Author: markt Date: Tue Feb 22 11:08:42 2011 New Revision: 1073296 URL: http://svn.apache.org/viewvc?rev=1073296&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=19444 Add an option to the JNDI realm to allow role searches to be performed by the authenticated user.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/realm.xml
Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1073296&r1=1073295&r2=1073296&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Tue Feb 22 11:08:42 2011
@@ -365,7 +365,14 @@ public class JNDIRealm extends RealmBase
 */
 protected boolean roleNested = false;
-
+ /**
+ * When searching for user roles, should the search be performed as the user
+ * currently being authenticated? If false, {@link #connectionName} and
+ * {@link #connectionPassword} will be used if specified, else an anonymous
+ * connection will be used.
+ */
+ protected boolean roleSearchAsUser = false;
+
 /**
 * An alternate URL, to which, we should connect if connectionURL fails.
 */
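Review bot: No getter or setter for the new `roleSearchAsUser` field added in the -365 hunk appears anywhere in this diff, while the realm.xml hunk documents it as a configurable attribute; Tomcat's digester applies realm attributes through setter methods, so unless `setRoleSearchAsUser(boolean)` and `isRoleSearchAsUser()` already exist elsewhere in the file, the attribute cannot be enabled from server.xml. The neighbouring `roleNested` field presumably has such accessors to mirror. The addition is two lines next to the existing accessors: `public boolean isRoleSearchAsUser() { return roleSearchAsUser; }` and `public void setRoleSearchAsUser(boolean roleSearchAsUser) { this.roleSearchAsUser = roleSearchAsUser; }`.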
@@ -1692,8 +1699,18 @@ public class JNDIRealm extends RealmBase
 controls.setReturningAttributes(new String[] {roleName});
 // Perform the configured search and process the results
- NamingEnumeration<SearchResult> results =
- context.search(roleBase, filter, controls);
+ NamingEnumeration<SearchResult> results = null;
+ try {
+ if (roleSearchAsUser) {
+ userCredentialsAdd(context, dn, user.getPassword());
+ }
+ results = context.search(roleBase, filter, controls);
+ } finally {
+ if (roleSearchAsUser) {
+ userCredentialsRemove(context);
+ }
+ }
+
 if (results == null) return (list); // Should never happen, but just in case ...
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1073296&r1=1073295&r2=1073296&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Feb 22 11:08:42 2011
@@ -45,6 +45,10 @@
 <section name="Tomcat 7.0.9 (markt)">
 <subsection name="Catalina">
 <changelog>
+ <add>
+ <bug>19444</bug>: Add an option to the JNDI realm to allow role searches
+ to be performed by the authenticated user. (markt)
+ </add>
 <fix>
 <bug>48863</bug>: Better logging when specifying an invalid directory for
 a class loader. Based on a patch by Ralf Hauser. (markt)
Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1073296&r1=1073295&r2=1073296&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Tue Feb 22 11:08:42 2011
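Review bot: `user.getPassword()` on the `userCredentialsAdd` line is the only source of the credential used for the role search, and nothing in this hunk shows that the password the user just presented is stored on that `User`; if `User.password` is populated only from the configured `userPassword` attribute (and is null when the realm authenticates by binding as the user), the search would bind with the user's DN plus a null or directory-sourced value rather than the authenticated credential — confirm how the `User` passed here is built, or pass the presented credentials into this method explicitly. A smaller concern is that the `finally` restores the connection environment before `results` is iterated, and a `NamingEnumeration` from the LDAP provider may be read lazily, so whether later `results.next()` calls still run under the user's binding is provider-dependent; a comment on the `results = context.search(...)` line such as `// results may be fetched lazily after the environment is restored below` would flag that. The enclosing method starts and ends outside the hunk, as do `userCredentialsAdd`/`userCredentialsRemove`, so whether the restore re-applies `connectionName`/`connectionPassword` rather than leaving the context anonymous is assumed here and should be checked.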
@@ -412,6 +412,14 @@
 property.</p>
 </attribute>
+ <attribute name="roleSearchAsUser" required="false">
+ <p> When searching for user roles, should the search be performed as the
+ user currently being authenticated? If false,
+ <code>connectionName</code>} and <code>connectionPassword</code> will be
+ used if specified, else an anonymous. If not specified, the default
+ value of <code>false</code> is used.</p>
+ </attribute>
+
 <attribute name="roleSubtree" required="false">
 <p>Set to <code>true</code> if you want to search the entire subtree of
 the element specified by the <code>roleBase</code>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org