appear at the beginning of encoded passwords.
      • getOutputFormatter

        public final PasswordEncoderOutputFormatter getOutputFormatter()
        Retrieves the output formatter that will be used when generating the encoded representation of a password.
        Returns:
        The output formatter that will be used when generating the encoded representation of a password, or nulL if no output formatting will be applied.
      • encodePassword

        public final ASN1OctetString encodePassword​(ASN1OctetString clearPassword,
                                                    ReadOnlyEntry userEntry,
                                                    java.util.List<Modification> modifications)
                                             throws LDAPException
        Encodes the provided clear-text password for storage in the in-memory directory server. The encoded password that is returned will include the prefix, and any appropriate output formatting will have been applied.

        This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations.
        Parameters:
        clearPassword - The clear-text password to be encoded. It must not be null or empty, and it must not be pre-encoded.
        userEntry - The entry in which the encoded password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
        modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
        Returns:
        The encoded representation of the provided clear-text password. It will include the prefix, and any appropriate output formatting will have been applied.
        Throws:
        LDAPException - If a problem is encountered while trying to encode the provided clear-text password.
      • encodePassword

        protected abstract byte[] encodePassword​(byte[] clearPassword,
                                                 ReadOnlyEntry userEntry,
                                                 java.util.List<Modification> modifications)
                                          throws LDAPException
        Encodes the provided clear-text password for storage in the in-memory directory server. The encoded password that is returned must not include the prefix, and no output formatting should have been applied.

        This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations.
        Parameters:
        clearPassword - The bytes that comprise the clear-text password to be encoded. It must not be null or empty.
        userEntry - The entry in which the encoded password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
        modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
        Returns:
        The bytes that comprise encoded representation of the provided clear-text password, without the prefix, and without any output formatting applied.
        Throws:
        LDAPException - If a problem is encountered while trying to encode the provided clear-text password.
      • ensurePreEncodedPasswordAppearsValid

        public final void ensurePreEncodedPasswordAppearsValid​(ASN1OctetString prefixedFormattedEncodedPassword,
                                                               ReadOnlyEntry userEntry,
                                                               java.util.List<Modification> modifications)
                                                        throws LDAPException
        Verifies that the provided pre-encoded password (including the prefix, and with any appropriate output formatting applied) is compatible with the validation performed by this password encoder.

        This method will be invoked when adding data into the server, including through LDAP add operations or LDIF imports, and when modifying existing entries through LDAP modify operations. Any password included in any of these entries that starts with a prefix registered with the in-memory directory server will be validated with the encoder that corresponds to that password's prefix.
        Parameters:
        prefixedFormattedEncodedPassword - The pre-encoded password to validate. It must not be null, and it should include the prefix and any applicable output formatting.
        userEntry - The entry in which the password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
        modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
        Throws:
        LDAPException - If the provided encoded password is not compatible with the validation performed by this password encoder, or if a problem is encountered while making the determination.
      • ensurePreEncodedPasswordAppearsValid

        protected abstract void ensurePreEncodedPasswordAppearsValid​(byte[] unPrefixedUnFormattedEncodedPasswordBytes,
                                                                     ReadOnlyEntry userEntry,
                                                                     java.util.List<Modification> modifications)
                                                              throws LDAPException
        Verifies that the provided pre-encoded password (with the prefix removed and any output formatting reverted) is compatible with the validation performed by this password encoder.

        Note that this method should return true if the provided unPrefixedUnFormattedEncodedPasswordBytes value could be used in conjunction with the passwordMatches(byte[], byte[], com.unboundid.ldap.sdk.ReadOnlyEntry) method, even if it does not exactly match the format of the output that would have been generated by the encodePassword(com.unboundid.asn1.ASN1OctetString, com.unboundid.ldap.sdk.ReadOnlyEntry, java.util.List<com.unboundid.ldap.sdk.Modification>) method. For example, if this password encoder uses a salt, then it may be desirable to accept passwords encoded with a salt that has a different length than the encodePassword method would use when encoding a clear-test password. This may allow the in-memory directory server to support pre-encoded passwords generated from other types of directory servers that may use different settings when encoding passwords, but still generates encoded passwords that are compatible with this password encoder.
        Parameters:
        unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the pre-encoded password to validate, with the prefix stripped off and the output formatting reverted.
        userEntry - The entry in which the password will appear. It must not be null. If the entry is in the process of being modified, then this will be a representation of the entry as it appeared before any changes have been applied.
        modifications - A set of modifications to be applied to the user entry. It must not be [@code null}. It will be an empty list for entries created via LDAP add and LDIF import operations. It will be a non-empty list for LDAP modifications.
        Throws:
        LDAPException - If the provided encoded password is not compatible with the validation performed by this password encoder, or if a problem is encountered while making the determination.
      • clearPasswordMatchesEncodedPassword

        public final boolean clearPasswordMatchesEncodedPassword​(ASN1OctetString clearPassword,
                                                                 ASN1OctetString prefixedFormattedEncodedPassword,
                                                                 ReadOnlyEntry userEntry)
                                                          throws LDAPException
        Indicates whether the provided clear-text password could have been used to generate the given encoded password. This method will be invoked when verifying a provided clear-text password during bind processing, or when removing an existing password in a modify operation.
        Parameters:
        clearPassword - The clear-text password to be compared against the encoded password. It must not be null or empty.
        prefixedFormattedEncodedPassword - The encoded password to compare against the clear-text password. It must not be null, it must include the prefix, and any appropriate output formatting must have been applied.
        userEntry - The entry in which the encoded password appears. It must not be null.
        Returns:
        true if the provided clear-text password could be used to generate the given encoded password, or false if not.
        Throws:
        LDAPException - If a problem is encountered while making the determination.
      • passwordMatches

        protected abstract boolean passwordMatches​(byte[] clearPasswordBytes,
                                                   byte[] unPrefixedUnFormattedEncodedPasswordBytes,
                                                   ReadOnlyEntry userEntry)
                                            throws LDAPException
        Indicates whether the provided clear-text password could have been used to generate the given encoded password. This method will be invoked when verifying a provided clear-text password during bind processing, or when removing an existing password in a modify operation.
        Parameters:
        clearPasswordBytes - The bytes that comprise the clear-text password to be compared against the encoded password. It must not be null or empty.
        unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the encoded password, with the prefix stripped off and the output formatting reverted.
        userEntry - The entry in which the encoded password appears. It must not be null.
        Returns:
        true if the provided clear-text password could have been used to generate the given encoded password, or false if not.
        Throws:
        LDAPException - If a problem is encountered while attempting to make the determination.
      • extractClearPasswordFromEncodedPassword

        public final ASN1OctetString extractClearPasswordFromEncodedPassword​(ASN1OctetString prefixedFormattedEncodedPassword,
                                                                             ReadOnlyEntry userEntry)
                                                                      throws LDAPException
        Attempts to extract the clear-text password used to generate the provided encoded representation, if possible. Many password encoder implementations may use one-way encoding mechanisms, so it will often not be possible to obtain the original clear-text password from its encoded representation.
        Parameters:
        prefixedFormattedEncodedPassword - The encoded password from which to extract the clear-text password. It must not be null, it must include the prefix, and any appropriate output formatting must have been applied.
        userEntry - The entry in which the encoded password appears. It must not be null.
        Returns:
        The clear-text password used to generate the provided encoded representation.
        Throws:
        LDAPException - If this password encoder is not reversible, or if a problem occurs while trying to extract the clear-text representation from the provided encoded password.
      • extractClearPassword

        protected abstract byte[] extractClearPassword​(byte[] unPrefixedUnFormattedEncodedPasswordBytes,
                                                       ReadOnlyEntry userEntry)
                                                throws LDAPException
        Attempts to extract the clear-text password used to generate the provided encoded representation, if possible. Many password encoder implementations may use one-way encoding mechanisms, so it will often not be possible to obtain the original clear-text password from its encoded representation.
        Parameters:
        unPrefixedUnFormattedEncodedPasswordBytes - The bytes that comprise the encoded password, with the prefix stripped off and the output formatting reverted.
        userEntry - The entry in which the encoded password appears. It must not be null.
        Returns:
        The clear-text password used to generate the provided encoded representation.
        Throws:
        LDAPException - If this password encoder is not reversible, or if a problem occurs while trying to extract the clear-text representation from the provided encoded password.
      • passwordStartsWithPrefix

        public final boolean passwordStartsWithPrefix​(ASN1OctetString password)
        Indicates whether the provided password starts with the encoded password prefix.
        Parameters:
        password - The password for which to make the determination.
        Returns:
        true if the provided password starts with the encoded password prefix, or false if not.
      • toString

        public final java.lang.String toString()
        Retrieves a string representation of this password encoder.
        Overrides:
        toString in class java.lang.Object
        Returns:
        A string representation of this password encoder.
      • toString

        public abstract void toString​(java.lang.StringBuilder buffer)
        Appends a string representation of this password encoder to the provided buffer.
        Parameters:
        buffer - The buffer to which the information should be appended.