Package com.sun.identity.authentication.modules.radius.client

Class RadiusConn

java.lang.Object

com.sun.identity.authentication.modules.radius.client.RadiusConn

public class RadiusConn
extends Object

This class implements RFC2865 - Remote Authentication Dial In User Service (RADIUS), June 2000.

Field Summary

Fields

Modifier and Type	Field	Description
static int	DEFAULT_TIMEOUT	The default timeout.

Constructor Summary

Constructors

Constructor	Description
RadiusConn(Set<RADIUSServer> primaries, String secret, byte[] seed, int healthCheckInterval)	Constructs a connection object with only a set of primary servers.
RadiusConn(Set<RADIUSServer> primaries, Set<RADIUSServer> secondaries, String secret, int timeout, byte[] seed, int healthCheckInterval)	Construct a connection object primary and secondary servers and seed for generating a SecureRandom.
RadiusConn(Set<RADIUSServer> primaries, Set<RADIUSServer> secondaries, String secret, int timeout, byte[] seed, int healthCheckInterval, boolean requireMessageAuthenticator)	Full-featured constructor that allows the caller to opt-in to the strict RFC 3579 / BlastRADIUS-mitigation profile.
RadiusConn(Set<RADIUSServer> primaries, Set<RADIUSServer> secondaries, String secret, int timeout, int healthCheckInterval)	Construct a connection object with a set of primary and seconary servers.

Method Summary

Modifier and Type	Method	Description
Packet	authenticate(String name, String password)	Authenticates the username and password against the remote servers.
void	disconnect()	Closes the underlying datagram socket, releasing the associated file descriptor and ephemeral UDP port back to the operating system.
Packet	replyChallenge(String name, String password, ChallengeException ce)	Sends an access-request to the server in response to a challenge request.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_TIMEOUT

public static final int DEFAULT_TIMEOUT

The default timeout.

See Also:

Constant Field Values

Constructor Detail

RadiusConn

public RadiusConn(Set<RADIUSServer> primaries,
                  Set<RADIUSServer> secondaries,
                  String secret,
                  int timeout,
                  int healthCheckInterval)
           throws SocketException

Construct a connection object with a set of primary and seconary servers.

Parameters:

primaries - the primary servers to connect to.

secondaries - the secondary servers to connect to.

secret - the secret shared between this client and the remote servers.

timeout - the timeout value.

healthCheckInterval - the health check interval.

Throws:

SocketException - thrown if unable to create a DatagramSocket.

RadiusConn

public RadiusConn(Set<RADIUSServer> primaries,
                  String secret,
                  byte[] seed,
                  int healthCheckInterval)
           throws SocketException

Constructs a connection object with only a set of primary servers.

Parameters:

primaries - the primary servers to connect to.

secret - the secret shared between this client and the remote servers.

seed - the seed value to be used to create a SecureRandom instance.

healthCheckInterval - the health check interval.

Throws:

SocketException - thrown if unable to create a DatagramSocket.

RadiusConn

public RadiusConn(Set<RADIUSServer> primaries,
                  Set<RADIUSServer> secondaries,
                  String secret,
                  int timeout,
                  byte[] seed,
                  int healthCheckInterval)
           throws SocketException

Construct a connection object primary and secondary servers and seed for generating a SecureRandom.

Parameters:

primaries - the primary servers to connect to.

secondaries - the secondary servers to connect to.

secret - the secret shared between this client and the remote servers.

timeout - the timeout value.

seed - the seed value to be used to create a SecureRandom instance.

healthCheckInterval - the health check interval.

Throws:

SocketException - if a socket exception occurs.

RadiusConn

public RadiusConn(Set<RADIUSServer> primaries,
                  Set<RADIUSServer> secondaries,
                  String secret,
                  int timeout,
                  byte[] seed,
                  int healthCheckInterval,
                  boolean requireMessageAuthenticator)
           throws SocketException

Full-featured constructor that allows the caller to opt-in to the strict RFC 3579 / BlastRADIUS-mitigation profile.

Parameters:

primaries - the primary servers to connect to.

secondaries - the secondary servers to connect to.

secret - the secret shared between this client and the remote servers.

timeout - the timeout value, in seconds.

seed - optional SecureRandom seed; null for default entropy.

healthCheckInterval - the health check interval, in minutes.

requireMessageAuthenticator - when true, every Access-Accept/Reject/Challenge received from the server MUST carry a verifiable Message-Authenticator (RFC 3579 attribute 80). This is the fully protected flow recommended by Cisco's BlastRADIUS guidance. When false, the client verifies MA only when the server happens to include it, remaining interoperable with legacy servers.

Throws:

SocketException - if a socket exception occurs.

Method Detail

disconnect

public void disconnect()
                throws IOException

Closes the underlying datagram socket, releasing the associated file descriptor and ephemeral UDP port back to the operating system.

Historically this method only invoked DatagramSocket.disconnect(), which merely removes the peer association but keeps the socket (and therefore its file descriptor and ephemeral port) allocated until the JVM finaliser eventually reclaims it. Because RADIUS.shutdown() discards its RadiusConn reference right after calling this method, that behaviour leaked one FD / one ephemeral port per authentication attempt under load. The method is now an idempotent close, which is what every caller in the tree actually wants.

Throws:

IOException - if an io exception occurs.

authenticate

public Packet authenticate(String name,
                           String password)
                    throws IOException,
                           NoSuchAlgorithmException,
                           RejectException,
                           ChallengeException

Authenticates the username and password against the remote servers.

Parameters:

name - the username.

password - the password.

Returns:

the response packet.

Throws:

IOException - if there is a problem.

NoSuchAlgorithmException - if there is a problem.

RejectException - if there is a problem.

ChallengeException - if there is a problem.

replyChallenge

public Packet replyChallenge(String name,
                             String password,
                             ChallengeException ce)
                      throws IOException,
                             NoSuchAlgorithmException,
                             RejectException,
                             ChallengeException

Sends an access-request to the server in response to a challenge request.

Parameters:

name - the username.

password - the password.

ce - the challenge exception providing access to the original challenge response.

Returns:

the response packet.

Throws:

IOException - if there is a problem.

NoSuchAlgorithmException - if there is a problem.

RejectException - if there is a problem.

ChallengeException - if there is a problem.