001/* 002 * CDDL HEADER START 003 * 004 * The contents of this file are subject to the terms of the 005 * Common Development and Distribution License, Version 1.0 only 006 * (the "License"). You may not use this file except in compliance 007 * with the License. 008 * 009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt 010 * or http://forgerock.org/license/CDDLv1.0.html. 011 * See the License for the specific language governing permissions 012 * and limitations under the License. 013 * 014 * When distributing Covered Code, include this CDDL HEADER in each 015 * file and include the License file at legal-notices/CDDLv1_0.txt. 016 * If applicable, add the following below this CDDL HEADER, with the 017 * fields enclosed by brackets "[]" replaced with your own identifying 018 * information: 019 * Portions Copyright [yyyy] [name of copyright owner] 020 * 021 * CDDL HEADER END 022 * 023 * 024 * Copyright 2010 Sun Microsystems, Inc. 025 * Portions Copyright 2012-2014 ForgeRock AS. 026 */ 027 028package org.forgerock.opendj.ldap.requests; 029 030import java.util.List; 031 032import org.forgerock.i18n.LocalizedIllegalArgumentException; 033import org.forgerock.opendj.ldap.DecodeException; 034import org.forgerock.opendj.ldap.DecodeOptions; 035import org.forgerock.opendj.ldap.LdapException; 036import org.forgerock.opendj.ldap.controls.Control; 037import org.forgerock.opendj.ldap.controls.ControlDecoder; 038 039/** 040 * The External SASL bind request as defined in RFC 4422. This SASL mechanism 041 * allows a client to request the server to use credentials established by means 042 * external to the mechanism to authenticate the client. The external means may 043 * be, for instance, SSL or TLS. 044 * <p> 045 * A client may either request that its authorization identity be automatically 046 * derived from its authentication credentials exchanged at a lower security 047 * layer, or it may explicitly provide a desired authorization identity. 048 * <p> 049 * The optional authorization identity is specified using an authorization ID, 050 * or {@code authzId}, as defined in RFC 4513 section 5.2.1.8. 051 * 052 * @see <a href="http://tools.ietf.org/html/rfc4422">RFC 4422 - Simple 053 * Authentication and Security Layer (SASL) </a> 054 * @see <a href="http://tools.ietf.org/html/rfc4513#section-5.2.1.8">RFC 4513 - 055 * SASL Authorization Identities (authzId) </a> 056 */ 057public interface ExternalSASLBindRequest extends SASLBindRequest { 058 059 /** 060 * The name of the SASL mechanism based on external authentication. 061 */ 062 String SASL_MECHANISM_NAME = "EXTERNAL"; 063 064 @Override 065 ExternalSASLBindRequest addControl(Control control); 066 067 @Override 068 BindClient createBindClient(String serverName) throws LdapException; 069 070 /** 071 * Returns the authentication mechanism identifier for this SASL bind 072 * request as defined by the LDAP protocol, which is always {@code 0xA3}. 073 * 074 * @return The authentication mechanism identifier. 075 */ 076 @Override 077 byte getAuthenticationType(); 078 079 /** 080 * Returns the optional desired authorization ID of the user, or 081 * {@code null} if the authorization ID should derived from authentication 082 * credentials exchanged at a lower security layer. The authorization ID 083 * usually has the form "dn:" immediately followed by the distinguished name 084 * of the user, or "u:" followed by a user ID string, but other forms are 085 * permitted. 086 * 087 * @return The desired authorization ID of the user, which may be 088 * {@code null} . 089 */ 090 String getAuthorizationID(); 091 092 @Override 093 <C extends Control> C getControl(ControlDecoder<C> decoder, DecodeOptions options) 094 throws DecodeException; 095 096 @Override 097 List<Control> getControls(); 098 099 /** 100 * Returns the name of the Directory object that the client wishes to bind 101 * as, which is always the empty string for SASL authentication. 102 * 103 * @return The name of the Directory object that the client wishes to bind 104 * as. 105 */ 106 @Override 107 String getName(); 108 109 @Override 110 String getSASLMechanism(); 111 112 /** 113 * Sets the optional desired authorization ID of the user, or {@code null} 114 * if the authorization ID should derived from authentication credentials 115 * exchanged at a lower security layer. The authorization ID usually has the 116 * form "dn:" immediately followed by the distinguished name of the user, or 117 * "u:" followed by a user ID string, but other forms are permitted. 118 * 119 * @param authorizationID 120 * The desired authorization ID of the user, which may be 121 * {@code null}. 122 * @return This bind request. 123 * @throws UnsupportedOperationException 124 * If this external SASL request does not permit the 125 * authorization ID to be set. 126 * @throws LocalizedIllegalArgumentException 127 * If {@code authorizationID} was non-empty and did not contain 128 * a valid authorization ID type. 129 */ 130 ExternalSASLBindRequest setAuthorizationID(String authorizationID); 131}