javax.security.identitystore.annotation

Annotation Type LdapIdentityStoreDefinition

@Retention(value=RUNTIME)
 @Target(value=TYPE)
public @interface LdapIdentityStoreDefinition

Annotation used to define a container provided IdentityStore that stores caller credentials and identity attributes (together caller identities) in an LDAP store, and make that implementation available as an enabled CDI bean.

Author:

Arjan Tijms, Rudy De Busscher

Optional Element Summary

Optional Elements

Modifier and Type	Optional Element and Description
String	baseDn Base of the distinguished name for the application user that will be used to make the initial connection to the LDAP.
String	callerBaseDn Base of the distinguished name that contains the caller name.
String	callerNameAttribute Name of the attribute that contains the caller name in the node just below the one identified by callerBaseDn().
String	groupBaseDn Base of the distinguished name that contains the groups E.g.
String	groupCallerDnAttribute DN attribute for the group DN that identifies the callers that are in that group.
String	groupNameAttribute Name of the attribute that contains the group name in the node just below the one identified by groupBaseDn().
String	password Password for the application user defined by the baseDn member.
int	priority Determines the order in case multiple IdentityStores are found.
String	searchBase Search base for finding the user.
String	searchExpression Search expression to find Only used when the member baseDN is filled in.
String	url URL where the LDAP server can be reached.
IdentityStore.ValidationType[]	useFor Determines what the identity store is used for

Element Detail

url

public abstract String url

URL where the LDAP server can be reached. E.g. ldap://localhost:33389"

Returns:

URL where the LDAP server can be reached

Default:

""

callerBaseDn

public abstract String callerBaseDn

Base of the distinguished name that contains the caller name. E.g. ou=caller,dc=jsr375,dc=net When this member value is specified, direct binding is attempted, see also baseDn

Returns:

Base of the distinguished name that contains the caller name

Default:

""

callerNameAttribute

public abstract String callerNameAttribute

Name of the attribute that contains the caller name in the node just below the one identified by callerBaseDn(). E.g. uid

Example for the relationship with callerBaseDn() and the name of the caller that needs to be authenticated:
Given the DN uid=peter,ou=caller,dc=jsr375,dc=net,

• callerNameAttribute() corresponds to uid
• callerBaseDn() corresponds to ou=caller,dc=jsr375,dc=net
• peter is the caller name that needs to be authenticated

The following gives an example in ldif format:

 
 dn: uid=peter,ou=caller,dc=jsr375,dc=net
 objectclass: top
 objectclass: uidObject
 objectclass: person
 uid: peter
 cn: Peter Smith
 sn: Peter
 userPassword: secret1
 
 

Returns:

Name of the attribute that contains the caller name

Default:

"uid"

groupBaseDn

public abstract String groupBaseDn

Base of the distinguished name that contains the groups E.g. ou=group,dc=jsr375,dc=net

Returns:

Base of the distinguished name that contains the groups

Default:

""

groupNameAttribute

public abstract String groupNameAttribute

Name of the attribute that contains the group name in the node just below the one identified by groupBaseDn(). E.g. cn

Example for the relationship with groupBaseDn() and the role name
Given the DN cn=foo,ou=group,dc=jsr375,dc=net,

• groupNameAttribute() corresponds to cn
• groupBaseDn() corresponds to ou=group,dc=jsr375,dc=net
• foo is the group name that will be returned by the store when authentication succeeds

Returns:

Name of the attribute that contains the group name

Default:

"cn"

groupCallerDnAttribute

public abstract String groupCallerDnAttribute

DN attribute for the group DN that identifies the callers that are in that group. E.g. member

The value of this attribute has to the full DN of the caller. The following gives an example entry in ldif format:

 
 dn: cn=foo,ou=group,dc=jsr375,dc=net
 objectclass: top
 objectclass: groupOfNames
 cn: foo
 member: uid=pete,ou=caller,dc=jsr375,dc=net
 member: uid=john,ou=caller,dc=jsr375,dc=net
 
 

Returns:

DN attribute for the group DN

Default:

"member"

baseDn

public abstract String baseDn

Base of the distinguished name for the application user that will be used to make the initial connection to the LDAP. This account needs search persons in the LDAP to find the actual DN of the user who we need to authenticate. When this member is filled in, the value in callerBaseDn is ignored.

E.g. uid=ldap,ou=apps,dc=jsr375,dc=net

Returns:

The distinguished name for the application user.

Default:

""

password

public abstract String password

Password for the application user defined by the baseDn member. Only used when the member baseDN is filled in.

Returns:

password for the application user.

Default:

""

searchBase

public abstract String searchBase

Search base for finding the user. Only used when the member baseDN is filled in.

Returns:

base for searching the LDAP tree for the user.

Default:

""

searchExpression

public abstract String searchExpression

Search expression to find Only used when the member baseDN is filled in.

Returns:

Search expression to find the user.

Default:

""

priority

public abstract int priority

Determines the order in case multiple IdentityStores are found.

Returns:

the priority.

Default:

80

useFor

public abstract IdentityStore.ValidationType[] useFor

Determines what the identity store is used for

Returns:

the type the identity store is used for

Default:

{javax.security.identitystore.IdentityStore.ValidationType.VALIDATE, javax.security.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS}