2.2 Authentication Services

2.2.1 Introduction

The Authenticator enables application level authentication by prompting for user credentials when an authentication request is issued. Authentication is achieved via the Java class com.novell.java.security.Authenticator. The Authenticator uses the underlying requester to perform the actual authentication. The SessionManager and therefore the JNDI providers use the Authenticator for all authentication processes including login and logout. The Authentication service also provides the ability to create and change user passwords.

To take advantage of Network Attached Storage (NAS) login capability, call the setUseNAS method.

Seven samples that demonstrate how to use the Authenticator can be found under Authenticator Samples in Sample Code and Demos. They demonstrate how to perform a login and a logout, how to create, modify, and verify tokens, and how to get all authenticated identities.

The Authenticator is mechanism and storage independent. It is responsible for managing the authentication process for identities within a JVM. The Authenticator is designed to avoid two common types of application dependencies: authentication mechanism dependence and authentication secrets storage dependency. These design choices were made for two reasons:

  • To allow administrators, rather than programmers, to make policy decisions regarding authentication mechanisms.
  • To insulate application developers from having to manage long-term secret storage.

By encapsulating the authentication protocols and long-term secret storage within the Authenticator, applications are not built with such dependencies. This provides administrators with the flexibility to decide the type of authentication mechanism employed in the organization, and it enables an organization to design and deploy schemes that can be verified at a particular security level.

For example, suppose a corporation decides on a security policy that uses smart-cards for all authentication within the corporation. After deployment of the smart-card systems an enterprise e-mail system is purchased that employs a password authentication mechanism. To integrate and deploy the e-mail application, the corporation has four choices:

  • Issue common credentials for every employee for the e-mail application, thereby circumventing the non-repudiation achieved with the smart-cards.
  • Issue unique credentials for every employee for the e-mail application, which increases the work for both the administrators and the users.
  • Convince the vendor to support the corporation’s smart-cards and wait for the upgrade.
  • Choose another e-mail system that supports the corporate security policy.

Essentially, the customer either suffers with a less than satisfactory application, or the application distributor loses a customer to one of its competitors.

Since the Authenticator is mechanism and storage independent, applications that use this API do not suffer from these problems.

NOTE: The APIs required for the construction of authentication protocols and long-term authentication secrets are not part of the public release at this time; they will be made public in a future version.

2.2.2 Authentication Components

The important components (interfaces and classes) of Authentication are:

  • Authenticator class manages the authentication process for identities within a JVM. The Authenticator achieves application authentication by prompting for user credentials when an authentication request is issued.
  • Identity class represents identities, which are real-world objects, such as people, companies, and organizations whose identities can be authenticated using their public keys, or more abstract (or concrete) constructs such as software services.
  • Principal interface represents a principal, which can be an individual, a company, a program thread, or anything that can have an identity.
  • PublicKey interface serves to group and provide type safety for all public key interfaces. All specialized public key interfaces extend this PublicKey interface.
  • Key interface is the top level interface for all keys. It defines the functionality shared by all key objects.
  • IdentityScope class represents a scope for identities. It is an identity itself, and therefore has a name, can have a scope, and can optionally have a public key and associated certificates.
  • Password class creates and holds passwords.
  • PasswordIdentity interface identifies an object that can have a password set without using the authentication GUI. It is intended that an object implementing this interface also extends the Identity class.
  • PasswordIdentityFactory interface identifies an object that can create PasswordIdentity objects.
  • BinderyIdentity class represents an authenticatable entity in a bindery system (a user, an administrator, and so forth). Every BinderyIdentity is associated with a server identity scope, which is then associated with the bindery administrative domain scope.
  • BinderyIdentityScope class represents an authenticatable container in a bindery system, such as a server.
  • BinderyPasswordIdentity class represents a bindery identity with a password.
  • NdsIdentity class represents an authenticatable entity in NDS, such as a user, an administrator, and so forth. Every NdsIdentity is associated with an identity scope, which is typically an NDS context.
  • NdsIdentityScope class represents an authenticatable container in NDS such as a context or a tree.
  • NdsPasswordIdentity class represents an NDS identity with a password.
  • XplatIdentity class represents an authenticatable entity in Xplat such as a user, an administrator, and so forth.
  • XplatIdentityScope class represents an authenticatable container in an Xplat system, such as a server.

2.2.3 Important Authentication Methods

All methods of the Authenticator use an Identity class, which can represent any authenticatable object including user objects. A concrete subclass of Identity, which represents the entity being authenticated, should be constructed and passed to the Authenticator. For example, NdsIdentity may be used to specify an authenticatable NDS user. The Login sample shows NdsIdentity being instantiated and later passed to the Authenticator.login() method.

The IdentityScope object is an Identity that can contain many Identities. IdentityScopes are used to hierarchically associate related Identities. For example, NdsIdentityScope is used to specify each NDS context for a user object.
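The login flow described above, as an added example that is not one of the NJCL samples and not the project's own code. It assumes that Authenticator.login and Authenticator.logout are static methods taking an Identity (the page names login() but not its signature), and that NdsIdentityScope and NdsIdentity have the constructors shown; the tree, context, and user names are constructed sample values.

```java
// Added example: an application logs in an NDS user through the Authenticator.
// The application never sees the credential; the Authenticator prompts for it
// using whatever mechanism the administrator has configured.
import com.novell.java.security.Authenticator;
import com.novell.java.security.Identity;
import com.novell.service.security.NdsIdentity;
import com.novell.service.security.NdsIdentityScope;

public class AuthenticatorLoginExample {

    /**
     * Builds the Identity for user 'userName' in NDS context 'context' of
     * tree 'tree'. The tree is the outer scope and the context is the scope
     * that directly contains the user object (see 2.2.3).
     * Constructor shapes NdsIdentityScope(String) and
     * NdsIdentityScope(String, NdsIdentityScope) are assumptions.
     */
    static NdsIdentity userIdentity(String tree, String context, String userName)
            throws Exception {
        NdsIdentityScope treeScope = new NdsIdentityScope(tree);
        NdsIdentityScope contextScope = new NdsIdentityScope(context, treeScope);
        // Assumed constructor: NdsIdentity(String name, IdentityScope scope)
        return new NdsIdentity(userName, contextScope);
    }

    /**
     * Authenticates 'user', runs 'work' as that identity, and always logs the
     * identity out again so no authenticated session outlives the task.
     */
    static void runAuthenticated(Identity user, Runnable work) throws Exception {
        Authenticator.login(user);      // assumed static; prompts via the configured mechanism
        try {
            work.run();
        } finally {
            Authenticator.logout(user); // assumed static; releases the authenticated identity
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real tree or user names.
        Identity user = userIdentity("ACME_TREE", "Engineering.ACME", "jdoe");
        runAuthenticated(user, () -> System.out.println("Running as " + user.getName()));
    }
}
```

The point to notice is what the application does not contain: no password field, no credential prompt, and no storage of a long-term secret. That is the mechanism and storage independence described in 2.2.1. The PasswordIdentity path (2.2.2) exists for cases where a password must be supplied without the authentication GUI; an application that takes that path holds the secret itself and gives up that independence for the identities it constructs that way.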

Listed below are some important Authentication methods to be aware of. For a complete list of available methods, see the two security packages in the API Reference documentation: the com.novell.java.security package and the com.novell.service.security package.

2.2.4 Relationship of Authentication Classes and Interfaces

The relationship between the Authenticator interfaces and classes is illustrated in the diagram below, followed by a brief description of the relationship each interface and class has with other interfaces and classes.

Figure 2-1 Authentication Interfaces and Classes

In this diagram of interfaces and classes, a solid blue line ending with a hollow arrow represents an implementation of an interface. A solid red line ending with a solid arrow represents an extension of a class. The dotted black lines ending with a small solid arrow indicate other relationships between the interfaces and classes. Links are provided to the Reference Guide documentation for each of these important authentication interfaces and classes.

  • Authenticator class manages the authentication process for identities, providing methods for logging in and out; creating, verifying and modifying tokens; and getting currently authenticated identities within a given scope. It obtains the scope from the Identity class.
  • Identity class implements the Principal interface, and is extended by the IdentityScope, LdapIdentity, and XplatIdentity classes. It also represents the entity that is authenticated by the Authenticator class.
  • Principal interface is extended by the Identity class.
  • PublicKey interface extends the Key interface, and is used by several methods in the Identity class.
  • Key interface is extended by the PublicKey interface.
  • IdentityScope is an implementation class that extends the Identity class and provides the scope for the identity, and it is extended by the XplatIdentityScope class.
  • XplatIdentityScope is an implementation class that extends the IdentityScope class, and is extended by the BinderyIdentityScope and NdsIdentityScope classes.
  • BinderyIdentityScope is an implementation class that extends the XplatIdentityScope class.
  • NdsIdentityScope is an implementation class that extends the XplatIdentityScope class.
  • Password class constructs and holds passwords, and provides these passwords to the PasswordIdentity interface.
  • PasswordIdentity interface identifies an object that can have a password set without using the authentication GUI. An object implementing this interface should also extend the Identity class.
  • PasswordIdentityFactory interface is implemented by the NdsIdentity, BinderyIdentity and LdapIdentity classes. It identifies an object that can create PasswordIdentity objects, and it provides a method for instantiating a PasswordIdentity class.
  • BinderyIdentity class extends the XplatIdentity class and implements the PasswordIdentityFactory interface. It is also extended by the BinderyPasswordIdentity class.
  • BinderyPasswordIdentity class extends the BinderyIdentity class and implements the PasswordIdentity interface.
  • NdsIdentity class extends the XplatIdentity class and implements the PasswordIdentityFactory interface. It is also extended by the NdsPasswordIdentity class.
  • NdsPasswordIdentity class extends the NdsIdentity class and implements the PasswordIdentity interface.
  • XplatIdentity class extends the Identity class, and is extended by the BinderyIdentity and NdsIdentity classes.