From: "Filip Hanik (mailing lists)"
To: "'Tomcat Developers List'"
Subject: RE: svn commit: r1355615 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
Date: Sun, 1 Jul 2012 15:35:47 -0600
Message-ID: <00b301cd57d1$7c912200$75b36600$@hanik.com>
References: <20120630010501.C8A8D23889BB@eris.apache.org>

Thanks for the review and fix

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] > Sent: Sunday, July 01, 2012 6:06 AM > To: Tomcat Developers List > Subject: Re: svn commit: r1355615 - in /tomcat/trunk: > java/org/apache/catalina/realm/JNDIRealm.java > webapps/docs/config/realm.xml > > 2012/6/30 : > > Author: fhanik > > Date: Sat Jun 30 01:04:59 2012 > > New Revision: 1355615 > > > > URL: http://svn.apache.org/viewvc?rev=1355615&view=rev > > Log: > > With more and more use of RFC 2307 http://tools.ietf.org/html/rfc2307 > > There is a new way to search for roles using the memberUid that can > contain the value of another attribute within the users directory entry. > > This may not be very specific to 2307, but that is where I see this > combination of role searches occur the most. > > > > Example: http://www.openldap.org/lists/openldap- > technical/200904/msg00024.html > > > > > > > > > > Modified: > > tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > > tomcat/trunk/webapps/docs/config/realm.xml > > > > Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm > /JNDIRealm.java?rev=1355615&r1=1355614&r2=1355615&view=diff > > > ======================================================================== > ====== > > --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > (original) > > +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Sat Jun > 30 01:04:59 2012 > > @@ -126,8 +126,9 @@ import org.ietf.jgss.GSSCredential; > > * property. > > *
  • The roleSearch pattern optionally includes > pattern > > * replacements "{0}" for the distinguished name, and/or > "{1}" for > > - * the username, of the authenticated user for which roles > will be > > - * retrieved.
  • > > + * the username, and/or "{2}" the value of the > userRoleAttribute > > + * attribute from the users entry, of the authenticated user > > + * for which roles will be retrieved. > > *
  • The roleBase property can be set to the > element that > > * is the base of the search for matching roles. If not > specified, > > * the entire context will be searched.
  • > > @@ -292,6 +293,14 @@ public class JNDIRealm extends RealmBase > > */ > > protected String userPassword = null; > > > > + /** > > + * The name of the attribute inside the users > > + * directory entry where the value will be > > + * taken to search for roles > > + * This attribute is not used during a nested search > > + */ > > + protected String userRoleAttribute = null; > > + > > > > /** > > * A string of LDAP user patterns or paths, ":"-separated > > @@ -829,6 +838,14 @@ public class JNDIRealm extends RealmBase > > } > > > > > > + public String getUserRoleAttribute() { > > + return userRoleAttribute; > > + } > > + > > + public void setUserRoleAttribute(String userRoleAttribute) { > > + this.userRoleAttribute = userRoleAttribute; > > + } > > + > > /** > > * Return the message format pattern for selecting users in this > Realm. > > */ > > @@ -839,6 +856,8 @@ public class JNDIRealm extends RealmBase > > } > > > > > > + > > + > > /** > > * Set the message format pattern for selecting users in this > Realm. > > * This may be one simple pattern, or multiple patterns to be > tried, > > @@ -1230,6 +1249,9 @@ public class JNDIRealm extends RealmBase > > list.add(userPassword); > > if (userRoleName != null) > > list.add(userRoleName); > > + if (userRoleAttribute != null) { > > + list.add(userRoleAttribute); > > + } > > String[] attrIds = new String[list.size()]; > > list.toArray(attrIds); > > > > @@ -1265,7 +1287,7 @@ public class JNDIRealm extends RealmBase > > > > // If no attributes are requested, no need to look for them > > if (attrIds == null || attrIds.length == 0) { > > - return new User(username, dn, null, null); > > + return new User(username, dn, null, null,null); > > } > > > > // Get required attributes from user entry 
> > @@ -1283,12 +1305,17 @@ public class JNDIRealm extends RealmBase > > if (userPassword != null) > > password = getAttributeValue(userPassword, attrs); > > > > + String userRoleAttrValue = null; > > + if (userRoleAttribute != null) { > > + userRoleAttrValue = getAttributeValue(userRoleAttribute, > attrs); > > + } > > + > > // Retrieve values of userRoleName attribute > > ArrayList roles = null; > > if (userRoleName != null) > > roles = addAttributeValues(userRoleName, attrs, roles); > > > > - return new User(username, dn, password, roles); > > + return new User(username, dn, password, roles, > userRoleAttrValue); > > } > > > > > > @@ -1427,12 +1454,17 @@ public class JNDIRealm extends RealmBase > > if (userPassword != null) > > password = getAttributeValue(userPassword, attrs); > > > > + String userRoleAttrValue = null; > > + if (userRoleAttribute != null) { > > + userRoleAttrValue = getAttributeValue(userRoleAttribute, > attrs); > > + } > > + > > // Retrieve values of userRoleName attribute > > ArrayList roles = null; > > if (userRoleName != null) > > roles = addAttributeValues(userRoleName, attrs, roles); > > > > - return new User(username, dn, password, roles); > > + return new User(username, dn, password, roles, password); > > The above line is likely wrong. The last argument should not be > "password". > > > } > > > > > > @@ -1675,6 +1707,7 @@ public class JNDIRealm extends RealmBase > > > > String dn = user.getDN(); > > String username = user.getUserName(); > > + String userRoleId = user.getUserRoleId(); > > > > if (dn == null || username == null) > > return (null); 
> > @@ -1702,7 +1735,7 @@ public class JNDIRealm extends RealmBase > > return (list); > > > > // Set up parameters for an appropriate search > > - String filter = roleFormat.format(new String[] { > doRFC2254Encoding(dn), username }); > > + String filter = roleFormat.format(new String[] { > doRFC2254Encoding(dn), username, userRoleId }); > > SearchControls controls = new SearchControls(); > > if (roleSubtree) > > controls.setSearchScope(SearchControls.SUBTREE_SCOPE); > > @@ -1775,7 +1808,7 @@ public class JNDIRealm extends RealmBase > > Map newThisRound = new > HashMap(); // Stores the groups we find in this > iteration > > > > for (Entry group : > newGroups.entrySet()) { > > - filter = roleFormat.format(new String[] { > group.getKey(), group.getValue() }); > > + filter = roleFormat.format(new String[] { > group.getKey(), group.getValue(), group.getValue() }); > > > > if (containerLog.isTraceEnabled()) { > > containerLog.trace("Perform a nested group > search with base "+ roleBase + " and filter " + filter); > > @@ -2359,9 +2392,11 @@ public class JNDIRealm extends RealmBase > > private final String dn; > > private final String password; > > private final List roles; > > + private final String userRoleId; > > + > > > > public User(String username, String dn, String password, > > - List roles) { > > + List roles, String userRoleId) { > > this.username = username; > > this.dn = dn; > > this.password = password; > > @@ -2370,6 +2405,7 @@ public class JNDIRealm extends RealmBase > > } else { > > this.roles = Collections.unmodifiableList(roles); > > } > > + this.userRoleId = userRoleId; > > } > > > > public String getUserName() { 
> > @@ -2387,6 +2423,12 @@ public class JNDIRealm extends RealmBase > > public List getRoles() { > > return roles; > > } > > + > > + public String getUserRoleId() { > > + return userRoleId; > > + } > > + > > + > > } > > } > > > >(...) > > Best regards, > Konstantin Kolinko > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org > For additional commands, e-mail: dev-help@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
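Review bot: the class Javadoc hunk at @@ -126 reads "the value of the userRoleAttribute attribute from the users entry"; make that "the user's entry", and say what "{2}" expands to when userRoleAttribute is not configured, since the pattern documentation is the only place a realm author will look for that.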
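Review bot: in the field comment added at @@ -292, "taken to search for roles This attribute is not used during a nested search" runs two sentences together; end the first with a period and write "the user's directory entry" rather than "the users directory entry".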
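Review bot: the getUserRoleAttribute()/setUserRoleAttribute() pair added at @@ -829 carries no Javadoc, while the neighbouring accessors in this class do ("Return the message format pattern for selecting users in this Realm."); add a one-line description saying it names the user attribute whose value is substituted for "{2}" in roleSearch.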
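Review bot: the hunk at @@ -839 adds nothing but two blank lines; drop it, it is whitespace noise in the diff and in the class.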
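Review bot: `return new User(username, dn, null, null,null);` at @@ -1265 is missing the space after the last comma; the surrounding code separates arguments with ", ".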
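Review bot: at @@ -1283, `userRoleAttrValue = getAttributeValue(userRoleAttribute, attrs);` leaves the value null when the user entry has no such attribute, and that null is later handed to roleFormat.format() in the @@ -1702 hunk. If roleFormat is a java.text.MessageFormat, as the String[] argument suggests, a null argument is rendered as the literal text "null", so a roleSearch built on "{2}" would quietly look for memberUid=null instead of finding no roles. Treat a missing attribute explicitly: log it at debug level and either substitute an empty string or skip the role search for that user.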
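Review bot: agreeing with the comment on @@ -1427, `return new User(username, dn, password, roles, password);` passes the password where the sibling hunk at @@ -1283 passes userRoleAttrValue; the effect would be to substitute the user's password for "{2}" and send it to the directory inside the role search filter. Change the last argument to userRoleAttrValue so both lookup paths build the User the same way.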
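Review bot: in the @@ -1702 hunk, `roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId })` escapes dn but inserts userRoleId into the filter unescaped. The value is read from a directory attribute and can contain filter metacharacters such as "*", "(" and ")", so pass it through doRFC2254Encoding() as well; the unescaped username argument is pre-existing, but this change should not add a second one.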
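Review bot: the nested-search line at @@ -1775 binds "{2}" to group.getValue(), the same value already used for "{1}", with no explanation. Add a comment pointing at the field Javadoc statement that userRoleAttribute is not used during a nested search, so the duplicated argument is not mistaken for a copy-and-paste error later.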
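Review bot: the new User field at @@ -2359 is named userRoleId, while the realm property is userRoleAttribute and the local variable at @@ -1283 is userRoleAttrValue; using one name for the value (userRoleAttrValue fits) makes the data flow from attribute to filter easier to follow. The extra blank line after `private final String userRoleId;` should also go.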
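Review bot: the getUserRoleId() accessor added at @@ -2387 is followed by two trailing blank lines before the closing brace of User; remove them to match the rest of the inner class.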
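The commit log above explains the RFC 2307 case the new "{2}" placeholder serves. As an added example (not from the commit, the realm.xml docs change, or Tomcat's own files), the realm below assumes users who log in with their mail address while posixGroup entries list members by uid in memberUid, which is exactly where neither "{0}" nor "{1}" matches and userRoleAttribute does:

```xml
<!-- Added example: JNDIRealm for an RFC 2307 (posixAccount/posixGroup) directory.
     Assumed layout (not from the page): user entries under ou=people,dc=example,dc=com
     carry both a mail and a uid attribute; posixGroup entries under
     ou=groups,dc=example,dc=com list their members in memberUid by uid, not by DN.

     userSearch:        {0} is the login name as typed (here the mail address); the
                        match yields the user's DN.
     userRoleAttribute: new in r1355615; names the user attribute whose value is
                        substituted for {2} in roleSearch (here the uid).
     roleSearch:        {0} would be the DN and {1} the typed mail address, and
                        memberUid holds neither, so {2} is the placeholder that matches.
     roleName:          the group attribute reported as the role (cn of the posixGroup).
     connectionPassword is a placeholder; keep the real bind credential out of the file
     where your deployment allows it. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat,ou=services,dc=example,dc=com"
       connectionPassword="PLACEHOLDER-bind-password"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(mail={0})"
       userRoleAttribute="uid"
       roleBase="ou=groups,dc=example,dc=com"
       roleSearch="(memberUid={2})"
       roleName="cn" />
```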