shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Les Hazlewood <>
Subject LDAP rewrite
Date Sun, 08 Aug 2010 03:15:09 GMT
Hi all,

I finally got around to tackling SHIRO-127 [1] today.  I cleaned up
quite a bit and added lots of JavaDoc, but all of the work focused
initially around authentication.  Authorization (in a
generic/configurable way) still needs to be flushed out.  Summary:

- Two new classes (JndiLdapRealm and JndiLdapContextFactory) were
added to retain backwards compatibility and to not disrupt users of
the existing AbstractLdapRealm and DefaultLdapContextFactory classes.
The latter two are effectively deprecated though by the former - that
just won't be finalized until authorization is complete.

- The JndiLdapRealm will support LDAP authentication mechanism -
simple username/password or even SASL mechanisms (MD5-DIGEST,
Kerberos, etc).  I.e. it can support any AuthenticationToken, not just

- All connection properties are now part of the JndiLdapContextFactory
implementation and abstracted out of the JndiLdapRealm implementation.
 The JndiLdapRealm delegates to this factory at runtime to create the
LDAP connections.

- Specifying User DN format is much easier now - you can specify a
template and correct principal values are substituted correctly at
runtime (see the example below with the {0} substitution token).

The next step is to support the Authorization implementation. I'll
take a crack at it and update the list for review when that's done.

Anyway, please check out the latest commit and let me know if you have
any feedback.  Here is a simple example of how you'd use it in

ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=mycompany,dc=com
ldapRealm.contextFactory.url = ldap://ldapHost:ldapPort
ldapRealm.contextFactory.environment[] = someValue

Please offer any feedback!



View raw message