From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r1355615 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
Date Sun, 01 Jul 2012 12:06:18 GMT
2012/6/30  <fhanik@apache.org>:
> Author: fhanik
> Date: Sat Jun 30 01:04:59 2012
> New Revision: 1355615
>
> URL: http://svn.apache.org/viewvc?rev=1355615&view=rev
> Log:
> With more and more use of RFC 2307 (http://tools.ietf.org/html/rfc2307),
> there is a new way to search for roles using the memberUid, which can contain the value
of another attribute within the user's directory entry.
> This may not be very specific to 2307, but that is where I see this combination of role
searches occur the most.
>
> Example: http://www.openldap.org/lists/openldap-technical/200904/msg00024.html
>
>
>
>
> Modified:
>     tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
>     tomcat/trunk/webapps/docs/config/realm.xml
>
> Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1355615&r1=1355614&r2=1355615&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun 30 01:04:59 2012
> @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential;
>   *         property.</li>
>   *     <li>The <code>roleSearch</code> pattern optionally includes
pattern
>   *         replacements "{0}" for the distinguished name, and/or "{1}" for
> - *         the username, of the authenticated user for which roles will be
> - *         retrieved.</li>
> + *         the username, and/or "{2}" the value of the userRoleAttribute
> + *         attribute from the users entry, of the authenticated user
> + *         for which roles will be retrieved.</li>
>   *     <li>The <code>roleBase</code> property can be set to the element
that
>   *         is the base of the search for matching roles.  If not specified,
>   *         the entire context will be searched.</li>
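Review bot: The new "{2}" clause in the roleSearch Javadoc drops the parallel "for" and reads awkwardly; suggested wording: `"{1}" for the username, and/or "{2}" for the value of the userRoleAttribute attribute taken from the user's entry, of the authenticated user for which roles will be retrieved.` It would also help to state here what "{2}" resolves to when userRoleAttribute is not configured or the attribute is absent from the entry, since the third format argument is always supplied to the pattern.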
> @@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase
>       */
>      protected String userPassword = null;
>
> +    /**
> +     * The name of the attribute inside the users
> +     * directory entry where the value will be
> +     * taken to search for roles
> +     * This attribute is not used during a nested search
> +     */
> +    protected String userRoleAttribute = null;
> +
>
>      /**
>       * A string of LDAP user patterns or paths, ":"-separated
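Review bot: The Javadoc on the new userRoleAttribute field runs "search for roles" straight into "This attribute" with no sentence break, and "users" should be "user's". Suggested text: `The name of the attribute in the user's directory entry whose value is substituted for "{2}" in the roleSearch pattern. During a nested group search "{2}" is not taken from this attribute.` The second sentence is inferred from the nested-search hunk further down, where the third format argument is the group entry's value rather than the user's attribute.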
> @@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase
>      }
>
>
> +    public String getUserRoleAttribute() {
> +        return userRoleAttribute;
> +    }
> +
> +    public void setUserRoleAttribute(String userRoleAttribute) {
> +        this.userRoleAttribute = userRoleAttribute;
> +    }
> +
>      /**
>       * Return the message format pattern for selecting users in this Realm.
>       */
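Review bot: getUserRoleAttribute and setUserRoleAttribute are added without Javadoc, unlike the neighbouring accessors such as the one documented with "Return the message format pattern for selecting users in this Realm." Matching one-line comments would be `/** Return the name of the user attribute whose value is used as "{2}" in the role search. */` and `/** Set the name of the user attribute whose value is used as "{2}" in the role search. */`.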
> @@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase
>      }
>
>
> +
> +
>      /**
>       * Set the message format pattern for selecting users in this Realm.
>       * This may be one simple pattern, or multiple patterns to be tried,
> @@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase
>              list.add(userPassword);
>          if (userRoleName != null)
>              list.add(userRoleName);
> +        if (userRoleAttribute != null) {
> +            list.add(userRoleAttribute);
> +        }
>          String[] attrIds = new String[list.size()];
>          list.toArray(attrIds);
>
> @@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase
>
>          // If no attributes are requested, no need to look for them
>          if (attrIds == null || attrIds.length == 0) {
> -            return new User(username, dn, null, null);
> +            return new User(username, dn, null, null,null);
>          }
>
>          // Get required attributes from user entry
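Review bot: `new User(username, dn, null, null,null)` is missing the space after the fourth argument that every other argument list in the hunk uses; `return new User(username, dn, null, null, null);`. The enclosing method starts before this hunk.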
> @@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase
>          if (userPassword != null)
>              password = getAttributeValue(userPassword, attrs);
>
> +        String userRoleAttrValue = null;
> +        if (userRoleAttribute != null) {
> +            userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs);
> +        }
> +
>          // Retrieve values of userRoleName attribute
>          ArrayList<String> roles = null;
>          if (userRoleName != null)
>              roles = addAttributeValues(userRoleName, attrs, roles);
>
> -        return new User(username, dn, password, roles);
> +        return new User(username, dn, password, roles, userRoleAttrValue);
>      }
>
>
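Review bot: The new userRoleAttrValue lookup here is duplicated verbatim in the following hunk (the @@ -1427 hunk), and the two sites already differ in how they then build the User; a small helper such as `private String getUserRoleAttrValue(Attributes attrs)` returning `userRoleAttribute == null ? null : getAttributeValue(userRoleAttribute, attrs)` would keep both call sites on the same path. getAttributeValue's declared exceptions are not visible in this hunk, so the helper would need the same throws clause. The enclosing method starts before the hunk.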
> @@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase
>          if (userPassword != null)
>              password = getAttributeValue(userPassword, attrs);
>
> +        String userRoleAttrValue = null;
> +        if (userRoleAttribute != null) {
> +            userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs);
> +        }
> +
>          // Retrieve values of userRoleName attribute
>          ArrayList<String> roles = null;
>          if (userRoleName != null)
>              roles = addAttributeValues(userRoleName, attrs, roles);
>
> -        return new User(username, dn, password, roles);
> +        return new User(username, dn, password, roles, password);

The above line is likely wrong. The last argument should not be "password".

>      }
>
>
> @@ -1675,6 +1707,7 @@ public class JNDIRealm extends RealmBase
>
>          String dn = user.getDN();
>          String username = user.getUserName();
> +        String userRoleId = user.getUserRoleId();
>
>          if (dn == null || username == null)
>              return (null);
> @@ -1702,7 +1735,7 @@ public class JNDIRealm extends RealmBase
>              return (list);
>
>          // Set up parameters for an appropriate search
> -        String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), username
});
> +        String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), username,
userRoleId });
>          SearchControls controls = new SearchControls();
>          if (roleSubtree)
>              controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
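Review bot: `userRoleId` is inserted into the role search filter at the `roleFormat.format` call without the doRFC2254Encoding that dn receives on the same line, so a directory attribute value containing filter metacharacters would change the meaning of the filter; `doRFC2254Encoding(userRoleId)` keeps the new argument on the same footing as the dn (username is passed raw already, which this change does not touch). The value is also null when userRoleAttribute is unset or the attribute is missing from the entry, and java.text.MessageFormat renders a null argument as the literal text "null", so a pattern that uses "{2}" would then search for that string instead of finding nothing; an explicit null check before formatting, when the pattern references "{2}", would avoid that. doRFC2254Encoding's handling of null is outside the hunk, so the guard belongs before the call. The enclosing getRoles method starts before this hunk and continues after it.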
> @@ -1775,7 +1808,7 @@ public class JNDIRealm extends RealmBase
>                  Map<String, String> newThisRound = new HashMap<String, String>();
// Stores the groups we find in this iteration
>
>                  for (Entry<String, String> group : newGroups.entrySet()) {
> -                    filter = roleFormat.format(new String[] { group.getKey(), group.getValue()
});
> +                    filter = roleFormat.format(new String[] { group.getKey(), group.getValue(),
group.getValue() });
>
>                      if (containerLog.isTraceEnabled()) {
>                          containerLog.trace("Perform a nested group search with base
"+ roleBase + " and filter " + filter);
> @@ -2359,9 +2392,11 @@ public class JNDIRealm extends RealmBase
>          private final String dn;
>          private final String password;
>          private final List<String> roles;
> +        private final String userRoleId;
> +
>
>          public User(String username, String dn, String password,
> -                List<String> roles) {
> +                List<String> roles, String userRoleId) {
>              this.username = username;
>              this.dn = dn;
>              this.password = password;
> @@ -2370,6 +2405,7 @@ public class JNDIRealm extends RealmBase
>              } else {
>                  this.roles = Collections.unmodifiableList(roles);
>              }
> +            this.userRoleId = userRoleId;
>          }
>
>          public String getUserName() {
> @@ -2387,6 +2423,12 @@ public class JNDIRealm extends RealmBase
>          public List<String> getRoles() {
>              return roles;
>          }
> +
> +        public String getUserRoleId() {
> +            return userRoleId;
> +        }
> +
> +
>      }
>  }
>
>(...)

Best regards,
Konstantin Kolinko


