Author: markt
Date: Tue Feb 22 11:48:09 2011
New Revision: 1073301
URL: http://svn.apache.org/viewvc?rev=1073301&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=21669
Add the ability to specify the roleBase for the JNDI Realm as relative to the
user's DN. Based on a patch by Art W.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/realm.xml
Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1073301&r1=1073300&r2=1073301&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Tue Feb 22
11:48:09 2011
@@ -330,6 +330,13 @@ public class JNDIRealm extends RealmBase
/**
* The MessageFormat object associated with the current
+ * <code>roleBase</code>.
+ */
+ protected MessageFormat roleBaseFormat = null;
+
+
+ /**
+ * The MessageFormat object associated with the current
* <code>roleSearch</code>.
*/
protected MessageFormat roleFormat = null;
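Review bot: `roleBaseFormat` is a shared, mutable `MessageFormat`, and java.text documents message formats as not synchronized. If role lookups can run on more than one request thread at a time, the `format` call this commit adds in the role search needs external synchronization or a per-call instance. The neighbouring `roleFormat` follows the same pattern, so this may already be covered by locking that is not visible in the hunk. A field comment such as `// Not thread-safe: only use while holding <lock placeholder>` would record the assumption.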
@@ -697,6 +704,10 @@ public class JNDIRealm extends RealmBase
public void setRoleBase(String roleBase) {
this.roleBase = roleBase;
+ if (roleBase == null)
+ roleBaseFormat = null;
+ else
+ roleBaseFormat = new MessageFormat(roleBase);
}
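Review bot: `new MessageFormat(roleBase)` parses every configured roleBase as a pattern, so a value containing an apostrophe or a brace is no longer taken literally. A single `'` opens a quoted section and is dropped from the formatted output, and an unmatched `{` makes the constructor throw IllegalArgumentException from inside the setter. Because the formatted string becomes the base of the role search, the setter's Javadoc (outside this hunk) should say so, for example `@param roleBase The new base element, parsed as a java.text.MessageFormat pattern; write a literal ' as ''`. The if/else would also read more safely with braces, matching the braced blocks elsewhere in this commit.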
@@ -1698,13 +1709,24 @@ public class JNDIRealm extends RealmBase
controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
controls.setReturningAttributes(new String[] {roleName});
+ String base = null;
+ if (roleBaseFormat != null) {
+ NameParser np = context.getNameParser("");
+ Name name = np.parse(dn);
+ String nameParts[] = new String[name.size()];
+ for (int i = 0; i < name.size(); i++) {
+ nameParts[i] = name.get(i);
+ }
+ base = roleBaseFormat.format(nameParts);
+ }
+
// Perform the configured search and process the results
NamingEnumeration<SearchResult> results = null;
try {
if (roleSearchAsUser) {
userCredentialsAdd(context, dn, user.getPassword());
}
- results = context.search(roleBase, filter, controls);
+ results = context.search(base, filter, controls);
} finally {
if (roleSearchAsUser) {
userCredentialsRemove(context);
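Review bot: When roleBase was never set, or was set to null, `roleBaseFormat` is null and `base` stays null, so `context.search(base, filter, controls)` receives a null name where it used to receive `roleBase`. If the field defaults to a non-null value such as the empty string (its declaration is not visible here), realms relying on that default would fail role lookup instead of searching from the top-level context; adding `else { base = roleBase; }` after the `if` block keeps the previous behaviour. Separately, MessageFormat leaves a placeholder whose index is beyond `name.size()` as literal `{n}` text, so a DN with fewer name parts than the pattern expects yields a malformed search base. That case deserves an explicit check and a log message, since the result decides which roles the user is granted. The enclosing method starts and ends outside this hunk.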
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1073301&r1=1073300&r2=1073301&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Feb 22 11:48:09 2011
@@ -49,6 +49,10 @@
<bug>19444</bug>: Add an option to the JNDI realm to allow role
searches
to be performed by the authenticated user. (markt)
</add>
+ <add>
+ <bug>21669</bug>: Add the ability to specify the roleBase for the JNDI
+ Realm as relative to the users DN. Based on a patch by Art W. (markt)
+ </add>
<fix>
<bug>48863</bug>: Better logging when specifying an invalid directory
for a class loader. Based on a patch by Ralf Hauser. (markt)
Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1073301&r1=1073300&r2=1073301&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Tue Feb 22 11:48:09 2011
@@ -387,9 +387,12 @@
</attribute>
<attribute name="roleBase" required="false">
- <p>The base directory entry for performing role searches. If
- not specified the top-level element in the directory context
- will be used.</p>
+ <p>The base directory entry for performing role searches. If not
+ specified the top-level element in the directory context will be used.
+ If specified it may optionally include pattern replacements
+ "{0}".."{n}" corrosponding to the name parts of the
+ user's distinguished name (as returned by
+ <code>javax.naming.Name.get()</code>).</p>
</attribute>
<attribute name="roleName" required="false">