tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Filip Hanik \(mailing lists\)" <devli...@hanik.com>
Subject RE: svn commit: r1355615 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
Date Sun, 01 Jul 2012 21:35:47 GMT
Thanks for the review and fix

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
> Sent: Sunday, July 01, 2012 6:06 AM
> To: Tomcat Developers List
> Subject: Re: svn commit: r1355615 - in /tomcat/trunk:
> java/org/apache/catalina/realm/JNDIRealm.java
> webapps/docs/config/realm.xml
> 
> 2012/6/30  <fhanik@apache.org>:
> > Author: fhanik
> > Date: Sat Jun 30 01:04:59 2012
> > New Revision: 1355615
> >
> > URL: http://svn.apache.org/viewvc?rev=1355615&view=rev
> > Log:
> > With more and more use of RFC 2307 http://tools.ietf.org/html/rfc2307
> > There is a new way to search for roles using the memberUid that can
> contain the value of another attribute within the users directory entry.
> > This may not be very specific to 2307, but that is where I see this
> combination of role searches occur the most.
> >
> > Example: http://www.openldap.org/lists/openldap-
> technical/200904/msg00024.html
> >
> >
> >
> >
> > Modified:
> >     tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> >     tomcat/trunk/webapps/docs/config/realm.xml
> >
> > Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> > URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm
> /JNDIRealm.java?rev=1355615&r1=1355614&r2=1355615&view=diff
> >
> ========================================================================
> ======
> > --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> (original)
> > +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun
> 30 01:04:59 2012
> > @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential;
> >   *         property.</li>
> >   *     <li>The <code>roleSearch</code> pattern optionally includes
> pattern
> >   *         replacements "{0}" for the distinguished name, and/or
> "{1}" for
> > - *         the username, of the authenticated user for which roles
> will be
> > - *         retrieved.</li>
> > + *         the username, and/or "{2}" the value of the
> userRoleAttribute
> > + *         attribute from the users entry, of the authenticated user
> > + *         for which roles will be retrieved.</li>
> >   *     <li>The <code>roleBase</code> property can be set to the
> element that
> >   *         is the base of the search for matching roles.  If not
> specified,
> >   *         the entire context will be searched.</li>
> > @@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase
> >       */
> >      protected String userPassword = null;
> >
> > +    /**
> > +     * The name of the attribute inside the users
> > +     * directory entry where the value will be
> > +     * taken to search for roles
> > +     * This attribute is not used during a nested search
> > +     */
> > +    protected String userRoleAttribute = null;
> > +
> >
> >      /**
> >       * A string of LDAP user patterns or paths, ":"-separated
> > @@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase
> >      }
> >
> >
> > +    public String getUserRoleAttribute() {
> > +        return userRoleAttribute;
> > +    }
> > +
> > +    public void setUserRoleAttribute(String userRoleAttribute) {
> > +        this.userRoleAttribute = userRoleAttribute;
> > +    }
> > +
> >      /**
> >       * Return the message format pattern for selecting users in this
> Realm.
> >       */
> > @@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase
> >      }
> >
> >
> > +
> > +
> >      /**
> >       * Set the message format pattern for selecting users in this
> Realm.
> >       * This may be one simple pattern, or multiple patterns to be
> tried,
> > @@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase
> >              list.add(userPassword);
> >          if (userRoleName != null)
> >              list.add(userRoleName);
> > +        if (userRoleAttribute != null) {
> > +            list.add(userRoleAttribute);
> > +        }
> >          String[] attrIds = new String[list.size()];
> >          list.toArray(attrIds);
> >
> > @@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase
> >
> >          // If no attributes are requested, no need to look for them
> >          if (attrIds == null || attrIds.length == 0) {
> > -            return new User(username, dn, null, null);
> > +            return new User(username, dn, null, null,null);
> >          }
> >
> >          // Get required attributes from user entry
> > @@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase
> >          if (userPassword != null)
> >              password = getAttributeValue(userPassword, attrs);
> >
> > +        String userRoleAttrValue = null;
> > +        if (userRoleAttribute != null) {
> > +            userRoleAttrValue = getAttributeValue(userRoleAttribute,
> attrs);
> > +        }
> > +
> >          // Retrieve values of userRoleName attribute
> >          ArrayList<String> roles = null;
> >          if (userRoleName != null)
> >              roles = addAttributeValues(userRoleName, attrs, roles);
> >
> > -        return new User(username, dn, password, roles);
> > +        return new User(username, dn, password, roles,
> userRoleAttrValue);
> >      }
> >
> >
> > @@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase
> >          if (userPassword != null)
> >              password = getAttributeValue(userPassword, attrs);
> >
> > +        String userRoleAttrValue = null;
> > +        if (userRoleAttribute != null) {
> > +            userRoleAttrValue = getAttributeValue(userRoleAttribute,
> attrs);
> > +        }
> > +
> >          // Retrieve values of userRoleName attribute
> >          ArrayList<String> roles = null;
> >          if (userRoleName != null)
> >              roles = addAttributeValues(userRoleName, attrs, roles);
> >
> > -        return new User(username, dn, password, roles);
> > +        return new User(username, dn, password, roles, password);
> 
> The above line is likely wrong. The last argument should not be
> "password".
> 
> >      }
> >
> >
> > @@ -1675,6 +1707,7 @@ public class JNDIRealm extends RealmBase
> >
> >          String dn = user.getDN();
> >          String username = user.getUserName();
> > +        String userRoleId = user.getUserRoleId();
> >
> >          if (dn == null || username == null)
> >              return (null);
> > @@ -1702,7 +1735,7 @@ public class JNDIRealm extends RealmBase
> >              return (list);
> >
> >          // Set up parameters for an appropriate search
> > -        String filter = roleFormat.format(new String[] {
> doRFC2254Encoding(dn), username });
> > +        String filter = roleFormat.format(new String[] {
> doRFC2254Encoding(dn), username, userRoleId });
> >          SearchControls controls = new SearchControls();
> >          if (roleSubtree)
> >              controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > @@ -1775,7 +1808,7 @@ public class JNDIRealm extends RealmBase
> >                  Map<String, String> newThisRound = new
> HashMap<String, String>(); // Stores the groups we find in this
> iteration
> >
> >                  for (Entry<String, String> group :
> newGroups.entrySet()) {
> > -                    filter = roleFormat.format(new String[] {
> group.getKey(), group.getValue() });
> > +                    filter = roleFormat.format(new String[] {
> group.getKey(), group.getValue(), group.getValue() });
> >
> >                      if (containerLog.isTraceEnabled()) {
> >                          containerLog.trace("Perform a nested group
> search with base "+ roleBase + " and filter " + filter);
> > @@ -2359,9 +2392,11 @@ public class JNDIRealm extends RealmBase
> >          private final String dn;
> >          private final String password;
> >          private final List<String> roles;
> > +        private final String userRoleId;
> > +
> >
> >          public User(String username, String dn, String password,
> > -                List<String> roles) {
> > +                List<String> roles, String userRoleId) {
> >              this.username = username;
> >              this.dn = dn;
> >              this.password = password;
> > @@ -2370,6 +2405,7 @@ public class JNDIRealm extends RealmBase
> >              } else {
> >                  this.roles = Collections.unmodifiableList(roles);
> >              }
> > +            this.userRoleId = userRoleId;
> >          }
> >
> >          public String getUserName() {
> > @@ -2387,6 +2423,12 @@ public class JNDIRealm extends RealmBase
> >          public List<String> getRoles() {
> >              return roles;
> >          }
> > +
> > +        public String getUserRoleId() {
> > +            return userRoleId;
> > +        }
> > +
> > +
> >      }
> >  }
> >
> >(...)
> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message